VeraCrypt keeps changing my bootloader order #18

Open
damjes opened this issue Nov 18, 2019 · 2 comments


damjes commented Nov 18, 2019

Hi,

I made a dual-boot full system encryption setup on EFI. Windows is encrypted using VeraCrypt, everything works, EFI and stuff. On the other system I configured Arch GNU/Linux, which is LVM on LUKS, also requires a password during boot, and even automounts the Windows partition. I also use EFI and systemd-boot to load this OS.

Everything works except a small annoying feature.

My desired configuration is to have systemd-boot as the default bootloader. And it works. I can choose Arch and boot it or "chainload" VeraCrypt and it also works like a charm. But, when I boot Windows and turn off my computer, after the next start that darn VeraCrypt boots. When I wanna boot Arch, I need to go to EFI settings, turn off the VeraCrypt bootloader manually and make sure that systemd-boot is default. Darn! Disabling the VeraCrypt bootloader also doesn't help – it just keeps reappearing.

I tried to find some docs, but the EFI case is nonexistent. Everything works awesome, but the documentation doesn't say a word about full system encryption on EFI. I thought it was only for BIOS and learned I was mistaken on a 3rd party website.

Your tool is awesome, I am very grateful and stuff, but I have two requests :)

  • please add/describe an option for how I can disable this annoying feature or choose my own bootloader of choice
  • please add a description in your docs that VeraCrypt full system encryption is supported on EFI.

I can quote:

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the VeraCrypt Rescue Disk (see below).

Seems to me like "no, EFI is not supported, we created this tool before EFI".

Thanks for your hard work
Damjes

Member

idrassi commented Nov 18, 2019

@damjes Thank you for sharing your experience and for your important remarks.

First of all, there is a new feature that was added in 1.24 to solve issues on some machines where the BIOS would remove our entry in the boot menu and/or remove the VeraCrypt bootloader from disk. Now, before every shutdown or reboot, we ensure that the VeraCrypt boot configuration is preserved; otherwise we set it again.

But we have added a registry key that allows disabling this mechanism: using Windows RegEdit, browse to the key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VeraCryptSystemFavorites\", you will find a REG_DWORD value named "VeraCryptSystemFavoritesConfig", double-click on it, set its value to 1 and click OK. After that, VeraCrypt will not check or fix any change in the boot configuration or bootloader files content.

Does this fix your issue?

Concerning the documentation, it is indeed lacking EFI mentions. We were waiting for EFI support to be mature, and after that we lacked time to document it and its many features, especially the various options offered by the DcsProp configuration file.

I will try to work on the documentation part in the coming weeks to give more information to users about it. It will also help for bringing testers to new undocumented features of the EFI bootloader, like the graphic mode that supports touch screens for password entry without a physical keyboard.

Author

damjes commented Nov 18, 2019

Thanks for the fast response. Yes, this hack should resolve my problem :)
