boot / mount TrueCrypt / VeraCrypt system drive automatically w/o user intervention?

1

Currently I use Linux to do full disk encryption and have it set up where I can ssh into the box to remotely unlock the machine during boot, as it is a headless server. Since this doesn't seem possible with Windows, I plan on using my existing boot implementation using Linux's LUKS/dmcrypt boot sequence, but then use 'kexec' to chainload a Veracrypt Windows system partition, similar to what is discussed here:

https://superuser.com/questions/451035/does-a-windows-7-system-volume-encryption-tool-exist-that-allows-remote-unlockin/

Since I already have everything locked down using the Linux LUKS/dmcrypt boot sequence, I want to be able to load the Veracrypt Windows system partition without user intervention. Is there any way to achieve this, either by using a blank password somehow, hard coding or piping the password into the Veracrypt bootloader, or using a rescue disk image to accomplish that?

onlinespending

Posted 2016-05-13T17:39:55.033

Reputation: 113

through the use of a keyfile. plus not entirely pointless depending on what your goals are. if you're merely trying to avoid prying eyes from seeing files in the clear if someone were to steal your computer, then this at the very least would discourage that – onlinespending – 2016-05-13T17:59:13.977

yes, it does. you can use an empty passphrase and keyfile, though it appears there is a restriction for system partitions. I may just have to use Bitlocker since it appears I can do an unattended boot with that using a keyfile. Don't be so fixated on the mention of a blank password when that's not the heart of the question, nor was it ever intended to be a solution without the use of a keyfile. – onlinespending – 2016-05-13T18:10:32.037

the idea is that the keyfile would be stored remotely or on a usb drive. and yes, Bitlocker does allow you to do this. They even allow you to only store the key in the TPM – onlinespending – 2016-05-13T18:17:25.180

Answers

0

Unfortunately not. Looked hard into the subject, but there's no way to have the most desirable scenarios working:

- pre-boot authentication via keyfile (of course! who doesn't love feeling safe just by removing a USB drive?)
- have mixed auth for system or non-system drives, while starting them all at boot

Let us know if anything changed in 2019.

user533385

Posted 2016-05-13T17:39:55.033

Reputation: 11

You can do this if you use BitLocker to encrypt the Windows partition and create another partition that mimics a USB drive that will hold the key file, which is one way to boot up an encrypted Windows system. Basically you do a secure boot through Linux, which then copies the Windows Bitlocker keyfile from an encrypted location in the Linux file system to the "USB drive" partition. Then you have Linux reboot directly to Windows which now looks for the keyfile in that "USB drive" (say D: or whatever you used when installing Windows). Once you boot Windows you do a secure erase of the keyfile – onlinespending – 2019-01-10T00:18:46.663
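The Linux side of the staging sequence this comment describes, as an added shell example that is not code from the thread, BitLocker or VeraCrypt. It assumes a UEFI system with efibootmgr, and the key directory, the FAT mount point, the Boot#### entry number and the sample .BEK file are assumptions; the post-boot scrub from Linux is an added safety net, not part of the comment.

```shell
#!/bin/sh
# Added example, not from the thread: the Linux side of the comment's
# procedure. Runs after LUKS has been unlocked over ssh: copy the BitLocker
# startup key (.BEK) from its encrypted home into the FAT partition that
# Windows treats as its "USB drive", then reboot once into Windows.
# Paths, the Boot#### entry and the sample key are assumptions.
set -u

# Stage exactly one .BEK file into the partition root. Refuses to run when
# zero or several keys are present, so a stale key is never staged by
# accident. Prints the staged path on success.
stage_startup_key() {
    src_dir="$1"; dst_dir="$2"
    set -- "$src_dir"/*.BEK
    [ "$#" -eq 1 ] && [ -f "$1" ] || { echo "need exactly one .BEK in $src_dir" >&2; return 1; }
    key="$1"; staged="$dst_dir/$(basename "$key")"
    mkdir -p "$dst_dir" && cp "$key" "$staged" || return 1
    # FAT carries no permission bits; an integrity check is all we can do.
    cmp -s "$key" "$staged" || return 1
    echo "$staged"
}

# Best-effort removal of a staged key: overwrite in place, then unlink.
# One overwrite is not a guaranteed erase on flash/SSD (wear levelling),
# which is why the key should live on this partition for one boot only.
scrub_staged_key() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null || return 1
    rm -f "$f" && [ ! -e "$f" ]
}

# UEFI one-shot: BootNext is consumed by the next boot, so the default
# order (back into the LUKS-unlocked Linux) stays intact. The argument is
# the Boot#### number shown by `efibootmgr -v`.
boot_windows_once() {
    efibootmgr --bootnext "$1" >/dev/null || return 1
    systemctl reboot
}

# Intended sequence on the server (assumed paths and entry number):
#   stage_startup_key /root/bitlocker-keys /mnt/fake-usb && boot_windows_once 0003
# Windows reads the .BEK from that partition at startup and erases it; on
# the next Linux boot, scrub_staged_key can remove any copy left behind.
```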

but this is not for daily use? Keep unlocking and deleting the keyfile. – user533385 – 2019-01-11T12:13:39.530

I bitlocked the Win partition and am using one key on a USB flash drive, and another Data partition is veracrypted and uses another USB flash drive to unlock. However veracrypt startup is very much delayed (long time after logon), causing more troubles; it's such a shame they cannot use a keyfile at boot, passwords are annoying and insecure (you can throw away a USB flash drive but cannot burn your braincells holding the password). Bitlocker, on the other side, is untrustworthy. So not a perfect solution since the Win drive still contains tons of traces. – user533385 – 2019-01-11T12:22:10.770