veracrypt / VeraCrypt

Disk encryption with strong security based on TrueCrypt
https://www.veracrypt.fr

1.19 (Windows) - Multi-boot greyed-out #112

Closed Diapolo closed 3 years ago

Diapolo commented 8 years ago

I wanted to set up a system encryption within Windows 8.1 by using VeraCrypt 1.19, but the option is greyed-out:

[Image: greyed-out]

Setup is as follows:

- Windows 8.1 x64 in UEFI-Mode (Secure Boot enabled) on HDD1
- Ubuntu 16.10 in UEFI-Mode on HDD2 with active and working LUKS-encryption
- UEFI-partition is on HDD1
- Windows was installed before Linux, so bootloader is GRUB2

Is this an invalid system setup or what could I do?

Edit: Seems I'm not the only one suffering from this: https://sourceforge.net/p/veracrypt/discussion/technical/thread/b3355573/

Edit 2: Likely related... https://sourceforge.net/p/veracrypt/discussion/features/thread/e027880a/

Diapolo commented 8 years ago

@idrassi Mind taking a look :)?

rbe1733 commented 7 years ago

Hi,

I have the same problem on a Surface Pro 3. The multi-boot option is greyed.

Dual-boot Windows 10 and Fedora 24 with grub. Problem is the same with or without secure boot enabled.

I ran the test for encrypting the windows partition with secure boot disabled. Pre-boot password is ok but leads to Windows 10 boot and not grub (seems normal for single boot).

May you help?

Kind regards

Richard

amg1127 commented 7 years ago

Hi,

I also have this problem on an old Samsung laptop. My setup is:

My Linux partition has already been encrypted by LUKS. Now, I intend to have my Windows partition encrypted by Veracrypt, but the multi-boot option is disabled.

Diapolo commented 7 years ago

I really hope we get some attention, as that usage scenario seems common, when Linux and Windows are used, as Bitlocker is closed source and also seems to not be multi-boot capable. Feels bad that the Windows installation is unencrypted :-/.

rbe1733 commented 7 years ago

I succeeded in dual boot Windows 10 and Ubuntu 16.04 (with tigerite ppa kernel). Windows os disk is encrypted through Bitlocker and Linux with LUKS.

The TPM and secure boot control are both activated (no red Surface screen).

If you are interested in this scenario while waiting for a VeraCrypt patch, tell me. I will give you deeper information to do it.

Richard

Diapolo commented 7 years ago

@rbe1733 The problem I see for my setup is that my board is missing a TPM and that I would need to use a USB stick as token. But it would be very nice if you could explain your setup to me :). Others could also benefit I guess, as long as VeraCrypt author doesn't react.

rbe1733 commented 7 years ago

@Diapolo I don't think missing a TPM is a problem to make it work.

Here are the steps to follow with empty disk 👍

1) Install Windows with advanced partitioning. On my SP3 256 GB SSD, I made a 90 GB partition. Windows installer (W10) created the 3 other partitions (one is hidden on disk manager but visible under Linux with gparted). As we have GPT, it's not a problem for the Linux installation.

2) Install Linux. For my SP3, I chose the best distribution which is Ubuntu 16.04. Not 16.10 because the kernel made by Peter Hunt (thanks to him) is working with 16.04. Here is the link (https://launchpad.net/~tigerite/+archive/ubuntu/kernel). If you have different hardware, you can choose any distribution that fits your needs. Ubuntu also handles UEFI BIOS with secure boot control very well.

For Ubuntu 16.04 (might be the same for other distributions), you must prepare your partitions BEFORE installing the system. Do it in Linux live session then install. Here is the link of a good doc I followed (http://thesimplecomputer.info/full-disk-encryption-with-ubuntu).

3) At this step, the grub loader is booting Linux with pre-boot authentication to unlock the LUKS partitions. It can boot Windows but it is still not secure.

4) Activate Bitlocker for Windows partition. First, you have to alter your local policy group before encrypting the partition. Follow the steps of http://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/. I recommend you to "Allow enhanced pins for startup" on policy group. It allows you to have better protection (letters, special character, ...) for the pin setting. After the disk encryption, reboot and check everything is ok.

I tried dislocker to mount bitlocker partition on Linux. Haven't succeeded in making it work yet but I was stuck with bitlocker preboot authentication on the next windows boot (too many bad passwords ...). Keep your bitlocker recovery key close to you. If something goes wrong with Windows, boot in recovery shell and use command line manage-bde to recover partition.

Hope this helps.

Richard

Diapolo commented 7 years ago

@rbe1733 Thank you!

It seems I'm ready to try Bitlocker then, as long as we are not able to use VeraCrypt as THE open source option I'd LOVE to use instead :).

I've got a working Windows installation on SSD1 and a working and LUKS encrypted Ubuntu 16.10 installation on SSD2. As I said secure boot is enabled, and GRUB is able to load both OSes. As I've used Bitlocker before, my GPs are already setup for pin/stick based encryption.

Should work, even with 2 SSDs, right?

rbe1733 commented 7 years ago

@Diapolo Don't see why 2 SSD would cause any problem.

I also recommend you to run the bitlocker test before encryption. On W10 (don't know for W8.1), the bitlocker procedure will ask you for a check. This check reboots your computer, tests the pin input and, if ok, will encrypt the disk after the login.

If it is not available on W8.1, don't mind. If anything goes wrong on the next reboot, you can boot on recovery mode after inputting the recovery key, open a command shell and use manage-bde to decrypt the disk.
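
An added example, not part of the thread and not code from VeraCrypt or Microsoft: a PowerShell check to run before rebooting a freshly BitLocker-protected system volume, reflecting the advice in the two comments above (keep the recovery key at hand, fall back to manage-bde). The `C:` mount point is an assumption; run it in an elevated session.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: the Windows system volume is C:.
$mount = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $mount

# Protector types currently on the volume, as strings.
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

# The numerical recovery password is what the BitLocker recovery screen asks for.
$recovery = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Protectors that require user action before Windows boots.
# ExternalKey is a key file, e.g. on a USB stick (the no-TPM case in the thread).
$preBoot = @($types | Where-Object {
    $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'ExternalKey', 'Password' })

[pscustomobject]@{
    Volume            = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus
    ProtectionStatus  = $vol.ProtectionStatus
    EncryptedPercent  = $vol.EncryptionPercentage
    Protectors        = $types -join ', '
    PreBootProtectors = $preBoot -join ', '
    # Compare these IDs with the identifier on your saved recovery key.
    RecoveryIds       = $recovery.KeyProtectorId -join ', '
} | Format-List

if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password protector on $mount. Add one before rebooting."
}
if ($preBoot.Count -eq 0) {
    Write-Warning "No pre-boot PIN, password or startup key on $mount."
}

# Fallback from the Windows recovery command prompt (the drive letter may differ there):
#   manage-bde -status
#   manage-bde -unlock C: -RecoveryPassword <48-digit recovery password>
#   manage-bde -off C:        # decrypts the volume
```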

Diapolo commented 7 years ago

@rbe1733 Bitlocker + LUKS and GRUB are playing well together! So as long as VeraCrypt is lacking multi-boot support, this at least makes me encrypted again ;).

WesBunton commented 7 years ago

I have the same issue. My setup:

  1. Installed Win 10 on internal SSD.
  2. Created root/swap/home partitions on same SSD.
  3. Installed Linux Mint on root partition.
  4. Rebooted into Win 10, installed VeraCrypt to secure the Windows partition, but I see this option is greyed out.

Typhlos commented 7 years ago

I have the same issue with Windows 8.1 and Fedora 26 both installed. I'm using the 1.21 version of VeraCrypt on Windows. I have an ssd and a hdd.

On the ssd as /dev/sdb or Disk 1 :

On the hdd as /dev/sda or Disk 0 :

Is there any fix or solution?

Thank you.

christianfl commented 7 years ago

I have the same problem on my freshly installed setup: Debian Stretch GNU/Linux encrypted with LUKS on /dev/sdb (UEFI-mode) and Windows 8.1 on /dev/sda (UEFI-mode). Option for multi boot is grayed out. So unfortunately I'm stuck with Bitlocker for Windows. If Windows is installed in Legacy/BIOS-mode the option is selectable and works.

mikewinddale commented 6 years ago

I have the same problem. I have a dual-boot system, Windows 10 Home plus Linux Mint Cinnamon 18.3 "Sylvia."

Veracrypt would not recognize the dual-boot, so I was able to encrypt only Windows. I was able to encrypt my Linux's Home folder using ecryptfs, but this solution is clunky.

arteenfox commented 6 years ago

I have the same problem. "Hidden", "Encrypt the whole drive" and "Multi-boot" options greyed-out. Freshly installed and updated Windows 10 Pro and Fedora 28, both in UEFI mode ofc.

Partitions (GPT partition table, HDD on SATA interface):

- 1, 2, 3 - Automatically created by Windows 10, №2 is EFI partition (mounted to /boot/efi during Fedora installation)
- 4 - Windows 10
- 5 - 5GB NTFS partition for buffer between Windows and Linux systems
- 6 - Fedora's ext2 /boot partition
- 7 - Luks-encrypted swap partition
- 8 - Luks-encrypted ext4 / partition
- 9 - Luks-encrypted ext4 partition for data storage (/mnt/data)

All changes that I made in Windows:

- Disabled hibernation
- Disabled Windows Defender (group policy)
- Registry tweak to use UTC hardware time
- Disabled SmartScreen (group policy)

ASUS x553ma. This laptop doesn't have a TPM module (bitlocker doesn't wanna work without tinkering) so maybe that's the problem? VeraCrypt version is 1.22

dbautistav commented 5 years ago

Veracrypt documentation about TPM:

> The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security).

See "Some encryption programs use TPM to prevent attacks. Will VeraCrypt use it too? -No." in the FAQ.

LankyCyril commented 5 years ago

I did this a while back -- https://medium.com/@lankycyril/using-veracrypt-with-a-uefi-dual-boot-setup-27d1eacbf36b.

I'm pretty sure this is as secure as a single-boot UEFI system, but I would love to see critique.

amg1127 commented 5 years ago

> I did this a while back -- https://medium.com/@lankycyril/using-veracrypt-with-a-uefi-dual-boot-setup-27d1eacbf36b.
>
> I'm pretty sure this is as secure as a single-boot UEFI system, but I would love to see critique.

Thank you for sharing it. I just have followed your instructions and encrypted my dual-boot UEFI laptop computer without issues.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 3 years ago

This issue has been automatically closed because it has not had recent activity. This probably means that it is not reproducible or it has been fixed in a newer version. If it’s an enhancement and hasn’t been taken on for so long, then it seems no one has the time to implement this. Please reopen if you still encounter this issue with the latest stable version. You can also contribute directly by providing a pull request. Thank you!