Disk Encryption program DiskCryptor fork with UEFI and Windows 10 support
A fork of the disk encryption program DiskCryptor for the Windows operating system is now available as a first beta version. The fork introduces support for UEFI/GPT and Microsoft's Windows 10 operating system.
I used DiskCryptor for quite some time back when the original version was still supported. You can check out my initial guide on encrypting partitions with DiskCryptor, and the tips article on getting the most out of it.
Development ended in 2014 and while the program did work fine for a while afterwards, it soon became apparent that this resulted in some features not being supported at all. The last version of DiskCryptor was released before the initial release of Windows 10, and that version did not support UEFI either.
Now comes the fork of the project and with it support for Windows 10 and UEFI. The first beta version of DiskCryptor 1.2 is now available on the developers GitHub page. Since it is a beta version, it is advised to create backups of important data before using the application. At best, it is advised to use it on test systems only until a stable version is released.
Here is the first new build of DiskCryptor since 2014 its a fork of the project and starting with version 1.2 It comes with a UEFI compatible boot-loader and various fixes to make it work with EFI installations on GPT disks.
Another issue that you will run into is that the current bootloader is not signed for secure boot which means that secure boot needs to be disabled to use it. Additionally, since the driver needed updating, it had to be signed and the developer had to useÂ a"leaked core signing certificate for that". The effect is that some antivirus services, e.g. from Microsoft, Avast, AVG, and TrendMicro, flag the application as potentially malicious.
I liked DiskCryptor a lot, even more so after the mysterious end of the encryption software TrueCrypt. I had to switch to a different program, VeraCrypt, after I ran into issues using DiskCryptor and the realization that development ended and that these issues would not be fixed.
The fork is in an early stage of development but the lead developer managed to address several issues, support for UEFI/GPT most important already. Some issues, concerning signing and secure boot need to be addressed before the first stable version is released.
Now You: do you encrypt your disks? (via Born)
Here are the changes in the first beta version:
- EFI bootloader
- Shim bootloader to achieve secure boot compatibility (https://habr.com/ru/post/446238/)
- Bootloader instalation routine for GPT partitions
- Integrated EFI bootloader instalation in the CLI
- Disk type display to bootloader instalation dialog
- Integrated EFI bootloader instalation in the GUI
- Project moved to Visual Studio 2017, using win 7 sdk for compatybility
- Error messages now provide an error string instead of a cryptic error code
- Enabled GUI high DPI awareness
- Fixed boot partitions not being properly detected
- Fixed driver uninstall not being able to delete dcrypt.sys
I don’t encrypt my disk (I don’t even have a user account password), but I use Truecrypt (yes, the old Truecrypt) to protect a number of files, including health-related and financial documents. (It’s probably not needed to encrypt them – nobody care for my donations and insurance.)
I have thought about switching to Veracrypt, but it’s not a priority issue. It’s not like the CIA is having a go at random people. Even if you had do deal with law enforcement– my hunch is that if you just use Linux and format a partition with ext4, they will be too dumb to read it. It would be certainly enough to prevent your wife/husband from reading your diary, if that’s an issue.
Encryption software is, however, very important, especially for certain professions like doctors, lawyers and political journalists (the few actual political journalists that deserve that label). Even protecting your personal pictures is a completely reasonable use, despite people seem to think OneDrive and Google Drive are great ways to back them up. (Google “face recognition sexuality” if you think so.)
I’ll just put this here:
Oldie but goodie:
USE VeraCrypt And stop talking about what you “FEEL”.
TrueCrypt 7.2 (first link) isn’t considered safe to use. Check out https://github.com/truecrypt/truecrypt or https://github.com/AuditProject/truecrypt-verified-mirror for TrueCrypt 7.1a instead.
Your hunch is correct, albeit anecdotally with a broken boot. Likewise your use of the good old 7.1a, impenetrable in modern field testing, randomness is very advantageous in this area.
“Itâ€™s not like the CIA is having a go at random people.”
*Exactly*. It’s the *NSA* and *GCHQ* that are having a go at random people. ;-)
Can you do a disk performance benchmark of encrypted vs unencrypted disk?
A good app
Encrypting boot drives with software is a hassle and it’s inelegant and slower.
I would just get a self-encrypting drive and apply the ATA password in BIOS/UEFI. Encryption in hardware is lightning fast and aside from entering the password at boot everything else is transparent so you never have to think about it. If someone were to take out that drive and slave it on another machine, the drive would just acknowledge that it exists but otherwise reject every read and write command until the password is entered, and since it’s self-encrypting you can’t just forcefully scan the platters or nand chips for raw data like you would do when someone forgot the password to a non-self-encrypting drive.
Sure aside from Intel many manufacturers initially botched their self-encryption implementation but that’s now patched through firmware updates. It’s just a shame there are not many easy-to-use programs which expose the ATA functions which have existed on drives for almost as long as hard drives have existed. Most operating systems should just be able to have the user input a HDD password when in the OS environment but alas there are not many ways to do this.
“Encrypting boot drives with software is a hassle and itâ€™s inelegant and slower.”
Maybe consider Upgrading to a CPU that isn’t from 2005 and has AES-NI…
“I would just get a self-encrypting drive and apply the ATA password in BIOS/UEFI.”
Your reading comprehension needs improvement. First sentence of my third paragraph says:
“Sure aside from Intel many manufacturers initially botched their self-encryption implementation but thatâ€™s now patched through firmware updates.”
just use bitlocker.
Bitlocker and Vera, depending on the situation.
Microsoft holds a key to Bitlocker, right? Or, am I mistaken?
The best about Diskcryptor is speed. veraCrypt, due to some legacy I/O (because of containers support) is very slow on new SSD drives. It can be 10x slower! DiskCryptor is only a bit slower than unencrypted.
I can’t believe there are not many people supporting DiskCryptor