Recently, the installation of Microsoft Windows that came bundled with the device, an Asus Vivobook, had to be reset. The device had been originally set up with full-disk encryption with the latest version of Veracrypt. Microsoft Windows was reset with the option to remove everything, following the steps in the instructions - https://www.asus.com/support/faq/1013063/. The device wasn't decrypted prior to resetting Microsoft Windows, to prevent any files from being written to disk. This resulted in the device returning the "Blue screen of death" on restart.
To gain access to the Windows installation, the device was booted using the generic Veracrypt rescue disk that was generated from another device with full-disk encryption. To continue the Microsoft installation process, the option to decrypt the OS was selected and, oddly, it returned a message in yellow that it wasn't successful. The device restarted and the installation process resumed. On completion of the installation, the device continued to prompt for the Veracrypt boot password. Attempting to remove the bootloader using the rescue disk did not work.
To get around the issue of the bootloader, Veracrypt was installed on the device again and the option to encrypt the system partition was picked. Towards the end of the process, it returned the message that another bootloader was already installed and might cause issues. Ignoring the warning, the process was completed and the device restarted. On restart, it prompted for the password and, although the password was authenticated, it did not progress any further.
The device was booted again with the Veracrypt rescue disk and the option to boot the original bootloader was chosen. It successfully launched Microsoft Windows. Once logged in, the option "Permanently Decrypt System Partition/Drive" was selected, and only then was the bootloader removed.
Questions
Since the device was reset without first decrypting Veracrypt, can it be safely assumed that all previous files have been securely removed/deleted and cannot be recovered?
As Veracrypt was installed again, the initial bootloader removed and full-disk encryption enabled again, can it be safely assumed that the device is successfully encrypted with no historical remnants?
Is there a better way to achieve the same outcome with OEM versions of Microsoft Windows, i.e. where the installation files are on a recovery partition?
From what I understand, the VeraCrypt system encryption rescue disk contains a backup copy of the volume header merged with the bootloader. That header contains the master key required for the system encryption, unlocked with the correct password and PIM. If you use the rescue disk created on another device, you are using the master key of that other device for system encryption on the device you are trying to reset.
The VeraCrypt Rescue Disk (VRD) is specific to the encrypted system it was created on, and should not be used on another encrypted system.
Normally, once pre-boot authentication has passed, the bootloader on-the-fly encrypts/decrypts the system files for the Windows kernel to boot, until the VeraCrypt driver is loaded and takes over.
If you want to do a complete Windows reset on a device with VeraCrypt system encryption enabled, you should always create a VRD for that specific system encryption first, before proceeding with the reset.
Disclaimer: I have never used VeraCrypt system encryption before; all of the above is based only on my understanding of system encryption from the VeraCrypt documentation.
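To illustrate the point made in the reply above (a rescue disk header from another device can accept the password yet carry the wrong master key), here is an added Python model that is not from the original thread or from the VeraCrypt project. It is a deliberately simplified stand-in: the header layout, key sizes, PIM-to-iteration formula and the HMAC-based sector cipher are all constructed for this example and are not VeraCrypt's real on-disk format. What it shows is that a correct password and PIM verify the foreign header (so the prompt appears to succeed), while the master key it yields cannot decrypt the sectors of the device actually being booted; only that device's own header does.

```python
import hashlib
import hmac
import secrets

# Constructed model of password-wrapped volume headers. Sizes, layout and the
# PIM iteration formula are illustrative only, NOT VeraCrypt's actual format.
SALT_LEN = 64
MASTER_KEY_LEN = 32
TAG_LEN = 16


def derive_header_key(password: bytes, salt: bytes, pim: int) -> bytes:
    """Stretch password + salt into a 64-byte header key; the PIM scales the
    iteration count (constructed formula standing in for VeraCrypt's own)."""
    iterations = 1000 + 1000 * pim
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA512 in counter mode used as a PRF keystream (model only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha512).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_volume_header(password: bytes, pim: int) -> tuple:
    """Generate a fresh random master key and wrap it under the password-derived
    key. Returns (header_bytes, master_key); the header is what a rescue disk
    backs up, and it is tied to this device's master key."""
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    hk = derive_header_key(password, salt, pim)
    enc_key, mac_key = hk[:32], hk[32:]
    wrapped = _xor(master_key, _keystream(enc_key, b"header", MASTER_KEY_LEN))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha512).digest()[:TAG_LEN]
    return salt + wrapped + tag, master_key


def open_volume_header(header: bytes, password: bytes, pim: int):
    """Return the master key if password/PIM verify against this header, else None.
    Passing this check only proves the password fits THIS header; it says
    nothing about whether the recovered key matches the disk being booted."""
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + MASTER_KEY_LEN]
    tag = header[SALT_LEN + MASTER_KEY_LEN:SALT_LEN + MASTER_KEY_LEN + TAG_LEN]
    hk = derive_header_key(password, salt, pim)
    enc_key, mac_key = hk[:32], hk[32:]
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha512).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(wrapped, _keystream(enc_key, b"header", MASTER_KEY_LEN))


def crypt_sector(master_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Symmetric sector transform keyed by the master key (same call encrypts
    and decrypts because the keystream is XORed in)."""
    nonce = b"sector" + sector_no.to_bytes(8, "big")
    return _xor(data, _keystream(master_key, nonce, len(data)))


def demo(password: bytes = b"correct horse battery", pim: int = 3) -> dict:
    """Two devices share the same password and PIM but have independent master keys."""
    header_a, mk_a = create_volume_header(password, pim)  # device the rescue disk came from
    header_b, mk_b = create_volume_header(password, pim)  # device being reset/booted
    # Constructed sample sector belonging to device B.
    sector_b = crypt_sector(mk_b, 0, b"BOOTMGR sector on device B" + bytes(38))

    own = open_volume_header(header_b, password, pim)
    foreign = open_volume_header(header_a, password, pim)
    return {
        "own_header_unlocks": own == mk_b,
        "foreign_header_accepts_password": foreign is not None,  # looks like success at the prompt
        "foreign_key_decrypts_device_b": crypt_sector(foreign, 0, sector_b).startswith(b"BOOTMGR"),
        "own_key_decrypts_device_b": crypt_sector(own, 0, sector_b).startswith(b"BOOTMGR"),
        "wrong_password_rejected": open_volume_header(header_b, b"wrong", pim) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The script needs only the Python standard library; running it prints one boolean per check. The instructive pair is `foreign_header_accepts_password` (True) next to `foreign_key_decrypts_device_b` (False): the password prompt can be satisfied by any header that was wrapped under that password, which is exactly why a rescue disk must come from the same system it is later used to repair.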