boot / mount TrueCrypt / VeraCrypt system drive automatically w/o user intervention?
Currently I use Linux to do full disk encryption and have it set up so that I can ssh into the box to remotely unlock the machine during boot, as it is a headless server. Since this doesn't seem possible with Windows, I plan on using my existing boot implementation using Linux's LUKS/dm-crypt boot sequence, but then use 'kexec' to chainload a Veracrypt Windows system partition, similar to what is discussed here:
https://superuser.com/questions/451035/does-a-windows-7-system-volume-encryption-tool-exist-that-allows-remote-unlockin/
Since I already have everything locked down using the Linux LUKS/dm-crypt boot sequence, I want to be able to load the Veracrypt Windows system partition without user intervention. Is there any way to achieve this, either by using a blank password somehow, hard-coding or piping the password into the Veracrypt bootloader, or using a rescue disk image to accomplish that?
windows encryption truecrypt luks veracrypt
edited Mar 20 '17 at 10:17 by Community♦
asked May 13 '16 at 17:39 by onlinespending
Through the use of a keyfile. Plus, not entirely pointless depending on what your goals are. If you're merely trying to avoid prying eyes from seeing files in the clear if someone were to steal your computer, then this at the very least would discourage that.
– onlinespending
May 13 '16 at 17:59
Yes, it does. You can use an empty passphrase and keyfile, though it appears there is a restriction for system partitions. I may just have to use Bitlocker since it appears I can do an unattended boot with the use of a keyfile. Don't be so fixated on the mention of a blank password when that's not the heart of the question, nor was it ever intended to be a solution without the use of a keyfile.
– onlinespending
May 13 '16 at 18:10
The idea is that the keyfile would be stored remotely or on a USB drive. And yes, Bitlocker does allow you to do this. They even allow you to only store the key in the TPM.
– onlinespending
May 13 '16 at 18:17
1 Answer
Unfortunately not. I looked hard into the subject, but there's no way to have the most desirable scenarios working:
- pre-boot authentication via keyfile (of course! who doesn't love feeling safe just by removing a USB drive?)
- mixed auth for system or non-system drives, while starting them all at boot
Let us know if anything changed in 2019.
answered Jan 6 at 0:30 by user533385
You can do this if you use BitLocker to encrypt the Windows partition and create another partition that mimics a USB drive that will hold the key file, which is one way to boot up an encrypted Windows system. Basically you do a secure boot through Linux, which then copies the Windows Bitlocker keyfile from an encrypted location in the Linux file system to the "USB drive" partition. Then you have Linux reboot directly to Windows, which now looks for the keyfile in that "USB drive" (say D: or whatever you used when installing Windows). Once you boot Windows you do a secure erase of the keyfile.
– onlinespending
Jan 10 at 0:18
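The hand-off described in the comment above, written out as a Linux-side script. This is an added example, not code from the thread or from any of its participants: it assumes a UEFI machine with efibootmgr, a BitLocker startup key (.BEK) kept under a directory on the already-unlocked LUKS root, a small FAT partition labelled BLKEY that Windows will see as the "USB drive", and an EFI entry named "Windows Boot Manager". All of those paths and labels are assumptions. Besides staging the key, the script scrubs any key left on the staging partition from the previous cycle before doing anything else, so a failed erase on the Windows side does not leave a plaintext key lying around indefinitely.

```shell
#!/bin/sh
# Added example (not from the thread): stage a BitLocker startup key from an
# encrypted Linux store onto a FAT "USB drive" partition, arm a one-shot UEFI
# boot into Windows, and reboot. Paths, labels and efibootmgr use are assumed.
set -eu

KEY_STORE="${KEY_STORE:-/root/bitlocker-keys}"    # assumed: directory on the LUKS root
KEY_PART="${KEY_PART:-/dev/disk/by-label/BLKEY}"  # assumed: small FAT32 staging partition
KEY_MNT="${KEY_MNT:-/mnt/bitlocker-key}"
WIN_ENTRY="${WIN_ENTRY:-Windows Boot Manager}"    # label as printed by efibootmgr

# Copy one .BEK file onto the staging partition. Refuse to overwrite an existing
# file and verify the copy byte-for-byte before Windows gets control.
# Prints the destination path on success.
stage_startup_key() {
    src="$1"; dst_dir="$2"
    [ -f "$src" ] || { echo "missing key file: $src" >&2; return 1; }
    dst="$dst_dir/$(basename "$src")"
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    cp "$src" "$dst"
    cmp -s "$src" "$dst" || { rm -f "$dst"; echo "copy verification failed" >&2; return 1; }
    echo "$dst"
}

# Overwrite in place, flush, then unlink. On flash media and FAT this is best
# effort only (wear levelling may retain old copies), so rotate the key as well.
scrub_startup_key() {
    f="$1"
    [ -f "$f" ] || return 0
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt 0 ]; then
        dd if=/dev/urandom of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
    fi
    sync
    rm -f "$f"
}

# Remove every .BEK left on the staging partition (e.g. Windows never erased it).
scrub_all_keys() {
    dir="$1"
    for f in "$dir"/*.BEK; do
        if [ -e "$f" ]; then scrub_startup_key "$f"; fi
    done
    return 0
}

# Find the EFI boot number of the Windows entry and arm it for the next boot only,
# so a failed Windows boot falls back to the normal (Linux) boot order.
boot_windows_once() {
    num=$(efibootmgr | awk -v label="$WIN_ENTRY" \
        'index($0, label) { sub(/^Boot/, "", $1); sub(/\*$/, "", $1); print $1; exit }')
    [ -n "$num" ] || { echo "no EFI entry named '$WIN_ENTRY'" >&2; return 1; }
    efibootmgr --bootnext "$num" >/dev/null
    reboot
}

main() {
    mkdir -p "$KEY_MNT"
    mount "$KEY_PART" "$KEY_MNT"
    scrub_all_keys "$KEY_MNT"          # clean up leftovers from the last cycle first
    for key in "$KEY_STORE"/*.BEK; do
        stage_startup_key "$key" "$KEY_MNT"
    done
    sync
    umount "$KEY_MNT"
    boot_windows_once
}

# The side-effecting part is gated so the file can be sourced for its functions.
if [ "${STAGE_AND_REBOOT:-0}" = "1" ]; then
    main
fi
```

Run it as root with `STAGE_AND_REBOOT=1 sh stage-bitlocker-key.sh` after the LUKS root has been unlocked over ssh. Between the reboot and the erase on the Windows side the key sits in plaintext on an unencrypted partition, which is the weak point of this design; the scrub on the next Linux boot narrows that window but does not close it, and a TPM-bound protector (mentioned in the comments on the question) avoids staging a key on disk at all.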
But this is not for daily use? Keep unlocking and deleting the keyfile.
– user533385
Jan 11 at 12:13
I BitLockered the Win partition using one key on a USB flash drive, and another data partition is VeraCrypted and uses another USB flash drive to unlock. However, VeraCrypt startup is very much delayed (a long time after logon), causing more trouble. It's such a shame they cannot use a keyfile at boot; passwords are annoying and insecure (you can throw away a USB flash drive but cannot burn the brain cells holding the password). Bitlocker, on the other hand, is untrustworthy. So not a perfect solution, since the Win drive still contains tons of traces.
– user533385
Jan 11 at 12:22