Win10 & Veracrypt & systemd-boot

There are some things seemingly nobody does. For example, …

  • dual-booting Win10 and Linux
  • on a UEFI system
  • while the Win10 partition is encrypted using VeraCrypt.

Yes, it’s a complex scenario, but since MS in all of its (money-grabbing) wisdom does not include BitLocker in Win10 Home, this is a necessary precaution. I’ll not go over the installation of both systems (pretty straightforward, and Arch Linux has – as always – a nice Wiki entry about it).

Unfortunately, Win10 likes to break its own boot manager on updates, which is very scary (“Your Windows partition is damaged”) and super annoying, but I think I’ve got the solution now.

So, the Linux-based (of course) solution for Windows 10 and VeraCrypt is:

# esp partition - /loader/entries/winvera.conf
title Windows 10 VeraCrypt
efi /EFI/VeraCrypt/DcsBoot.efi

This is in fact all you need to do. Now, if Windows fucks up its own boot loader, it seems systemd-boot just ignores everything, loads the correct VeraCrypt bootloader (as it is supposed to), and all is well.

It can happen though that Windows places its own boot manager back in front of systemd-boot again, so it’s used as the default one. Then use one of the methods described here, and you should be fine. (This did not happen to me; it always used the correct boot manager but fucked up the Windows boot.)
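As an added example (not from the post), here is a small POSIX shell script that writes the entry above into the ESP, checks that the DcsBoot.efi it points to actually exists there, and parses efibootmgr output to spot the case where Windows has put its own boot manager back in front of systemd-boot. The ESP path, the entry file name and the “Linux Boot Manager” label (systemd-boot’s default firmware label) are assumptions; the sample efibootmgr output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the systemd-boot + VeraCrypt setup.
# Assumes: ESP mounted at $ESP (default /boot), entry named winvera.conf as in the post,
# systemd-boot registered in firmware under its default label "Linux Boot Manager".
ESP="${ESP:-/boot}"
# Write the loader entry from the post into the ESP (idempotent).
write_winvera_entry() {
    mkdir -p "$1/loader/entries"
    printf 'title Windows 10 VeraCrypt\nefi /EFI/VeraCrypt/DcsBoot.efi\n' \
        > "$1/loader/entries/winvera.conf"
}
# Verify the entry exists and that the .efi it points to is really on the ESP.
check_winvera_entry() {
    entry="$1/loader/entries/winvera.conf"
    [ -f "$entry" ] || { echo "missing $entry"; return 1; }
    efi_path=$(awk '$1 == "efi" { print $2 }' "$entry")
    [ -n "$efi_path" ] || { echo "no efi line in $entry"; return 1; }
    [ -f "$1$efi_path" ] || { echo "$efi_path not found on ESP"; return 1; }
    echo "ok: $efi_path present"
}
# Read non-verbose efibootmgr output on stdin; print the label of the first BootOrder entry.
first_boot_label() {
    awk '
      /^BootOrder:/ { split($2, o, ","); first = o[1] }
      /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*? / {
          id = substr($1, 5, 4); line = $0
          sub(/^[^ ]+ /, "", line); sub(/\t.*$/, "", line); label[id] = line
      }
      END { if (first in label) print label[first] }'
}
# Warn when something else (e.g. Windows Boot Manager) was put in front of systemd-boot.
check_boot_order() {
    lbl=$(first_boot_label)
    case "$lbl" in
        "Linux Boot Manager") echo "ok: systemd-boot boots first"; return 0 ;;
        *) echo "warning: first boot entry is '$lbl', not systemd-boot"; return 1 ;;
    esac
}
# Constructed efibootmgr output for offline demonstration (not from a real machine).
SAMPLE_GOOD='BootOrder: 0000,0001
Boot0000* Linux Boot Manager
Boot0001* Windows Boot Manager'
SAMPLE_BAD='BootOrder: 0001,0000
Boot0000* Linux Boot Manager
Boot0001* Windows Boot Manager'
printf '%s\n' "$SAMPLE_GOOD" | check_boot_order
printf '%s\n' "$SAMPLE_BAD" | check_boot_order || true
# Real use, as root: check_winvera_entry "$ESP"; efibootmgr | check_boot_order
```

Running the boot-order check after each Windows update (as root, with the real efibootmgr output piped in) tells you whether Windows has re-ordered the firmware entries before you find out at the next reboot.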

5 replies on “Win10 & Veracrypt & systemd-boot”

Great tips! Unfortunately, your article didn’t solve my PC’s problem. After days of trying to make this work on a dual boot LUKS-encrypted PopOS 20.10 and Veracrypt-encrypted Windows 10 installed on separate drives, I assume this only works when both OSes are installed on the same drive. Because, when trying to boot into Windows, after entering the Veracrypt password, I get this error: “Authorization failed. Wrong password, PIM or hash.” I think the Veracrypt bootloader expects the Windows system partition to be on the same drive. Is there any way to setup the Veracrypt bootloader to load Windows from a different drive? I really haven’t found any other solutions or discussions on this topic. Please let me know, I appreciate any help I can get. Thanks!

nope, the error message is very clear – wrong password. maybe you have an issue with the keyboard layout? in germany it’s usually a switch between y/z, and most of the special chars are on different locations on the keyboard. remember when the PC starts it’s in “english keyboard” mode. (en-us layout, usually). also the PIM is usually just pressing ENTER if you didn’t define one.

Thanks for your reply! Wish that was the issue, but I am using a standard qwerty en-us keyboard. As far as I managed to gather info from related topics on the web, it seems like there is a problem with PIM (I didn’t define one), as it is being generated randomly upon each boot, and it looks like it expects to do its “job” only by correlating with the Veracrypt-encrypted partition, which it obviously cannot find on the linux drive. But, when the Veracrypt bootloader from the windows drive is selected as first boot option in bios, everything works as expected. Weird, right? Some people seem to have had success by installing GRUB, but that defeats the purpose, as I really like the simplicity and boot speed of systemd. And it doesn’t help that so few distros are using systemd-boot… it’s impossible to find info or tutorials on specific use-cases like this. So far the only obvious way to have dual-boot with this configuration is to spam the F8 key when the bios is loading, and manually select which drive to boot from. But if you can think of any other suggestion that might help, by all means, fire away! I’m really looking forward to what you have to add on this, seeing as you’re one of the very few actually working with a setup similar to mine. Cheers 🙂

this _is_ weird. I really don’t know what is causing your errors. what strikes me as especially weird is that you say “the PIM is generated randomly upon each boot” – which defeats the purpose of the PIM, right? it’s a “personal iterations multiplier”, which can’t be random, cause then you can’t decrypt any more.

also having the OSes on different disks should be easier, not harder. I can send you my boot loader config if you’re interested, if it helps you I’m glad to do it. just tell me if this is your real email address, then I’ll go ahead and just do it.

I didn’t specify a PIM upon encrypting my Windows system, and as far as I could gather from online sources, PIM is generated automatically at every boot in this case. Thus, it seems to me that it can’t do that when the encrypted Windows partition is on a different drive than Veracrypt’s boot files. I might be wrong or maybe I don’t fully comprehend how it works, or what is the advantage of using a PIM. Or even if it’s necessary, seeing as in LUKS there isn’t something similar. Sadly, information on this dual-boot setup is scarce to almost non-existent. It would be great if you could send your bootloader config, I would very much like to compare with the configs from my previous failed attempts. Yes, the e-mail address in my comment is correct. And thanks for your time! Much appreciated 🙂