VeraCrypt on machine that is UEFI boot


  1. Posts : 247
    Windows 10 Pro version 21H2 (standalone licence)
    Thread Starter
       #11

    Bitlocker / Device Encryption difference


    DavidY said:
    But Device Encryption isn't Bitlocker (albeit the underlying encryption is the same, Bitlocker gives you more control) so if you have Win10 Pro, you don't need an MS Account to use Bitlocker.
    Thank you for this. So on Windows 10 Pro I can turn Bitlocker on without needing to be logged into a MSA?

    I would want to keep a backup of the key somewhere and I am thinking I will do this on a usb drive. Is it possible to keep it on a USB drive in a way that makes that drive an 'unlock key' for the device?

    Can you explain the difference between Bitlocker and 'Device Encryption' (the latter presumably is still a Microsoft thing?) I have never understood that there were two sorts of encryption on a Windows o/s and the distinction.

    Or have I misunderstood your post?


  2. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #12

    kevvyb said:
    Thank you for this. So on Windows 10 Pro I can turn Bitlocker on without needing to be logged into a MSA?
    Yes - that's how I use it on my Win10 Pro laptop.

    kevvyb said:
    I would want to keep a backup of the key somewhere and I am thinking I will do this on a usb drive. Is it possible to keep it on a USB drive in a way that makes that drive an 'unlock key' for the device?
    Here is a tutorial on how to switch on Bitlocker in various ways, including using a USB key to unlock.
    BitLocker - Turn On or Off for Operating System Drive in Windows 10

    Personally I would also keep other backups of the keys in addition to the USB key - the dialogs which come up allow you to print out a copy for instance. Also I'd take a backup image of the disk before I started encrypting, just in case...

    kevvyb said:
    Can you explain the difference between Bitlocker and 'Device Encryption' (the latter presumably is still a Microsoft thing?) I have never understood that there were two sorts of encryption on a Windows o/s and the distinction.

    Or have I misunderstood your post?
    I believe that under the skin, the actual encryption is the same. But for Bitlocker there are more options on how you can manage that encryption.

    If a device has Device Encryption, you can switch it on or off, and backup your keys, but there isn't much more control than that.

    Some people will be running encrypted devices and won't even know it, because it runs silently when someone first logs in with an MSA with admin rights, assuming the device meets the specification and is booted with Secure Boot. I think the option about unlocking with a USB key may not be available, for example, presumably because Device Encryption runs without user interaction.

    I think that the reason Device Encryption automatically backs up keys to the MSA is because it's running silently, so the intention is that rather than relying on people keeping a backup manually, there's an automatically-created backup for if things go wrong. (Although if people close, or lose access to, their MSA, they may have a problem...)

    With the extra control in Bitlocker you have the option to backup keys to an MSA, but you have to select it - it's not automatic.
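The setup discussed in this post (USB stick as the unlock key, plus a separately kept recovery password), as an added PowerShell example that is not part of the original thread. It assumes Windows 10 Pro with a TPM, an elevated prompt, `C:` as the OS volume and `E:\` as the USB stick; both drive letters are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: C: is the OS volume, E:\ is the USB stick.
$os  = 'C:'
$usb = 'E:\'

# 1. Check the current state first. A machine that was encrypted silently
#    (Device Encryption) already shows key protectors on the volume here.
$vol = Get-BitLockerVolume -MountPoint $os
$vol | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$os is not fully decrypted; review the protectors listed above before changing anything."
}

# 2. Create the recovery password before encryption starts, so a backup
#    unlock method exists that does not depend on the USB stick.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null

# 3. Turn BitLocker on with TPM + startup key: the key file is written to
#    the USB stick, which must then be inserted at every boot.
#    If this fails with a Group Policy error, the policy "Require additional
#    authentication at startup" has to allow a startup key.
#    Without -SkipHardwareTest, Windows checks on the next restart that the
#    key can be read at boot, and only then begins encrypting.
Enable-BitLocker -MountPoint $os -TpmAndStartupKeyProtector -StartupKeyPath $usb `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# 4. Show the recovery password so it can be printed or written down and
#    stored away from both the laptop and the USB stick.
(Get-BitLockerVolume -MountPoint $os).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Format-List KeyProtectorId, RecoveryPassword
```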


  3. Posts : 32
    Windows 10, MacOS Lion
       #13

    mrgeek said:
    I have UEFI on an HP laptop that is 2 yrs old and have used TrueCrypt 7.1a from Day One which I carried over from many yrs prior on other computers. Note: I use for created partitions, not the entire drive, like you propose. Let me know your results. Good Luck
    Good solution for Windows up to version 7. I love it too.


  4. Posts : 247
    Windows 10 Pro version 21H2 (standalone licence)
    Thread Starter
       #14

    mrgeek said:
    I have UEFI on an HP laptop that is 2 yrs old and have used TrueCrypt 7.1a from Day One which I carried over from many yrs prior on other computers. Note: I use for created partitions, not the entire drive, like you propose. Let me know your results. Good Luck
    Given up with VeraCrypt as have received no response from forums.

    Something to do with UEFI boot was meant to have been fixed in 1.19 as far as I can see. I think there are still problems.


  5. Posts : 521
    Microsoft Windows 10 Home 64-bit 18363 Multiprocessor Free
       #15

    They are saying that with the latest release of VeraCrypt 1.23 they support UEFI boot encryption if I understand correctly:

    VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

    1.23 (September 12th, 2018):

    • Windows:
      • VeraCrypt is now compatible with default EFI SecureBoot configuration for system encryption.
      • Fix EFI system encryption issues on some machines (e.g. HP, Acer).
      • Support EFI system encryption on Windows LTSB.
      • Add compatibility of system encryption with Windows 10 upgrade using ReflectDrivers mechanism
      • Make EFI Rescue Disk decrypt partition correctly when Windows Repair overwrites first partition sector.
      • Add Driver option in the UI to explicitly allow Windows 8.1 and Windows 10 defragmenter to see VeraCrypt encrypted disks.
      • Add internal verification of binaries embedded signature to protect against some types of tampering attacks.
      • Fix Secure Desktop not working for favorites set to mount at logon on Windows 10 under some circumstances.
      • when Secure Desktop is enabled, use it for Mount Options dialog if it is displayed before password dialog.
      • when extracting files in Setup or Portable mode, decompress zip files docs.zip and Languages.zip in order to have ready to use configuration.
      • Display a balloon tip warning message when text pasted to password field is longer than maximum length and so it will be truncated.
      • Implement language selection mechanism at the start of the installer to make easier for international users.
      • Add check on size of file container during creation to ensure it's smaller than available free disk space.
      • Fix buttons at the bottom not shown when user sets a large system font under Windows 7.
      • Fix compatibility issues with some disk drivers that don't support IOCTL_DISK_GET_DRIVE_GEOMETRY_EX ioctl.


  6. Posts : 521
    Microsoft Windows 10 Home 64-bit 18363 Multiprocessor Free
       #16

    I have a UEFI Windows 10 machine and I use BCDBoot / bcdedit to update the firmware entries in the device’s NVRAM.
    I have multiple disks with multiple operating systems, I used bcdedit to designate the primary boot drive and the secondary (which is actually a clone of the primary boot disk).
    I installed latest version of VC on the secondary boot drive, thinking that VC would not modify the firmware entries in the NVRAM. The entries that are displayed when the machine is turned on, giving you a chance to select which disk you will boot off. It goes to the primary boot by default or you can scroll down to make another selection.
    After the install of VeraCrypt on the second boot drive (non-primary) I rebooted and to my surprise, the firmware entries disappeared, and then the prompt for the password appeared. How is that possible if I never told it to do anything with the primary boot drive or the firmware entries? If I want to encrypt drive C:, I never want to encrypt for example drive X.
    Apparently VeraCrypt cannot deal with multiple bootable disks in the machine.

    Worse, the password would not be accepted. Since it was a test of encryption and none was actually performed, I was able to go back but this gives me sufficient concern, I don't want to lose the multiple entry capability, I want to choose which disk I boot into.
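A way to record the firmware boot entries before installing a boot-time encryption tool and to compare them afterwards, as an added PowerShell example that is not part of the original post. The script name `Compare-FirmwareEntries.ps1` and the folder `C:\BootBackup` are assumptions; run it elevated with `-Phase before`, then again after the install and reboot with `-Phase after`.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical script name: Compare-FirmwareEntries.ps1).
param(
    [ValidateSet('before', 'after')]
    [string]$Phase = 'before'
)

# Assumed location for the snapshots; any folder that survives the reboot works.
$dir = 'C:\BootBackup'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$snapshot = Join-Path $dir "firmware-$Phase.txt"

# List the firmware boot manager and every firmware application entry
# (the menu shown at power-on) and save the listing as text.
bcdedit /enum firmware | Set-Content -Path $snapshot

if ($Phase -eq 'before') {
    # Also keep a full copy of the BCD store taken before any change.
    bcdedit /export (Join-Path $dir 'bcd-before.bak') | Out-Null
    Write-Output "Saved $snapshot and bcd-before.bak"
}
else {
    $before = Join-Path $dir 'firmware-before.txt'
    if (-not (Test-Path $before)) {
        throw "No 'before' snapshot found in $dir; run with -Phase before first."
    }
    # '<=' lines existed only before the install, '=>' lines only after it.
    $diff = Compare-Object (Get-Content $before) (Get-Content $snapshot)
    if ($diff) {
        $diff | Format-Table SideIndicator, InputObject -AutoSize
    }
    else {
        Write-Output 'Firmware boot entries are unchanged.'
    }
}
```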


  7. Posts : 247
    Windows 10 Pro version 21H2 (standalone licence)
    Thread Starter
       #17

    Thanks for all replies. Gave up on VeraCrypt and relented on use of Bitlocker even though it will have a backdoor for MS use. I still use TrueCrypt on all my external hard drives.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd