VeraCrypt 1.2x, Windows 10 x64 v1809

If you want to work with Full Disk Encryption (FDE) plus pre-boot authentication and you don't want to use Windows BitLocker for some reason, you will most likely end up with VeraCrypt. Being an open-source tool based on the original TrueCrypt, it has been significantly improved over its predecessor and is widespread in the community.

However, there are some problems with the way VeraCrypt interacts with UEFI and with Windows 10's update mechanism and bootloader handling.

Problems with VeraCrypt and Windows 10 bootloader

What you experience is that the UEFI boot entry for VeraCrypt is gone. The following applies if you encrypted your whole system drive / partition using VeraCrypt. After an update of your mainboard BIOS, or after major Windows 10 updates, you may end up in a boot loop or bluescreen, where Windows 10 tries to "repair" your Windows 10 installation over and over without succeeding. The error message is:

Automatic Repair couldn’t repair your PC
Press “Advanced options” to try other options to repair your PC or “Shut down” to turn off your PC

Root cause: UEFI + Windows 10

To enable VeraCrypt to pre-boot-authenticate your encrypted drive, it has to install an additional UEFI bootloader entry named "VeraCrypt BootLoader (DcsBoot)". Windows, however, is able to modify UEFI bootloader entries, and this can happen during major Windows updates or when updating your mainboard's BIOS. Once that happens, Windows is set as the primary boot option and tries to boot itself instead of VeraCrypt – from an encrypted drive/partition which it can't read, resulting in a repair attempt by Windows 10. Entering the BIOS reveals that there is no bootloader entry for VeraCrypt anymore, because it has been removed by the Windows 10 update or the UEFI BIOS update.

Solutions

I found a good wrap-up and description by Uli König in German, which is the source for what I am explaining here. [Update 3/9/2019: Uli's blog has become unavailable]. As there are several approaches, I will briefly explain them. The good news is: there is a good chance that you can get your rig back to work without too much effort!

The situation is that you can't boot into Windows 10 anymore, because it overwrote the UEFI boot entry, while the bootloader file itself is still physically in place. In order to change the bootloader you would have to boot into Windows 10, which you can't do – welcome to the boot loop. Here are the ways out of it.

Fix 1: Permanently decrypt the system drive using the VeraCrypt rescue disc

When you encrypted your system partition / drive, VeraCrypt repeatedly advised you to create a rescue disc file, which contains the bootloader and the partition header with the public key for decryption. Hopefully you did that.

  • You can easily create a bootable USB stick from that rescue-disc file with e.g. Rufus,
  • then connect the bootable USB stick to one of the rear USB ports of your computer (if it is a desktop),
  • then press F8 or F12 during BIOS POST to change the boot device to that USB stick.

After that, VeraCrypt will offer you an option to permanently decrypt the system drive. Once that is done, your Windows will just come back as it used to, after rolling back some of the update changes which caused all this mess. You can then continue updating your Windows 10 installation as intended, and after doing that, you can encrypt your system partition / drive once again.

Fix 2: Boot into WindowsPE / a rescue environment and edit the bootloader from the command line

If you have access to a bootable USB stick with a rescue environment on it (e.g. Windows PE), then you can use that USB stick to boot into that rescue system and use the command line to manually edit the boot entries. (Note: it MUST be WinPE-based in order to use bcdedit.exe, which is a Windows-exclusive tool.)

  • Create a Windows PE rescue disc (there are many options out there, just Google for it; it will cost some time, but it is rewarding in case a Win10 install goes bust),
  • then connect the bootable USB stick to one of the rear USB ports of your computer (if it is a desktop),
  • then press F8 or F12 during BIOS POST to change the boot device to that USB stick.

Once you are there, go to the command line (cmd.exe) and type from there:

bcdedit /set {bootmgr} path \EFI\VERACRYPT\DCSBOOT.EFI

After doing so you can just reboot the PC and it will present you with VeraCrypt's standard password dialogue. Win10 will boot up straight away after undoing some of the changes from the update attempt.
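The bcdedit one-liner above is the whole fix, but in practice you want to confirm that the DcsBoot loader file is really still on the EFI System Partition, see what {bootmgr} currently points at, and keep a backup of the BCD store so the change can be reverted. The following PowerShell script is an added example that is not part of the original post or of VeraCrypt; it wraps the post's command in those checks. It assumes an elevated PowerShell session in WinPE (with the optional WinPE-PowerShell component present) or in a Windows install that still boots, that the drive letter S: is free for mounting the EFI System Partition, and that the BCD backup should go into the current directory (e.g. the rescue USB stick, since WinPE's TEMP is a RAM disk). The loader path is the one from the post.

```powershell
# Added example, not from the original post: check and restore the VeraCrypt
# DcsBoot path on the Windows Boot Manager entry, with a BCD backup first.
param(
    # Where to store the BCD backup; defaults to the current directory so that,
    # when run from the rescue USB stick, the backup survives a reboot (assumption).
    [string]$BackupDir = (Get-Location).Path
)

$DcsBootPath = '\EFI\VERACRYPT\DCSBOOT.EFI'   # path used in the post
$EspLetter   = 'S:'                           # assumed free drive letter for the ESP
$BackupFile  = Join-Path $BackupDir ("bcd-backup-{0:yyyyMMdd-HHmmss}.bcd" -f (Get-Date))

# 1. Mount the EFI System Partition and confirm the loader file is still there.
#    The post's scenario is that only the boot entry was removed; the file survives.
mountvol $EspLetter /S | Out-Null
$LoaderOnDisk = Join-Path $EspLetter $DcsBootPath
$LoaderPresent = Test-Path -LiteralPath $LoaderOnDisk
mountvol $EspLetter /D | Out-Null
if (-not $LoaderPresent) {
    throw "DcsBoot loader not found at $LoaderOnDisk; this fix does not apply, use the VeraCrypt rescue disc (Fix 1) instead."
}

# 2. Read the current 'path' value of the {bootmgr} entry.
#    Braces are quoted because PowerShell would otherwise parse {bootmgr} as a script block.
$Current = $null
foreach ($line in (bcdedit /enum '{bootmgr}')) {
    if ($line -match '^\s*path\s+(\S.*)$') { $Current = $Matches[1].Trim(); break }
}
if ($Current -ieq $DcsBootPath) {
    Write-Output "Boot manager already points at $DcsBootPath; nothing to do."
    return
}
Write-Output "Boot manager currently points at '$Current'."

# 3. Back up the BCD store before touching it. To revert later:
#    bcdedit /import <backup file>
bcdedit /export $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "BCD export failed; aborting without changes." }
Write-Output "BCD backed up to $BackupFile"

# 4. Apply the fix from the post.
bcdedit /set '{bootmgr}' path $DcsBootPath
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed (exit code $LASTEXITCODE)." }

# 5. Show the resulting entry so the change can be eyeballed before rebooting.
bcdedit /enum '{bootmgr}'
```

Run it from the rescue USB stick's drive (so the BCD backup lands there), then reboot; if the VeraCrypt password prompt does not appear, `bcdedit /import` of the backup file returns the store to its previous state.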

Prevent Windows 10 from changing the boot loader automatically

To prevent Windows 10 from messing around with the bootloader in the future, you can set a UEFI administrator password in your BIOS (which you should do). 1234 will do the job, as it is not security relevant. Some BIOSes do not offer that option though.