VeraCrypt - Full Disk Encryption (UEFI, GUID, Multi-boot)?

Just wondering if VeraCrypt can be used for full disk encryption with UEFI, GUID, and multi-booting all at once/same system. I think I heard something a while ago about some type of limitation with secure boot, but I wasn’t sure if that was true or not or that applied for a situation like this.

I’m not familiar with VeraCrypt. From what I read there’s some fuckery you have to do with partitions, but here’s a link to someone that has done it apparently.

Trying to get it working with a triple boot of OS X/macOS, Windows, and Fedora/Ubuntu, but I’m not having luck. In Windows, it keeps saying that it needs at least 32 KB of space at the very beginning of the drive. Even when I have the drive formatted, and 200MB of space set aside temporarily (as EXT4 file system) at the very first partition that I plan to delete later so that the 32 KB can be used there, OS X/macOS won’t format the partition next to it set aside for OS X/macOS.

In OS X/macOS, the options aren’t the same as the ones in Windows, and I can’t seem to get it to work from there either.

After reading it, it appears that it’s not full disk encryption. It just encrypts the Windows partition and assumes you’ve encrypted the Linux partition as well.

Yes, VeraCrypt only encrypts the Windows partition. And it's quite logical that a full disk encryption is actually impossible for OS disks, well I mean it's possible, but then how is your UEFI supposed to start your OS, without being able to get to the bootloader of the OS?

Linux you'll have to encrypt with LUKS for instance. It can encrypt the entire Linux partition pretty much, but

  • You need to create a separate partition for the folder /boot
  • Your boot loader (maybe grub2?) should be on its own partition as well
  • In-place encryption on an existing system is not that easy (VeraCrypt can do that, but on Linux you cannot do it, at least not easily). That's the reason why only my /home folder is encrypted right now, as I did not account for this.

So install Linux first (make sure you do not boot the installer in legacy mode, or you’re not going to make a UEFI installation) => encrypt it while installing and leave place for Windows and probably place for a shared storage as Windows cannot read ext4 => install Windows => encrypt Windows => fix your grub2 entry for Windows => basically done. Is kinda how you should go about this.

Cannot help you with the Mac part at all though, but from the looks of it it does have a simple inbuilt encryption program called FileVault, which appears to encrypt your data in place.

If you need it (cause it was kinda hard to distinguish between outdated and valid grub2-guides/configs). This is the entry I added to load Windows with. Though you cannot load

menuentry 'Windows 10 VeraCrypt (/dev/nvme0n1p2)' --class windows --class os $menuentry_id_option 'osprober-efi-7468-84F2' {
	insmod part_gpt
	insmod fat
	search --no-floppy --fs-uuid --set=root 7468-84F2
	chainloader /EFI/VeraCrypt/DcsBoot.efi
}

All you should have to change is set the UUID to the one of your EFI partition on it and edit the text to your liking. The path to DcsBoot.efi should be the same for you too, but otherwise you can (on my notebook at least) see where it is from the UEFI.

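Added example, not part of the thread or any poster's code: a small shell helper that builds the chainload entry shown above from the EFI partition's UUID and refuses to emit it if the UUID is malformed or `DcsBoot.efi` is not where the entry expects it. The function names, the default title, and the ESP mount point passed as an argument are assumptions; the `$menuentry_id_option` part of the original entry is left out for brevity.

```shell
#!/bin/sh
# Build a GRUB menuentry that chainloads VeraCrypt's EFI loader.
# On a real system the UUID can be read with: findmnt -no UUID /boot/efi
# (the mount point /boot/efi is an assumption; use wherever your ESP is mounted).

# An ESP is FAT, so its UUID is the volume serial in the form XXXX-XXXX (hex).
is_fat_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$'
}

# veracrypt_menuentry UUID ESP_MOUNT [TITLE]
# Prints the entry on stdout.
# Returns 2 for a malformed UUID, 3 if the loader is missing, 4 for a bad title.
veracrypt_menuentry() {
    uuid=$1
    esp=$2
    title=${3:-"Windows (VeraCrypt)"}
    loader=/EFI/VeraCrypt/DcsBoot.efi   # path taken from the entry in the thread

    is_fat_uuid "$uuid" || { echo "not a FAT UUID: $uuid" >&2; return 2; }
    [ -f "$esp$loader" ] || { echo "missing $esp$loader" >&2; return 3; }
    # The title is placed inside single quotes in the config, so reject quotes.
    case $title in
        *\'*) echo "title must not contain a single quote" >&2; return 4 ;;
    esac

    cat <<EOF
menuentry '$title' --class windows --class os {
	insmod part_gpt
	insmod fat
	search --no-floppy --fs-uuid --set=root $uuid
	chainloader $loader
}
EOF
}
```

The output is meant to be appended to `/etc/grub.d/40_custom`, after which the GRUB config is regenerated (`update-grub` on Ubuntu, `grub2-mkconfig` on Fedora).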

Alternatively, what you can also do that's kind of full disk encryption is some SSDs or HDDs have inbuilt encryption that's basically in most cases always on anyways, just the controller saves the password it uses to decrypt until you set one, then it would presumably encrypt the password with your password.
Your system and SSD may or may not support this. My Dell XPS does, but I opted for the software route with open sourced things to encrypt my stuff and know what it's using to do that. Has the downside however that AES encryption only runs at 5.9gbit/s (for me), so gone is any increase you might have gotten with an NVMe SSD over ordinary SATA ones.

Well, that's my understanding from this, I didn't yet try the encryption features of hard drives themselves. So I might be wrong about something here.


You seem like the individual that just wants to hear themselves talk

Wow, that's some savage reply right there…

Idk man I just did do the same thing you wanna do like literally a week ago (minus the Mac part) when I got my (actual) notebook to replace my Chromebook (toy).

So, if you don't want my attempted help, then yeah sure I’m out.

Good luck.