Who is this for?
Have you previously made an encrypted ext4 formatted drive to use with a Linux distro but now have moved to Windows 10 and would like to continue using the encrypted drive without permanently decrypting it to be recognisable? This guide is for you!
Windows Subsystem for Linux (WSL) saves the day!
It's now possible to mount Linux filesystem drives inside Windows and access them natively without relying on third-party software like DiskInternals Linux Reader: https://docs.microsoft.com/en-us/windows-insider/Active-Dev-Branch#build-20211
You need to enable access for yourself to the Windows Insider Preview programme and select the Dev channel. Update, restart and follow this guide to make sure you're on WSL2: https://docs.microsoft.com/en-us/windows/wsl/install-win10
You can switch to Beta Insider channel now if you wish or leave the programme altogether but most importantly now you have access to the Linux Subsystem.
Order is most important
Get started mounting a Linux disk in WSL 2: https://docs.microsoft.com/en-gb/windows/wsl/wsl2-mount-disk
Is the official Windows documentation for mounting Linux drives in WSL. I'll cut to the chase and say if you were to mount an unencrypted device it would show up under \\wsl.localhost\Ubuntu\mnt\wsl.
To do that you would do something like:
wmic diskdrive list brief
In Powershell to list the attached devices and their partitions.
wsl --mount \\.\PHYSICALDRIVE1 --partition 1
If your ext4 drive only had one partition it would now be accessible to Windows under /mnt/wsl. Wow, awesome!
But where does Veracrypt fit in?
But you have an encrypted Veracrypt drive, maybe once even encrypted with Truecrypt. Do you decrypt it first then mount in WSL? Which OS should be decrypting it first? Hey, I've done everything the Windows documentation says but I can't see it anywhere :/
1) If you decrypt it first in Veracrypt Windows side and then mount it in WSL you will be told the drive is busy and being accessed already - a stonewall.
2) If you mount it in WSL inside Powershell and then decrypt in Veracrypt it can't see a partition on your device to mount. There's nothing to mount!
3) You try to decrypt it in the Linux terminal and receive "Error: device-mapper: reload ioctl on veracrypt1 failed: Invalid argument"
Why isn't this working you might ask?
Understanding what's responsible for what duty
Just like inside a Linux distro the OS needs to see an attached device, if it's encrypted Veracrypt will be the one responsible for mounting it. So we need to follow the same order of duty.
The steps
WSL side
4) Open up Linux Subsystem and we're going to install and use the command-line Veracrypt (I'm using the Windows program Terminal to have both Subsystem and Powershell open)
5) Select the Console version of the Linux version relevant to you and copy the link: https://www.veracrypt.fr/en/Downloads.html
cd Desktop
and wget link
or
wget -P Desktop/ https://launchpad.net/veracrypt/trunk/1.24-update7/+download/veracrypt-console-1.24-Update7-Ubuntu-20.10-amd64.deb
This will download the Veracrypt Linux console installer to your Windows desktop.
6) sudo dpkg -i Desktop/veracrypt-console-1.24-Update7-Ubuntu-20.10-amd64.deb
Install.
Powershell side
We need to attach our encrypted drive to our 'machine' without mounting it so Veracrypt can start its job.
7) wmic diskdrive list brief
Type and run and identify the DeviceID of the drive you want to attach.
8) wsl --mount \\.\PHYSICALDRIVE1 --bare
The device I want is PHYSICALDRIVE1 but yours could be different. Identify it by the model number and size. --bare attaches the drive without mounting it.
You can use either Powershell or WSL terminal
For this part we'll switch to WSL terminal but you can run the same commands in Powershell, just put wsl in front (we're doing this so we don't have to type wsl and so you become familiar with relying on the Linux side for managing the Linux drive).
9) lsblk
Runs in WSL terminal.
This will identify our encrypted partition. We are looking for something like:
sdc 8:32 0 1.8T 0 disk
└─sdc1 8:33 0 1.8T 0 part
We are looking for available block devices and their partitions.
Inside Linux, a block device is identified as /dev/<Device><Partition>#number.
10) veracrypt -tc -m=nokernelcrypto /dev/sdc1
Is my example. See I am using -tc because I need to run Veracrypt in Truecrypt mode and /dev/sdc1 was my previously identified device and partition.
If your encrypted device was done with Truecrypt please include -tc as an argument, otherwise drop it.
But what is -m=nokernelcrypto? We are telling Veracrypt to decrypt our device without relying on the kernel. WSL is a work-in-progress from Microsoft; our WSL kernel doesn’t natively support any encryption scheme we are using. Maybe it's because Truecrypt mode is enabled, but if you get the
Error: device-mapper: reload ioctl on veracrypt2_0 failed
You need to include -m=nokernelcrypto as an argument. If you still get errors and you're not using Truecrypt mode, remove it so you have:
veracrypt /dev/sdc1
Breakdown
You will see:
Enter mount directory [default]: /mnt/wsl/PHYSICALDRIVE1
You must type your mount point with the same DeviceID name as before, and it has to be under /mnt/wsl, otherwise you will not be able to navigate to it from Windows.
Enter password for /dev/sdc1:
This is your decryption password
Enter keyfile [none]:
Press Enter
Protect hidden volume (if any)? (y=Yes/n=No) [No]:
Press Enter
Result and unmount
Now your encrypted ext4 drive is accessible under Windows!
11) veracrypt -tc -d /dev/sdc1
To unmount we first do so in WSL terminal. Remove -tc if you are not in Truecrypt mode.
12) wsl --unmount
On the Powershell side: this detaches all drives and spins them down. Add your DeviceID to unmount a specific drive.
Summary of commands for future use:
wmic diskdrive list brief
wsl --mount \\.\PHYSICALDRIVE1 --bare
veracrypt -tc -m=nokernelcrypto /dev/sdc1 /mnt/wsl/PHYSICALDRIVE1
veracrypt -tc -d /dev/sdc1
wsl --unmount
Ending notes
Once your drive is mounted and decrypted you can exit WSL terminal and any Powershell, it will remain mounted. If you power down your machine and power it on you will need to only enter two commands you can adapt in Powershell:
wsl --mount \\.\PHYSICALDRIVE1 --bare
wsl veracrypt -tc -m=nokernelcrypto --keyfiles="" --pim=0 --protect-hidden=no /dev/sdc1 /mnt/wsl/PHYSICALDRIVE1
(--keyfiles="" --pim=0 --protect-hidden=no arguments help skip additional questions)
Tailor them to your machine. If you are mounting more than one drive you will need to explore fstab and make sure your drives always mount to the same block device like /dev/sdc1.
I wrote this guide because I hadn't seen a compiled piece of documentation covering this mounting approach.
Security caution
With the nature of convenience and papertrails I recommend you manually enter your decryption password when prompted.
July 2021 Update
I have written a Powershell script that will do the above mounting for you!
Download the attached file for this thread: VeraWSL.ps1
Right click the file > Properties > Unblock > Ok
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Enter in Powershell.
Open VeraWSL.ps1 in Windows Powershell ISE, or right-click > Edit.
Separately search for Powershell in Windows search and right-click open and run as administrator.
Run VeraWSL.ps1 by typing ./VeraWSL.ps1
In Windows Powershell ISE edit $path as we revealed in Section "Order is most important".
Inside the Powershell script press 3 to list available attached devices and edit your encrypted drive's DeviceID to the end of $path.
Edit $partition and $truecrypt variables if you need to.
Save the script with your settings in Windows Powershell ISE and rerun the script in Powershell. Proceed to mount with option 1.
BONUS: Script deletes all Powershell history.
Last edit: Aheno Barbus 2022-10-22
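The sequence from the guide above (attach with --bare, find the new block device with lsblk, let Veracrypt mount it under /mnt/wsl, then dismount and detach), as an added PowerShell example that is not the VeraWSL.ps1 attached to this thread. The function names are hypothetical; it assumes an elevated session and the console Veracrypt installed in the default WSL distribution, and it leaves the password prompt to Veracrypt so the password never appears on a command line or in PowerShell history.

```powershell
# Added example; not the VeraWSL.ps1 attached to this thread.
# Run in an elevated PowerShell session: wsl --mount requires administrator rights.

function Get-WslPartition {
    # Names of partitions WSL can currently see, e.g. sdc1 (lsblk list mode, no header)
    wsl lsblk -ln -o NAME,TYPE |
        Where-Object { $_ -match '\spart\s*$' } |
        ForEach-Object { ($_.Trim() -split '\s+')[0] }
}

function Mount-VeraWslDisk {
    param(
        [Parameter(Mandatory)] [string] $DeviceId,  # e.g. \\.\PHYSICALDRIVE1
        [int] $Partition = 1,
        [switch] $TrueCrypt                         # needs Veracrypt older than 1.26.7
    )
    # Same information as "wmic diskdrive list brief"; refuse unknown DeviceIDs.
    $disk = Get-CimInstance Win32_DiskDrive | Where-Object DeviceID -eq $DeviceId
    if (-not $disk) { throw "No physical disk with DeviceID $DeviceId" }
    Write-Host ("Attaching {0} ({1:N0} GB)" -f $disk.Model, ($disk.Size / 1GB))

    $before = @(Get-WslPartition)
    wsl --mount $DeviceId --bare          # attach only; Veracrypt does the mounting
    if ($LASTEXITCODE -ne 0) { throw "wsl --mount failed with exit code $LASTEXITCODE" }

    # Find the block device that appeared, instead of assuming /dev/sdc1.
    $new = @(Get-WslPartition |
        Where-Object { $_ -notin $before -and $_ -match "[a-z]$Partition$" })
    if ($new.Count -ne 1) {
        wsl --unmount $DeviceId
        throw "Expected one new partition $Partition, found $($new.Count)"
    }
    $blockDevice = "/dev/$($new[0])"
    # Mount point named after the DeviceID, under /mnt/wsl so Windows can reach it.
    $mountPoint  = '/mnt/wsl/' + ($DeviceId -replace '^\\\\\.\\', '')

    $vcArgs = @('-m=nokernelcrypto', $blockDevice, $mountPoint)
    if ($TrueCrypt) { $vcArgs = @('-tc') + $vcArgs }
    wsl veracrypt @vcArgs                 # Veracrypt itself prompts for the password
    if ($LASTEXITCODE -ne 0) {
        wsl --unmount $DeviceId           # do not leave the raw disk attached
        throw "veracrypt failed with exit code $LASTEXITCODE"
    }
    [pscustomobject]@{
        DeviceId = $DeviceId; BlockDevice = $blockDevice; MountPoint = $mountPoint
    }
}

function Dismount-VeraWslDisk {
    param([Parameter(Mandatory)] $Mounted)   # object returned by Mount-VeraWslDisk
    wsl veracrypt -d $Mounted.BlockDevice    # dismount inside WSL first
    wsl --unmount $Mounted.DeviceId          # then detach the disk from WSL
}
```

Keep the object returned by Mount-VeraWslDisk and pass it to Dismount-VeraWslDisk so the dismount targets the same block device that was mounted.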
Many thanks!
Thanks, really cool.
However, I only have one physical disk drive on my laptop.
I think I have read that wsl atm only allows mounting linux "drives", not partitions.
Would the schema you propose work with the veracrypt partition sitting next to, say, the currently active windows partition and a linux partition, all on the same disk?
mmm you know the answer kk, of course a partition will not work.
July 2021 Update added to end of original thread with a script to help mount all this!
Enjoy!
@ahenobarbus Could you please write up another guide? When I open a Macrium Reflect image, selecting to mount the one partition that is encrypted, it opens in Windows Explorer, which gives me this prompt if I want to format the drive because it's unreadable, but I'm sure this could be accessed using Powershell, perhaps, although the options are not showing up in the Veracrypt graphical user interface.
Hi @ehheh1000, this guide is for opening a Linux filesystem formatted drive within the Windows OS conveniently and explaining the order of steps to do so.
Correct me if I am wrong but I believe you are describing an imaged file of a drive's contents, right?
Was this imaged file of an encrypted NTFS drive made on Windows or something formatted by a Linux OS?
If it's NTFS made by Windows do you know how to decrypt the imaged file/volume from Veracrypt GUI?
Here is an easy guide for you: https://tdicomputing.dartmouth.edu/veracrypt-mounting-encrypted-volumes-containers/
My guide is for the command line. If your Reflect image was of a Linux, say, EXT4 drive let me know and perhaps we would need to try mounting this image like so:
wsl --mount Desktop/<your_Reflect_image> --bare
veracrypt -m=nokernelcrypto /dev/sdc1 /mnt/wsl/<the_location_of_this_mounted_image>
Last edit: Aheno Barbus 2022-04-20
@ahenobarbus, If only I could find a program that would label Windows drives as sd1 etc. It's an imaged file of an encrypted NTFS drive made on Windows. My post was pretty clear, I think. It's not a Veracrypt container file. However, it would be interesting if powershell could somehow see what Macrium Reflect mounts to a drive letter, and send that information to Veracrypt, which could then decrypt and mount it further.
@ehheh1000, I think you should ask on the Macrium Reflect support forums.
October 2022 update: Powershell script now includes example for three mounted disks, simpler code, faster input.
Unfortunately VeraCrypt has discontinued support for TrueCrypt volumes as of version 1.26.7 (October 1st, 2023). I can confirm that with the latest version of VeraCrypt I am no longer able to open TC volumes and there is no longer an option for "TrueCrypt Mode". They are now officially recommending an older version to access TC volumes.
Therefore remove references to Truecrypt from the script if you do not use such a volume, or select one of the non-Truecrypt mounting options or use a Veracrypt version older than 1.26.7.
Basically remove references of '-tc' from the script if you don't use Truecrypt volumes.
https://www.veracrypt.fr/en/Downloads_1.25.9.html