VeraCrypt, EFI bootloader, password picture

The VeraCrypt project was audited, but unfortunately the audit report did not include an overview of the project's new features. This article describes some of these additions.



Many of VeraCrypt's features are currently available only through the text configuration file. One example is the password picture.






If your Windows computer or tablet has a touchscreen, you can try setting up a touch-dots login. To do this, you will need to check the accessibility of the touchscreen from EFI.



The DcsProp configuration file is located on the EFI boot partition. Changes can be made during the bootloader compatibility testing phase and after the disk is encrypted.



To access the DcsProp configuration from the Windows console with administrator rights, you need to run:



mountvol o: /s
notepad o:\efi\veracrypt\DcsProp






In addition, you will need to copy your picture, in BMP format, to o:\EFI\Veracrypt\login.bmp (the sample picture was chosen because it contains many distinct elements: people, horses, stones, trees, weapons, etc.).



DcsProp settings (the parameters are explained in the XML comments):



<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
	<configuration>
		<!-- PasswordType 0 - text 1 - picture -->
		<config key="PasswordType">1</config>
		<config key="PasswordMsg">Enter password:</config>
		<config key="PasswordPicture">EFI\Veracrypt\login.bmp</config>

		<!-- PimRqt 0 - use parameter 1 - request from user-->
		<config key="PimMsg">Pim:</config>
		<config key="Pim">0</config>
		<config key="PimRqt">0</config>

		<!-- AuthorizeVisible 0/1 - show/hide chars  -->
		<config key="AuthorizeVisible">0</config>
		<!-- AuthorizeMarkTouch 0/1 - show/hide touch area  -->
		<config key="AuthorizeMarkTouch">0</config>

		<!-- AuthorizeRetry - number of retry  -->
		<config key="AuthorizeRetry">10</config>

		<!-- GraphDevice  -1 autodetect; -2 ignore; <n> number in list of devices (use DcsCfg.dcs -gl)-->
		<config key="GraphDevice">-1</config>
		<!-- GraphMode -1 default (to test DcsCfg -gm <N>)-->
		<config key="GraphMode">-1</config>

		<!-- TouchDevice -1 autodetect; -2 ignore; <N> number in list of devices (use DcsCfg -tl and to test DcsCfg -tt <N>)-->
		<config key="TouchDevice">-1</config>

		<!-- TouchSimulate to use keyboard keys to move cursor-->
		<config key="TouchSimulate">1</config>

		<!-- Beep -->
		<config key="Beep">1</config>
		<config key="BeepDuration">200</config>
	</configuration>
</VeraCrypt>
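Because DcsProp is edited by hand on the EFI partition, a mistyped value or a forgotten login.bmp is only discovered at the next boot. The following Python script is an added example (not part of the article or of the VeraCrypt/DCS project) that parses a DcsProp document, checks the values against the domains described in the comments above (0/1 flags, -1/-2/index for device keys, a positive retry count) and, when PasswordType is 1, verifies that the referenced picture exists under the mounted EFI partition and carries the "BM" signature of a Windows bitmap. The sample DcsProp text and the 1x1 bitmap it writes are constructed for the demonstration; the "mounted EFI partition" is a temporary directory standing in for o:\.

```python
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample DcsProp using the keys from the article's listing
# (not read from a real EFI partition).
SAMPLE_DCSPROP = """<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
  <configuration>
    <config key="PasswordType">1</config>
    <config key="PasswordMsg">Enter password:</config>
    <config key="PasswordPicture">EFI\\Veracrypt\\login.bmp</config>
    <config key="Pim">0</config>
    <config key="PimRqt">0</config>
    <config key="AuthorizeVisible">0</config>
    <config key="AuthorizeMarkTouch">0</config>
    <config key="AuthorizeRetry">10</config>
    <config key="GraphDevice">-1</config>
    <config key="GraphMode">-1</config>
    <config key="TouchDevice">-1</config>
    <config key="TouchSimulate">1</config>
    <config key="Beep">1</config>
    <config key="BeepDuration">200</config>
  </configuration>
</VeraCrypt>
"""

# Value domains taken from the comments in the DcsProp listing.
FLAGS = ("PasswordType", "PimRqt", "AuthorizeVisible", "AuthorizeMarkTouch",
         "TouchSimulate", "Beep")
DEVICE_KEYS = ("GraphDevice", "TouchDevice")   # -1 autodetect, -2 ignore, >=0 index


def parse_dcsprop(text):
    """Return {key: value} from every <config key="..."> element."""
    root = ET.fromstring(text.encode("utf-8"))
    return {c.get("key"): (c.text or "").strip()
            for c in root.iter("config") if c.get("key")}


def _int(cfg, key):
    """Integer value of cfg[key], or None if missing or not numeric."""
    try:
        return int(cfg[key])
    except (KeyError, ValueError):
        return None


def is_bmp(path):
    """True if the file exists and starts with the 'BM' bitmap signature."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"BM"
    except OSError:
        return False


def check_dcsprop(text, esp_root):
    """Return a list of problems; esp_root is the mounted EFI partition (e.g. 'O:\\')."""
    cfg = parse_dcsprop(text)
    problems = []
    for key in FLAGS:
        if _int(cfg, key) not in (0, 1):
            problems.append(f"{key} must be 0 or 1")
    for key in DEVICE_KEYS:
        v = _int(cfg, key)
        if v is None or v < -2:
            problems.append(f"{key} must be -1, -2 or a device index")
    retry = _int(cfg, "AuthorizeRetry")
    if retry is None or retry < 1:
        problems.append("AuthorizeRetry must be a positive integer")
    if _int(cfg, "PasswordType") == 1:
        pic = cfg.get("PasswordPicture", "")
        if not pic:
            problems.append("PasswordType=1 but PasswordPicture is not set")
        else:
            # Picture paths in DcsProp are relative to the EFI partition root.
            full = os.path.join(esp_root, *pic.split("\\"))
            if not is_bmp(full):
                problems.append(f"PasswordPicture {pic} is missing or not a BMP")
    return problems


def write_minimal_bmp(path):
    """Write a constructed 1x1 24-bit BMP so the picture check can run offline."""
    pixel = b"\x00\x00\x00\x00"                      # one BGR pixel, padded to 4 bytes
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixel), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(header + dib + pixel)


def demo():
    """Check the sample before and after login.bmp is copied to the fake EFI partition."""
    with tempfile.TemporaryDirectory() as esp:
        before = check_dcsprop(SAMPLE_DCSPROP, esp)   # picture not copied yet
        write_minimal_bmp(os.path.join(esp, "EFI", "Veracrypt", "login.bmp"))
        after = check_dcsprop(SAMPLE_DCSPROP, esp)    # picture present and valid
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before copying login.bmp:", before)
    print("after copying login.bmp: ", after)
```

On a real system the script would be run with the DcsProp text read from o:\EFI\Veracrypt\DcsProp and esp_root set to "O:\\" after `mountvol o: /s`; the check only reads the files, so it can be run before rebooting to confirm that the picture path and the flags are consistent.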






You can view the new password and change it from VeraCrypt in Windows.



Note: After rebooting and entering the password from the keyboard, you can press F2 to change the password. Then enter the new password by touching the picture and confirm it. This requires a random number generator to produce a new salt. Unfortunately, the auditors asked for the built-in generator to be turned off by default; to enable it, you need a bootloader version with TPM support or with the generator enabled.



Special keys:



F2 - password change

F4 - input sound

F5 - view password input

F11 - slow down cursor movement with arrows

F12 - speed up cursor movement with arrows


In the next article I will describe the configuration of conditional authorization for the following scenario: if a USB flash drive is connected, ask for a password and, after successful authorization, boot Windows; if there is no flash drive, boot Linux.


