Bootloader

When encrypting the system partition, it is strongly recommended to create a Windows 2 Go boot drive.

This gives you access to the data in an emergency (for example, when the system cannot boot) and also lets you perform partition encryption and decryption operations.

DiskCryptor Bootloader Options

The DiskCryptor bootloader is used to boot an OS from an encrypted partition.

The bootloader has a number of options that determine its behavior in different situations, for example:

  • Boot a different encrypted OS, depending on the password entered;
  • Boot an unencrypted OS when an incorrect password is entered;
  • Change the bootloader messages and set a time limit for authentication;
  • When placing the bootloader on external media, you have the option of embedding a password into it and booting the system with authentication by the key media;
  • You can even place the bootloader with an embedded password on a LAN and boot a fleet of machines automatically, without user intervention.

This manual describes configuring the bootloader with the console version of DiskCryptor. The bootloader options in the GUI version are the same. The bootloader configuration menu appears automatically when an external bootloader is created, and it can also be invoked with the dccon -boot -config command (see Console version commands for details).

The options are grouped into sections by the function they perform.

| # | Option |
|---|--------|
| 1 | Change logon options |
| 2 | Change incorrect password action |
| 3 | Use incorrect password action if no password entered (OFF) |
| 4 | Set booting method |
| 5 | Set bootauth keyboard layout |
| 6 | Save changes and exit |

Logon options

| # | Option | Description |
|---|--------|-------------|
| 1 | On/Off "enter password" message (ON) | Allows you to switch off the display of the message prompting for a password. |
| 2 | Change display password type (display "*") | Allows you to select how the password is displayed as it is typed (display nothing, mask with asterisks, or display the password openly). |
| 3 | Change password prompt text (enter password: ) | Allows you to change the authentication message. |
| 4 | Enable embedded keyfile (disabled) | Allows you to set an embedded keyfile for pre-boot authentication. When an embedded keyfile is present, it is used in addition to the supplied password, or instead of it if the password prompt is turned off. |
| 5 | Change authentication timeout (disabled) | Allows you to set a time limit for authentication. When the limit is reached, the default action (the one performed when no password is supplied) is executed. |
| 6 | Cancel timeout if any key pressed (OFF) | Allows the countdown that limits the time for entering a password to be cancelled by pressing any key. |
| 7 | Return to main menu | |

Incorrect password action

| # | Option | Description |
|---|--------|-------------|
| 1 | On/Off invalid password message (ON) | Allows you to turn off the message displayed when an incorrect password is entered. |
| 2 | Invalid password action (retry authentication) | Allows you to set the action that follows the entry of an incorrect password (see below). |
| 3 | Invalid password message (password incorrect) | Allows you to change the message displayed when an incorrect password is entered. |
| 4 | Return to main menu | |

After an incorrect password is entered, the following actions are available:

| # | Option | Description |
|---|--------|-------------|
| 1 | Halt system | |
| 2 | Reboot system | |
| 3 | Boot from active partition | Try to boot the OS from the active partition of the 1st HDD. |
| 4 | Exit to BIOS | After that, the BIOS may try to boot from different media. |
| 5 | Retry authentication | |

Incorrect password action if no password entered

This option sets the default action, executed when no password is supplied. When this option is turned on, a blank password triggers the action set in Incorrect password action. Otherwise, the bootloader attempts to boot the system without a password, according to the Booting method options. The default action is also used on authentication timeout.

Booting method

This option sets the OS booting method used on successful authentication.

Authentication is considered successful when it was possible to mount at least one encrypted partition on any of the disks. The default value of this option is to load the saved copy of the MBR, which is similar to the boot process from an unencrypted disk. Changing this option might be needed to create a multi-boot configuration and when placing the bootloader on external media. The number of available booting methods depends on how the bootloader is placed.

The following is the full list of all available booting methods:

| # | Option | Description |
|---|--------|-------------|
| 1 | Set "load boot disk MBR" | Load the saved copy of the MBR of the HDD on which the loader resides. |
| 2 | Set "load first disk MBR" | Load the MBR from the 1st HDD that has an active partition. |
| 3 | Set "load OS from active partition" | Boot from the active partition of the HDD on which the loader resides. |
| 4 | Set "boot from first partition with appropriate password" | Boot from the first partition whose password was accepted. |
| 5 | Set "boot from specified partition" | See below. |

The 5th option, boot from specified partition, needs additional explanation. When you choose this booting method, a list of mounted encrypted partitions is presented, and you can choose the partition from which to boot. The search for this partition is carried out using the disk_id of the functionary header of the volume. This is a unique 32-bit partition descriptor. The descriptor is located in the encrypted part of the header and is accessible only after the password is entered, so it is impossible to determine which partition will be booted without knowing the password.

Bootauth keyboard layout

This option allows you to choose the keyboard layout used for entering the password in the bootloader. The following layouts are available: QWERTY, QWERTZ and AZERTY.

  • The QWERTY layout fully conforms to the standard English US layout.
  • The QWERTZ and AZERTY layouts are supported in a limited capacity, and only the following sets of symbols are available: [a-z][A-Z][0-9].
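
The interaction between the blank-password option, the authentication timeout, the embedded keyfile and the layout character limits can be checked before a configuration is written to disk. The following Python model is an added example, not DiskCryptor code: the class, function and field names are hypothetical, the rules are taken from the option descriptions on this page, and QWERTY is modelled as printable US-ASCII as an assumption.

```python
import string
from dataclasses import dataclass

ALNUM = set(string.ascii_letters + string.digits)
# Characters each layout can enter, per "Bootauth keyboard layout".
# Assumption: QWERTY is modelled as printable US-ASCII plus space.
LAYOUT_CHARS = {
    "QWERTY": ALNUM | set(string.punctuation + " "),
    "QWERTZ": ALNUM,
    "AZERTY": ALNUM,
}

@dataclass
class BootConfig:
    """Hypothetical model of the menu settings (defaults as shown in the menus)."""
    prompt_on: bool = True                        # logon option 1
    embedded_keyfile: bool = False                # logon option 4
    timeout_enabled: bool = False                 # logon option 5
    invalid_action: str = "retry authentication"  # incorrect password action
    blank_uses_invalid_action: bool = False       # main menu option 3
    booting_method: str = "load boot disk MBR"    # booting method
    layout: str = "QWERTY"                        # assumed default

def secrets_used(cfg):
    """Secrets that feed pre-boot authentication (logon option 4)."""
    used = ["password"] if cfg.prompt_on else []
    return used + (["embedded keyfile"] if cfg.embedded_keyfile else [])

def outcome(cfg, event):
    """Result for event 'correct', 'wrong', 'blank' or 'timeout'."""
    if event not in ("correct", "wrong", "blank", "timeout"):
        raise ValueError("unknown event: " + event)
    if event == "timeout" and not cfg.timeout_enabled:
        raise ValueError("authentication timeout is disabled")
    if event == "correct":
        return "boot: " + cfg.booting_method
    if event == "wrong" or cfg.blank_uses_invalid_action:
        return "invalid-password action: " + cfg.invalid_action
    # Blank password or timeout while main-menu option 3 is OFF.
    return "boot without password: " + cfg.booting_method

def untypeable(cfg, password):
    """Characters of the intended password the chosen layout cannot enter."""
    return sorted(set(password) - LAYOUT_CHARS[cfg.layout])

if __name__ == "__main__":
    cfg = BootConfig(layout="AZERTY", timeout_enabled=True)
    for event in ("correct", "wrong", "blank", "timeout"):
        print(f"{event:8} -> {outcome(cfg, event)}")
    print("secrets:", secrets_used(cfg))
    print("cannot type:", untypeable(cfg, "Constructed-Pass1!"))  # sample value
```

A non-empty result from untypeable means the password set in Windows could not be entered at the pre-boot prompt under that layout, which is worth catching before the system partition is encrypted.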