Using VeraCrypt with a UEFI dual boot setup

Or how I learned to stop worrying and love the bootloader

There are many benefits to encryption and no real drawbacks. Sometimes it is mandated by your employer, which is the case with me as well. However, most companies use corporate tools that are compatible only with Windows and OSX/MacOS, which means that people running Linux and dual boot setups are on their own.

If you have a dual boot setup with a version of Windows that does not support full disk encryption, or if you just simply prefer open source solutions, there is really no competitor to VeraCrypt.
However, if your system is by any standards relatively modern, then you are booting with UEFI and not legacy BIOS – which means that VeraCrypt will gray out the multi boot option when you try to encrypt your Windows system partition. They just don’t have support for UEFI at the moment of writing.

So what now?

From here on, I will assume that the PC we are working on has Grub as the boot manager. I will also assume you have a full disk backup before proceeding. I am not responsible for loss of your data.

The solution is, surprisingly, fairly simple.
The only thing to keep in mind here is that there is an interplay of several boot managers and boot loaders when you are turning on your system. For an unprepared user, it may seem like they all want to do their own thing and couldn’t care less about each other. I managed to convince myself it is not the case.

  1. You can go ahead and encrypt your Windows system partition as if it was the only OS installed on your PC.
    Your UEFI boot manager will get a new entry called “VeraCrypt BootLoader (DcsBoot)” or something to this extent. Your mileage may vary, but most likely it will become the default one, which means that on boot you will bypass Grub, losing access to your other OSes.
  2. Don’t worry. From Windows, download and install Hasleo EasyUEFI and change the order of boot loaders.
    All you need to do is move your Grub loader back above the VeraCrypt loader. If you have Ubuntu, the Grub loader is probably called “ubuntu.” I cannot vouch for other distros or non-grub loaders, but in general the idea remains the same.
    I recommend using EasyUEFI and noting the file path for the VeraCrypt boot loader. This will come in handy in step 4.
    However, it is normally also possible to change the order of boot loaders from the BIOS/UEFI setup.
  3. Now, when you reboot, you should see your old and trusty boot menu.
    If you don’t, you might have to boot and run Boot-Repair.
    Once you have the menu, you will most likely be disappointed to find out that the “Windows” entry tries to load Windows directly off the encrypted partition, fails miserably, tries to repair it, and fails miserably again.
    This happens because the entry is pointing to the old Windows loader, bypassing the VeraCrypt loader completely.
    Thankfully, this is extremely easy to fix.
  4. Reboot into Linux and modify your Grub config.
    You will see that the Windows entry is pointing to the Windows EFI loader (likely \EFI\Microsoft\Boot\bootmgfw.efi). You should modify it to point to the VeraCrypt loader again. As reported by EasyUEFI (step 2), in my case, it is \EFI\VeraCrypt\DcsBoot.efi.

Ta da.

Now, on boot, you will be presented with your Grub menu, and the encryption will be resolved on the next step, whichever system you are booting from there.

For example, upon selecting Windows, you will be greeted with the VeraCrypt loader that prompts you for a passphrase.
You set up your Linux to also be encrypted, right?