While encrypting system partition it is strongly recommended to: create a Windows 2 Go boot drive.

That will allow you to gain access to data in case of any emergency
(being unable to boot the system), and also allows for partition
encryption and decryption operations to be performed.

DiskCryptor Bootloader Options

DiskCryptor bootloader is used for booting OS from encrypted partition.

The bootloader has a number of options, allowing to determine its
behavior in different situations, for example:

  • Boot different encrypted OS, depending on password entered;
  • Boot unencrypted OS on entering incorrect password;
  • Change bootloader messages and set time limit for the
  • When placing the bootloader on external media, you have option of
    embedding a password into it, and to boot the system with
    authentication on a key's media;
  • You can even place the bootloader with embedded password on LAN, and
    to boot a park of machines automatically, without user intervention.

In this manual, configuring of bootloader with the console version of
DiskCryptor, is described. The bootloader options in the GUI version,
are the same. The bootloader configuration menu appears automatically on
a creation of external bootloader, and it also can be invoked by the
dccon -boot -config command (see Console version
for details).

All options are separated into section of functions performed.

# Options
1 Change logon options
2 Change incorrect password action
3 Use incorrect password action if no password entered (OFF)
4 Set booting method
5 Set bootauth keyboard layout
6 Save changes and exit

Logon options

# Options Description
1 On/Off "enter password" message (ON) Allows to switch off the display of the message, prompting for a password.
2 Change display password type (display "*") Allows to select the method of displaying a password on its input (display nothing, mask with asterisks or display password openly).
3 Change password prompt text (enter password: ) Allows you to change the authentication message.
4 Enable embedded keyfile (disabled) Allows to set embedded keyfile for pre-boot authentication. When embedded keyfile is present, it is being used in addition to supplied password, or instead of it, if prompt to supply a password is turned off.
5 Change authentication timeout (disabled) Allows to set the time limit for the authentication, and when it has been reached, default action, performed in case of the absence of a password, is executed.
6 Cancel timeout if any key pressed (OFF) Allows to cancel the counter limiting the time you have to input a password, by pressing any key.
7 Return to main menu

Incorrect password action

# Options Description
1 On/Off invalid password message (ON) Allows to turn off display of the message on entering incorrect password.
2 Invalid password action (retry authentication) Allows you to set the next action, following the input of incorrect password (see below).
3 Invalid password message (password incorrect) Allows to change the message displayed on entering incorrect password.
4 Return to main menu

Following the entry of incorrect password, the following actions
are available:

# Options Description
1 Halt system
2 Reboot system
3 Boot from active partition Try to boot OS from active partition of the 1st HDD.
4 Exit to BIOS After that BIOS may try to boot from different media.
5 Retry authentication

Incorrect password action if no password entered

This option sets the default action, executed in case of the absence of
password. When this option is turned on, then in case of a blank
password, the action set in the Incorrect password action, will be
executed. Otherwise, there will be attempt to boot the system without
password, according to the Booting method options. The default
actions is also used on authentication timeout.

Booting method

This option sets the OS booting method on successful authentication.

Authentication is considered to be successful, when it were possible to
mount at least one encrypted partition on any of the disks. The default
value of this option is set to load saved copy of MBR, which is similar
to the boot process from unencrypted disk. Changing of this option might
be needed for the creation of a multi-boot configuration and when
placing the bootloader on external media. The number of available
booting methods is dependent on the bootloader placing method.

The following is full list of all available booting methods:

# Options Description
1 Set "load boot disk MBR" Load saved copy of MBR, of the HDD, on which the loader resides.
2 Set "load first disk MBR" Load MBR from the 1st HDD, that has active partition.
3 Set "load OS from active partition" Boot from the active partition, of the HDD, on which the loader resides.
4 Set "boot from first partition with appropriate password" Boot from the first partition, password to which was accepted.
5 Set "boot from specified partition" see below

The 5th option - boot from specified partition needs the additional
explanation. On choosing this booting method, there will be a list
presented with mounted encrypted partitions, and you will be able to
choose a partition from which to boot. The search for this partition
will be carried out using disk_id of the functionary header of volume.
This is unique 32 bit partition descriptor. The descriptor is located in
the encrypted part of the header, and is accessible only after inputting
password, thus it is impossible to determine from which partition the
booting will be done, without knowing password.

Bootauth keyboard layout

This option allows to choose keyboard layout for entering password in
the bootloader. The following layouts are available: QWERTY, QWERTZ and

  • The QWERTY layout is fully in conformance with the standard English
    US layout.
  • QWERTZ and AZERTY layouts are supported in limited capacity, and
    only the followings sets of symbols are available: