
I'd like to set up my laptop where one HDD has two copies of Windows 7, one encrypted and the other unencrypted. The VeraCrypt bootloader will say "Press ESC To Boot;" entering the correct password should boot the encrypted OS, and pressing ESC should boot the unencrypted one.

Although I've found this situation mentioned in many places, I've only been able to achieve this behavior by installing each copy of Windows on its own separate HDD; no matter what I try, it doesn't seem to work on one HDD.

Let's start by laying out the disk like this:

Partition 0) Win7 System Partition (100mb)
Partition 1) Encrypted Win7
Partition 2) Unencrypted Win7

Initially, everything is unencrypted. We then go through the VC Encrypt System Partition/Drive wizard to encrypt Partition 1. After it completes, the situation is:

  • If you set Partition 0 as Active: Whether you enter the password or press ESC at the VC bootloader, you're subsequently presented with the Windows boot menu, where you need to select between the two OSs. If you pressed ESC, only the unencrypted one will work; otherwise either will work.
  • If you set Partition 1 as Active: Entering the VC password will boot the encrypted OS, but pressing ESC says "no bootable partition found."
  • If you set Partition 2 as Active: Whether you press ESC or enter the password, it always boots the unencrypted OS.

These 3 behaviors are logical; I just can't figure out how to actually achieve the behavior I'm after. My expectation was that there'd be a way for the VeraCrypt Boot Manager (which is what's invoked after you press ESC) to select between OSs installed on the other partitions, yet it seems to ignore anything that isn't the Active partition.

Note that even the VeraCrypt wizard itself makes it sound like what I'm trying to do should be possible (see here: "...you will only need to press the Esc key to start the unencrypted system (if there are multiple unencrypted systems, you will also need to choose which system to start in the VeraCrypt boot manager menu.)").

This answer also makes it sound like it should be possible. Is there perhaps something I'm doing wrong, some reason why the VC bootloader won't find any of the other bootable partitions on the drive - just the Active one?
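Since the three behaviours above all hinge on which partition carries the MBR active flag, here is an added example (not from the question or the answer) in Python that parses a 512-byte MBR, lists the four primary entries and reports which one is flagged active (status byte 0x80); the sample image mirrors the three-partition layout above, with constructed, invented sector counts.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # partition table starts at byte 446
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(active_index):
    """Constructed MBR: system partition, encrypted Win7, unencrypted Win7.
    Sector numbers are invented and only illustrate the layout in the question."""
    mbr = bytearray(MBR_SIZE)
    parts = [
        (0x07, 2048, 204800),           # Partition 0: Win7 system partition (~100 MB)
        (0x07, 206848, 104857600),      # Partition 1: encrypted Win7
        (0x07, 105064448, 104857600),   # Partition 2: unencrypted Win7
    ]
    for i, (ptype, start, size) in enumerate(parts):
        status = 0x80 if i == active_index else 0x00
        entry = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, size)
        mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = entry
    mbr[510:512] = b"\x55\xaa"          # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                    # unused slot
        entries.append({"index": i, "active": status == 0x80,
                        "valid_status": status in (0x00, 0x80),
                        "type": ptype, "start_lba": start, "sectors": size})
    return entries


def active_partitions(entries):
    """Indexes flagged active; a sane table has exactly one."""
    return [e["index"] for e in entries if e["active"]]


def read_mbr(path):
    """Read the first sector of a disk or image file (e.g. a dd copy of the drive)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)
```

Reading a live disk (such as /dev/sda) with read_mbr needs administrator rights; running it on an image copy is the safer way to confirm the flag before and after changing the Active partition.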

1 Answer

Finally figured out a workable solution.

I wiped the 100mb Win7 system partition and replaced it with grub4dos. grub4dos does the same job as the Win7 boot menu - but it can be written in a way that doesn't require any user interaction:

#Don't show this menu to the user
timeout 0

#First try to load the encrypted OS.  If that fails...
default 0

#...Fallback on the unencrypted
fallback 1

#Main OS
title 1
root (hd0,1)
chainloader /bootmgr

#Decoy OS
title 2
root (hd0,2)
chainloader /bootmgr

So what happens is, the VeraCrypt bootloader appears. Whether you type your password or press ESC, it will load the grub menu & try to boot the encrypted OS.

  • If you typed your password, the encrypted OS will be available and will successfully boot.
  • If you pressed ESC, the encrypted OS will fail to boot and grub will fall back on the unencrypted one.

So to the user, everything is invisible & automatic, and it essentially behaves the same as the two-disk situation :)

  • This is really cool. If you find the time while it's still fresh in your mind, please expand your answer with step by step. I'm starting with a Veracrypt encrypted system drive (C: that has Win 7) and I'd love to get to where you are. Also, 1 question: if you type an incorrect password in the VeraCrypt bootloader, what happens? Commented Jun 17, 2016 at 7:19
  • If you type the wrong password it will just stop (standard VeraCrypt behavior; also described in the link in my question).
    – J23
    Commented Jun 21, 2016 at 5:30
