Can I use Veracrypt to encrypt my Win 8.1 system partition if it is gpt - formatted? This was a limitation that truecrypt had, has Veracrypt addressed the issue in some way?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-09-05
any chance to add gpt support in the future?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
GPT support is on the top of the TODO list. It is a complicated feature to implement thus needing a lot of time. We hope to have it implemented between 6 and 12 months from now.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-09-30
Hello again Mounir, if you have some time I just wanted to share some thoughts and ask about some more details about this issue, like some information about why is it actually so hard to design or implement such a feature. I was thinking that the process could actually be implemented in 3 steps, like:
1. Be able to create and manage non-system containers on gpt partitions. For this step you would not have to deal with boot loader at all. I think this is done.
2. Figure out how to encrypt the windows partition(s) and the boot process. The plural is because windows 8 need at least 2 more partitions in order to be installed and boot in uefi mode, and the update process to 8.1 may create one more.. Obviously the "efi system partition" cannot be encypted, but what about the "Ms reserved" and the other ones?
3. Leave secure boot and features like "create a hidden operating system with another passphrase" for the end, as most motherboards are shipped with a feature to disable secure boot, and most people need their main os encrypted, and dont care about having a decoy one.
Also, maybe this project could somehow benefit from refind boot manager or maybe even gummiboot? The whole process of uefi secure booting with encrypted luks and logical volume management inside it can achieved in linux in a various ways.
I'm sorry for the length of my post. Thanks for all your great efforts.
D.
Last edit: Mounir IDRASSI 2014-09-30
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks for the ideas.
Actually, the main difficulty comes from the fact that we have no expertise on GPT/UEFI and it takes time to build skills and knowledge on this field especially when you want to implement it for secure environments.
Indeed, there are many projects out there that support GPT/UEFI but it is on other contexts and their code can't be reused as it is.
Moreover, studying Windows 8 boot mechanisms and understanding its internals is no small task. Of course, you can't count on Microsoft documentation for this. Don't forget that it took TrueCrypt many years to have the kind of smooth system encryption that we have today.
If you or anyone reading this have technical know-how on this field, please don't hesitate to submit a patch or some code. For complex projects like VeraCrypt, it is essential that as much developers as possible collaborate to bring up new features like this because our small team has limited resources (we all have day jobs) and we manage development priorities in the best way possible.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-10-15
yes a very important feature!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-10-23
i hope you will add this feature very soon!!!! It's very important - how are the things going in the development of this features?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
For now the development UEFI support is on standby. We are finalizing other features that we want to include in the upcoming 1.0f and also solving few issues.
Unfortunately we can't work on all the subjects at the same time and for now we are not receiving any help from the open source community. Hopefully with time, people with more expertise than us on UEFI will contribute implementations that would be helpful.
FYI, the difficulty is to find a way to intercept read/write operations at UEFI level in order to perform decryption/encryption operations on the fly while Windows is booting.
In BIOS mode, this is done through the interrupt INT13 which we filter to intercept read/write operations.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-11-01
Did some research, just because I'd like VeraCrypt to support UEFI/GPT booting. Unfortunately I don't have the C and UEFI skills, nor the time or crypto experience to implement something atm.
I started from here which states the Windows Loader uses BLOCK_IO to read/write to disk. Note that this is just for the Windows loader and not for the UEFI Boot Manager, so if you want to encrypt the ESP Partition too you may have to intercept another I/O Path, or at least intercept as early as possible (afaik NVRAM variables specify UEFI Driver loading order, and drivers load before Boot Manager, but I didn't yet look how Boot Manager reads the ESP internally). Also I'm not sure from where to load VeraCrypt UEFI Driver in that case. From there on I informed myself about UEFI programming per se and UEFI driver programming (driver writers guide) especially.
The first way of filtering BLOCK_IO protocol I found was using ReinstallProtocolInterface, but that info mostly was from about 2008/2009 and was rather perceived a hacky and probably unreliable way of doing things (aka calling ReinstallProtocolInterface depends on being called from the driver itself).
The most interesting and possibly cleanest way is discussed in this thread on the EDK2 mailing list. Especially Micheal D Kinneys post looks interesting. He wrote a similar post half a year later, that has one or two details explained better IMHO.
After having a look at the True/VeraCrypt boot code it looks like the UEFI driver implementation could turn out quite a bit easier/nicer. I see your having a look at the DiskCryptor source code, so I'm not sure if this information is still a valid approach for you. Anyway, let me finish this post and say thank you for your invaluable contributions to the Open Source Community.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thank you very much for your research and for sharing your results.
I really appreciate these valuable information. When I resume work on this, I'll let you know the results of my experimentation.
Thank you also for your kind words. I have benefited from other Open Source contributions and it is a minimum to give back part of that knowledge to the community so that others continue improving it. As I always say, sharing is living.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-11-02
I hope you could add this feature as soon as possible - every new laptop now has uefi bios with gpt partion and windows 8.1 installed - in case of theft of laptop it would be a disaster as the os would not encrypted - the use of bitlocker is the only solution but it is avalaible only on the pro version of windows - the upgrade costs 160 eur and I think is too much for the use of only this feature - I really hope you can find all needed solution soon to include gpt os encryption - you would be the first indipendent tool to do that.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-11-03
As far as GPT boot drivers encryption still isn't implemented and I respect Mounir's efforts. So yeah, it will be done when the time comes! But you can easily encrypt DATA drives/volumes formatted with GPT/NTFS. I've done it on all of my 2TB drives.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2014-12-16
From what I can gather, the following pieces are key to making this feature possible:
1: File system de/encryption on the fly, making it so Windows doesn't know it's encrypted and it still able to read the files on the system by tunneling through Veracrypt. Already done for creating non-system partitions/containers, but of course would need some extra work for the entire OS to do it.
2: Creating a means for Booting the VeraCrypt Bootloader, which in turn would boot Windows. From what I've read up about EFI, all it would require is the creation of an efi boot file/program. I'm not very skilled in programming, but a good look at the boot code in Truecrypt might help figure out how it did background decryption on MBR systems. Of course, on systems with Secure Boot enabled, it would require getting the Bootloader signed.
3: A possible means to help prevent Evil Maid problems would be that while the FDE is performed, the bootloader could call a second file that holds the decryption process/encrypted Master Key, and the second file is signed with a System Unique Private Key, while the bootloader or some other file is created with the corresponding Public Key. That way if the program that does the decryption is altered by The Evil Maid, the bootloader would detect it and request you restore it with the DVD backup that was made.
Obviously part 3 is a little over the top, and not completely possible, but it might give someone the idea for how to make it more secure from even Evil Maid everywhere.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2015-05-06
Hopefully 2015 will bring this feature! We are all standby waiting for this essential security ;)
Thanks a lot for bringing us Veracrypt!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2015-05-10
As UEFI/GPT support is essential going forward I would propose the possibility of seeking outside help.
By this I mean paying someone with experience/knowledge for a bit of their time to lay the foundation for a UEFI bootloader.
As for the mechanism I'd suggest perhaps setting up a gofundme or similar for Veracrypt bootloader development. I'd be happy to chip in a bit of money and I'm sure others would as well (as presently the only commercial software that has working UEFI bootloader support is Bestcrypt and they charge something like $100 for a single computer disk encryption only license [which only supports windows at that!]).
I've been reading up on UEFI internals/programming but free resources are scarce (and paid ones hard to find) and I feel that 6-12 months may be a conservative time table. With all respect to Mounir for his extensive work so far on this excellent piece of software, I don't feel the burden should be solely on him and I feel there is probably someone out there with the skills and an open source interest who might be willing to contribute their help at a reduced cost.
At any rate I think the value of this proposition speaks for itself considering the other paid contender in the market and their pricing.
In closing I find myself frustrated by the lack of progress on this front as it is something I desperately need. I don't blame Mounir in the least (having nothing but the greatest appreciation and gratitude for his work) and am sure I speak for many others who would never take the time to post here when I say that I would gladly pay for this feature. I have not paid the bestcrypt people because I believe in truly open source software and any software chained by licensing restrictions cannot be trusted in my mind.
P.S. Perhaps the subtext of any fundraiser could mention the project would be in essence a code-set for an open source secure UEFI bootloader (encryption stub?), which could help get other projects onboard and additional funding plus support and it would further give back.
P.P.S. It is something that I believe is best started sooner so it may be subject to cryptographic review as if I were an intelligence agency looking to backdoor encryption software something arcane like UEFI bootloader would be the place I'd seek to strike.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thank you for your feedback and your comments on the UEFI issue.
Indeed, an external help from people expert on this field would make things easier and I agree it should be done in a way so that other projects can benefit from it.
I have always communicated about the need of external help but so far I have received no offer. It is clear to me that people with such expertise prefer to earn money thanks to their knowledge instead of sharing it with the public. So, probably, having a budget to pay for the work of such UEFI experts will have more chances to succeed.
Concerning crowdfunding, my only concern is that the UEFI boot encryption is a technical feature that is not easily understood by non technical people and that may limit the chances of success of any funding campaign. So, it is important to come up with a description that would explain in easy words the importance of such feature.
I'm open to any help/proposal to help setup this.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2015-06-15
The crowd-funding can be explained in the context of the full system encryption. I think there are enough software engineers that are eager to get this feature and wouldn't mind donating $20 or $50. Do you have an estimate the time needed to finish this? Say 6 months or 1 year?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2015-06-20
Did you notice a fork of ciphershed implementing an initial version of EFI drivers and applications for EFI/GPT support ? some work seems to be needed on the OS driver side, but this initial work seems pretty competent.
Yes, I have been pointed previously to this work but because of lack of time I still didn't review it and play with the code.
There are many points that need to be finalized for the next VeraCrypt release planned on July but I'll definitely look at it to make an assessment and evaluate the work needed to have a working UEFI solution.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The only software that can encrypt on GPT file systems is BestCrypt. It's closed source though, so I'd rather utilize veracrypt. You've got 11 days left before the "12 month" mark from when you estimated implementation.
Any closer?
Last edit: Anonymous 2015-12-06
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Can I use Veracrypt to encrypt my Win 8.1 system partition if it is gpt - formatted? This was a limitation that truecrypt had, has Veracrypt addressed the issue in some way?
any chance to add gpt support in the future?
GPT support is on the top of the TODO list. It is a complicated feature to implement thus needing a lot of time. We hope to have it implemented between 6 and 12 months from now.
Hello again Mounir, if you have some time I just wanted to share some thoughts and ask about some more details about this issue, like some information about why is it actually so hard to design or implement such a feature. I was thinking that the process could actually be implemented in 3 steps, like:
1. Be able to create and manage non-system containers on gpt partitions. For this step you would not have to deal with boot loader at all. I think this is done.
2. Figure out how to encrypt the windows partition(s) and the boot process. The plural is because windows 8 need at least 2 more partitions in order to be installed and boot in uefi mode, and the update process to 8.1 may create one more.. Obviously the "efi system partition" cannot be encypted, but what about the "Ms reserved" and the other ones?
3. Leave secure boot and features like "create a hidden operating system with another passphrase" for the end, as most motherboards are shipped with a feature to disable secure boot, and most people need their main os encrypted, and dont care about having a decoy one.
Also, maybe this project could somehow benefit from refind boot manager or maybe even gummiboot? The whole process of uefi secure booting with encrypted luks and logical volume management inside it can achieved in linux in a various ways.
I'm sorry for the length of my post. Thanks for all your great efforts.
D.
Last edit: Mounir IDRASSI 2014-09-30
Thanks for the ideas.
Actually, the main difficulty comes from the fact that we have no expertise on GPT/UEFI and it takes time to build skills and knowledge on this field especially when you want to implement it for secure environments.
Indeed, there are many projects out there that support GPT/UEFI but it is on other contexts and their code can't be reused as it is.
Moreover, studying Windows 8 boot mechanisms and understanding its internals is no small task. Of course, you can't count on Microsoft documentation for this. Don't forget that it took TrueCrypt many years to have the kind of smooth system encryption that we have today.
If you or anyone reading this have technical know-how on this field, please don't hesitate to submit a patch or some code. For complex projects like VeraCrypt, it is essential that as much developers as possible collaborate to bring up new features like this because our small team has limited resources (we all have day jobs) and we manage development priorities in the best way possible.
yes a very important feature!
i hope you will add this feature very soon!!!! It's very important - how are the things going in the development of this features?
For now the development UEFI support is on standby. We are finalizing other features that we want to include in the upcoming 1.0f and also solving few issues.
Unfortunately we can't work on all the subjects at the same time and for now we are not receiving any help from the open source community. Hopefully with time, people with more expertise than us on UEFI will contribute implementations that would be helpful.
FYI, the difficulty is to find a way to intercept read/write operations at UEFI level in order to perform decryption/encryption operations on the fly while Windows is booting.
In BIOS mode, this is done through the interrupt INT13 which we filter to intercept read/write operations.
Did some research, just because I'd like VeraCrypt to support UEFI/GPT booting. Unfortunately I don't have the C and UEFI skills, nor the time or crypto experience to implement something atm.
I started from here which states the Windows Loader uses BLOCK_IO to read/write to disk. Note that this is just for the Windows loader and not for the UEFI Boot Manager, so if you want to encrypt the ESP Partition too you may have to intercept another I/O Path, or at least intercept as early as possible (afaik NVRAM variables specify UEFI Driver loading order, and drivers load before Boot Manager, but I didn't yet look how Boot Manager reads the ESP internally). Also I'm not sure from where to load VeraCrypt UEFI Driver in that case. From there on I informed myself about UEFI programming per se and UEFI driver programming (driver writers guide) especially.
The first way of filtering BLOCK_IO protocol I found was using ReinstallProtocolInterface, but that info mostly was from about 2008/2009 and was rather perceived a hacky and probably unreliable way of doing things (aka calling ReinstallProtocolInterface depends on being called from the driver itself).
The most interesting and possibly cleanest way is discussed in this thread on the EDK2 mailing list. Especially Micheal D Kinneys post looks interesting. He wrote a similar post half a year later, that has one or two details explained better IMHO.
After having a look at the True/VeraCrypt boot code it looks like the UEFI driver implementation could turn out quite a bit easier/nicer. I see your having a look at the DiskCryptor source code, so I'm not sure if this information is still a valid approach for you. Anyway, let me finish this post and say thank you for your invaluable contributions to the Open Source Community.
Thank you very much for your research and for sharing your results.
I really appreciate these valuable information. When I resume work on this, I'll let you know the results of my experimentation.
Thank you also for your kind words. I have benefited from other Open Source contributions and it is a minimum to give back part of that knowledge to the community so that others continue improving it. As I always say, sharing is living.
I hope you could add this feature as soon as possible - every new laptop now has uefi bios with gpt partion and windows 8.1 installed - in case of theft of laptop it would be a disaster as the os would not encrypted - the use of bitlocker is the only solution but it is avalaible only on the pro version of windows - the upgrade costs 160 eur and I think is too much for the use of only this feature - I really hope you can find all needed solution soon to include gpt os encryption - you would be the first indipendent tool to do that.
As far as GPT boot drivers encryption still isn't implemented and I respect Mounir's efforts. So yeah, it will be done when the time comes! But you can easily encrypt DATA drives/volumes formatted with GPT/NTFS. I've done it on all of my 2TB drives.
From what I can gather, the following pieces are key to making this feature possible:
1: File system de/encryption on the fly, making it so Windows doesn't know it's encrypted and it still able to read the files on the system by tunneling through Veracrypt. Already done for creating non-system partitions/containers, but of course would need some extra work for the entire OS to do it.
2: Creating a means for Booting the VeraCrypt Bootloader, which in turn would boot Windows. From what I've read up about EFI, all it would require is the creation of an efi boot file/program. I'm not very skilled in programming, but a good look at the boot code in Truecrypt might help figure out how it did background decryption on MBR systems. Of course, on systems with Secure Boot enabled, it would require getting the Bootloader signed.
3: A possible means to help prevent Evil Maid problems would be that while the FDE is performed, the bootloader could call a second file that holds the decryption process/encrypted Master Key, and the second file is signed with a System Unique Private Key, while the bootloader or some other file is created with the corresponding Public Key. That way if the program that does the decryption is altered by The Evil Maid, the bootloader would detect it and request you restore it with the DVD backup that was made.
Obviously part 3 is a little over the top, and not completely possible, but it might give someone the idea for how to make it more secure from even Evil Maid everywhere.
HI, there.
I just wanted to link this. As it might help to understand UEFI loopholes better:
http://events.ccc.de/congress/2014/Fahrplan/events/6129.html
The presentations are also recorded and can be reviewed here:
http://streaming.media.ccc.de/relive/
Hopefully 2015 will bring this feature! We are all standby waiting for this essential security ;)
Thanks a lot for bringing us Veracrypt!
As UEFI/GPT support is essential going forward I would propose the possibility of seeking outside help.
By this I mean paying someone with experience/knowledge for a bit of their time to lay the foundation for a UEFI bootloader.
As for the mechanism I'd suggest perhaps setting up a gofundme or similar for Veracrypt bootloader development. I'd be happy to chip in a bit of money and I'm sure others would as well (as presently the only commercial software that has working UEFI bootloader support is Bestcrypt and they charge something like $100 for a single computer disk encryption only license [which only supports windows at that!]).
I've been reading up on UEFI internals/programming but free resources are scarce (and paid ones hard to find) and I feel that 6-12 months may be a conservative time table. With all respect to Mounir for his extensive work so far on this excellent piece of software, I don't feel the burden should be solely on him and I feel there is probably someone out there with the skills and an open source interest who might be willing to contribute their help at a reduced cost.
At any rate I think the value of this proposition speaks for itself considering the other paid contender in the market and their pricing.
In closing I find myself frustrated by the lack of progress on this front as it is something I desperately need. I don't blame Mounir in the least (having nothing but the greatest appreciation and gratitude for his work) and am sure I speak for many others who would never take the time to post here when I say that I would gladly pay for this feature. I have not paid the bestcrypt people because I believe in truly open source software and any software chained by licensing restrictions cannot be trusted in my mind.
P.S. Perhaps the subtext of any fundraiser could mention the project would be in essence a code-set for an open source secure UEFI bootloader (encryption stub?), which could help get other projects onboard and additional funding plus support and it would further give back.
P.P.S. It is something that I believe is best started sooner so it may be subject to cryptographic review as if I were an intelligence agency looking to backdoor encryption software something arcane like UEFI bootloader would be the place I'd seek to strike.
Thank you for your feedback and your comments on the UEFI issue.
Indeed, an external help from people expert on this field would make things easier and I agree it should be done in a way so that other projects can benefit from it.
I have always communicated about the need of external help but so far I have received no offer. It is clear to me that people with such expertise prefer to earn money thanks to their knowledge instead of sharing it with the public. So, probably, having a budget to pay for the work of such UEFI experts will have more chances to succeed.
Concerning crowdfunding, my only concern is that the UEFI boot encryption is a technical feature that is not easily understood by non technical people and that may limit the chances of success of any funding campaign. So, it is important to come up with a description that would explain in easy words the importance of such feature.
I'm open to any help/proposal to help setup this.
The crowd-funding can be explained in the context of the full system encryption. I think there are enough software engineers that are eager to get this feature and wouldn't mind donating $20 or $50. Do you have an estimate the time needed to finish this? Say 6 months or 1 year?
Also doesn't linux support UEFI (https://help.ubuntu.com/community/UEFI, http://askubuntu.com/questions/244329/how-to-install-linux-on-a-computer-with-gpt)? You may want to check with people who implemented it for linux and seek their help.
Did you notice a fork of ciphershed implementing an initial version of EFI drivers and applications for EFI/GPT support ? some work seems to be needed on the OS driver side, but this initial work seems pretty competent.
see
https://github.com/f-n/CipherShed
Yes, I have been pointed previously to this work but because of lack of time I still didn't review it and play with the code.
There are many points that need to be finalized for the next VeraCrypt release planned on July but I'll definitely look at it to make an assessment and evaluate the work needed to have a working UEFI solution.
View and moderate all "Technical Topics" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
Do you know when this will be ready? Should I change into MBR? What disadvantages will I have then?
View and moderate all "Technical Topics" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
Not problem change GPT to clasic MBR in diskpart previnous instalation in command line...
help you :D ???
View and moderate all "Technical Topics" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
The only software that can encrypt on GPT file systems is BestCrypt. It's closed source though, so I'd rather utilize veracrypt. You've got 11 days left before the "12 month" mark from when you estimated implementation.
Any closer?
Last edit: Anonymous 2015-12-06
View and moderate all "Technical Topics" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
I'm waiting too..
Last edit: Anonymous 2018-01-26