LibreCrypt: An Open-Source transparent encryption program for PCs. With this software, you can create one or more "containers" on your PC, which appear as disks; anything written to these disks is automatically encrypted before being stored on your hard drive.
Driver signing and LibreCrypt
LibreCrypt: Open-Source disk encryption for Windows
Important: LibreCrypt Portable will not work on 64 bit versions of Windows Vista and later without an extra step before use.
The following steps are done automatically when installing LibreCrypt, so they are only necessary for running LibreCrypt without installation (i.e. LibreCrypt Portable).
Please follow these instructions; if you do not, you will get an error dialog saying "Windows requires a digitally signed driver" when starting LibreCrypt in portable mode.
* Either
+ Start LibreCrypt, click 'No' on the prompt to start the portable drivers, and 'OK' on the warning dialog about not having any loaded drivers.
+ Click the Tools->"Allow Test-signed drivers" menu item.
* Or
+ Click the "Start" button on the Windows taskbar, type "CMD" in the search box, and then press <CTRL+SHIFT+ENTER> (this will open a DOS box as administrator)
+ In the command prompt window which appears, type:
bcdedit.exe /set TESTSIGNING ON
Then,
Reboot the PC
After rebooting the words "Test Mode" appear in the four corners of the Desktop. Please see below for details on removing this.
The rest of this document is for information only, and for manual installation.
Additional Information for x64 Windows Vista and later
This section applies to LibreCrypt when run under the 64 bit (x64) version of Windows Vista, Windows 7 or later. This section does not apply to 64 bit PCs running a 32 bit version of Windows.
In order to protect its revenue streams generated by DRM protected content, Microsoft saw fit to require all drivers running under the 64 bit (x64) version of Windows Vista and Windows 7 and 8 be digitally signed by Microsoft's root certificate.
Understandably, this presents a major problem for the overwhelming majority of free software projects which make use of kernel mode drivers and which, for obvious reasons, don't have such a digital certificate (read: haven't paid Microsoft, or one of their resellers, for such a certificate) to sign their drivers with.
For the same reason, LibreCrypt's drivers are not currently signed with a Microsoft certificate.
Fortunately, there are a number of methods of loading unsigned drivers under Windows x64, without having to pay for a digital certificate, and these are summarised below.
As a consequence, it is possible to use LibreCrypt under Windows x64 by using the methods shown to be successful below.
A more long term solution (Microsoft signing) is being investigated.
Summary of Different Methods
Below is a table summarising the different methods of configuring Windows Vista x64/Windows 7 x64 to allow it to run LibreCrypt.
For most users, Method 3: TESTSIGNING ON is recommended.
| Method | Results | "Test Mode" on wallpaper | Junk messages shown on manual start | Recommended? |
|---|---|---|---|---|
| 1. NOINTEGRITYCHECKS ON | Ineffective | No | Yes | No |
| 2. DDISABLE_INTEGRITY_CHECKS | May work | No | Yes | |
| 3. TESTSIGNING ON | Works | Yes | No | Yes |
| 4. <F8> while booting | Works | No | Yes | |
| 5. ReadyDriver Plus | Works | No | Yes | |
| 6. EasyBCD | May work | No | Yes | No |
| 7. Signing with a Microsoft certificate | Works | No | No | |

"Test Mode" on wallpaper
The method with "Yes" marked in this column causes the words "Test Mode" to be shown in each of the four corners of the desktop wallpaper. This is largely a cosmetic issue, and can be resolved using the directions indicated in the description of this method.

Junk messages shown on manual start
With those methods that have "Yes" marked in this column, MS Windows will pop up a message stating: "Windows requires a digitally signed driver" for each and every driver loaded - even though the drivers are digitally signed (albeit using self-certification).
If the drivers are started automatically on booting, these messages will not appear.
However, if the FreeOTFE drivers are started from the GUI (e.g. by starting portable mode), the messages are shown. Since LibreCrypt's flexible architecture employs multiple drivers, this is hardly ideal as the user gets peppered with junk messages telling them what they're doing - as if they didn't already know!
The number of these messages shown can be minimised by removing all unused hash and cypher drivers.
Method 1: NOINTEGRITYCHECKS ON
Instructions:
* Open an elevated command prompt by either:
+ Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
+ Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu.
* Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
* In the command prompt window which appears, type:
bcdedit.exe /set nointegritychecks ON
* Reboot the PC
Method 2: DDISABLE_INTEGRITY_CHECKS
Instructions:
* Open an elevated command prompt by either:
+ Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
+ Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu.
* Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
* In the command prompt window which appears, type:
bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
(Note: That's "DDISABLE", with two Ds, for "Driver Disable")
* Reboot the PC
This method will work; however, installing Windows Vista x64 Service Pack 1 (SP1), or any of the following Windows Vista "hotfixes", will cause this method to cease working:
- KB932596: Update to improve Kernel Patch Protection
- KB938194: An update is available that improves the compatibility and reliability of Windows Vista
- KB938979: An update is available that improves the performance and reliability of Windows Vista
- KB941649: An update is available that improves the compatibility, reliability, and stability of Windows Vista
- KB943078: MS07-066: Vulnerability in the Windows kernel could allow elevation of privilege
- KB943899: An update that improves the performance, responsiveness, and reliability of Windows Vista is available
Uninstalling the above should allow this method to work again, though this is hardly ideal.
Note: This list of hotfixes was compiled from information taken from the following WWW sites:
- Unable to Disable Integrity Checks Cause Drivers Not Found in 64-bit Vista (x64)
- Disable Vista Driver Signing not working - Resolved!
- Howto: Disabling Driver Signing in Windows Vista 64 bit
Method 3: TESTSIGNING ON
Instructions:
* Open an elevated command prompt by either:
+ Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
+ Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu.
* Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
* In the command prompt window which appears, type:
bcdedit.exe /set TESTSIGNING ON
* Reboot the PC
This method is probably the best solution, and allows LibreCrypt to run correctly. However, it does have a trivial side effect: The words "Test Mode" are shown in the four corners of the Desktop wallpaper after rebooting.
Although only a cosmetic issue, the words "Test Mode" may be removed from your background by using one of the following methods:
* Using Windows DreamScene (which allows videos to be shown as an animated desktop "wallpaper", instead of a static image) will prevent the "Test Mode" watermark being shown. DreamScene is available with the "Ultimate" edition of Windows Vista/Windows 7; other animated desktops are available for other editions (e.g. Home or Business).
* Setting the background to a solid colour with RGB values of (250,250,250) will make the watermark invisible.
None of these have been tested or are approved by LibreCrypt.
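A read-only check of the three boot settings that Methods 1 to 3 change, useful for confirming which of them is active or that a revert has taken effect. This is an added example, not part of LibreCrypt or its documentation; the function name `Get-DriverSigningBcdState` is hypothetical, the sample lines are constructed, and English-language bcdedit output is assumed.

```powershell
# Added example: report the boot settings this page changes. Read-only.
# Assumes English-language bcdedit output; the function name is hypothetical.
function Get-DriverSigningBcdState {
    param(
        # Lines of `bcdedit /enum {current}` output. Defaults to the live
        # boot entry, which requires an elevated prompt to read.
        [string[]]$BcdText = (bcdedit.exe /enum '{current}')
    )
    $state = [ordered]@{
        testsigning       = 'No'   # set by Method 3
        nointegritychecks = 'No'   # set by Method 1
        loadoptions       = ''     # set by Method 2 (and EasyBCD)
    }
    foreach ($line in $BcdText) {
        # Each element is printed as "<name><spaces><value>"
        if ($line -match '^(testsigning|nointegritychecks|loadoptions)\s+(.+)$') {
            $state[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        TestSigning        = $state.testsigning -eq 'Yes'
        NoIntegrityChecks  = $state.nointegritychecks -eq 'Yes'
        DDisableLoadOption = $state.loadoptions -match 'DDISABLE_INTEGRITY_CHECKS'
    }
}

# Constructed sample: the relevant part of the output after Method 3.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'nx                      OptIn',
    'testsigning             Yes'
)
Get-DriverSigningBcdState -BcdText $sample

# To undo each method, run from an elevated prompt and then reboot:
#   bcdedit.exe /set TESTSIGNING OFF
#   bcdedit.exe /set nointegritychecks OFF
#   bcdedit.exe /deletevalue loadoptions    (removes the whole loadoptions value)
```

Calling the function with no arguments from an elevated PowerShell prompt reads the current boot entry instead of the sample.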
Method 4: <F8> while booting
Instructions:
* Reboot the PC
* At the start of the boot sequence, press <F8>
* When prompted, select the "Disable Driver Signature Enforcement" option and press <ENTER>
Note: This method is not persistent, and its effect will cease the next time the PC is rebooted, unless this procedure is carried out again while rebooting. However, the "ReadyDriver Plus" method described below may be used to carry it out automatically.
Method 5: ReadyDriver Plus
"ReadyDriver Plus" is a piece of boot loader software which automatically carries out the "<F8> while booting" method of enabling driver loading.
Instructions:
* Download a copy of "ReadyDriver Plus" (v1.1 or later) from Citadel Industries
* Install the software
* Reboot the PC
Method 6: EasyBCD
Instructions:
* Download a copy of "EasyBCD" (v1.7 or later; tested with v1.7.2) from NeoSmart Technologies
* Install the software
* Run EasyBCD
* Click the "Advanced Options" button
* Check the "Allow unsigned driver installation on Vista 64-Bit Edition" checkbox
* Click "Apply Settings"
* Reboot the PC
Although NeoSmart Technologies implemented some functionality to allow the use of "unsigned" drivers under Windows Vista x64, testing shows this appears limited to setting DDISABLE_INTEGRITY_CHECKS (see method above) via a pretty GUI - despite their change log claims to "Allow 100% of unsigned drivers to run on Vista 64-Bit Edition". Support for this functionality was effectively dropped in August 2008.
Because of this, it is recommended that Method 2: DDISABLE_INTEGRITY_CHECKS be employed rather than EasyBCD, since EasyBCD offers no significant advantages.
Method 7: Signing with a Microsoft certificate
This method requires signing the FreeOTFE drivers with a Microsoft certificate, as opposed to the self certified signature currently used in the release.
There are currently two ways of signing the FreeOTFE drivers:
* Find someone with a digital certificate, and ask them to sign the release (not ideal).
* Find someone prepared to finance buying a digital certificate (circa 450 EUR for three years?!!) which could be used.
The latter would probably be the best long term solution; offers of help would be gratefully received - please get in contact!