Use of veracrypt and bitlocker at the same time + other questions

Thor
2019-03-15
2019-03-17
  • Thor

    Thor - 2019-03-15

    Hi,

    Sorry to ask this question here, but I can't find the answer anywhere else, and there are actual tutorials or reviews which say to use both (in an evasive way).
    So I would like to know why the use of VeraCrypt or BitLocker annihilates the effort of the other.
    Would it not be doubly encrypted?

    Are they incompatible together? From what I've seen, BitLocker encryption first and then VeraCrypt (on a system drive) just doesn't give BitLocker the possibility to contact the TPM device, so you need to type in the recovery key each time.

    Is VeraCrypt compatible with a TPM 2.0 device like BitLocker is? I really wanted to use my TPM device, even if I know, as I read a few days ago, how to decrypt a drive encrypted with TPM and BitLocker.
    I've seen in another post that it was compatible with TPM 1.2 and Secure Boot, but apparently you need to enter the key for Secure Boot?
    Is VeraCrypt compatible with the hardware encryption system of SSDs like BitLocker is? I also know that it has been breached.

    How do I remove the VeraCrypt bootloader? Is it automatic when I permanently decrypt the system drive?

    Any links to any reference or previous post (as I continue scrolling through the forum posts), or if you want to advise me against something with any references, are welcome... I don't know yet how I'm going to encrypt this device; I'm already using containers with VeraCrypt, but if VeraCrypt doesn't support my hardware I would gladly use BitLocker to use the full potential of the hardware first...
    Anyway, any thoughts and technical recommendations would be appreciated.

    Thanks in advance

  • Alex

    Alex - 2019-03-16

    Too much... general notes:
    There are two ways to make trusted boot (different concepts); it is possible to use both.
    1. Measured boot via TPM, based on the BIOS and TPM chip (changed boot sequence => it requests a key to unlock BitLocker).
    2. Secure Boot, based on RSA certificates in the EFI BIOS.

    About VeraCrypt: it is a good open source project and the only cross-platform FDE in progress for now => with limited support and resources.
    About BitLocker: a closed source MS tool. A good commercial product from the largest software company.
    The choice is up to you.

    There is experimental support for TPM 2.0 in VC, but due to little interest in the feature from the community it was not tested. Details in dcs_tpm_owner: https://sourceforge.net/projects/dc5/files/beta/


    Last edit: Alex 2019-03-16
    • Thor

      Thor - 2019-03-17

      Okay, so sorry, I'm going to summarize because I didn't understand everything.
      I didn't understand the "too much ... general notes".

      Why did I read that the use of one would circumvent the effort of the second (when used at the same time)?
      Is it possible to use BitLocker and VeraCrypt at the same time for full system disk encryption?
      If you encrypt first with BitLocker and then VeraCrypt, then boot.sqm can't connect to the TPM anymore (from what I've seen in the Event Viewer log), and so BitLocker will ask for the recovery key at each boot after the VeraCrypt screen.
      I don't know what happens the other way around, but since VeraCrypt adds its files to the bootloader, I guess it is impossible to put BitLocker first (by encrypting the device last with BitLocker and first with VeraCrypt)?

      From what I understand of your message and its subtitles:
      I've understood that the TPM isn't really about encrypting the drive but more about secure boot. I understand that. Unfortunately I don't have Secure Boot on this mobile device, since it's from a small startup and the BIOS doesn't include that, for the moment at least; that's why it would be great to use the TPM. And I totally understand why EFI RSA and TPM are compatible and can both be used.

      In the meantime, I wanted to link this: https://pulsesecurity.co.nz/articles/TPM-sniffing about how to crack BitLocker with TPM 2.0 and TPM 1.2. This is one of the ways, since there are other GitHub sources on how to crack BitLocker, even if all those solutions require a lot of resources in time, money (sometimes) and knowledge.

      • Alex

        Alex - 2019-03-17

        Usage of both tools simultaneously was not tested. Your experience is interesting. I'll just try to explain the behavior.

        "Is it possible to use BitLocker and VeraCrypt at the same time for full system disk encryption? If you encrypt first with BitLocker and then VeraCrypt, then boot.sqm can't connect to the TPM anymore (from what I've seen in the Event Viewer log), and so BitLocker will ask for the recovery key at each boot after the VeraCrypt screen."

        It is normal: VC is executed before the BitLocker key is retrieved from the TPM => PCRs with wrong values => BitLocker cannot get the key from the TPM => it requests the recovery key.
        Probably if you encrypt with VC first and then BitLocker (reset the TPM before BitLocker encryption and take ownership) it might work, but it depends on Windows logic: Windows can lock the PCRs without the VC loader in the boot chain.

        "General notes": I just tried to explain two different ways to create "trusted boot" (no untrusted code executed before the OS loader).
        1. Measured boot: the TPM/TCG way (see https://trustedcomputinggroup.org/).
        2. Secure Boot: an EFI feature. It is based on RSA signatures in loaders and certificates in the BIOS.

        Another problem is authorization. See https://en.wikipedia.org/wiki/Multi-factor_authentication. The best way (possible to create for now): (PIN/password: the "what I know" factor) + (TPM + USB/SC: the "what I have" factor) + biometric identification (fingerprint before login).

        Note: the TPM is a good addition, but on its own it is not the strong way.
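The PCR behaviour Alex describes above (the VC loader runs before BitLocker retrieves its key, the PCR values no longer match, so BitLocker falls back to the recovery key) and the measured-boot concept from his earlier "general notes" post, as an added example that is not part of the original thread and is not VeraCrypt or BitLocker code: a Python model in which one SHA-256 PCR is extended by each boot component and a "volume master key" is sealed to the resulting PCR value. The PCR extend formula is the real TCG one; the seal/unseal routine, the KDF label and the boot-chain strings are constructed for illustration, and the model collapses BitLocker's multi-PCR policy into a single register.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one register of a SHA-256 PCR bank


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(component)).

    Extends are order-dependent and only a platform reset clears the
    register, so inserting an extra loader in front of the Windows Boot
    Manager changes every value measured after it.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure a boot chain into one PCR, starting from the power-on zero value."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Constructed model of TPM sealing against a PCR policy.

    A key-encryption key is derived from the PCR value the secret is sealed
    to; a real TPM refuses to release the secret unless the live PCRs match
    the policy, which this model approximates with an HMAC check.
    """
    assert len(secret) == PCR_SIZE, "model keeps the secret one block long"
    kek = hashlib.sha256(b"constructed-seal-kdf|" + expected_pcr).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, kek))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, live_pcr: bytes):
    """Return the secret if the live PCR matches the sealing policy, else None."""
    kek = hashlib.sha256(b"constructed-seal-kdf|" + live_pcr).digest()
    expected_tag = hmac.new(kek, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # policy mismatch: BitLocker would prompt for the recovery key here
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], kek))


# Constructed boot chains; the strings stand in for the measured code images.
BITLOCKER_ONLY = [b"firmware", b"Windows Boot Manager", b"winload"]
VERACRYPT_THEN_BITLOCKER = [b"firmware", b"VeraCrypt EFI loader",
                            b"Windows Boot Manager", b"winload"]


def tpm_unlock(sealed_vmk: dict, boot_chain) -> str:
    """Boot the given chain and report what the TPM does with the sealed VMK."""
    vmk = unseal(sealed_vmk, measure_chain(boot_chain))
    return "unlocked" if vmk is not None else "recovery key"


def simulate(vmk: bytes) -> dict:
    """Run the scenarios discussed in the thread."""
    sealed_without_vc = seal(vmk, measure_chain(BITLOCKER_ONLY))
    sealed_with_vc = seal(vmk, measure_chain(VERACRYPT_THEN_BITLOCKER))
    return {
        # BitLocker alone: measurements match the policy, no prompt
        "bitlocker_only": tpm_unlock(sealed_without_vc, BITLOCKER_ONLY),
        # BitLocker sealed first, VeraCrypt loader added afterwards (Thor's case)
        "veracrypt_added_later": tpm_unlock(sealed_without_vc, VERACRYPT_THEN_BITLOCKER),
        # VeraCrypt first, then BitLocker sealed with the VC loader already in the chain
        "resealed_with_veracrypt": tpm_unlock(sealed_with_vc, VERACRYPT_THEN_BITLOCKER),
        # ...which breaks again the day the VeraCrypt loader is removed
        "veracrypt_removed_later": tpm_unlock(sealed_with_vc, BITLOCKER_ONLY),
    }


if __name__ == "__main__":
    demo_vmk = hashlib.sha256(b"constructed volume master key").digest()
    for scenario, outcome in simulate(demo_vmk).items():
        print(f"{scenario}: {outcome}")
```

The point the model makes is that neither tool "breaks" the other's cryptography: the recovery-key prompt is the measured-boot policy working as designed, because the chain it was sealed to no longer matches. It also shows why Alex's suggested order (VC first, then seal BitLocker to the TPM) can work and why any later change to the boot chain, in either direction, reintroduces the prompt.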
