
LibreCrypt: An Open-Source transparent encryption program for PCs. With this software, you can create one or more "containers" on your PC - which appear as disks, anything written to these disks is automatically encrypted before being stored on your hard drive.

Driver signing and LibreCrypt

LibreCrypt: Open-Source disk encryption for Windows


The latest version of this document can be found at the LibreCrypt project site

Instructions

Important: LibreCrypt Portable will not work on the 64 bit versions of Windows Vista and later without an extra step before use. The following steps are carried out automatically when installing LibreCrypt, so they are only necessary when running LibreCrypt without installation (i.e. LibreCrypt Portable).

Please follow these instructions; if you do not, you will get an error dialog saying "Windows requires a digitally signed driver" when starting LibreCrypt in portable mode.

  • Either
    • Start LibreCrypt, click 'No' on the prompt to start the portable drivers, and 'OK' on the warning dialog about not having any loaded drivers.
    • Click the Tools->"Allow Test-signed drivers" menu item.
  • Or
    • Click the "Start" button on the Windows taskbar, type "CMD" in the search box, and then press <CTRL+SHIFT+ENTER> (this will open a command prompt window as administrator)
    • In the command prompt window which appears, type:

          bcdedit.exe /set TESTSIGNING ON


Then,

  • Reboot the PC
  • After rebooting the words "Test Mode" appear in the four corners of the Desktop. Please see below for details on removing this.

The rest of this document is for information only, and for manual installation.

Additional Information for x64 Windows Vista and later

This section applies to LibreCrypt when run under the 64 bit (x64) version of Windows Vista, Windows 7 or later. This section does not apply to 64 bit PCs running a 32 bit version of Windows.
In order to protect its revenue streams generated by DRM protected content, Microsoft saw fit to require all drivers running under the 64 bit (x64) version of Windows Vista and Windows 7 and 8 be digitally signed by Microsoft's root certificate.

Understandably, this presents a major problem for the overwhelming majority of free software projects which make use of kernel mode drivers and which, for obvious reasons, don't have such a digital certificate (read: haven't paid Microsoft, or one of their resellers, for such a certificate) to sign their drivers with.

For the same reason, LibreCrypt's drivers are not currently signed with a Microsoft certificate.

Fortunately, there are a number of methods of loading unsigned drivers under Windows x64, without having to pay for a digital certificate, and these are summarised below.

As a consequence, it is possible to use LibreCrypt under Windows x64 by using the methods shown below as successful.

A more long term solution (Microsoft signing) is being investigated.

Summary of Different Methods

Below is a table summarising the different methods of configuring Windows Vista x64/Windows 7 x64 to allow it to run LibreCrypt.
For most users, Method 3: TESTSIGNING ON is recommended.


Method                                  | Results     | "Test Mode" on wallpaper | Junk messages shown on manual start | Recommended?
1. NOINTEGRITYCHECKS ON                 | Ineffective | No                       | Yes                                 | No
2. DDISABLE_INTEGRITY_CHECKS            | May work    | No                       | Yes                                 |
3. TESTSIGNING ON                       | Works       | Yes                      | No                                  | Yes
4. <F8> while booting                   | Works       | No                       | Yes                                 |
5. ReadyDriver Plus                     | Works       | No                       | Yes                                 |
6. EasyBCD                              | May work    | No                       | Yes                                 | No
7. Signing with a Microsoft certificate | Works       | No                       | No                                  |

"Test Mode" on wallpaper

A method with "Yes" marked in this column indicates that the words "Test Mode" will be shown in each of the four corners of the desktop wallpaper. This is largely a cosmetic issue, and can be resolved using the directions given in the description of that method.

Junk messages shown on manual start

Those methods with "Yes" marked in this column indicate that MS Windows will pop up a message stating "Windows requires a digitally signed driver" for each and every driver loaded - even though the drivers are digitally signed (albeit using self-certification). These messages do not appear if the drivers are started automatically on booting; they only appear when the FreeOTFE drivers are started from the GUI (e.g. by starting portable mode). Since LibreCrypt's flexible architecture employs multiple drivers, this is hardly ideal, as the user gets peppered with junk messages telling them what they're doing - as if they didn't already know! The number of these messages shown can be minimised by removing all unused hash and cypher drivers.

Method 1: NOINTEGRITYCHECKS ON Instructions

  • Open an elevated command prompt by either
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  • In the command prompt window which appears, type:

    bcdedit.exe /set nointegritychecks ON
    
  • Reboot the PC

Method 2: DDISABLE_INTEGRITY_CHECKS Instructions:

  • Open an elevated command prompt by either:
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  • In the command prompt window which appears, type:

    bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
    (Note: That's "DDISABLE", with two Ds, for "Driver Disable") 
    
  • Reboot the PC

This method will work, however installing Windows Vista x64 Service Pack 1 (SP1), or any of the following Windows Vista "hotfixes" will cause this method to cease working:

  • KB932596: Update to improve Kernel Patch Protection
  • KB938194: An update is available that improves the compatibility and reliability of Windows Vista
  • KB938979: An update is available that improves the performance and reliability of Windows Vista
  • KB941649: An update is available that improves the compatibility, reliability, and stability of Windows Vista
  • KB943078: MS07-066: Vulnerability in the Windows kernel could allow elevation of privilege
  • KB943899: An update that improves the performance, responsiveness, and reliability of Windows Vista is available

Uninstalling the above should allow this method to work again, though this is hardly ideal. Note: This list of hotfixes was compiled from information taken from the following WWW sites:

  • Unable to Disable Integrity Checks Cause Drivers Not Found in 64-bit Vista (x64)
  • Disable Vista Driver Signing not working - Resolved!
  • Howto: Disabling Driver Signing in Windows Vista 64 bit

Method 3: TESTSIGNING ON Instructions:

  • Open an elevated command prompt by either:
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  • In the command prompt window which appears, type:

    bcdedit.exe /set TESTSIGNING ON

  • Reboot the PC

This method is probably the best solution, and allows LibreCrypt to run correctly. However, it does have a trivial side effect: The words "Test Mode" are shown in the four corners of the Desktop wallpaper after rebooting.
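The Instructions section and Method 3 both boil down to the state of a few boot-configuration elements. The following PowerShell script is an added example, not part of the LibreCrypt project: it reads those elements from the current boot entry with bcdedit, reports which driver-signing state the next boot will use, and prints the bcdedit command that undoes the change once test-signed drivers are no longer needed. It assumes an elevated prompt and the English bcdedit output format.

```powershell
# Added example (not LibreCrypt project code). Audits the three bcdedit settings
# discussed in this document on the {current} boot entry. Assumes an elevated
# PowerShell prompt and English-language "bcdedit /enum" output.

function Get-BcdElement {
    param([string]$Name)
    # bcdedit prints one "name   value" pair per line; pick the matching line.
    $line = (bcdedit /enum '{current}' 2>$null) | Where-Object { $_ -match "^\s*$Name\s+" }
    if (-not $line) { return $null }
    return ($line -replace "^\s*$Name\s+", '').Trim()
}

$testSigning = Get-BcdElement 'testsigning'        # Method 3: TESTSIGNING ON
$noIntegrity = Get-BcdElement 'nointegritychecks'  # Method 1 (ineffective per the table)
$loadOptions = Get-BcdElement 'loadoptions'        # Method 2: DDISABLE_INTEGRITY_CHECKS

"testsigning       : $(if ($testSigning) { $testSigning } else { '<not set>' })"
"nointegritychecks : $(if ($noIntegrity) { $noIntegrity } else { '<not set>' })"
"loadoptions       : $(if ($loadOptions) { $loadOptions } else { '<not set>' })"

if ($testSigning -eq 'Yes') {
    'Test-signed drivers will load after the next reboot ("Test Mode" watermark expected).'
    'Test signing also lets any other test-signed driver load; to revert when LibreCrypt'
    'portable mode is no longer needed, run: bcdedit /set testsigning off'
}
elseif ($loadOptions -match 'DDISABLE_INTEGRITY_CHECKS') {
    'loadoptions DDISABLE_INTEGRITY_CHECKS is set. As noted under Method 2, this stops'
    'working once Vista SP1 or the listed hotfixes are installed.'
    'To revert, run: bcdedit /deletevalue loadoptions'
}
else {
    'Driver signature enforcement is active: LibreCrypt portable mode will fail with'
    '"Windows requires a digitally signed driver" until TESTSIGNING is enabled (Method 3).'
}
```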

Although only a cosmetic issue, the words "Test Mode" may be removed from your background by using one of the following methods:

Method 4: <F8> while booting Instructions:

  • Reboot the PC
  • At the start of the boot sequence, press <F8>
  • When prompted, select the "Disable Driver Signature Enforcement" option and press <ENTER>
    Note: This method is not persistent, and its effect will cease the next time the PC is rebooted, unless this procedure is carried out again while rebooting. However, the "ReadyDriver Plus" method described below may be used to carry it out automatically.

Method 5: ReadyDriver Plus

"ReadyDriver Plus" is a piece of boot loader software which automatically carries out the "<F8> while booting" method of enabling driver loading. Instructions:

  • Download a copy of "ReadyDriver Plus" (v1.1 or later) from Citadel Industries
  • Install the software
  • Reboot the PC

Method 6: EasyBCD Instructions

  • Download a copy of "EasyBCD" (v1.7 or later; tested with v1.7.2) from NeoSmart Technologies
  • Install the software
  • Run EasyBCD
  • Click the "Advanced Options" button
  • Check the "Allow unsigned driver installation on Vista 64-Bit Edition" checkbox
  • Click "Apply Settings"
  • Reboot the PC

Although NeoSmart Technologies implemented some functionality to allow the use of "unsigned" drivers under Windows Vista x64, testing shows this appears limited to setting DDISABLE_INTEGRITY_CHECKS (see the method above) via a pretty GUI - despite their change log claims to "Allow 100% of unsigned drivers to run on Vista 64-Bit Edition". Support for this functionality was effectively dropped in August 2008. Because of this, it is recommended that Method 2: DDISABLE_INTEGRITY_CHECKS be employed rather than EasyBCD, since EasyBCD offers no significant advantages.

Method 7: Signing with a Microsoft certificate

This method requires signing the FreeOTFE drivers with a Microsoft certificate, as opposed to the self certified signature currently used in the release. There are currently two ways of signing the FreeOTFE drivers:

  • Find someone with a digital certificate, and ask them to sign the release (not ideal).
  • Find someone prepared to finance buying a digital certificate (circa 450 EUR for three years?!!) which could be used. The latter would probably be the best long term solution; offers of help would be gratefully received - please get in contact!