FreeOTFE
Free disk encryption software for PCs and PDAs

Additional Information for Windows Vista x64 and Windows 7 x64 Users Only

PC version only: This section applies to the PC version of FreeOTFE, when run under the 64 bit (x64) version of Windows Vista and Windows 7 only.

This section does not apply to 64 bit PCs running the 32 bit version of Windows Vista or Windows 7, or when running the x64 version of Windows XP.

In order to protect its revenue streams generated by DRM protected content, Microsoft saw fit to require all drivers running under the 64 bit (x64) version of Windows Vista and Windows 7 be digitally signed by Microsoft's root certificate.

Understandably, this presents a major problem for the overwhelming majority of free software projects which make use of kernel mode drivers and which, for obvious reasons, don't have such a digital certificate (read: haven't paid Microsoft, or one of their resellers, for such a certificate) to sign their drivers with.

For the same reason, FreeOTFE's drivers are not currently signed with a Microsoft certificate.

Fortunately, there are a number of methods of loading unsigned drivers under Windows Vista x64/Windows 7 x64, without having to pay for a digital certificate, and these are summarised below.

As a consequence, it is possible to use FreeOTFE under Vista x64/Windows 7 x64 by using the methods shown to be successful below.

A more long term solution (Microsoft signing) is being investigated.


Summary of Different Methods

Below is a table summarising the different methods of configuring Windows Vista x64/Windows 7 x64 to allow it to run FreeOTFE.

For most users, Method 3: TESTSIGNING ON is recommended.

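| Method                                  | Results     | "Test Mode" on wallpaper | Junk messages shown on manual start | Recommended? |
|-----------------------------------------|-------------|--------------------------|-------------------------------------|--------------|
| 1. NOINTEGRITYCHECKS ON                 | Ineffective | No                       | Yes                                 | No           |
| 2. DDISABLE_INTEGRITY_CHECKS            | May work    | No                       | Yes                                 |              |
| 3. TESTSIGNING ON                       | Works       | Yes                      | No                                  | Yes          |
| 4. <F8> while booting                   | Works       | No                       | Yes                                 |              |
| 5. ReadyDriver Plus                     | Works       | No                       | Yes                                 |              |
| 6. EasyBCD                              | May work    | No                       | Yes                                 | No           |
| 7. Signing with a Microsoft certificate | Works       | No                       | No                                  |              |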

"Test Mode" on wallpaper

The method with "Yes" marked in this column indicates that the words "Test Mode" will be shown in each of the four corners of the desktop wallpaper. This is largely a cosmetic issue, and can be resolved using the directions indicated in the description of this method.

Junk messages shown on manual start

Those methods with "Yes" marked in this column indicate that MS Windows will pop up a message stating: "Windows requires a digitally signed driver" for each and every driver loaded - even though the drivers are digitally signed (albeit using self-certification).

If the drivers are started automatically on booting, these messages will not appear.

However, if the FreeOTFE drivers are started from the GUI (e.g. by starting portable mode), these messages will be shown. Since FreeOTFE's flexible architecture employs multiple drivers, this is hardly ideal as the user gets peppered with junk messages telling them what they're doing - as if they didn't already know!

The number of these messages shown can be minimised by removing all unused hash and cypher drivers.


Method 1: NOINTEGRITYCHECKS ON

Instructions:
  1. Open an elevated command prompt by either:
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
  2. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  3. In the command prompt window which appears, type:
    bcdedit.exe /set nointegritychecks ON
    
  4. Reboot the PC


Method 2: DDISABLE_INTEGRITY_CHECKS

Instructions:
  1. Open an elevated command prompt by either:
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
  2. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  3. In the command prompt window which appears, type:
    bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
    
    (Note: That's "DDISABLE", with two Ds, for "Driver Disable")
  4. Reboot the PC

This method will work; however, installing Windows Vista x64 Service Pack 1 (SP1), or any of the following Windows Vista "hotfixes", will cause this method to cease working:

Uninstalling the above should allow this method to work again, though this is hardly ideal.

Note: This list of hotfixes was compiled from information taken from the following WWW sites:



Method 3: TESTSIGNING ON

Instructions:
  1. Open an elevated command prompt by either:
    • Clicking the "Start" button on the Windows taskbar, typing CMD in the search box, and then pressing <CTRL+SHIFT+ENTER> (to run CMD with administrator privileges), or
    • Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
  2. Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
  3. In the command prompt window which appears, type:
    bcdedit.exe /set TESTSIGNING ON
    
  4. Reboot the PC

This method is probably the best solution, and allows FreeOTFE to run correctly. However, it does have a trivial side effect: The words "Test Mode" are shown in the four corners of the Desktop wallpaper after rebooting.

Although only a cosmetic issue, the words "Test Mode" may be removed from your background by using one of the following methods:

Alternatively, using Windows DreamScene (which allows videos to be shown as an animated desktop "wallpaper", instead of a static image) will prevent the "Test Mode" watermark being shown. DreamScene is intended for use with "Ultimate" edition of Windows Vista/Windows 7, though other animated desktop solutions are available for users with other editions (e.g. Home or Business).
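
The settings made by Methods 1 to 3 are written to the boot configuration and stay in force across reboots until they are removed. As an added example (not part of the FreeOTFE documentation), the Python script below parses the text output of `bcdedit /enum {current}` and reports which of those three settings are enabled, together with the command that reverts each one; the sample output is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `bcdedit /enum {current}` output (not captured from a real PC).
SAMPLE = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
testsigning             Yes
nx                      OptIn
loadoptions             DDISABLE_INTEGRITY_CHECKS
"""

# BCD element -> (method on this page, command that reverts it).
# Note: deleting loadoptions also removes any other load options stored in that value.
CHECKS = {
    "nointegritychecks": ("Method 1", "bcdedit.exe /deletevalue nointegritychecks"),
    "loadoptions": ("Method 2", "bcdedit.exe /deletevalue loadoptions"),
    "testsigning": ("Method 3", "bcdedit.exe /set TESTSIGNING OFF"),
}

def parse_bcd(text):
    """Return {element_name: value} for the 'name   value' lines of one BCD entry."""
    entry = {}
    for line in text.splitlines():
        # Element lines are a name, padding of two or more spaces, then the value.
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if m:
            entry[m.group(1).lower()] = m.group(2)
    return entry

def audit(text):
    """List (method, element, value, revert_command) for each enabled setting."""
    entry = parse_bcd(text)
    findings = []
    for name, (method, revert) in CHECKS.items():
        value = entry.get(name, "")
        if name == "loadoptions":
            enabled = "DDISABLE_INTEGRITY_CHECKS" in value.upper()
        else:
            enabled = value.lower() in ("yes", "on", "true", "1")
        if enabled:
            findings.append((method, name, value, revert))
    return findings

if __name__ == "__main__":
    for method, name, value, revert in audit(SAMPLE):
        print(f"{method}: {name} = {value}  -> revert with: {revert}")
```

On a real PC, pass `audit()` the text produced by running `bcdedit /enum {current}` from an elevated command prompt instead of the sample.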


Method 4: <F8> while booting

Instructions:
  1. Reboot the PC
  2. At the start of the boot sequence, press <F8>
  3. When prompted, select the "Disable Driver Signature Enforcement" option and press <ENTER>

Note: This method is not persistent, and its effect will cease the next time the PC is rebooted, unless this procedure is carried out again while rebooting. However, the "ReadyDriver Plus" method described below may be used to carry it out automatically.


Method 5: ReadyDriver Plus

"ReadyDriver Plus" is a piece of boot loader software which automatically carries out the "<F8> while booting" method of enabling driver loading.

Instructions:

  1. Download a copy of "ReadyDriver Plus" (v1.1 or later) from Citadel Industries
  2. Install the software
  3. Reboot the PC


Method 6: EasyBCD

Instructions:
  1. Download a copy of "EasyBCD" (v1.7 or later; tested with v1.7.2) from NeoSmart Technologies
  2. Install the software
  3. Run EasyBCD
  4. Click the "Advanced Options" button
  5. Check the "Allow unsigned driver installation on Vista 64-Bit Edition" checkbox
  6. Click "Apply Settings"
  7. Reboot the PC

Although NeoSmart Technologies implemented some functionality to allow the use of "unsigned" drivers under Windows Vista x64, testing shows this appears limited to setting DDISABLE_INTEGRITY_CHECKS (see method above) via a pretty GUI - despite their change log claims to "Allow 100% of unsigned drivers to run on Vista 64-Bit Edition". Support for this functionality was effectively dropped in August 2008.

Because of this, it is recommended that Method 2: DDISABLE_INTEGRITY_CHECKS be employed rather than EasyBCD, since EasyBCD offers no significant advantages.


Method 7: Signing with a Microsoft certificate

This method requires signing the FreeOTFE drivers with a Microsoft certificate, as opposed to the self certified signature currently used in the release.

There are currently two ways of signing the FreeOTFE drivers:

  1. Find someone with a digital certificate, and ask them to sign the release (not ideal).
  2. Find someone prepared to finance buying a digital certificate (circa 450 EUR for three years?!!) which could be used.
The latter would probably be the best long term solution; offers of help would be gratefully received - please get in contact!