
Possibility to Completely Disable All Pre-boot Messages in EFI Mode

Open gashtal opened this issue 2 years ago • 0 comments

Back in the day, VeraCrypt had the functionality to completely replace the boot screen messages with a single message, to throw off unsuspecting adversaries when system encryption was used. Currently, even after modifying the boot loader configuration file when system encryption is used in EFI mode, it is still not possible to achieve the same behavior. So far, I have not been able to disable the "stars" that are printed in place of the PIM value, nor the "success" message that is printed, and the code that comes after it, when the password is correct. Below is my current config file:

<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
	<configuration>
		<config key="PasswordType">0</config>
		<config key="PasswordMsg">message</config>
		<config key="PasswordPicture">login.bmp</config>
		<config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
Hash: </config>
		<config key="Hash">1</config>
		<config key="HashRqt">0</config>
		<config key="PimMsg"></config>
		<config key="Pim">0</config>
		<config key="PimRqt">1</config>
		<config key="AuthorizeProgress">0</config>
		<config key="AuthorizeVisible">0</config>
		<config key="AuthorizeRetry">10</config>
		<config key="DcsBmlLockFlags">0</config>
		<config key="DcsBmlDriver">0</config>
		<config key="ActionSuccess"></config>
		<config key="AuthStartMsg"></config>
		<config key="AuthErrorMsg"></config>
	</configuration>
</VeraCrypt>

Desired behavior

To throw off adversaries who could easily figure out from the boot screen that the machine is encrypted with VeraCrypt, it should be possible to limit the boot menu message to just one custom message, regardless of whether a custom PIM is enabled or not, or whether the correct password is entered or not.

Without custom PIM enabled, the message will be printed on the screen, then the user will enter the password and press enter. If the password is correct, no other messages are printed and the machine will boot. If the password is incorrect, the same message as above is printed and Veracrypt bootloader will wait for the password again.

With custom PIM enabled, the message will be printed on the screen, then the user will enter the password and press enter. Then the same message will be printed again, the user will now enter the custom PIM and press enter. Once again, if the password and PIM are correct, no other messages are printed and the machine will boot. If the password or PIM is incorrect, the same message as above is printed again and Veracrypt bootloader will wait for the password again.

Your Environment

Please tell us more about your environment

VeraCrypt version: 1.25.9

Operating system and version: Windows 10 21H1

System type: 64-bit

gashtal, Jul 18 '22 02:07
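The following is an added example for auditing a DcsProp file for prompt text of the kind discussed in the issue; it is not part of the issue and not VeraCrypt code. It assumes the XML layout of the posted config, treats the keys whose names end in "Msg" as text the loader prints, and uses its own (assumed) word list to decide what counts as identifying. It also checks for a PIM prompt that differs from the password prompt when `PimRqt` is 1, since the issue asks for the same message at both stages. It can only report what the file sets; whatever the loader prints beyond that is exactly what the issue is about.

```python
"""Audit a VeraCrypt EFI boot-loader configuration (DcsProp) for
boot-screen text that gives away the encryption product.

Added example, not VeraCrypt code. Assumptions: the
<VeraCrypt><configuration><config key=".."> layout of the posted file,
that keys ending in "Msg" hold printed text, and the word list below.
"""
import xml.etree.ElementTree as ET

# Keys ending in "Msg" in the posted file: text the boot loader prints.
MESSAGE_KEYS = ("PasswordMsg", "HashMsg", "PimMsg", "AuthStartMsg", "AuthErrorMsg")

# Assumption: any of these on screen tells an observer what is running.
IDENTIFYING_WORDS = ("veracrypt", "sha512", "whirlpool", "sha256",
                     "ripemd160", "streebog", "hash", "pim", "password")


def parse_dcsprop(xml_text):
    """Return {key: value} from a DcsProp document (values whitespace-stripped)."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "VeraCrypt":
        raise ValueError("not a DcsProp document, root is <%s>" % root.tag)
    props = {}
    for cfg in root.iter("config"):
        key = cfg.get("key")
        if not key:
            raise ValueError("<config> element without a key attribute")
        props[key] = (cfg.text or "").strip()
    return props


def render_dcsprop(props):
    """Serialise {key: value} back into the DcsProp layout."""
    root = ET.Element("VeraCrypt")
    conf = ET.SubElement(root, "configuration")
    for key, value in props.items():
        ET.SubElement(conf, "config", key=key).text = value
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def audit_dcsprop(props):
    """Return [(key, reason)] for settings that leak information on screen."""
    findings = []
    for key in MESSAGE_KEYS:
        low = props.get(key, "").lower()
        hits = [w for w in IDENTIFYING_WORDS if w in low]
        if hits:
            findings.append((key, "mentions " + ", ".join(hits)))
    # With PimRqt=1 the loader asks for the PIM after the password; a PIM
    # prompt that differs from the password prompt shows an observer that
    # two secrets are being collected.
    if props.get("PimRqt") == "1" and props.get("PimMsg") != props.get("PasswordMsg"):
        findings.append(("PimMsg", "differs from PasswordMsg while PimRqt=1"))
    return findings


# Constructed sample input: the config from the post above.
POSTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
  <configuration>
    <config key="PasswordType">0</config>
    <config key="PasswordMsg">message</config>
    <config key="PasswordPicture">login.bmp</config>
    <config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
Hash: </config>
    <config key="Hash">1</config>
    <config key="HashRqt">0</config>
    <config key="PimMsg"></config>
    <config key="Pim">0</config>
    <config key="PimRqt">1</config>
    <config key="AuthorizeProgress">0</config>
    <config key="AuthorizeVisible">0</config>
    <config key="AuthorizeRetry">10</config>
    <config key="DcsBmlLockFlags">0</config>
    <config key="DcsBmlDriver">0</config>
    <config key="ActionSuccess"></config>
    <config key="AuthStartMsg"></config>
    <config key="AuthErrorMsg"></config>
  </configuration>
</VeraCrypt>
"""


def neutral_variant(xml_text, prompt="Loading ..."):
    """Set every message key to the same neutral prompt and re-render the file."""
    props = parse_dcsprop(xml_text)
    for key in MESSAGE_KEYS:
        props[key] = prompt
    return render_dcsprop(props)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG),
                       ("neutral", neutral_variant(POSTED_CONFIG))):
        print(name, audit_dcsprop(parse_dcsprop(text)) or "no findings")
```

Run against the posted file it flags `HashMsg` (algorithm names and the word "Hash") and the empty `PimMsg` that differs from `PasswordMsg` while `PimRqt` is 1; the re-rendered variant with one neutral prompt everywhere comes back clean. Whether the loader then still prints the PIM asterisks or the success text is not something the file can tell you.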