Veracrypt Hidden OS on EFI/GPT Syestem (V1.0)
Total Page:16
File Type:pdf, Size:1020Kb
VeraCrypt Hidden OS on EFI/GPT syestem (v1.0) By Felis in addition to DJ Bonez manual, special thanks to kavsrf on sourceforge.net 1. Create 4 sequential partitions a. Outer_Start (outer volume to be mounted as ordinary volume, FS: any) b. H_ESP (EFI system partition for hidden OS, FS: FAT32) c. H_OS (partition for hidden OS, FS: NTFS) d. Out_End (outer volume to be mounted as hidden volume, FS: any) 2. Convert ESP type to recovery volume in decoy OS 3. Convert H_ESP type to make it ESP 4. Install hidden OS and VeraCrypt in H_OS 5. Start system encryption At this step you will create Rescue USB, dont forget to copy shellx64.efi to the USB (See Q&A section for details). System will reboot to test preboot authentication before encrypting. At this moment proceed to next step 6. Boot from rescue USB with EFI shell 7. Modify encryption range to include outer volumes EFI\VeraCrypt\DcsCfg.dcs -oshideprep -rnd 2 A list of partitions will be displayed (order is same as in Windows Disk Management) a. Start outer: number of Outer_Start b. End outer: number of Outer_End c. Wipe data? Yes for wiping outer volumes with random data d. Init outer headers? Yes e. Password? Fake_Password1 for mounting outer (outer start) as ordinary encrypted volume f. Select algorithm for encryption and hash of outer volumes (e.g. AES, XTS, SHA-512) g. Save outer? Yes h. Password? Fake_Password2 for mounting outer (outer end) as hidden volume i. Save outer? Yes j. Update main encryption header? Yes (use password for H_OS here) k. Encrypted GPT file name: gpt_enc l. Create one hidden volume? Yes m. Hidden GPT file name: gpt_hos 8. List disks and select number of authorization USB/partition EFI\VeraCrypt\DcsCfg.dcs -dl 9. Wipe security regions container of <N> possible security regions on authorization USB/partition <usbN> EFI\VeraCrypt\DcsCfg.dcs -srw <N> -ds <usbN> -rnd 2 10. Mark USB <usbN> as security regions container for <N> possible security regions EFI\VeraCrypt\DcsCfg.dcs -srm <N> -ds <usbN> 11. Encrypt GPT with hidden OS password before adding to security region (use -rnd to generate salt) EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -aa -pe -ps -rnd 2 12. Add GPT to security region <N> on authorization USB <usbN> EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -sra <N> -ds <usbN> 13. Boot H_OS and finish system encryption After system encryption windows will fail to boot again and will ask for repairing options if you will try to reboot, it’s ok! Just proceed to next step. 14. Boot from rescue USB with EFI shell 15. Update GPT table to hide H_OS and H_ESP on disk driveN. It may be a good Idea to make a GPT backup before this step. EFI\VeraCrypt\DcsCfg.dcs -pf gpt_hos -ds <driveN> -pa 16. If VeraCrypt boot loader is missing from boot menu, boot from rescue USB and “Restore VeraCrypt loader to boot menu” 17. If failing to boot into decoy OS, boot from decoy OS rescue USB and “Restore OS header keys” to disk 18. Convert ESP of decoy OS from recovery type to EFI 19. To be able to boot into decoy OS when authorization USB is installed boot from rescue USB with EFI shell. If you don't need this option skip steps 20-24, then you will only be able to boot to hidden os when authorization USB is installed. Before next steps make sure you can boot into decoy OS. If not - try “Restore OS header keys” to disk 20. Save GPT from system disk <N> to file “gpt_decoy” EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -ds <N> -ps 21. Remove GPT info from gpt_decoy EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy - pz -ps 22. Encrypt gpt_decoy with decoy OS password (use -rnd to generate salt) EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -aa -pe -ps -rnd 2 23. Add gpt_decoy to security region <N> on authorization USB/partition <M> (Use different SR number than it was for hidden OS) EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -sra <N> -ds <M> 24. Edit DcsProp config keys in VeraCrypt loader on ESP SecRegionSearch=1 to search for authorization USB/partition marked with keys DcsBootForce=1 to boot even if authorization USB/partition was not found 25. Restart and test encryption by different ways a. No authorization USB + password of decoy OS → boot decoy OS b. No authorization USB + password of hidden OS → authorization error c. Authorization USB + password of decoy OS → boot decoy OS d. Authorization USB + password of hidden OS → boot hidden OS 26. From decoy OS launch VeraCrypt and mount outer volume using Fake_Password1 (from step 7.e) to letter <L> 27. Quick format mounted volume with exFAT (Don’t format outer partition on disk! Also be sure to use quick format not to damage the hidden data. Formatting with NTFS will damage hidden data).From elevated command prompt execute Format <L>: /FS:exFAT /Q 28. Place some decoy files to <L>. (Don’t place more files than outer_start size, to avoid overwriting H_ESP and H_OS data!) 29. Dismount outer volume. 30. Mount outer volume using Fake_Password2 (from step 7.h) to letter <L> 31. Format using any FS, place decoy files and dismount. Q&A section Unsorted answers for some questions that may occur while installing and playing around with VeraCrypt. Just to save you some time and curiosity. Q: How to convert ESP type to protect it? A: You can use diskpart to change partition type. Launch diskpart on decoy OS or on WinPE and select required disk and partition: diskpart list disk select disk <N> list partition select partition <M> to change partition type to “recovery” use: set id="DE94BBA4-06D1-4D40-A16A-BFD50179D6AC" to change partition type to “ESP” use: set id="C12A7328-F81F-11D2-BA4B-00A0C93EC93B" to know more about partition types in GUID read: https://en.wikipedia.org/wiki/GUID_Partition_Table Q: How to edit config keys in VeraCrypt loader? A: There are two possible ways. Via VeraCrypt application itself. Go to Settings->System encryption->Edit boot loader configuration. Via mounting ESP partition and editing DcsProp. In command prompt execute: diskpart list disk select disk <N> list partition select partition <M> assign letter=<L> exit This will mount ESP with letter <L>. But usually explorer.exe will not have permission to edit this partition so you will have to restart it with administrative privileges: from elevated (run as admin) command prompt run: taskkill /im explorer.exe /f explorer.exe Now just open explorer and go to <L>:/EFI/VeraCrypt and open DcsProp Q: How to get list of logical disks in command prompt? A: w mic logicaldisk get name Q: Why should I create more than one security region on authorization USB / partition? A: Number of SR initialized hides real number of OS installed. Also you can save header of decoy OS to SR, or create several hidden OS’s Q: Is there more information about DcsProp and it’s flags? A: Yes. There is a D csProp.example file which describes all possible flags. You can download it from here: link Q: What is EFI shell and how to boot to it? A: You can get it from here: link for x64 Download the file, rename it to shellx64.efi and place it to rescue USB root. Don't forget that rescue USB must be formatted with FAT32. Q: What else can I do in EFI shell? A: Read this: link Q: I want to know more about EFI A: Here is a good longreed about EFI: link Q: What can I do with DcsCfg.dcs? A: Here goes a manual on DcsCfg and it’s switches: link Q: What is fs<N> in EFI shell? A: FAT32 formatted block devices, or/and CD-ROM, Floppy disk etc. Q: What is a Security Region (SR), is there any documentation on it? A: Security Regions were defined by VeraCrypt creators to support HOS and improve the concept of the volume encrypted header with keys. SR can contain configuration data (e.g. GPT). The structure of SR is: sector 1 - header wit keys (pwd encrypted) sector 2 - table of extra data (header key encrypted) sectors with GPT (header key encrypted) sectors with execute parameters (header key encrypted) Q: Is it necessary to store SR at the beginning of the disk / USB stick? A: SR can be saved to any block device (disk or partition). Q: Is there any tool for Windows to read/write directly to the disk bypassing filesystem? (e.g. to sector 62) A: You can use dd tool for Windows: link Please read manuals carefully, It’s fairly easy to destroy your data with dd. Q: Does “Remove VeraCrypt loader from boot menu” option from rescue USB remove VC bootloader files from ESP? A: No. It only removes loader from menu. Q: Does “-ps” flag from DcsCfg save entire GPT table from selected disk? A: No. It saves partitions only. You can not use it to backup entire GPT. (e.g. you will not be able to restore GPT on disk from file created by -ps after cleaning the disk) Q: Any examples on how to use dd? A: Download dd.exe and place it into C:\ from elevated command prompt execute dd --list This will return you a list of Win32 volumes and available block devices (Fig. 1) It is important to run dd from elevated command prompt, eiser you won't see block devices. “Partition0” is always the entire disk. To dump sector 61 to file s61.img on C:\temp execute dd if=\\?\Device\Harddisk0\Partition0 of=C:\temp\s61.img skip=61 count=1 bs=512 To write from file s62.img to disk use dd if=\\?\Device\Harddisk0\Partition0 of=C:\temp\s62.img seek=62 count=1 bs=512 Figure 1.