DavidXanatos / DiskCryptor

A fork of the DiskCryptor full disk encryption tool
https://www.diskcryptor.org/

Guide: integrate DiskCryptor into Windows installation media and encrypt the system partition before installing Windows #90

Open RadarNyan opened 7 months ago

RadarNyan commented 7 months ago

(This isn't an issue, but I'm having trouble accessing my forum account, so I decided to just post it here.)

How to integrate DiskCryptor into Windows installation media

It is possible to run DiskCryptor from Windows Setup; from there you can encrypt the system partition before installing Windows to it, which saves time and ensures no unencrypted data is ever written to the disk.

Disclaimer: this guide is written by me, an average DiskCryptor user, who isn't related to the original author ntldr or the current maintainer DavidXanatos. As such, this guide lacks some technical details and may contain errors; please do point out any errors you find.

This guide is based on the information on the original DiskCryptor wiki (down now; you can access it from the Internet Archive). Do note: the wiki is very old and doesn't even reflect the last version released by ntldr.

Preparation

To follow this guide, you need a USB drive (at least 8 GB) to hold the Windows installation files.

Also, you'll need access to a system, preferably the same Windows version as the one you're about to integrate DiskCryptor into. I recommend you do this in a freshly installed virtual machine to avoid any problems; we'll need to install DiskCryptor onto this system to get the files and registry entries needed.

This guide has been tested with Windows 7 SP1 and Windows 10 LTSC 2021 (21H2).

Basic usage of Dism

We'll use Dism (which is included in Windows) to manipulate the boot.wim and install.wim from the Windows installation media.

This tool is very powerful, but we only need the following 3 basic commands:

dism /get-wiminfo /wimfile:boot.wim

This command will list the content of the wim file, so we know which index to use when mounting the wim.

dism /mount-wim /wimfile:boot.wim /index:2 /mountdir:c:\mount

This command will mount the wim into an (empty) NTFS folder; you will have to create the folder in advance.

dism /unmount-wim /mountdir:c:\mount /commit

This command saves the changes we made to the mounted image and unmounts it.

Step-by-step guide

  1. First, install DiskCryptor. You don't need to reboot, as we can already get the registry and files we need at this stage.

  2. Open Registry Editor (regedit.exe), find dcrypt under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\, right click on it and select Export, and save the exported content as dc.reg.

  3. Right click on dc.reg and choose Edit, remove the section "Enum" if any, and replace "SYSTEM" with "DC"; you should get something like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000003
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,63,00,72,00,79,00,70,00,74,\
  00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DiskCryptor driver"
"Group"="Filter"
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt\config]
"Flags"=dword:00000580
"Hotkeys"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"sysBuild"=dword:0000034e

[HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt\Instances]
"DefaultInstance"="dcrypt"

[HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt\Instances\dcrypt]
"Altitude"="87150"
"Flags"=dword:00000000

The above registry content is the default after installing DiskCryptor 1.1.846.118 on Windows 7 SP1. At the time of writing, version 1.1.846.118 is the latest stable release by ntldr, which doesn't have UEFI support. If you have to use UEFI, choose the latest beta release by DavidXanatos instead.

  4. Create two folders: c:\wim and c:\mount. Copy boot.wim and install.wim from the Windows installation media to c:\wim and leave c:\mount empty.

  5. Open PowerShell with Admin privilege, and run the following commands:

cd c:\wim
dism /get-wiminfo /wimfile:boot.wim

The last command would return something like this:

Index : 2
Name : Microsoft Windows Setup (x64)
Description : Microsoft Windows Setup (x64)

The index for Windows Setup is what we're looking for, in this case it's 2.

  6. Mount boot.wim with the following command:

dism /mount-wim /wimfile:boot.wim /index:2 /mountdir:c:\mount

Wait for mounting to finish, then proceed.

  7. Open Registry Editor, click on HKEY_LOCAL_MACHINE, then head to the menu bar and click on File - Load Hive...

Load C:\mount\Windows\System32\config\SYSTEM and type DC when prompted for a name.

Then you'll find a new key DC under HKEY_LOCAL_MACHINE; this is where we begin to edit the registry.

First, import dc.reg created in step 3. Check if HKEY_LOCAL_MACHINE\DC\ControlSet001\services\dcrypt is successfully imported.

Then, head to HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

If the value for Class on the right panel is Volume, then you're on the correct path. Double-click on LowerFilters, then add a new line at the beginning and type in dcrypt. Do not remove any existing lines.

WARNING: the value is different for boot.wim / install.wim and differs between Windows versions; this is why we need to edit it manually. Do NOT include this in the dc.reg file.

  8. Click on DC under HKEY_LOCAL_MACHINE, then head to the menu bar and click on File - Unload Hive...

Close Registry Editor to avoid unmounting failure.

  9. Back in the PowerShell window, copy the necessary files with the following commands:
copy C:\Windows\System32\drivers\dcrypt.sys C:\mount\Windows\System32\drivers\
copy "C:\Program Files\dcrypt\dcapi.dll" C:\mount\sources\
copy "C:\Program Files\dcrypt\dcrypt.exe" C:\mount\sources\

Then we save the changes we've made to the wim and unmount it:

dism /unmount-wim /mountdir:c:\mount /commit

We've finished integrating DiskCryptor into boot.wim; now we need to do the same to install.wim in order for Windows to boot successfully if we choose to encrypt the system partition before installing.

  10. Find the correct index in install.wim and mount it:

dism /get-wiminfo /wimfile:install.wim

The command returns:

Index : 4
Name : Windows 7 ULTIMATE
Description : Windows 7 ULTIMATE

Look for the correct index for the edition of Windows you're about to install. In this guide I'll use Windows 7 Ultimate, so we mount install.wim with the index set to 4:

dism /mount-wim /wimfile:install.wim /index:4 /mountdir:C:\mount

  11. Modify the registry

Again, we open Registry Editor, load C:\mount\Windows\System32\config\SYSTEM as DC and import dc.reg.

Then we need to manually fill a few values in:

HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

Volume - add dcrypt as the first line of LowerFilters like before; do not remove any existing values.

WARNING: the existing values are different between Windows 7 and Windows 10, which is why we need to edit this list manually.

HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

You'll find a lot of keys starting with "4D36E"; just look for the first one, which is CDROM.

Add a new REG_MULTI_SZ value (right click - New - "Multi-String Value") named UpperFilters, type in dcrypt and end with an empty line.

HKEY_LOCAL_MACHINE\DC\ControlSet001\Control\CrashControl

Add dcrypt.sys as the first line of DumpFilters; do not remove any existing values.

  12. Back in the PowerShell window, copy the driver file:

copy C:\Windows\System32\drivers\dcrypt.sys C:\mount\Windows\System32\drivers\

We don't need to copy any program files, as they can be restored by running the installer after we install Windows.

Then we save the changes we've made to the wim and unmount it:

dism /unmount-wim /mountdir:c:\mount /commit

This would take some time, be patient.

  13. Now that we've finished modifying boot.wim and install.wim, you can replace the same files on the USB drive.

Remember to copy the DiskCryptor installer to the USB drive as well if you want to have access to the GUI after installing Windows.

Encrypt system partition before installing Windows

WARNING: following this guide will wipe your disk.

To install Windows directly on an encrypted partition, we need the following steps:

  1. Create the desired partition layout manually

For this, I recommend using DiskPart that came with Windows.

Boot your computer with the modified Windows install USB, wait for Windows Setup to load, then hit ⇧ Shift + F10 to open a Command Prompt window.

Type in diskpart, then hit Enter; wait for DiskPart to load (showing DISKPART>), then enter the following command:

list disk

This will list all the disks detected. If you have only the internal hard drive and the USB drive connected, you can easily tell which one is which by the capacity; usually the internal drive you'll be installing Windows onto is the first one, which is Disk 0 (the index starts at 0).

WARNING: if you can't tell which one is which simply by capacity, I highly recommend you power off the computer, remove any other drives, then start over.

Select the drive you're about to install Windows on by its index:

select disk 0

WARNING: if you're not sure whether this is the desired disk, use the command list partition and check that the partition layout is NOT that of your secondary drive. This is your last chance!

To wipe the disk, use the command:

clean

Now that we have cleaned the disk, you have two options here: BIOS (Legacy) / MBR or UEFI / GPT. Unless you have to use UEFI, I recommend you go with MBR, which will have a much simpler partition layout.

BIOS / MBR:

If you only want one partition that fills the entire drive, it's very easy:

create partition primary
format fs=ntfs quick

If you want more partitions, say maybe you want a separate data partition or you plan to do multiboot (I won't explain how to use DiskCryptor for multiboot in this guide, maybe I'll write a guide on how to leverage the "First partition with appropriate password" booting method of the DiskCryptor bootloader someday):

create partition primary size=102401
(shown as 100.00GB in Windows explorer, if you use 102400 you'll see it shown as 99.99GB which I hate to see.)
format fs=ntfs quick label=windows
(I recommend you to assign a label here when having multiple partitions.)
create partition primary
(Without the size parameter, it will take the remaining space.)
format fs=ntfs quick

Don't close this window yet, we'll need it later.

UEFI / GPT:

For Windows to boot with UEFI / GPT, you need at least 3 partitions: the EFI System Partition (ESP), the Microsoft Reserved Partition (MSR), and the partition to install Windows on.

We need to first convert the disk to the GPT scheme, then create the partitions using the following commands:

convert gpt
create partition efi size=100
format fs=fat32 quick
create partition msr size=16
create partition primary
format fs=ntfs quick label=Windows

Don't close this window yet, we'll need it later.

  1. Encrypt the system partition

Hit ⇧ Shift + F10 again to open another Command Prompt window, type in dcrypt and hit Enter (you can just type in dcr and hit ⇥ Tab, which will auto-complete to "dcrypt.exe"); this will open the DiskCryptor GUI.

If you're using an HDD and you want to fill the entire partition with random data (e.g. if you have written some unencrypted data on it that you want to get rid of), simply encrypt the system partition.

WARNING: do NOT use the "format" feature, the bootloader doesn't support that.

If you're using a SSD or you want to save some time, you can shrink the partition first, encrypt the small partition, then extend it back. This is completely safe and fully supported by DiskCryptor. The reason we create a large partition then shrink it, rather than create a small partition in the first place is to prevent NTFS MFT fragmentation.

Switch back to the DiskPart window and use the following command:

list partition

This will show all the partitions on the disk; for MBR the first partition is what we want (unlike disks, the partition index starts at 1):

select partition 1

Now shrink the partition with the command:

shrink

Return to the DiskCryptor window (if you can't see it, use Alt + ⇥ Tab) and encrypt the system partition. The system partition may still be shown at its original size before shrinking, but as soon as the encryption begins it will show the shrunk size.

After DiskCryptor finishes encrypting the partition, return to the DiskPart window and extend the partition back to the desired size using the command:

extend

Now you can close the DiskPart window, as it's no longer needed. Return to the DiskCryptor window; on the menu bar click on Tools - Config bootloader, select the disk, but don't click on the "Install Loader" button yet.

Even if we install the bootloader now, Windows Setup would overwrite it anyway. Leave this window at this state and proceed.

  1. Install Windows with Windows Setup

As soon as you click on the "Install Now" button, the DiskCryptor window may disappear. Don't worry, it's still running. You can switch to it with Alt + ⇥ Tab.

Just install Windows using Windows Setup normally; when asked which type of installation you want, select Custom and install Windows to the partition we've encrypted.

Wait for Windows Setup to finish its job and tell you it will reboot in 10 seconds, then switch back to the DiskCryptor window using Alt + ⇥ Tab and click on the "Install Loader" button. If you missed this timeframe and your system rebooted, you can fix it by booting the computer with the USB drive again, then running DiskCryptor and installing the bootloader.

Finish setting up Windows; there won't be any difference from an unencrypted setup. You can choose to run the DiskCryptor installer to restore the program files.
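The registry and file steps of the media-integration procedure in the post above, as an added PowerShell script. This is an added example, not part of RadarNyan's post nor the DiskCryptor project. It assumes dc.reg has already been exported and edited as in step 3, that DiskCryptor is installed on the build machine (so dcrypt.sys, dcapi.dll and dcrypt.exe are present in the paths the post names), that the script runs from an elevated prompt, and that the mount folder is empty. The script name, the parameter names, the default paths and the `-Target` switch are all my own assumptions; the class GUIDs and filter value names are the ones from the post. Before touching LowerFilters it checks that the key really is the Volume class, and it prepends dcrypt only if it is not already listed, so running it twice does not duplicate the entry.

```powershell
# Add-DiskCryptor.ps1 (hypothetical name). Added example, not the post's or the project's code.
# Usage, from an elevated PowerShell prompt:
#   .\Add-DiskCryptor.ps1 -WimFile C:\wim\boot.wim    -Index 2 -Target boot
#   .\Add-DiskCryptor.ps1 -WimFile C:\wim\install.wim -Index 4 -Target install
param(
    [Parameter(Mandatory)][string]$WimFile,                                 # boot.wim or install.wim
    [Parameter(Mandatory)][int]$Index,                                      # from dism /get-wiminfo
    [Parameter(Mandatory)][ValidateSet('boot','install')][string]$Target,   # which image this is
    [string]$MountDir = 'C:\mount',                                         # assumed empty NTFS folder
    [string]$RegFile  = 'C:\wim\dc.reg',                                    # edited export from step 3
    [string]$DcDir    = 'C:\Program Files\dcrypt'                           # DiskCryptor install dir
)
$ErrorActionPreference = 'Stop'

# Class GUIDs named in the post: Volume class and CDROM class.
$VolumeClass = '{71A27CDD-812A-11D0-BEC7-08002BE2092F}'
$CdromClass  = '{4D36E965-E325-11CE-BFC1-08002BE10318}'

function Add-FilterFirst {
    # Prepend $Name to a REG_MULTI_SZ value, keeping every existing entry.
    # Creates the value if it does not exist; does nothing if $Name is already listed.
    param([string]$Key, [string]$Value, [string]$Name)
    $existing = @()
    $prop = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.$Value) }
    if ($existing -contains $Name) { return }
    Set-ItemProperty -Path $Key -Name $Value -Type MultiString -Value (@($Name) + $existing)
}

# 1. Mount the image.
& dism /mount-wim "/wimfile:$WimFile" "/index:$Index" "/mountdir:$MountDir"
if ($LASTEXITCODE) { throw "dism mount failed with exit code $LASTEXITCODE" }

$commit = '/discard'   # only switched to /commit once every step below succeeded
try {
    # 2. Load the offline SYSTEM hive as HKLM\DC and import the dcrypt service keys.
    & reg load HKLM\DC "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE) { throw "reg load failed with exit code $LASTEXITCODE" }
    try {
        & reg import $RegFile | Out-Null
        if (-not (Test-Path 'HKLM:\DC\ControlSet001\services\dcrypt')) {
            throw 'dcrypt service key missing after import; check the paths inside dc.reg'
        }

        # 3. Volume class: confirm the key, then put dcrypt first in LowerFilters.
        $volKey = "HKLM:\DC\ControlSet001\Control\Class\$VolumeClass"
        if ((Get-ItemProperty -Path $volKey).Class -ne 'Volume') {
            throw "$volKey is not the Volume class key; refusing to edit LowerFilters"
        }
        Add-FilterFirst -Key $volKey -Value 'LowerFilters' -Name 'dcrypt'

        if ($Target -eq 'install') {
            # install.wim only: CDROM UpperFilters and the crash-dump filter list.
            Add-FilterFirst -Key "HKLM:\DC\ControlSet001\Control\Class\$CdromClass" `
                            -Value 'UpperFilters' -Name 'dcrypt'
            Add-FilterFirst -Key 'HKLM:\DC\ControlSet001\Control\CrashControl' `
                            -Value 'DumpFilters' -Name 'dcrypt.sys'
        }
    } finally {
        # Release the registry provider's handles first, otherwise reg unload reports access denied.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg unload HKLM\DC | Out-Null
    }

    # 4. Copy the driver; the GUI and its DLL are only needed inside Windows Setup (boot.wim).
    Copy-Item "$env:SystemRoot\System32\drivers\dcrypt.sys" "$MountDir\Windows\System32\drivers\"
    if ($Target -eq 'boot') {
        Copy-Item "$DcDir\dcapi.dll"  "$MountDir\sources\"
        Copy-Item "$DcDir\dcrypt.exe" "$MountDir\sources\"
    }
    $commit = '/commit'
} finally {
    # 5. Commit on success; discard on any failure so a half-edited image is never saved.
    & dism /unmount-wim "/mountdir:$MountDir" $commit
}
```

The unmount runs in a finally block with `/discard` as the default so that any failure (a wrong index, a missing dc.reg, a key that is not the Volume class) leaves the original wim untouched rather than half-edited. Run it once per image, then copy the two wim files to the USB drive as described in the post.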