DavidXanatos / DiskCryptor

A fork of the DiskCryptor full disk encryption tool
https://www.diskcryptor.org/

Instructions for using SecureBoot shim? #45

Open trias702 opened 2 years ago

trias702 commented 2 years ago

Could I please trouble you for some detailed instructions on how to use the bootloader shim to enable DiskCryptor to work with SecureBoot enabled? Where can I download/create the shim? How do I correctly use it to install the DiskCryptor Bootloader?

I have already read the article here: https://habr.com/ru/post/446238/ And seen the GitHub page here: https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

But neither of these seem to indicate where/how to get the shim itself, and there are no instructions on how to correctly use it with DiskCryptor once you have it.

Also, I note that after installing DiskCryptor on my Win10 system, if I go to Tools -> Config Bootloader, then select a Drive, and I check the box for "Install shim" then the "Select path to file" box does NOT activate, meaning that whether or not the Install shim box is checked, the path selector never activates. Is this a bug or by design? It appears to me that you cannot use a shim anymore even if you have one, because the dialog box to point to the shim file cannot be activated no matter what. Is this working as designed?

DavidXanatos commented 2 years ago

Why not just disable secure boot?

Here you have the required shim zips

shim_ia32.zip shim_x64.zip

It should work but no guarantees of any kind, total failure is always an option. Keep a backup on hand and a deity of your choosing on speed dial ;)

trias702 commented 2 years ago

Thank you kindly for the quick reply!

But how can I use these, as I mentioned in my OP, the file selector box (in the config bootloader menu) never activates (it always remains grey), even when I check the "Install shim" checkbox. So I have no way to get DiskCryptor to point to the shim.

DavidXanatos commented 2 years ago

Ah... that should work when you put the zips in the installation directory where DCrypt.exe lies

trias702 commented 2 years ago

I'm afraid that didn't work. I already have DiskCryptor (and the driver) installed on my box. I downloaded both zips and placed them in the install directory, where dcrypt.exe lives.

However, the file selector remains greyed out, even after checking the "install shim" checkbox. I have tried restarting DiskCryptor.exe and rebooting my box, but neither fixes the issue.

DavidXanatos commented 2 years ago

hmm... for me that works, strange... First select the drive then check the check box, then click install bootloader and that should be all you need to do

trias702 commented 2 years ago

Wait, so I don't need to use the "Select path to file" box at all?

All I need to do is select the disk, click the "install shim" checkbox, and then click install bootloader and I'm done? I do NOT need to use the "select path to file" box to point to the correct shim file?

If that is true, and I can leave the "path to file" box empty, how will DiskCryptor know which shim zip file to use, the x64 vs the ia32 one?

DavidXanatos commented 2 years ago

yes, it will pick the right one based on the OS bitness you are using

trias702 commented 2 years ago

Okay, thank you, I will try it out later today.

One last question: given it appears quite easy and straightforward to use the shim (just put the zip file in the install directory), I'm curious to know why you haven't been including the shim files as part of the normal installer? Put in another way, what is so dangerous and unreliable about using the shim (putting aside all standard warnings about Beta software)?

If I choose to use the shim, and it appears to work on a day-to-day basis, what could potentially disrupt that? A new update for Windows for example? Or something else which could possibly torpedo me?

To answer your earlier question, I do not wish to disable Secure Boot because I like the security feature it provides, namely that it becomes much more difficult for bootkits/rootkits to install malicious payload.

DavidXanatos commented 2 years ago

Well, the shim disables all security anyway; it's a carte blanche solution, no better than disabling Secure Boot outright. Also, systems with Secure Boot enabled put higher limitations on what drivers they load, so without some registry trickery Windows may not want to load the driver, resulting in a non-bootable system.

trias702 commented 2 years ago

Got it, thank you.

I had no idea that the shim basically just disables Secure Boot. And here I thought I could have the best of both worlds by using the shim: Secure Boot rootkit protection and the ability to use DiskCryptor, at the same time. Sadly this doesn't appear to be the case.

DavidXanatos commented 2 years ago

Well, Linux supports Secure Boot properly, so you could set something up with GRUB and a custom certificate to have Secure Boot and DC

frubart commented 1 year ago

> Well, Linux supports Secure Boot properly, so you could set something up with GRUB and a custom certificate to have Secure Boot and DC

Could you please elaborate on how to do this? I'd like to set up Windows 11 with DC and Windows 7 (could stay unencrypted) in dual boot on the same disk, both in UEFI mode with secure boot (which Microsoft added to Windows 7 recently).

dartraiden commented 8 months ago

You can do without the shim and other third-party bootloaders, with the DC bootloader only.

It is assumed that you have already deployed the DC bootloader ("Install loader" button).

```
diskpart
list disk
sel disk 0
list part
sel part 1
ass letter=x
exit
```

Run any 3rd-party file manager (Explorer++, etc.) as admin, grab X:\DCS\DcsBoot.efi and sign it (use DcsBoot.efi instead of bootx64.efi, of course).

Place the signed DcsBoot.efi in X:\DCS\, unmount the partition (mountvol X: /d) and deploy your keys into UEFI.

It could be made easier if the DC loader were stored as a separate file in the program directory; the user could then sign it before deployment.
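A pre-deployment check for the procedure above, added here as an example and not code from DiskCryptor or this thread: before unmounting the partition and enrolling keys, confirm that the DcsBoot.efi you put back actually carries an embedded Authenticode signature (what sbsign or signtool produce) and targets the expected architecture (x64 vs ia32, the same split as the shim zips). The sample PE images are constructed inline; this only checks that a signature is present and well-formed, not that it chains to a certificate in your enrolled db, which sbverify or signtool does.

```python
import struct

MACHINE = {0x14C: "ia32", 0x8664: "x64", 0xAA64: "aarch64"}   # PE/COFF Machine field
PE32, PE32PLUS = 0x10B, 0x20B                                  # optional-header magics
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002                        # Authenticode PKCS#7 blob

def inspect_efi(data):
    """Report the target arch of a PE/EFI image and whether it embeds an Authenticode signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    opt_off = pe_off + 24                                      # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off = opt_off + (112 if magic == PE32PLUS else 96)    # start of the data directories
    # Directory entry 4 = Certificate Table; its "address" is a raw file offset, not an RVA
    cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    info = {"arch": MACHINE.get(machine, hex(machine)), "signed": False, "cert_type": None}
    if cert_off == 0 or cert_size == 0:
        return info                                            # unsigned: Secure Boot will refuse it
    if cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE
    info["cert_type"] = cert_type
    info["signed"] = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= cert_size
    return info

def build_sample(machine, magic, signature=None):
    """Constructed minimal PE image (NOT a real DcsBoot.efi) so the check can be exercised offline."""
    opt_size, dirs_at = (240, 112) if magic == PE32PLUS else (224, 96)
    pe_off = 0x40
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    cert_off = pe_off + 24 + opt_size                          # certificate table appended at the end
    if signature is not None:
        struct.pack_into("<II", opt, dirs_at + 4 * 8, cert_off, 8 + len(signature))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)      # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0)
    img = dos + coff + bytes(opt)
    if signature is not None:                                  # WIN_CERTIFICATE header + fake PKCS#7 body
        img += struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
    return img

if __name__ == "__main__":
    print(inspect_efi(build_sample(0x8664, PE32PLUS, b"constructed-fake-pkcs7-blob")))
    print(inspect_efi(build_sample(0x14C, PE32)))
```

Run it against the real file with `inspect_efi(open(r"X:\DCS\DcsBoot.efi", "rb").read())` while the partition is still mounted as X:.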