Releases: DiskCryptor/DiskCryptor
Build v1.4.1 Beta
DiskCryptor version 1.4.1 introduces a number of significant improvements to the EFI bootloader, Secure Boot integration, and command-line tooling. This release continues the ongoing effort to modernize DiskCryptor’s pre-boot environment and to improve compatibility with current firmware, storage, and platform configurations.
The command-line tool dccon has been extended with new functionality for EFI-based deployments. Two new commands, -mkefipxe and -mkefiiso, allow the creation of EFI-bootable PXE images and ISO files directly from DiskCryptor tooling, simplifying network boot and installation workflows. In addition, a new -efi menu has been introduced, providing the ability to list, query, and modify EFI variables from within DiskCryptor, consolidating EFI-related functionality in a single, consistent interface. As part of this reorganization, the existing -sb_info functionality has been moved from the -boot menu to the new -efi menu, where it more logically belongs.
Secure Boot support has been further expanded. A new -mok menu has been added to manage the Machine Owner Key (MOK) list used by the Secure Boot shim, closely mirroring the behavior and feature set of the Linux mokutil tool. This enables direct inspection and management of MOK entries without leaving the DiskCryptor environment. In parallel, an ARM64 shim loader has been added, extending Secure Boot support to ARM64 systems and improving DiskCryptor’s viability on modern non-x86 platforms.
On the storage side, the EFI bootloader now includes native support for 4K sector disks. This improves compatibility with modern storage devices that expose 4Kn sector layouts and avoids reliance on 512-byte sector emulation. Several boot- and Secure-Boot-related issues have also been addressed. A spurious Secure Boot warning that could appear when encrypting non-boot volumes has been fixed, and the bootloader has been corrected to properly handle encrypted partitions that were created using a format operation rather than the encrypt workflow.
Overall, this release focuses on strengthening DiskCryptor’s EFI and Secure Boot capabilities, improving hardware compatibility, and providing more powerful and coherent tooling for advanced deployment scenarios.
Build v1.4 Beta
DiskCryptor 1.4.0 is a major release focused on modern platform support, boot infrastructure improvements, and long-term maintainability. This version updates the core driver toolchain to Visual Studio 2022 and aligns the EFI bootloader with the current edk2-stable202511 baseline, ensuring compatibility with modern Windows, UEFI firmware, and contemporary build environments. Legacy 32-bit operating system support has been removed, while ARM64 support has been added to the driver and introduced experimentally for the DCS EFI bootloader, significantly broadening the range of supported hardware.
A key architectural change in this release is the separation of the EFI bootloader files from the main binary. EFI components are now distributed as architecture-specific DcsPkg_[ARCH] packages, either provided as ZIP archives or consumed directly from an existing folder. This makes the boot chain more transparent, easier to audit, and simpler to integrate into custom deployment workflows. Boot data handoff between the EFI bootloader and the driver has also been improved, increasing robustness during early boot.
Secure Boot is now explicitly supported as an optional configuration. DiskCryptor can be used in Secure Boot environments via a separate Secure Boot package that leverages a Debian shim and MOK Key. The software actively verifies whether the bootloader is properly signed and will prevent setup if Secure Boot is enabled but an unsigned loader is detected. This design keeps the default installation path straightforward while offering a standards-compliant Secure Boot solution for users and environments that require it. Additional tooling has been added to inspect Secure Boot state and configuration, and bootloader management from the GUI has been refined, including reliable EFI installation behavior and safer handling of boot manager replacement and restoration.
This release also substantially expands deployment and recovery options. The EFI bootloader can now generate fully bootable EFI ISO images, enabling optical media or virtual media boot without external tooling. PXE boot support has been added, allowing DiskCryptor to be used in network-booted scenarios such as data centers, labs, and automated recovery environments. Offline installation and removal support has been extended to mounted WinPE and install images, making it possible to integrate DiskCryptor directly into deployment pipelines.
Several long-standing issues have been resolved, including a regression affecting MBR encryption in earlier versions. New maintenance commands have been added for managing Microsoft bootloader replacement states, and unused first-boot EFI behavior has been removed to streamline startup.
Overall, DiskCryptor 1.4.0 represents a significant step forward, modernizing the codebase, improving boot and deployment flexibility, and introducing optional Secure Boot support without compromising transparency or control.
Build v1.3 Signed Beta
This build resolves issues with Core Isolation and brings full windows 11 compatibility.
The driver is digitally signed to be accepted by windows without any workarounds.
The UEFI bootloader is NOT signed for secure boot, if you want to use DC with Secure Boot, you will need to setup your own keys and sign it yourself or use a shim loader. We are working on getting a secure boot signature from MS...
We have signed the installer and all files with a EV Code signing certificate to avoid issues with false positives which are very common for unsigned releases.
Unfortunately some AV vendors due to past abuse of the software decide to just outright flag any disk cryptor release as a potentially unwanted software.
Please note that with build 1.3 the procedure to encrypt the system partition has been changed, when trying to encrypt a system partition DC will require a reboot to confirm the boot loader and driver work correctly, after the reboot you will need the start DC again to actually start the encryption of your system partition.
This additional step has been added to make the process fail safe, and eliminate the possibility of abusing the driver for malicious purposes.
You can review the latest Virus Total results for the installer at: https://www.virustotal.com/gui/file/4c0eeb6b6734492df074ce0fe3b4ccc1223e70f7b2fcb55738f41d774e393ec3
Like with all previous builds the binaries are provided as is, without any guarantees, a catastrophic failure is always an option, keep a backup on hand and proceed at your own risk.
You can support the project through donations, any help will be greatly appreciated.
Full Changelog for build 1.3.0
Added
- Added safe system volume encryption (boot loader is tested before anything gets encrypted)
- Added ability to recover MBR when it was damaged by a partitioning or backup/recovery tool
Fixed
- Fixed issue with Core Isolation on windows 10/11
Build v1.3 Beta
This build resolves issues with Core Isolation and brings full windows 11 compatibility.
The driver is digitally signed to be accepted by windows without any workarounds.
The UEFI bootloader is NOT signed for secure boot, if you want to use DC with Secure Boot, you will need to setup your own keys and sign it yourself or use a shim loader.
We are working on getting a secure boot signature from MS but that has a bit to much testing and formalities to be fast, hence we decided to release this build as is and schedule a SB signature for an upcoming build in due time.
EDIT 28.10.2023 re uploaded installer, fixed issue #86
The setup or the other non driver files are not digitally signed, hence when downloading the setup may be blocked and or wrongfully flagged. Here is the VT result for the setup as is: https://www.virustotal.com/gui/file/6864aad30d3b6547f1028368b36f6332078e317c65746fbc10c5855b293a6336
The SHA256 hash of the authentic build is: 6864aad30d3b6547f1028368b36f6332078e317c65746fbc10c5855b293a6336
Please note that with this build the procedure to encrypt the system partition has been changed, when trying to encrypt a system partition DC will require a reboot to confirm the boot loader and driver work correctly, after the reboot you will need the start DC again to actually start the encryption of your system partition.
This additional step has ben added to make the process safer.
Like with all previous builds the binaries are provided as is, without any guarantees, a catastrophic failure is always an option, keep a backup on hand and proceed at your own risk.
You can support the project through donations, any help will be greatly appreciated.
Full Changelog for build 1.3.0
Added
- Added safe system volume encryption (boot loader is tested before anything gets encrypted)
- Added ability to recover MBR when it was damaged by a partitioning or backup/recovery tool
Fixed
- Fixed issue with Core Isolation on windows 10/11
Build v1.2 Beta 3
Here is the next new build of DiskCryptor it improves the usability and provides support for windows 10 feature upgrades.
The boot loader is not signed for secure boot, so for now, to use it, disabling secure boot is required.
The tool is able to use a signed shim Bootloader from Red Hat and install it, however for now the required files are not included in the installation package, as its a more fiddly installation and given the release is a beta it sounded reasonable to try to minimize potential issues.
- This is a beta build so keep a backup and a Windows 2 Go drive on hand just in case.- This is a beta build it is not compatible with windows 11 before installing you need to disable VBS/Core Isolation->Memory integrity.
As the volume format did not change between 1.1 and 1.2 releases you can use a old 1.1 version for your Windows 2 Go drive, although then the installation/removal of the UEFI boot loader wont be available.
27.04.2020 - 1.2.2/848.118.202
Added
- Add compatibility with Windows 10 feature upgrade procedure using ReflectDrivers mechanism
- Added additional EFI loader messages to the UI
- Added option to enable EFI picture password from UI
- Added remaining message charakters display
Changed
- Improved UEFI loader CLI password entry
- Restructured bootloader config GUI
Build v1.2 Beta 2
Here is the next new build of DiskCryptor it fixes some issues and adds some features, but mostly important it improves the boot performance a great lot.
The boot loader is not signed for secure boot, so for now, to use it, disabling secure boot is required.
The tool is able to use a signed shim Bootloader from Red Hat and install it, however for now the required files are not included in the installation package, as its a more fiddly installation and given the release is a beta it sounded reasonable to try to minimize potential issues.
The Disk Cryptor driver needed to be updated, and since the ReactOS foundation no longer offer a driver signing service, I head to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications may wrongfully flag it as potentially dangerous.
- This is a beta build so keep a backup and a Windows 2 Go drive on hand just in case.As the volume format did not change between 1.1 and 1.2 releases you can use a old 1.1 version for your Windows 2 Go drive, although then the installation/removal of the UEFI boot loader wont be available.
14.03.2020 - 1.2.848.118.201
Added
- Added option to mount volumes in read only mode
- Switched to using "fast" crypto implementation for the x64 UEFI bootloader
- Added Hardware Crypto support to the x64 UEFI bootloader
Changed
- Wipe Mode disabled on SSD drivers (as on those its pointless and may damage the ssd)
Fixed
- Fixed issues updating the driver on Windows 10
- Fixed some EFI config values not getting properly loaded by the API library
Build v1.2 Beta 1
Here is the first new build of DiskCryptor since 2014 its a fork of the project and starting with version 1.2
It comes with a UEFI compatible boot-loader and various fixes to make it work with EFI installations on GPT disks.
The boot loader is not signed for secure boot, so for now, to use it, disabling secure boot is required.
The tool is able to use a signed shim Bootloader from Red Hat and install it, however for now the required files are not included in the installation package, as its a more fiddly installation and given the release is a beta it sounded reasonable to try to minimize potential issues.
The Disk Cryptor driver needed to be slightly updated, and since the ReactOS foundation no longer offer driver signing service, I head to use a leaked code signing certificate I found laying around the Internets.
This means some anti malware applications flag it as potentially dangerous: https://www.virustotal.com/gui/file/e1c66a42d6c922ee379e2cab18323b7f31dfe53bf1200dc34b3e218a744b9feb/detection
- This is a beta build so keep a backup and a Windows 2 Go drive on hand just in case.As the volume format did not change between 1.1 and 1.2 releases you can use a old 1.1 version for your Windows 2 Go drive, although then the installation/removal of the UEFI boot loader wont be available.
29.01.2020 - 1.2.846.118.200
Added
- EFI bootloader
- Shim bootloader to achieve secure boot compatibility (https://habr.com/ru/post/446238/)
- Bootloader instalation routine for GPT partitions
- Integrated EFI bootloader instalation in the CLI
- Disk type display to bootloader instalation dialog
- Integrated EFI bootloader instalation in the GUI
Changed
- Project moved to Visual Studio 2017, using win 7 sdk for compatybility
- Error messages now provide an error string instead of a cryptic error code
Fixed
- Enabled GUI high DPI awareness
- Fixed boot partitions not being properly detected
- Fixed driver uninstall not being able to delete dcrypt.sys
The last version officially released by ntldr
This is the last version of DiskCryptor as releaed by its original author ntldr in 2016
Installation
To install the program:
Download installer or .zip package
Run
dcrypt_setup.exe (installer) or
dcrypt.exe or dccon -install console command (archive)
You would be prompted to install DiskCryptor's driver and Reboot your system.
After the reboot you can start to use the program.
The update of the program to a newer version could be performed in the same way (dccon -update console command).
Removal
To completely remove the program:
Use
Uninstaller,
Program menu or
Run console command dccon -remove
Please note, that if your system partition is encrypted it is required to decrypt it first in order to uninstall the driver.
Delete all program files
Reboot your system