OK, good result. I'd recommend backing up the original volume via "dd". https://sourceforge.net/p/dc5/tickets/5/
Rebuild. Main idea: the image contains sectors, encrypted sectors have high entropy; possible ops: login, decrypt, save.
At the end of the week I will try to update to the latest VC. Note: dcsfv's main goal is to find volumes; for files used as VC containers it might not be useful.
The dcsfv tool scans an entire disk or image. I'd recommend backing up the disk to a new image via the "dd" tool, then scanning the image file. Scan has two modes: "slow" tries to authorize; "fast" checks the entropy of a sector. To rebuild, unpack the newer version of VC and dcsfv, then build.
Source attached, as is. To build: VS2015.
Experimental support of TPM was added. https://sourceforge.net/projects/dc5/files/beta/dcs_tpm_owner_02.pdf/download
Your system uses EFI boot. See details about the EFI boot loader (DCS). Multi-boot and hidden OS are possible, but whole-drive encryption is not possible because of the ESP.
DCS is used by the VC project almost without modification till now. It was frozen because of no interest from the community.
The DcsFV tool can help in complex recovery cases to find a valid header or decrypt data via the backup header: https://sourceforge.net/projects/dc5/files/beta/
See the DCS project (it is used by VeraCrypt as the EFI loader): https://sourceforge.net/projects/dc5/files/beta/ There are: 1. Picture password. 2. Possibility to select video mode. DCS configuration is in DcsProp. The current DcsProp is on the ESP in EFI\VeraCrypt. PS. This is not a "one button solution" but enough for personal use.
In general I agree, but there is a note. It is possible to hide a hidden OS (even from low-level HDD tools) but it requires serious effort and does not work out of the box. The idea is the same: hide one activity inside another activity.
Have you created a rescue USB? It is possible to boot from the USB and restore the boot loader. Other way: it is possible to boot from any MS Windows boot disk and restore the loader via the bootcfg tool.
In the pwd prompt, the VeraCrypt loader should skip the authorization check and return to the next loader. If you see the BIOS it means there are no other loaders. What version of VeraCrypt do you use? The latest version of VeraCrypt updates the MS loader to solve a compatibility problem. It can cause your problem. It is possible to start the original MS boot loader from the EFI shell if it is present.
The DcsWinCfg tool can overwrite the header of a file container. Main header with keys: sector 0. Backup of main header: end of file minus 256 sectors. Hidden volume header: sector 128. Backup of hidden volume header: end of file minus 128 sectors. Just write these sectors with random data.
The DcsWinCfg tool can overwrite the header of a file container. Main header with keys: sector 0. Backup of main header: end of file minus 256 sectors. Hidden volume header: sector 128. Backup of hidden volume header: end of file minus 256 sectors. Just write these sectors with random data.
press <Esc>
Both are possible with the EFI boot loader. Note 1: if the VeraCrypt loader is installed, an encrypted decoy OS has to be present (to prove use of the loader). Note 2: to avoid the password prompt, use "AutoLogin=1" and "AutoPassword=..." in the DcsProp file. Note 3: to enter the password for the hidden OS, use an external USB with keys (the prompt is shown if the USB flash is connected).
Hidden volume and hidden OS use the same idea: encrypted data inside encrypted data is impossible to distinguish. The idea is good but requires extra steps to use and good knowledge of what data will be protected and who will try to attack the data. "A suspicion or guess is not enough" - it depends on the place and who asks. In some countries it is necessary to prove that there is no hidden encrypted data (IMHO e.g. UK). E.g. to prove "real" data: timestamps of files accessed and marks of the region written. About SSD -...
Hidden volume is good technology but it is not as simple to use as plain encryption. Plausible deniability is the main complex part. 1. The outer volume has to contain real data to prove. 2. Several hidden volumes in a single outer volume can also help. 3. Probably SSD is not a good choice because it contains counters for sectors written => it is possible to guess the region used. Note: it is possible to improve protection but there is no interest in the DCS project from the community.
DCS contains the DcsWinCfg tool. The tool can create headers for an encrypted volume and position the encrypted range at any place in the volume.
No. It can be a TODO for the next release of DCS.
There is a discussion: https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/ Docs: https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/10df/attachment/HiddenOS.pdf https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/e4ee/attachment/Veracrypt%20hidden%20OS%20on%20EFI%20for%20dummies.pdf https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/c278/d6f9/attachment/EFI_hiddenOS_v2.0.pdf
DCS is the EFI boot loader for VeraCrypt, but some features of DCS were not tested in the latest version of VeraCrypt. So you can use either project.
The only possibility supported for now is the password cache. It is possible to save 4 passwords to the security region (SR) on USB. To auto-login Windows: there is little interest from the community in the DCS project. Single sign-on is a convenient professional feature. It needs a custom login UI to be implemented.
It is possible. See details about EFI hidden OS on the forum.
It is EFI boot. Just unpack it to a FAT-formatted USB.
System encryption is possible with key files on an external USB. See the EFI hidden OS discussion on the forum. There are several guides. It is a long story.
Try to remove dcsinfo.dcs if EFI boot. dcsinfo is on the ESP, path EFI\VeraCrypt; to mount the ESP: mountvol /s
Usage of both tools simultaneously was not tested. Your experience is interesting. I just try to explain the behavior. "Is it possible to use BitLocker and VeraCrypt at the same time for full encryption of the system disk? If you encrypt first with BitLocker then VeraCrypt, then the boot.sqm can't connect to the TPM anymore (from what I've seen in the event viewer log) and so BitLocker will ask for the recovery key at each boot after the screen from VeraCrypt." It is normal - VC is executed before BitLocker...
Too much... General notes: there are two ways to make trusted boot (different concepts); it is possible to use both. 1. Measured boot via TPM, based on BIOS and TPM chip (a changed boot sequence => it requests the key to unlock BitLocker). 2. Secure Boot, based on RSA certificates in the EFI BIOS. About VeraCrypt: it is a good open source project and the only cross-platform FDE in progress for now => with limited support and resources. About BitLocker: closed source MS tool. Good commercial product from the largest software...
General notes: there are two ways to make trusted boot (different concepts); it is possible to use both. 1. Measured boot via TPM, based on BIOS and TPM chip (a changed boot sequence => it requests the key to unlock BitLocker). 2. Secure Boot, based on RSA certificates in the EFI BIOS. About VeraCrypt: it is a good open source project and the only cross-platform FDE in progress for now => with limited support and resources. About BitLocker: closed source MS tool. Good commercial product from the largest software company. To...
BMP - yes, the only format. Size depends on the video mode. To check: EFI\VeraCrypt\PlatformInfo
ESP (EFI System Partition), directory EFI\VeraCrypt. To assign a letter from an admin cmd: mountvol /S. Details in DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/
TODO: probably it is necessary to add a parameter to DcsProp to control the delay.
It is possible to fit the speed of the YubiKey.
Hidden volume: encrypted data inside other encrypted data (main idea). Note: it is possible to create many hidden volumes inside one normal :) It is up to you.
It is possible with EFI and an SR defined. See "dcscfg -pwdcache". It is possible to save 4 passwords in the SR.
For the DCS EFI loader: 1. You can select the video mode. 2. You can use a picture password. See DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/
Probably yes (if sector 62 of the system disk is not changed). Try the portable version of VC and mount with the option "mount partition using system encryption without preboot authentication".
Probably this can help:
<!-- AutoLogin 0/1 Possibility to avoid password prompt. AutoPassword is password by default. Use it with PlatformLocked or TPMLocked enabled to lock password to the computer. -->
<config key="AutoLogin">0</config>
<config key="AutoPassword"></config>
See DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/
Probably a version 1.23 problem. v1.23 updates the bootloader and renames the original Windows loader (bootmgfw.efi): DcsBoot.efi => bootmgfw.efi, DcsBoot.efi => bootx64.efi. To solve: execute the backup of bootmgfw.efi.
It uses the same TPM pwd as Windows to share the TPM. Create the TPM pwd manually in Windows. See https://sourceforge.net/projects/dc5/files/beta/dcs_tpm_owner_02.pdf/download
Do F5, F9, or F7 work? (F2 - it might be a keyboard problem.) Can the touch screen be configured?
What version of VC do you use? The latest I did not test.
<your pwd><F2> - (without <enter>). It has to ask new pwd.
<your pwd=""><f2> - (without <enter>). It has to ask new pwd.</enter></f2></your>
There are special keys: F2 - change password: enter the old pwd and press F2 (instead of Enter). F5 - show pwd. F7 - pwd platform locked: pwd mixed with the serial of BIOS, MB etc. F8 - TPM locked: pwd mixed with a key from the TPM if configured. F9 - smart card locked: TODO :) Note: it is possible to change via picture pwd.
I wrote about the problem because I know how to solve it, but for me personally it is not vital. I share my ideas and code with the community; if someone can continue, welcome to do so.
In general the current way of "what I have" authorization factor is enough in VeraCrypt. Main reason: the keys for data encryption are in general system memory (to encrypt the disk) => e.g. the Spectre bug to get the keys. To improve, special hardware support is required, but it can be optional and trusted for hardware manufacturers if there is interest.
EFI loader - it's possible. DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/ <config key="PasswordTimeout">0</config> Or use an external USB with a key. The pwd prompt is displayed if the USB is connected.
VeraCrypt is an old and complex project. It requires regular work, but the current situation is slow, step by step according to resources. Performance problem: several months of full-time work (research, PoC, beta, release).
It is included.
It is possible. See DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/ <config key="AutoLogin">1</config> <config key="AutoPassword">Pwd</config> Note (optional): check the TPM setup to save the key and lock it to PCRs.
To decrypt the header the only secret (password) is used. The header is encrypted by the same cipher cascade as the data. Agree - the keys in the header are independent.
VeraCrypt uses independent, unrelated keys for chained cipher modes. It is correct for data encryption but for the header...
I wouldn't call it a performance problem. Your hardware is powerful. It can be a problem for Atom-based computers. I just note there is a possibility to improve. DiskCryptor: agree, it is outdated, but it is well optimized for Windows and partition encryption. I made the UEFI loader for VeraCrypt because it looks like the most dynamic project. Multiple chained ciphers: let's imagine ciphers = locks, password = key for the lock; if one lock is broken and gives the possibility to get the key => the key is the same for the other locks...
Interesting results. The performance problem is known. The Windows driver is not very efficient. E.g. DiskCryptor does not contain an intermediate level because it encrypts partitions (not file containers). Note: multiple ciphers in one chain is not stronger (to decrypt, one secret is used (pwd)). Choice - up to you.
Details of the EFI bootloader options are in DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/
For EFI it is possible to use a picture password. It contains a vector font. It is resizable. One more: the resolution can be selected via DcsProp. The list of possible resolutions is in ESP \EFI\VeraCrypt\PlatformInfo or via "DcsCfg -gl".
Almost done. To locate the block device with keys a special mark is used. The mark is in sector 61 of the block device with keys (SR). The mark is unique for the computer (based on BIOS serial etc.). I guess a wrong mark or multiple marks are present.
In theory the problem can be solved partially via a TPM boot chain (PCR based) or ARM TrustZone, but there is no interest from the community. IMHO.
D_ESP. Logic of the boot loader: 1. It is started from D_ESP (according to the EFI boot menu (bootorder)). 2. It loads DcsProp from D_ESP. 3. If SecRegionSearch is selected => search for block devices marked by "DcsCfg -srm". 4. If the device is found => check for DcsProp in the security region => load and update parameters according to the DcsProp found. 5. Authorization...
Hello alfie mr, see the demo DcsProp: https://sourceforge.net/projects/dc5/files/beta/DcsProp.example/download
It is possible to execute the original backup loader from the ESP (not USB). Try to locate fsN: with the EFI folder.
Version 1.23 updates bootmgfw. Check the efi\veracrypt folder on the ESP to select the original Windows loader.
dcsfv_03 is the latest and the most stable. cfg is different. Detect - probably yes, but I prefer to use dcsfv.
To execute the EFI shell, copy it to the rescue disk as efi\shell\shell.efi (download it from tianocore: https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64 ). Note: disable Secure Boot.
To boot Windows, execute efi\microsoft\boot\bootmgfw.efi from the ESP (via the EFI shell or any other loader). Note: version 1.23 can back up and replace the original bootmgfw. Check it.
Press ESC to bypass the password. Remove the loader from the boot menu via the rescue disk.
Hi Arashster, probably it is better to save results to a file (not the entire volume). Check the contents. It has to be regular (not random) => data is decrypted correctly. The next step is to locate the boundaries of the encrypted data (note: data might be encrypted several times). Do you use dcsfv_03.zip?
Probably yes. See the DcsFV tool. It can decrypt/encrypt any sector ranges, any number of times, and saves the results to a file.
In theory it is possible to implement for EFI boot systems. Notes: 1. Linux can create a headerless crypto container. 2. The EFI boot manager can start any loader (e.g. kernel + initrd) from the hidden volume. TODO ;)
If the sectors with keys are not damaged, the data can be recovered.
Do you mount as a system drive? VeraCrypt is rather stable. It updates the header with keys during the encryption process.
Hi Miguel, the header of an ordinary volume is in sector 0 and the backup is in (total sectors - 256). The header of a hidden volume is in sector 128 and the backup is in (total sectors - 128). To check the header I wrote the DcsFV tool, but it is for Windows. Note: size of header - 512 B. The header contains keys for sectors. The header is encrypted by password, PIM (and keyfile if it is used). Regards, Alex
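An added example (not DcsFV's or VeraCrypt's own code) that applies the header layout given in the posts above, plus the "fast" entropy idea of the dcsfv scan: it computes the four header offsets for a container of a given size and reports whether each header sector looks encrypted, zeroed, or plain. The container image and the 7.0-bit threshold are constructed assumptions for the demo.

```python
import math
import random
from collections import Counter

SECTOR = 512  # header size per the post; offsets are in 512-byte sectors


def header_offsets(total_sectors):
    """Byte offsets of the four VeraCrypt header copies, per the posted layout:
    main: sector 0; hidden: sector 128; main backup: total-256; hidden backup: total-128."""
    if total_sectors < 256:
        raise ValueError("volume too small to hold backup headers")
    return {
        "main": 0,
        "hidden": 128 * SECTOR,
        "main_backup": (total_sectors - 256) * SECTOR,
        "hidden_backup": (total_sectors - 128) * SECTOR,
    }


def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(data, threshold=7.0):
    """'zero' if wiped with zeros, 'encrypted' if high entropy, else 'plain'.
    Assumption: 512 uniform random bytes measure about 7.6 bits empirically
    (the 512-sample ceiling is below 8), while text/FS structures stay well under 7."""
    if not any(data):
        return "zero"
    return "encrypted" if shannon_entropy(data) >= threshold else "plain"


def check_headers(image):
    """Classify the sector at each header position of an in-memory container image."""
    total_sectors, rem = divmod(len(image), SECTOR)
    if rem:
        raise ValueError("image size is not a whole number of sectors")
    return {name: classify_sector(image[off:off + SECTOR])
            for name, off in header_offsets(total_sectors).items()}


def sample_image():
    """Constructed 1 MiB 'container': pseudo-random bytes stand in for ciphertext,
    and sector 0 is zeroed to mimic a damaged main header (backups stay intact)."""
    rng = random.Random(1234)
    img = bytearray(rng.getrandbits(8) for _ in range(2048 * SECTOR))
    img[0:SECTOR] = bytes(SECTOR)
    return bytes(img)


if __name__ == "__main__":
    for name, state in check_headers(sample_image()).items():
        print(f"{name:14s} {state}")
```

A real recovery would run the same classification over a dd image and then try the backup header (the DcsFV "decrypt via backup header" case) when the main header reads as zero or plain.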
Hi Wes, the EFI specification contains a USB protocol, but some BIOS developers can limit the drivers to support media only. See UsbScTransmit in EfiUsb.c (it sends an APDU), but on my old laptop it does not work. This is one of the reasons I stopped the development. OpenSC is good reference code, but it might need some internals from the SC manufacturer. Regards, Alex
Hi Wes, DCS contains experimental code to test the low-level API of a smart card at APDU level (see "DcsCfg -scapdu"). (DCS is the EFI bootloader for VeraCrypt.) General PKCS#11 is too complex IMHO. If there is interest from a card manufacturer it might be possible to add support for one card type to start. Regards, Alex
The most important: UEFI requires an ESP (EFI System Partition) to boot => full disk is not possible. To boot Linux there are many scenarios. 1. Press ESC at the pwd prompt - the next boot item is executed. 2. Configure DcsProp to execute a loader (grub): <config key="ActionFailed">Exit</config> 3. See the demo at https://sourceforge.net/projects/dc5/files/beta/ ; it shows a more complex scenario.
There is an exception. It is possible to specify 3 passwords in the SR for hidden OS. See "dcscfg -pwdcache".
There is a man page for DcsCfg and several docs about hidden OS install. https://github.com/veracrypt/VeraCrypt-DCS/blob/master/DcsCfg/DcsCfg.man Discussion of HOS: https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/ Docs: https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/e4ee/attachment/Veracrypt%20hidden%20OS%20on%20EFI%20for%20dummies.pdf https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/c278/d6f9/attachment/EFI_hiddenOS_v2.0.pdf ht...
Hi voja1, TPM 2.0 is implemented but not tested (I do not have the equipment). The following configuration is tested with TPM 1.2: 1. Hidden OS. 2. HDD key on external USB. 3. The USB contains extra passwords (up to 3) to mount the data volume. 4. The HDD key and extra passwords are encrypted by the system password, TPM secret, USB and BIOS id (serials). 5. Secure Boot enabled in custom mode. I did not write extra docs because of very little interest in the problem (even Quarkslab during the audit did not have questions). page...
Hi petitlou60, the source of the problem: the EFI in some notebooks does not work according to the spec. I suggested a (temporary) solution: https://sourceforge.net/p/veracrypt/discussion/technical/thread/d2987c18/#5098 Unfortunately a better way was not found. Mounir decided to integrate the solution in BETA2 (to test). Probably this solution has to be optional.
Hidden OS logic is different. The partition and file to be executed are saved in the SR of the HOS booted. You can edit the path via "dcscfg -pexec" (select the SR with "-pf" and do not forget to save with "-ps"!).
There is a possibility: PicturePassword (touch zones to enter the password like on a mobile phone). Have you tried this? Details in DcsProp. Demo: https://sourceforge.net/projects/dc5/files/beta/
I wrote the DcsFV tool. It can help to decrypt/encrypt any data any number of times and save the result.
Try v1.23 or follow the HP notebook install guide.
No. It is the suffix of the files created. Each file is a region. Do not forget to select the volume with the SR (-ds <n>).
What version of VeraCrypt do you use? Probably it is necessary to select the correct Windows loader in DcsProp. See <config key="ActionSuccess">File(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config> Details in DcsProp.example: https://sourceforge.net/projects/dc5/files/beta/
Yes. See "dcscfg -srdump". It saves the regions to a set of files. The region with the GPT can be decrypted ("dcscfg -pd").