Windows Server 2016 Essentials
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
I am having this issue that I have been researching for a week now. I decided to post here to see if anyone has seen it before. I have Windows Server 2016 Essentials running and all. All four drives are encrypted with vericrypt (8 drives in RAID 1 arrays). In the server manager / file and storage services / volumes it only sees the C: drive. All other drives are listed as system favorates, but the volumes do not show up. This is causing an issue because when I use the Essentials Dashboard to add a user I cannot add any shares to their account. It is as if the three mounted drives don't exist, but they are still on the network as shares and work and in windows explorer. I originally set up this server and had no issue using the Essentials Dashboard to set up users and shares. I just receintly discovered this. Windows sees the drives, just not the mounted volumes. Any help with this would be appreciated.
Last edit: 1210 2018-08-28
I forgot to also mention that I recently upgraded from 1.21 to 1.22. Maybe a downgrade is in order?
You mentionned that you did not have a problem before. Does this mean the drives were already encrypted when it was working and after upgrading to 1.22 it does not work anymore?
Personally, I don't see how this could be caused by upgrade from 1.21 to 1.22.
Are you using VeraCrypt system encryption on this server?
I will try to see if I can reproduce on my side to analyse it.
Yes, I am using system encryption. It boots with the loader just fine while mounting the drives. I can access the drives through network shares and file explorer, but not through some of the windows system tools. I do believe I started out on 1.17 or 1.19. Worked fine to create the volumes and than use the Essentials Dashboard to create the shares and assign users permissions to them. It is also possible that a windows update caused this way before I realized it. I keep this server up to date within a week. I was adding a user so my Kodi device could access shares and I could not add permissions to each share. I found out that the shares are marked as "missing" in the dashboard, and the hard drives not listed either. I had to go to each share and put permissions manually. That is my only work around right now. I was tempted to try the beta, but when I realized I could not downgrade from 1.22 to 1.21 I decided not to try beta.
Thank you for these details.
My feeling is that Microsoft introduced some changes that make virtual drives like VeraCrypt ones not usable from system tools. A similar issue exist in Windows 10 with respect to the Windows defragmenter and I had to implement a specific workaround for it in 1.23-BETA.
In such situations, only a low level analysis can help find the root cause and so I will try to find time to setup a Windows Server 2016 machine to reproduce.
Yeah, I would love to help by giving you access to my system, but I won't for security reasons. I believe you can understand. I came to VeraCrypt from Diskcryptor. Diskcryptor is also an off shoot of TrueCrypt, but seems to be 4 years since any update has happened. With Diskcryptor, in Disk Management all the drives showed up as normal drives, as if not running encryption. Where as VeraCrypt always show as RAW. This idea might be useful, if possible to use.
The fix in 1.23-BETA for the defragmenter, is it only for the defragmenter? I would be willing to go to beta, but I am worried that it would make it worse and not be able to go back to stable.
I also noticed that the drives do not show up in the "Resorce Monitor" (the disk tab) that is opened from the Performance tab of the Task Manager. I am unsure if this is the same issue.
For your test I would suggest installing 2016 Essentials (or standard and install the essentials experience) before installing updates. Two hard drives, C: and another (I use X:). The second hard drive as a system favoriate. Encrypt system and second drive. Set up users and shares pointing at the second hard drive in Essentials Dashboard. Run windows update fully. You might also have an issue with updates. I have to download them from the catalog website owned by MS. Check the dashboard.
Maybe start with veracrypt 1.19 and update one by one to 1.21. I could also give you the installed updates I have, if that would help.
I did some testing of this last night. Starting with Server 2016 Essentials fresh install, auto updates turned off. Made sure dashboard saw both hard drives. Installed VeraCrypt 1.19. Encrypted C:. Dashboard still saw both drives. Encrypted Z: and added to system favorites. Dashboard no longer saw Z:. So, it obvously has nothing to do with any windows update. I than updated to 1.21, and still no Z: in dashboard. I was going to go to 1.20, but could not find the binary for install. I than went to 1.23-Beta8, still the same.
Something I did in the begining when I first set up the server made it so I could set up the dashboard. I remember installing windows, than VeraCrypt and immediately encrypting. Obvously I am wrong with that.
I have my test bed still and do not plan to delete, so if you need a tester, then I am here and won't break my current daily install. I can also go back to 1.19 easily, because it is a VM and I backed up the vhdx file.
Last edit: 1210 2018-09-05
I did noticed in 1.23-Beta8 that turning on the allow defragmentor on non-system drives causes the encrypted drives show up in "Resource Monitor" but just not in Server Manager or Essentials Dashboard.
Thank you for all your feedback.
I did a quick check on my side and it looks like Microsoft has made
changes in order to exclude virtual drivers like VeraCrypt volumes from
being accessed from certain disk related services (like Server Manager).
The workaround I did for defragmenter consisted of answering a disk
specific message by returning a "fake" physical disk ID that is equal to
the ID of the underlying disk. This proved to be enough for the
defragmenter but it is not enough for the other advanced services which
requests physical disks properties that we can not answer from within
VeraCrypt driver.
I'm not sure if a solution exists for such Windows change. The only real
way would be a complete rewrite of VeraCrypt driver in order to behave
like an SCSI adapter so that VeraCrypt volumes are seen by Windows like
real SCSI disks. This is no small feat and it comes with huge technical
challenges.
The only intriguing point is that you seem to have made it work somehow
when you installed the server the first time. This would mean there is
or there was some kind of workaround for this. Not easy to find out
without further clues.
I do believe that it worked just fine when setting up, but than I could be wrong. I could have possibly set up everything unencrypted than encrypted. I don't totally remember every detail.
I am unsure of what further clues you would need.
And also I did point out that I do not have any updates on this VM.
Last edit: 1210 2018-09-08
If it is any useful, I can send the link to the other disc encryption software I mentioned. It is GPLv3 licensed.
Last edit: 1210 2018-10-16
@Mounir IDRASSI Thank you for your check!
I'm having exactly the same issue. As I read your text it means there won't be any solution or at least workaround for this problem?
I wonder why there are not more people who have exactly the same. How do you guys encrypt your Windows Servers? Do you have any recommendation?
Last edit: krzfx 2018-12-25
I don't think it is that they don't encrypt their servers. I think it is that they don't use Essentials Experience. Honestly, there really isn't any reason to go and add support for it anymore. It has been deprecated in Server 2019. So, it is going to go away,
It is also possible it might be worth it, given the following dates from Microsoft.
Windows Server 2016
Release Date:October 15, 2016
End of Life:January 11, 2022
Extended Support:January 11, 2027