Hello,
I am reporting what looks like an incomplete or broken EFI hidden OS flow on VeraCrypt 1.26 / DCS.
I am using the manual EFI/GPT hidden OS method. H_OS system encryption completed successfully, but DcsCfg.dcs -rnd 2 -oshideprep never reached the GPT filename stage and created no GPT files (gpt_enc, gpt_hos, gpt_hidden, gpt_hid).
I stopped before doing any more writes because I do not want to damage the disk further if this is a bug/regression or if I missed a required step.
Environment
VeraCrypt: 1.26
Architecture: x86-64
Windows: Windows 11 Home x64
Boot mode: UEFI/GPT
Secure Boot: temporarily disabled only to boot a custom UEFI shell USB
Internal disk: Kingston NVMe
BitLocker / Device Encryption: fully disabled and all internal volumes fully decrypted before VeraCrypt system encryption
Disk layout
Internal NVMe partitions:
original protected ESP, 100 MB
MSR, 128 MB
old visible Windows, 240 GB
OUTER_A, 131 GB
H_ESP, 260 MB EFI
H_OS, 390 GB
OUTER_B, 148 GB
Recovery, 800 MB
Recovery/OEM, 19 GB
H_OS is installed on partition 6, using partition 5 as EFI.
What succeeded before -oshideprep
H_OS install succeeded
H_OS booted
VeraCrypt system partition encryption on H_OS succeeded
VeraCrypt pretest succeeded
DcsBoot boot entry worked
Full Rescuezilla snapshot was taken after H_OS encryption and before -oshideprep
UEFI shell
The normal VC rescue menu did not provide an EFI shell, so I created a separate FAT32 UEFI shell USB and copied the whole \EFI\VeraCrypt\ folder onto it.
In shell:
DcsCfg.dcs -dl d
showed:
disk 0 = USB
disk 2 = internal NVMe
-oshideprep behavior
Running plain:
DcsCfg.dcs -oshideprep
failed with:
No randoms
Running:
DcsCfg.dcs -rnd 2 -oshideprep
got past that failure.
I then chose:
Disk = 2
Start outer = 4
End outer = 7
Observed prompts/answers:
Sectors [781025280, 781557759], Wipe data?
answered y
this matches partition 5 (H_ESP)
Sectors [1911521280, 1913159679], Wipe data?
answered n
this matches partition 8 (800 MB Recovery), not an outer partition
Init outer headers?
answered y
Selected:
AES
XTS
SHA-512
Entered first outer password
Save outer? -> y
Entered second outer password
Save outer? -> y
Update main encryption header? -> y
entered the real H_OS password
received Success
After that, output was:
Success
Start 400157573120 length 419430400000
VolumeSize 419430400000
HiddenVolumeSize 0
flags 0x1
Encrypted already
Then it returned to shell prompt.
Expected but missing
I expected the next stage to ask for GPT filenames, e.g.:
encrypted GPT filename (gpt_enc)
hidden GPT filename (gpt_hos, gpt_hidden, or similar)
But I never saw any such prompts.
Also, no GPT files were created anywhere I could find:
not on USB root
not in \EFI\VeraCrypt
not on any mapped fsX: filesystem
I checked for:
gpt_enc
gpt_hos
gpt_hidden
gpt_hid
All absent.
Trying read-only checks such as:
dcscfg.dcs -pf gpt_enc -pl
dcscfg.dcs -pf gpt_hos -pl
dcscfg.dcs -pf gpt_hidden -pl
dcscfg.dcs -pf gpt_hid -pl
returns:
load: not found
Current partition check
After the above, running:
dcscfg.dcs -ds 2 -pl
still shows the ordinary partition layout, not an obvious hidden/merged GPT state.
Questions:
On VC 1.26, after successful -rnd 2 -oshideprep, should GPT filename prompts always appear?
Is HiddenVolumeSize 0 expected here?
Could answering n to the wipe prompt for the 800 MB Recovery partition prevent GPT file generation?
Does the recovery partition layout interfere with EFI hidden OS on current DCS?
Does argument order matter?
DcsCfg.dcs -rnd 2 -oshideprep
versus
DcsCfg.dcs -oshideprep -rnd 2
Are there any additional flags/steps on current 1.26 that are not reflected in older docs/forum posts?
Is rerunning -oshideprep appropriate here, or is restore from the pre--oshideprep disk image the only safe recovery?
Any clarification on the expected successful post--oshideprep behavior for 1.26 would be very helpful.
Thanks a lot!
Hello,
I am reporting what looks like an incomplete or broken EFI hidden OS flow on VeraCrypt 1.26 / DCS.
I am using the manual EFI/GPT hidden OS method. H_OS system encryption completed successfully, but DcsCfg.dcs -rnd 2 -oshideprep never reached the GPT filename stage and created no GPT files (gpt_enc, gpt_hos, gpt_hidden, gpt_hid).
I stopped before doing any more writes because I do not want to damage the disk further if this is a bug/regression or if I missed a required step.
Environment
VeraCrypt: 1.26
Architecture: x86-64
Windows: Windows 11 Home x64
Boot mode: UEFI/GPT
Secure Boot: temporarily disabled only to boot a custom UEFI shell USB
Internal disk: Kingston NVMe
BitLocker / Device Encryption: fully disabled and all internal volumes fully decrypted before VeraCrypt system encryption
Disk layout
Internal NVMe partitions:
original protected ESP, 100 MB
MSR, 128 MB
old visible Windows, 240 GB
OUTER_A, 131 GB
H_ESP, 260 MB EFI
H_OS, 390 GB
OUTER_B, 148 GB
Recovery, 800 MB
Recovery/OEM, 19 GB
H_OS is installed on partition 6, using partition 5 as EFI.
What succeeded before -oshideprep
H_OS install succeeded
H_OS booted
VeraCrypt system partition encryption on H_OS succeeded
VeraCrypt pretest succeeded
DcsBoot boot entry worked
Full Rescuezilla snapshot was taken after H_OS encryption and before -oshideprep
UEFI shell
The normal VC rescue menu did not provide an EFI shell, so I created a separate FAT32 UEFI shell USB and copied the whole \EFI\VeraCrypt\ folder onto it.
In shell:
DcsCfg.dcs -dl d
showed:
disk 0 = USB
disk 2 = internal NVMe
-oshideprep behavior
Running plain:
DcsCfg.dcs -oshideprep
failed with:
No randoms
Running:
DcsCfg.dcs -rnd 2 -oshideprep
got past that failure.
I then chose:
Disk = 2
Start outer = 4
End outer = 7
Observed prompts/answers:
Sectors [781025280, 781557759], Wipe data?
answered y
this matches partition 5 (H_ESP)
Sectors [1911521280, 1913159679], Wipe data?
answered n
this matches partition 8 (800 MB Recovery), not an outer partition
Init outer headers?
answered y
Selected:
AES
XTS
SHA-512
Entered first outer password
Save outer? -> y
Entered second outer password
Save outer? -> y
Update main encryption header? -> y
entered the real H_OS password
received Success
After that, output was:
Success
Start 400157573120 length 419430400000
VolumeSize 419430400000
HiddenVolumeSize 0
flags 0x1
Encrypted already
Then it returned to shell prompt.
Expected but missing
I expected the next stage to ask for GPT filenames, e.g.:
encrypted GPT filename (gpt_enc)
hidden GPT filename (gpt_hos, gpt_hidden, or similar)
But I never saw any such prompts.
Also, no GPT files were created anywhere I could find:
not on USB root
not in \EFI\VeraCrypt
not on any mapped fsX: filesystem
I checked for:
gpt_enc
gpt_hos
gpt_hidden
gpt_hid
All absent.
Trying read-only checks such as:
dcscfg.dcs -pf gpt_enc -pl
dcscfg.dcs -pf gpt_hos -pl
dcscfg.dcs -pf gpt_hidden -pl
dcscfg.dcs -pf gpt_hid -pl
returns:
load: not found
Current partition check
After the above, running:
dcscfg.dcs -ds 2 -pl
still shows the ordinary partition layout, not an obvious hidden/merged GPT state.
Questions:
On VC 1.26, after successful -rnd 2 -oshideprep, should GPT filename prompts always appear?
Is HiddenVolumeSize 0 expected here?
Could answering n to the wipe prompt for the 800 MB Recovery partition prevent GPT file generation?
Does the recovery partition layout interfere with EFI hidden OS on current DCS?
Does argument order matter?
DcsCfg.dcs -rnd 2 -oshideprep
versus
DcsCfg.dcs -oshideprep -rnd 2
Are there any additional flags/steps on current 1.26 that are not reflected in older docs/forum posts?
Is rerunning -oshideprep appropriate here, or is restore from the pre--oshideprep disk image the only safe recovery?
Any clarification on the expected successful post--oshideprep behavior for 1.26 would be very helpful.
Thanks a lot!