
BITLOCKER!

27 minutes ago, NCIX Lampy said:

I'm not interested in using BitLocker. 

oh wait NVM

 

dunno. why not bitlocker

QUOTE/TAG ME WHEN REPLYING

Spend As Much Time Writing Your Question As You Want Me To Spend Responding To It.

If I'm wrong, please point it out. I'm always learning & I won't bite.

 

Laptop:

Lenovo Yoga 7 Air: Ryzen 7840S, 32GiB DDR5

 

Desktop (Old but I never replaced it):

Delidded Core i7 4770K - GTX 1070 ROG Strix - 16GB DDR3 @2000MHz


1 hour ago, NCIX Lampy said:

Looking for full disk encryption software that supports GPT/GUID and UEFI. I'm not interested in using BitLocker. 

43 minutes ago, RadiatingLight said:

dunno. why not bitlocker

Probably because BitLocker is proprietary and only works with Windows, meaning there's absolutely ZERO way to recover on non-Windows OSes.

 

I'd recommend VeraCrypt, since it's one of the only well-maintained, open-source, cross-platform disk encryption programs around. https://www.veracrypt.fr/

I stress the point about being open-source, since encryption software is absolutely useless if closed-source: you have no way to verify that there's no hidden backdoor put in by the manufacturer, which means it should be assumed decrypted until proven otherwise.

Desktop: KiRaShi-Intel-2022 (i5-12600K, 5060 Ti) Mobile: Moto Razr 50 Ultra (Razr+ 2024) | 30GB CAN+US+MEX $30/month
Laptop: Lenovo Yoga 7i (16") 82UF0015US (i7-12700H, 16GB/2TB RAM/SSD, A370M GPU) Tablet: Lenovo Tab Plus (256GB)
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 Music: Spotify Premium (CIRCA '08)


11 hours ago, kirashi said:

Probably because BitLocker is proprietary and only works with Windows, meaning there's absolutely ZERO way to recover on non-Windows OSes.

 

I'd recommend VeraCrypt, since it's one of the only well-maintained, open-source, cross-platform disk encryption programs around. https://www.veracrypt.fr/

I stress the point about being open-source, since encryption software is absolutely useless if closed-source: you have no way to verify that there's no hidden backdoor put in by the manufacturer, which means it should be assumed decrypted until proven otherwise.

VeraCrypt doesn't support GPT/GUID for full disk encryption yet. I need a solution. 


6 hours ago, NCIX Lampy said:

VeraCrypt doesn't support GPT/GUID for full disk encryption yet. I need a solution. 

You're right, apparently so because of how manufacturers implement Microsoft's Secure Boot on consumer (and most business) hardware. le sigh

https://sourceforge.net/p/veracrypt/discussion/technical/thread/b0fb9daa/?limit=25&page=5#1f8d

 

If Secure Boot were implemented properly, you'd be able to code-sign any EFI file you desire, and then add the keyfile/signatures to your BIOS so it would allow it to show up properly on your motherboard's Secure Boot-enabled UEFI boot menu. This seems to be a problem caused by Microsoft's poorly implemented attempt at protecting the user from malicious EFI bootloader rootkits. Sure, it does apparently* protect the user from bootloader infections, but it also protects them from using whatever software they desire on their machine without adding your own PK key.

 

Good news is that on most systems you can change Secure Boot from Default to Custom mode and install your own keys. Manufacturers and systems that do not allow this modification should be completely boycotted and avoided at all costs, as this amounts to a car dealership welding the hood of your car shut so you can't make repairs. But whether it's supported or not isn't the real issue here - it's the way custom keys are implemented.

 

According to the following article, once you enable custom Secure Boot mode, the PK keys are unprotected and can be modified by elevated software running on the OS. -_- This completely negates the effectiveness of running Secure Boot in non-default mode, since it means that software installed by the user can change the key, allowing the installation of malicious bootloader code. In essence, this means that your OS needs to be signed by Microsoft's private PK keys (never going to happen) in order to boot with the default Secure Boot keys installed at the factory (because all Secure Boot default keys are for the Windows 8/8.1/10 OS), which would keep your BIOS from being infected as easily.

 

The correct way to implement Secure Boot would have been to ONLY allow changes from within the BIOS itself. Period. No matter if it's running in Default or Custom mode. This way, users like us could still install our own PK keys without the fear that software in the OS could modify them, and thus be able to run our own signed bootloaders, such as VeraCrypt DCS or Grub2 properly in UEFI mode. another le sigh And this is why I don't want to support Microsoft's Corporate mentality, despite being tied to the platform for various work and personal reasons.

 

TL;DR: VeraCrypt's DCS bootloader won't work on GPT boot volumes because Microsoft's implementation of UEFI Secure Boot is one-sided.

 

For your sake though @NCIX Lampy, I really hope they do find a workaround, because we need more open-source projects moving forward.

 

*I say apparently because without the complete source code for Microsoft's UEFI Secure Boot and the Windows Bootloader, we have no way of verifying the integrity of what they claim as secure.

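The custom-mode key enrolment discussed above works through three UEFI variables (PK, KEK, db) whose payloads are EFI_SIGNATURE_LIST structures, and whether the firmware will take an unauthenticated write to them is what the SetupMode variable reports: SetupMode=1 means no Platform Key is enrolled and the key stores are open; once a PK is present, writes to PK/KEK/db have to carry an EFI_VARIABLE_AUTHENTICATION_2 descriptor signed by the current PK (or KEK for db). Below is an added example written for this thread, not code from VeraCrypt, the Linux kernel or any firmware vendor. It parses the SecureBoot/SetupMode variables in the form Linux exposes them under /sys/firmware/efi/efivars (falling back to constructed sample blobs when that directory is absent), and builds and parses an X.509-type EFI_SIGNATURE_LIST of the kind you would enrol as your own PK. The structure layouts and GUIDs are from the UEFI spec; the certificate bytes and owner GUID are constructed placeholders, not a real certificate.

```python
"""Added example for this thread (not code from VeraCrypt, Linux or any firmware
vendor): inspect the Secure Boot state the firmware exposes to the OS, and build
and parse the EFI_SIGNATURE_LIST structure that PK/KEK/db entries are made of.
Layouts follow the UEFI spec; the certificate bytes and owner GUID below are
constructed placeholders, not a real certificate."""
import os
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARFS = "/sys/firmware/efi/efivars"          # Linux efivarfs mount point

# Constructed sample data (assumption: any DER-looking blob stands in for a cert).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")   # placeholder GUID
SAMPLE_CERT_DER = b"\x30\x82\x00\x10" + b"\xaa" * 16   # placeholder, not a real X.509 cert
SAMPLE_SB_ON = b"\x06\x00\x00\x00\x01"     # attrs=BS|RT, SecureBoot=1
SAMPLE_SB_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SM_USER = b"\x06\x00\x00\x00\x00"   # SetupMode=0: a PK is enrolled
SAMPLE_SM_SETUP = b"\x06\x00\x00\x00\x01"  # SetupMode=1: no PK, key stores writable

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_efivar(blob):
    """efivarfs files start with a 4-byte attribute mask, then the variable data."""
    if len(blob) < 4:
        raise ValueError("efivar image shorter than its 4-byte attribute header")
    attrs, = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def secure_boot_state(secureboot_blob, setupmode_blob):
    """Classify firmware state as 'enforcing', 'disabled' or 'setup-mode'.

    SetupMode=1 means no Platform Key is enrolled: the firmware then accepts
    unauthenticated writes to PK, KEK and db, which is the window in which a
    custom PK gets installed (and in which anything with efivar write access
    could install one). Once a PK is present, writes must be signed by it."""
    _, sb = parse_efivar(secureboot_blob)
    _, sm = parse_efivar(setupmode_blob)
    if sm and sm[0] == 1:
        return "setup-mode"
    return "enforcing" if sb and sb[0] == 1 else "disabled"


def build_x509_siglist(cert_der, owner):
    """One EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID holding a single cert."""
    sig_size = 16 + len(cert_der)            # EFI_SIGNATURE_DATA: owner GUID + data
    list_size = SIGLIST_HDR.size + sig_size  # X.509 lists carry no SignatureHeader
    hdr = SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


def parse_siglists(data):
    """Walk a PK/KEK/db payload; return [(type_guid, owner_guid, signature_bytes)]."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize inconsistent with payload length")
        body = data[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            out.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return out


def siglist_is_well_formed(data):
    """True if parse_siglists accepts the payload, False on any structural error."""
    try:
        parse_siglists(data)
        return True
    except ValueError:
        return False


def read_efivar(name):
    """Read a global-namespace UEFI variable from efivarfs, or None if unavailable."""
    path = os.path.join(EFIVARFS, "%s-%s" % (name, EFI_GLOBAL_VARIABLE_GUID))
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    sb = read_efivar("SecureBoot") or SAMPLE_SB_ON
    sm = read_efivar("SetupMode") or SAMPLE_SM_USER
    print("firmware state:", secure_boot_state(sb, sm))
    pk = read_efivar("PK")
    payload = parse_efivar(pk)[1] if pk else build_x509_siglist(SAMPLE_CERT_DER, SAMPLE_OWNER)
    for sig_type, owner, sig in parse_siglists(payload):
        print("type=%s owner=%s %d-byte signature" % (sig_type, owner, len(sig)))
```

Run it as root on a UEFI Linux machine and it reports the live SetupMode/SecureBoot state and walks the real PK; anywhere else it exercises the constructed blobs. The state check is the one to run before trusting a "custom mode" setup: if it prints setup-mode, the key stores are still open to any unauthenticated write.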
