VeraCrypt Hidden OS on EFI/GPT syestem (v1.0)
By Felis in addition to DJ Bonez manual, special thanks to kavsrf on sourceforge.net
1. Create 4 sequential partitions a. Outer_Start (outer volume to be mounted as ordinary volume, FS: any) b. H_ESP (EFI system partition for hidden OS, FS: FAT32) c. H_OS (partition for hidden OS, FS: NTFS) d. Out_End (outer volume to be mounted as hidden volume, FS: any) 2. Convert ESP type to recovery volume in decoy OS 3. Convert H_ESP type to make it ESP 4. Install hidden OS and VeraCrypt in H_OS 5. Start system encryption At this step you will create Rescue USB, dont forget to copy shellx64.efi to the USB (See Q&A section for details). System will reboot to test preboot authentication before encrypting. At this moment proceed to next step 6. Boot from rescue USB with EFI shell 7. Modify encryption range to include outer volumes EFI\VeraCrypt\DcsCfg.dcs -oshideprep -rnd 2 A list of partitions will be displayed (order is same as in Windows Disk Management) a. Start outer: number of Outer_Start b. End outer: number of Outer_End c. Wipe data? Yes for wiping outer volumes with random data d. Init outer headers? Yes e. Password? Fake_Password1 for mounting outer (outer start) as ordinary encrypted volume f. Select algorithm for encryption and hash of outer volumes (e.g. AES, XTS, SHA-512) g. Save outer? Yes h. Password? Fake_Password2 for mounting outer (outer end) as hidden volume i. Save outer? Yes j. Update main encryption header? Yes (use password for H_OS here) k. Encrypted GPT file name: gpt_enc l. Create one hidden volume? Yes m. Hidden GPT file name: gpt_hos 8. List disks and select number of authorization USB/partition EFI\VeraCrypt\DcsCfg.dcs -dl 9. Wipe security regions container of
Q&A section
Unsorted answers for some questions that may occur while installing and playing around with VeraCrypt. Just to save you some time and curiosity.
Q: How to convert ESP type to protect it? A: You can use diskpart to change partition type. Launch diskpart on decoy OS or on WinPE and select required disk and partition: diskpart list disk select disk
Q: How to edit config keys in VeraCrypt loader? A: There are two possible ways. Via VeraCrypt application itself. Go to Settings->System encryption->Edit boot loader configuration. Via mounting ESP partition and editing DcsProp. In command prompt execute: diskpart list disk select disk
Q: How to get list of logical disks in command prompt? A: w mic logicaldisk get name
Q: Why should I create more than one security region on authorization USB / partition? A: Number of SR initialized hides real number of OS installed. Also you can save header of decoy OS to SR, or create several hidden OS’s Q: Is there more information about DcsProp and it’s flags? A: Yes. There is a D csProp.example file which describes all possible flags. You can download it from here: link
Q: What is EFI shell and how to boot to it? A: You can get it from here: link for x64 Download the file, rename it to shellx64.efi and place it to rescue USB root. Don't forget that rescue USB must be formatted with FAT32.
Q: What else can I do in EFI shell? A: Read this: link
Q: I want to know more about EFI A: Here is a good longreed about EFI: link
Q: What can I do with DcsCfg.dcs? A: Here goes a manual on DcsCfg and it’s switches: link
Q: What is fs
Q: What is a Security Region (SR), is there any documentation on it? A: Security Regions were defined by VeraCrypt creators to support HOS and improve the concept of the volume encrypted header with keys. SR can contain configuration data (e.g. GPT). The structure of SR is: sector 1 - header wit keys (pwd encrypted) sector 2 - table of extra data (header key encrypted) sectors with GPT (header key encrypted) sectors with execute parameters (header key encrypted)
Q: Is it necessary to store SR at the beginning of the disk / USB stick? A: SR can be saved to any block device (disk or partition).
Q: Is there any tool for Windows to read/write directly to the disk bypassing filesystem? (e.g. to sector 62) A: You can use dd tool for Windows: link Please read manuals carefully, It’s fairly easy to destroy your data with dd.
Q: Does “Remove VeraCrypt loader from boot menu” option from rescue USB remove VC bootloader files from ESP? A: No. It only removes loader from menu.
Q: Does “-ps” flag from DcsCfg save entire GPT table from selected disk? A: No. It saves partitions only. You can not use it to backup entire GPT. (e.g. you will not be able to restore GPT on disk from file created by -ps after cleaning the disk)
Q: Any examples on how to use dd? A: Download dd.exe and place it into C:\ from elevated command prompt execute dd --list This will return you a list of Win32 volumes and available block devices (Fig. 1) It is important to run dd from elevated command prompt, eiser you won't see block devices. “Partition0” is always the entire disk.
To dump sector 61 to file s61.img on C:\temp execute dd if=\\?\Device\Harddisk0\Partition0 of=C:\temp\s61.img skip=61 count=1 bs=512 To write from file s62.img to disk use dd if=\\?\Device\Harddisk0\Partition0 of=C:\temp\s62.img seek=62 count=1 bs=512
Figure 1.
Q: Does the existence of authorisation USB (with SR) prove the existence of hidden OS in the system? A: TBD
Q: What is “svh_bak” file on rescue USB? A: It’s an exact copy of sector 62 from your system disk.
Q: Is it safe to carry rescue USB together with my encrypted PC? A: TBD Notes and Hints
Rescue USB improvement The USB can contain several tools: 1. DCS RE (rescue menu) 2. EFI Shell to boot from the USB and use DcsCfg tool. 3. Windows PE (preinstall environment) You will be able to test and mount HOS (apply gpt_enc, start veracrypt portable to mount, use FAR or any other tools to work with encrypted volumes) Windows PE can be generated via Windows ADK.
HEX and Dumps viewing/comparing/analysis To view and compare dumps from disk one may use Hex Editor Neo software which also has some statistical analysis features. It’s inexpensive and has a free version
Authorization USB formating To be able to use authorization USB also as a normal USB flash drive one can go two ways: 1. Create small partition at the end of the drive and store SR’s in it 2. Create main partition with offset and store SR’s at the beginning of the drive
In Windows explorer USB drive with offset before main partition will look like it contains some data even if it’s empty, which may be suspicious:
Windows does not allow to create more than one partition on removable USB flash drives (removable bit is typically always set in USB flash drives) so you will need additional software like BOOTICE or minitool partition wizard for the 1st scenario. Windows will not mount second partition so SR’s will be safe. Well maybe not in W indows 10 Insider Preview build 14965, which is told to be able to mount several partitions from removable disk. But with BOOTICE one may H ide partition with keys so it definitely won’t be automounted. In both scenarios primary partition may be formatted in any way and used as usual.