Channel: Windows 10 Update 1511 fails with DiskCryptor whole disk encryption - Super User
Answer by Laura for Windows 10 Update 1511 fails with DiskCryptor whole disk encryption
I had found another issue with DiskCryptor and GPT disks.

I have multiple Windows 32 Bits (all Home versions from Vista to 10) on the same GPT disk (the only one present; it is a laptop with BIOS only, no U-EFI); yes and yes, it is BIOS only and the disk is GPT with more than 4 primary partitions, all partitions are GPT, except one small 8MiB RAW GrubBIOS for the Grub2 core.img... and yes, yes, Windows 32 Bits; remember Windows does not boot from any disk that is not MBR, I do not like Hybrid GPT+MBR, I prefer Grub2+MemDisk+VHD small files (32MiB or less).

My disk is 100% GPT, has one GPT NTFS partition for each Windows for the system (where the WINDOWS folder is, but the NT60 boot code & BCD are not in there), it also has an extra NTFS partition for Grub2 & MemDisk & VHD files (else that 32 Bits Windows will not be able to be booted from a GPT disk, aka 32 bits on BIOS + GPT disk); those VHD files are fixed size (just to let memdisk emulate them in RAM) and internally have an MBR disk with only one 32MiB NTFS partition where the NT60 boot code and the BCD for that specific Windows are; one VHD per Windows.

This is a sample (all Windows are 32Bits and Home versions, no Pro, no Enterprise, no Server, 100% legal stuff) of the GPT disk I do tests on:

  • 1st sector = Grub2 boot code + GPT protective
  • GPT1 = 8MiB RAW GrubBIOS (where Grub2 put core.img in RAW)
  • GPT2 = 1GiB NTFS for Grub2 files + MemDisk + VHD files
  • GPT3 = NTFS for 32Bits Windows Vista SP2 system (Windows folder, etc)
  • GPT4 = NTFS for 32Bits Windows 7 SP1 system (Windows folder, etc)
  • GPT5 = NTFS for 32Bits Windows 8 system (Windows folder, etc)
  • GPT6 = NTFS for 32Bits Windows 8.1 system (Windows folder, etc)
  • GPT7 = NTFS for 32Bits Windows 10 system (Windows folder, etc)
  • GPT ... and so on ...

Each VHD is around a 32MiB virtual MBR disk, like this:

  • 1st sector = Nt60 boot code + MBR partition table
  • MBR.1 = Primary NTFS 32MiB (where BCD stuff is)
  • MBR.2 = -empty-
  • MBR.3 = -empty-
  • MBR.4 = -empty-

One VHD file per each Windows (to isolate bootloaders & BCD).

If I want to put all that on an MBR disk (it is limited to 3 primary + 1 Extended) I can only put 3 Windows (Grub2 can be on a Logical inside the extended); those 3 primary ones will be the ones that have each BCD stuff (isolating the BCDs of each Windows)... if I allow all Windows BCDs on the same partition I can put as many Windows as I want, but all of them will share the BCD, so the boot menu will be the one presented by Windows, they will not be isolated, a failure on one of them touching such BCD will ruin the boot of all the rest, etc., not to mention I also want encryption.

With that GPT + Grub2 + MemDisk + VHD files I get what I want (except encryption), 100% isolating each Windows from the rest of the Windows.

I want BIOS and not U-EFI for three main reasons:

  1. I want 100% of the HDD (except the first sector, the GPT table and the second copy of the GPT table at the end of the disk) to be encrypted... still working on how to encrypt that partition I use for Grub2 + MemDisk + VHD files... I had considered creating one extra partition for each VHD file... so that one will be encrypted as the System is, and then the Grub2 one with LUKS (using the modules parameter when doing grub2-install).
  2. My laptop has no U-EFI, it is BIOS only.
  3. My HDD is bigger than 2TiB (MBR only allows up to 2TiB to be used, the rest is lost).

Going back to the problem with DiskCryptor: if I encrypt the booted Windows GPT partition (where the WINDOWS folder is) and put the boot code on the other virtual MBR disk (the one inside the VHD file), after booting it asks for the password but it always shows the error 'invalid password'.

But if I do not encrypt the booted Windows GPT partition (where the WINDOWS folder is), and I only encrypt the partition where the BCD is (the one inside the virtual MBR disk that is inside the VHD file), at boot it asks for the password and, if it is the correct one, it boots Windows perfectly (except it does not automount the virtual disk partition of the BCD, I must mount it manually... must see if I can get it to automount), but Windows works great.

And if I encrypt both of them (with the same password), then Windows bootmbr loads but it tells me winload.exe cannot be found, on a blue background with white text graphical screen.

When I only encrypt the MBR part, the missing automount may be caused by the VHD file not being connected early enough... maybe caching the password and running DiskCryptor at logon can solve that, since the VHD connect is done in a scheduled task before logon... I must test that if I have time.

It seems like having "System reserved" or whatever you want to call it (where the NT60 boot code & BCD stuff is) on a different disk is not supported by DiskCryptor, or at least not if Windows 32Bits is on a GPT partition (where the WINDOWS folder is)... since having that virtual MBR encrypted works well, but having the GPT partition encrypted causes different kinds of errors!

I will re-try a lot more options, like creating an ISO and booting with that, etc.

Thankfully I have multiple Windows: I booted with another one, installed DiskCryptor, rebooted and tried to mount the GPT one; it mounts OK, so I decrypt it and fix the big problem of not being able to boot that one. Till I find a solution I will do more tests on a VirtualBox machine prior to dealing with my laptop again... I wish DiskCryptor would have warned me before doing it... but at least I know what I am doing and I know that booting from the other Windows I can decrypt; also I have a clone backup, etc.

Maybe I miss something! Maybe I do not fully understand how to boot or where to put the DiskCryptor bootloader, how to configure it, etc.

Please keep in mind I want more than 4 different Windows Home 32 Bits on the same GPT disk, I want them 100% isolated, including boot codes, BCD and such stuff... that leaves no other option... GPT is mandatory... I also want them encrypted with different passwords, not only the system (where the Windows folder is) but also the boot partition (where the BCD is); encrypting Grub2 is easy for me to do, so to not make things complex I use it unencrypted till I find a working solution.

I thought protecting the boot partition (where the BCD is) would be much more difficult than the system (where the WINDOWS folder is) itself, but I found just the opposite.

I must test, test and test... maybe I will find a way.

Yes, in case someone is thinking about them, I had tried TrueCrypt and VeraCrypt; both have greater problems: TrueCrypt does not allow GPT system encryption and VeraCrypt assumes GPT disks are only for U-EFI, so it fails when trying to back up U-EFI stuff, no matter if I put an EFI partition, since the machine has no EFI vars (BIOS only, no U-EFI) it fails.

The boot (without encryption) goes this way: power on, BIOS runs, BIOS reads the disk's first sector, finds the Grub2 bootloader code, runs it, it reads the RAW GrubBIOS (core.img) and runs it, Grub2 does its stuff (reads the grub.cfg file) and shows the menu, I choose what system I want to boot, Grub2 then loads memdisk and puts the corresponding VHD image in the virtual hard disk and jumps to it, the code on the MBR of that is run (NT60 code), then bootmgr is loaded and runs, then winload.exe, etc... normal Windows boot... then my scheduled task is launched on the SYSTEM account, that same VHD is connected, now the BCD is able to be accessed, the logon prompt appears, I choose the user, etc... normal Windows continues... the desktop appears.

All boot is done from the same HDD, it is GPT style; the trick is that prior to booting Windows I mount (with Grub2 + memdisk + VHD file) a virtual MBR disk where the NT60 boot code & BCD are, that way Windows is really booting from what it knows, an MBR disk, but it is a virtual one stored in a file, stored in a GPT partition; the other good trick is thanks to Grub2, which allows booting from a GPT disk on a BIOS-only PC.

Hope someone can reproduce my boot procedure and test DiskCryptor. Also hope some day VeraCrypt will not assume GPT = U-EFI.

To create the VHD I used DiskPart from Windows; it can also be created, mounted, accessed, etc. after booting from the Windows install media and going to a console (Shift+F10 after selecting the language) and using DiskPart.

Thanks to DiskCryptor I am a little bit nearer to what I want, but still not there, just a little step more... boot Windows!

The next part will be mounting DiskCryptor from a SystemRescueCD (a Linux Live distro), but that will be a really hard story, if at all possible.
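As an added example (not code from Laura's answer), this PowerShell script drives DiskPart to build one of the per-Windows boot VHDs the answer describes: a fixed-size 32 MiB file holding a virtual MBR disk with a single active NTFS partition, into which the NT60 boot code and a BIOS-only BCD for one Windows install are written. The VHD path, the drive letter V: and the source C:\Windows are assumed placeholders; run it elevated on an installed Windows or from the install-media console.

```powershell
# Added example, not from the original post. Placeholders below are assumptions.
param(
    [string]$VhdPath = 'C:\vhd\win10.vhd',  # assumed location of the boot VHD
    [string]$WinDir  = 'C:\Windows',        # assumed system folder of the Windows to boot
    [string]$Letter  = 'V'                  # assumed free drive letter for the boot volume
)

# DiskPart script: fixed-size VHD (memdisk needs a flat image it can load into RAM),
# MBR layout, one primary NTFS partition marked active so the NT60 MBR code chains
# into bootmgr on that partition. "maximum" is in MiB.
$createScript = @"
create vdisk file="$VhdPath" maximum=32 type=fixed
select vdisk file="$VhdPath"
attach vdisk
convert mbr
create partition primary
format fs=ntfs quick label="BOOT"
active
assign letter=$Letter
"@
$scriptFile = Join-Path $env:TEMP 'make-bootvhd.txt'
Set-Content -Path $scriptFile -Value $createScript -Encoding ASCII
diskpart /s $scriptFile

# Write the NT60 boot code into the virtual disk (both MBR and the volume boot
# record), then copy bootmgr and build a BCD store that targets only this Windows,
# for BIOS firmware (this is the "System reserved" content kept inside the VHD).
bootsect /nt60 "${Letter}:" /mbr
bcdboot $WinDir /s "${Letter}:" /f BIOS

# Detach so the file can be handed to Grub2 + memdisk at the next power-on.
$detachScript = @"
select vdisk file="$VhdPath"
detach vdisk
"@
Set-Content -Path $scriptFile -Value $detachScript -Encoding ASCII
diskpart /s $scriptFile
Remove-Item $scriptFile
```

Repeat once per Windows install with a different VHD path and source folder; each VHD then carries its own bootmgr and BCD, which is the isolation the answer is after.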
