Windows 11 UEFI/GPT manual DCS hidden OS works with auth USB, but decoy OS is plain. Possible to classic decoy/hidden behavior?

[Sara]

Hello,

I have a Windows 11 Home x64 machine using UEFI/GPT and VeraCrypt 1.26 manual DCS hidden OS flow.

Current state:

• Internal NVMe is GPT/UEFI.
• Normal/decoy Windows currently boots through the normal internal Windows Boot Manager.
• Normal/decoy Windows is NOT VeraCrypt system-encrypted.
• Hidden OS is installed on a separate partition and VeraCrypt system encryption completed successfully.
• I created the DCS/auth USB flow manually.
• Both authorization USBs now work.
• With the authorization USB, DcsBoot.efi accepts the H_OS password and boots the hidden OS.
• Without the USB, the machine boots normal Windows.
• The normal/decoy password does not work at the DCS prompt, which makes sense because normal Windows is currently not VeraCrypt-encrypted.

Important commands/results:

• gpt_enc and gpt_hid exist on the auth USB.

• DcsProp contains:
  SecRegionSearch=1
  SecRegionInfoDelay=3
  DcsBootForce=0

• The working auth USB was prepared with:
  DcsCfg.dcs -rnd 2 -ds <usbno> -srw 1
  DcsCfg.dcs -ds <usbno> -srm 1
  DcsCfg.dcs -pf gpt_enc -sra 0 -ds <usbno></usbno></usbno></usbno>

• Trying to use gpt_hid with -sra returned:
  GPT has to be encrypted

• After using gpt_enc with -sra, DcsBoot.efi accepted the H_OS password and booted H_OS.

Question:

My original goal is classic plausible deniability: one VeraCrypt/DCS boot prompt where:

• decoy password boots normal/decoy Windows
• hidden password boots H_OS

Is that possible with this EFI/GPT manual DCS setup?

If yes, is the correct next step to VeraCrypt system-encrypt the normal/decoy Windows first, then add its encrypted GPT/header/auth data to the same DCS security-region USB as another slot?

Which DcsCfg commands should be used for the decoy OS side, and which files should be used for the decoy slot?

I already have:

• full Rescuezilla image of the internal disk
• full-device image of both working authorization USBs

I do not want to continue writing to disk blindly.

Thank you!

[Mounir IDRASSI]

Yes, the EFI DCS mechanism can technically support this: one DCS prompt can accept either the hidden OS password or the decoy OS password, provided both OS entries have their own encrypted DCS/GPT package in separate security region slots.

Your current result is expected. A plain decoy Windows installation can't be accepted by the DCS prompt because there is no system encryption header for DCS to test. Also, gpt_hid being rejected with GPT has to be encrypted means it isn't the encrypted package to add with -sra. Use the encrypted package that already boots H_OS.

The decoy side must be created only after decoy Windows has been encrypted and the sector-62 system encryption header exists. At a high level:

1. Keep full sector level backups of the internal disk and authorization USB.
2. Boot the decoy Windows installation.
3. Encrypt the decoy Windows installation.
4. From EFI shell, capture the decoy GPT/package from the encrypted decoy disk:
   DcsCfg.dcs -dl d
   DcsCfg.dcs -ds <osdisk> -pf gpt_decoy_enc -ps
   DcsCfg.dcs -aa -pf gpt_decoy_enc -pe</osdisk>
5. Rebuild the authorization USB with two security-region slots:
   DcsCfg.dcs -rnd 2 -ds <usb> -srw 2
   DcsCfg.dcs -ds <usb> -srm 2
   DcsCfg.dcs -ds <usb> -pf <existing_encrypted_h_os_package> -sra 0
   DcsCfg.dcs -ds <usb> -pf gpt_decoy_enc -sra 1</usb></existing_encrypted_h_os_package></usb></usb></usb>

Use the decoy password/PIM/hash when running -pe for gpt_decoy_enc. If hidden and decoy use different PIM or hash settings, configure DcsProp so DCS asks for them or use matching settings.

Don't blindly apply -phide to the decoy package. The correct GPT view depends on the exact disk layout. If the hidden OS is on a separate visible partition or the layout differs from the standard DCS hidden-OS flow, the GPT view must be reviewed carefully before writing anything.