ContextQMD
Back to Veracrypt

VeraCrypt Rescue Disk

doc/html/en/VeraCrypt Rescue Disk.html

latest9.6 KB
Original Source

Documentation System Encryption VeraCrypt Rescue Disk

VeraCrypt Rescue Disk

During the process of preparing the encryption of a system partition/drive, VeraCrypt requires that you create a so-called VeraCrypt Rescue Disk (USB disk in EFI boot mode, CD/DVD in MBR legacy boot mode), which serves the following purposes:

  • If the VeraCrypt Boot Loader screen does not appear after you start your computer (or if Windows does not boot), the VeraCrypt Boot Loader may be damaged. The VeraCrypt Rescue Disk allows you restore it and thus to regain access to your encrypted system and data (however, note that you will still have to enter the correct password then). For EFI boot mode, select Restore VeraCrypt loader binaries to system disk in the Rescue Disk screen. For MBR legacy boot mode, select instead Repair Options > Restore VeraCrypt Boot Loader. Then press 'Y' to confirm the action, remove the Rescue Disk from your USB port or CD/DVD drive and restart your computer.
  • If the VeraCrypt Boot Loader is frequently damaged (for example, by inappropriately designed activation software) or if you do not want the VeraCrypt boot loader to reside on the hard drive (for example, if you want to use an alternative boot loader/manager for other operating systems), you can boot directly from the VeraCrypt Rescue Disk (as it contains the VeraCrypt boot loader too) without restoring the boot loader to the hard drive. For EFI boot mode, just insert your Rescue Disk into a USB port, boot your computer on it and then select Boot VeraCrypt loader from rescue disk on the Rescue Disk screen. For MBR legacy boot mode, you need to insert the Rescue Disk in your CD/DVD drive and then enter your password in the Rescue Disk screen.
  • If you repeatedly enter the correct password but VeraCrypt says that the password is incorrect, it is possible that the master key or other critical data are damaged. The VeraCrypt Rescue Disk allows you to restore them and thus to regain access to your encrypted system and data (however, note that you will still have to enter the correct password then). For EFI boot mode, select Restore OS header keys in the Rescue Disk screen. For MBR legacy boot mode, select instead Repair Options > Restore VeraCrypt Boot Loader. Then enter your password, press 'Y' to confirm the action, remove the Rescue Disk from the USB port or CD/DVD drive, and restart your computer.

Note: This feature cannot be used to restore the header of a hidden volume within which a hidden operating system resides (see the section Hidden Operating System). To restore such a volume header, click Select Device, select the partition behind the decoy system partition, click OK, select Tools > Restore Volume Header and then follow the instructions.

WARNING: By restoring key data using a VeraCrypt Rescue Disk, you also restore the password that was valid when the VeraCrypt Rescue Disk was created. Therefore, whenever you change the password, you should destroy your VeraCrypt Rescue Disk and create a new one (select System -> Create Rescue Disk). Otherwise, if an attacker knows your old password (for example, captured by a keystroke logger) and if he then finds your old VeraCrypt Rescue Disk, he could use it to restore the key data (the master key encrypted with the old password) and thus decrypt your system partition/drive

  • If Windows is damaged and cannot start after typing the correct password on VeraCrypt password prompt, the VeraCrypt Rescue Disk allows you to permanently decrypt the partition/drive before Windows starts. For EFI boot, select Decrypt OS in the Rescue Disk screen. For MBR legacy boot mode, select instead Repair Options > Permanently decrypt system partition/drive. Enter the correct password and wait until decryption is complete. Then you can e.g. boot your MS Windows setup CD/DVD to repair your Windows installation. Note that this feature cannot be used to decrypt a hidden volume within which a hidden operating system resides (see the section Hidden Operating System).

Note: Alternatively, if Windows is damaged (cannot start) and you need to repair it (or access files on it), you can avoid decrypting the system partition/drive by following these steps: If you have multiple operating systems installed on your computer, boot the one that does not require pre-boot authentication. If you do not have multiple operating systems installed on your computer, you can boot a WinPE or BartPE CD/DVD or a Linux Live CD/DVD/USB. You can also connect your system drive as a secondary or external drive to another computer and then boot the operating system installed on the computer. After you boot a system, run VeraCrypt, click Select Device, select the affected system partition, click OK , select System > Mount Without Pre-Boot Authentication, enter your pre-boot-authentication password and click OK. The partition will be mounted as a regular VeraCrypt volume (data will be on-the-fly decrypted/encrypted in RAM on access, as usual).

  • In case of MBR legacy boot mode, your VeraCrypt Rescue Disk contains a backup of the original content of the first drive track (made before the VeraCrypt Boot Loader was written to it) and allows you to restore it if necessary. The first track typically contains a system loader or boot manager. In the Rescue Disk screen, select Repair Options > Restore original system loader.

Note that even if you lose your VeraCrypt Rescue Disk and an attacker finds it, he or she will not be able to decrypt the system partition or drive without the correct password.

To boot a VeraCrypt Rescue Disk, insert it into a USB port or your CD/DVD drive depending on its type and restart your computer. If the VeraCrypt Rescue Disk screen does not appear (or in case of MBR legacy boot mode if you do not see the 'Repair Options' item in the 'Keyboard Controls' section of the screen), it is possible that your BIOS is configured to attempt to boot from hard drives before USB drivers and CD/DVD drives. If that is the case, restart your computer, press F2 or Delete (as soon as you see a BIOS start-up screen), and wait until a BIOS configuration screen appears. If no BIOS configuration screen appears, restart (reset) the computer again and start pressing F2 or Delete repeatedly as soon as you restart (reset) the computer. When a BIOS configuration screen appears, configure your BIOS to boot from the USB drive and CD/DVD drive first (for information on how to do so, please refer to the documentation for your BIOS/motherboard or contact your computer vendor's technical support team for assistance). Then restart your computer. The VeraCrypt Rescue Disk screen should appear now. Note: In the case of MBR legacy boot mode, you can select 'Repair Options' on the VeraCrypt Rescue Disk screen by pressing F8 on your keyboard.

If your VeraCrypt Rescue Disk is damaged, you can create a new one by selecting System > Create Rescue Disk. To find out whether your VeraCrypt Rescue Disk is damaged, insert it into a USB port (or into your CD/DVD drive in case of MBR legacy boot mode) and select System > Verify Rescue Disk.

VeraCrypt Rescue Disk for MBR legacy boot mode on USB Stick

It is also possible to create a VeraCrypt Rescue Disk for MBR legacy boot mode on a USB drive, in case your machine does not have a CD/DVD drive. Please note that you must ensure that the data on the USB stick is not overwritten! If you lose the USB drive or your data is damaged, you will not be able to recover your system in case of a problem!

To create a bootable VeraCrypt Rescue USB drive you have to create a bootable USB drive which bootloader runs up the iso image. Solutions like Unetbootin, which try to copy the data inside the iso image to the usb drive do not work yet. On Windows please follow the steps below:

  • Download the required files from the official SourceForge repository of VeraCrypt: https://sourceforge.net/projects/veracrypt/files/Contributions/VeraCryptUsbRescueDisk.zip

  • Insert a USB drive.

  • Format the USB drive with FAT16 oder FAT32:

    • Launch usb_format.exe as an administrator (right click "Run as Administrator").
    • Select your USB drive in the Device list.
    • Choose FAT as filesystem and check "Quick Format". Click Start.

  • Create a bootloader which can start up an iso image:

    • Launch grubinst_gui.exe.
    • Check "Disk" and then select your USB drive in the list.
    • Click the "Refresh" button in front of "Part List" and then choose "Whole disk (MBR)".
    • Leave all other options unchanged and then click "Install".
    • You should see an console window that reads "The MBR/BS has been successfully installed. Press &ltENTER> to continue ..."
    • Close the tool.

  • Copy the file "grldr" to your USB drive at the root (e.g. if the drive letter is I:, you should have I:\grldr). This file loads Grub4Dos.

  • Copy the file "menu.lst" to your USB drive at the root (e.g. if the drive letter is I:, you should have I:\menu.lst). This file configures the shown menu and its options.

  • Copy the rescue disk file "VeraCrypt Rescue Disk.iso" to the USB drive at the root and rename it "veracrypt.iso". Another possibility is to change the link in the "menu.lst" file.