Veracrypt - permanently decrypt a working system drive from another computer and discard the bootloader?

I was able to do this in the end by following this procedure:

First you need a bootable Veracrypt rescue disk, but this can be created from any unrelated computer running a Veracrypt-encrypted system disk:

  1. Boot a different computer which has a Veracrypt-encrypted system drive (annoying but necessary, apparently, since Veracrypt doesn't supply the rescue ISO as a download anywhere for some reason).

  2. Launch Veracrypt and choose System -> Create Rescue Disk and save it somewhere.

  3. Use Veracrypt's tool called VeraCryptUsbRescueDisk.zip to format a bootable USB drive. Alternatively you can probably use Rufus or something to do this.

  4. Place the EFI folder from your generated rescue disk onto that bootable USB drive.

  5. Boot the USB drive on your original computer with the encrypted disk attached (the one which you want to permanently decrypt).

    Note: I recommend you unplug all other disks from the system to make this process easier, although the program will apparently work just fine as long as you don't have more than one Veracrypt-encrypted disk plugged in with the same password. In that case I guess it would probably try to decrypt the wrong disk, or all the disks with that password.

  6. Choose the "d" (decrypt) option and enter your encrypted disk's password.

  7. The decryptor will find the disk matching the password and decrypt it permanently.

    Note: In my case it had a ridiculously long ETA (8 days) but it finished within an hour. Just watch the progress percentage.

It's interesting to see lots of people saying "this isn't possible", but it worked.

From my very limited knowledge of Veracrypt, I believe there is confusion arising from the fact that I was able to use a rescue disk created from one system to decrypt a system disk encrypted on a different system.

The reason it worked in this case - I think - is because I didn't need to restore the master key or the headers of the encrypted disk. So it didn't matter that the rescue disk was created on a completely different system - I knew the password, the disk wasn't damaged or corrupt - all I wanted to do was decrypt it permanently with the password. I guess the rescue environment allows you to do this whereas the GUI version doesn't.

Some suggestions for any Veracrypt devs reading this:

  1. Maybe offer a downloadable generic version / ISO of the rescue disk (without disk-specific embedded master keys) so that people in my situation can use the rescue environment to achieve stuff the GUI version can't achieve?

  2. Enable the GUI to permanently decrypt an encrypted system disk from a foreign system via in-place decryption?

Cheers


I think that for an encrypted system disk, you need the Veracrypt boot loader to unlock the system encryption on that drive.

You may try to boot from that drive and remove the encryption, although this could take some time depending on the drive size.

If this doesn't work for you, then saving the data and reformatting the disk is the only solution.