Outer Volume Fails To Mount Only When the Hidden Volume Write-Protection is Enabled
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
So, i have the Decoy OS & the Hidden OS running fine without any issues.
Whenever i mount the Outer volume with the Hidden volume Write-Protection "disabled" the Outer volume gets mounted fine in both OS's.
( NOTE : In case of Decoy OS I didn't choose/selected any of the options/settings under the "Mount Options..." to mount the Outer volume.
But in case of the Hidden OS only when the option "Use backup header embedded in volume if available"
under the "Mount Options..." is selected ( while the Hidden volume Write-Protection is "disabled" )
the Outer volume gets mounted fine.)
Now, whenever i try to mount the Outer volume with the Hidden Volume Write-Protection "enabled"
( rest of the options were not selected under the "Mount Options..." ), it fails everytime with the following error ( shown in the images below ) in case of both OS's ( Decoy as well as Hidden ) :
( Here i am absolutely sure that i entered the password absolutely correct )
In case of Hidden OS :
Settings Chosen - https://imgur.com/TiTYzom
The Error - https://imgur.com/pwMjQQG
In case of Decoy OS :
Settings Chosen - https://imgur.com/gVocG9T
The Error - https://imgur.com/oSWrCMJ
What might be the reason for this?
Per the error messages, are you using US keyboard layout?
Did you display the passwords to see that the characters match what you type for the passwords for Outer and Protect Hidden volumes?
Yes i am using the US keyboard layout.
Also, this time i checked the "Display password" option and yes all the characters absolutely
matched what i was typing .
I don't know if this matters or not but i am doing all this on a lenovo thinkpad t460 laptop
( using an internal toshiba mechanical hard drive).
Also, i don't use the laptop's keyboard but an "external" logitech usb keyboard.
( I typed the passwords using the external logitech keyboard and not the laptop's keyboard
and yes all the characters matched fine while typing the passwords for Outer and Hidden Volumes ).
Last edit: Mukesh Kumar 2020-07-29
Last edit: Mounir IDRASSI 2020-08-02
@mukeshk: my previous answer was obvisouly wrong...I completely missed the point and I should not have answered before thinking more.
I try to make sens of all of this and give you my feedback before.
@mukeshk: I think the header of hidden volume was somehow corrupt and so the hidden volume can not be mounted.
Are you able to mount the hidden volume from within the Decoy OS? I think you will receive an error and this explains why the write protection of hidden volume can not be activated.
In order to fix the issue, you will need to boot the Hidden OS and then change the password of the Hidden OS system encryption. Once done, the header of the hidden volume will be updated in order to use the same new Hidden OS password and after than you will be able to activated write protection of hidden volume without issues.
Do you confirm that this fixes your issue?
Yes you are right that mounting the Hidden volume from within the Decoy OS actually failed ( before changing the Hidden Volume password ).
Also, mounting the Hidden volume from within the Hidden OS failed as well ( before changing the hidden volume password ).
( In both cases i also checked the option - " Use backup header embedded in volume if available" under "Mount options...." ).
The error was the same in both cases as shown below in the image :
Hidden OS : https://imgur.com/r6ECu5a
Decoy OS : https://imgur.com/ig5tbhu
So, after doing the above thing, i went on to change the password for the Hidden OS/System/Volume and the password was changed successfully
as shown in the image : https://imgur.com/72Mqwdr
Then , i did a restart and logged into the Hidden OS successfully.
Firstly, from within the Hidden OS i tried to mount the Outer Volume ( With The Hidden Volume Write-Protection "enabled" and with the new Hidden volume password )
and still the Outer volume mounting failed as shown in the image(s) below :
Settings Chosen : https://imgur.com/a/wYHG5Q5
The Error : https://imgur.com/a/y0hhnjU
Then , from within the Decoy OS i tried to mount the Outer Volume ( With The Hidden Volume Write-Protection "enabled" and with the new Hidden volume password )
and again the Outer volume mounting failed as shown in the image(s) below :
Settings Chosen : https://imgur.com/a/LWQBuyg
The Error : https://imgur.com/a/NNi0k2p
Also, and again, from within the Decoy OS i tried to mount the Hidden Volume this time with the new Hidden volume password and it failed to mount
with the error :
Settings Chosen : https://imgur.com/a/JXrCYt4
The Error : https://imgur.com/a/KbjuiLP
I am still not sure what is wrong.
I did again made sure that i am using the US keyboard layout.
I also made sure that all the characters of the password absolutely matched what i was typing .
( The passwords for the outer volume and the hidden volume are completely different and i made sure that i am entering the
right one into the right place ).
Thank you for the detailled feedback.
Just to clarify, are you using hidden OS in MBR boot mode or EFI boot mode?
Hidden OS in EFI boot mode is newer and less tested than one for MBR mode and it is possible that there is a bug in the handling of hidden value header.
My system uses the legacy bios.
So, it's the MBR mode.
https://imgur.com/a/ndx4ZkQ
https://imgur.com/a/Vl5wyUF
Since you are in MBR mode, I have no idea what is causing this issue especially that you are sure the passwords match. This kind of setup is battle tested for years and it would be surprising that this is caused by a bug but we never say never in software so it remains a possibility.
Is it possible to share the encryption algorithms and PRF you are using? My own test machine for hidden OS uses AES/SHA256 to the 3 volumes and maybe you are using a different combination that may explain the problem.
By PRF you mean PKCS-5 PRF?
In that case, here they are ( encryption algorithm, PKCS-5 PRF and other details ( just in case you need them ) from Volume Properties for Hidden OS ) : https://imgur.com/Ew1Zz3P
This is the same as my test configuration so algorithms choice is not the cause.
Just a question: did you try without checking the option "Use backup header embedded in volume is available"? It is worth trying because maybe the main header will work better than the backup.
A last test that you can do is to change the Hidden OS password to a short simple value (for example "eeee") in order to rule out any issue with password encoding, and then try again.
If it works with such simple password, then the issue is linked to password encoding and if it still fails then there is an unknown factor at play.
"Password Encoding is certainly the issue."
So, this time i choose a "short & simple" password for the Hidden OS consisting of only & only four english alphabet letters.
( no special symbols/ no upper case letters/ no numbers.
In all the previous cases i have always chosen the Hidden OS password to be more than "100 characters" ( not exceeding the 128 characters limit)
including some special symbols, upper case english alphabet letters and numbers ).
Firstly, from within the Hidden OS, i tried to mount the Outer Volume ( With The Hidden Volume Write-Protection "enabled" and
with the new "short & simple" Hidden volume password ) and the Outer volume mounted successfully as shown in the image(s) below :
Settings Chosen : https://imgur.com/a/9L7H1Dc
Mounting Successful : https://imgur.com/a/mpeYBoS
Then , from within the Decoy OS, i tried to mount the Outer Volume ( With The Hidden Volume Write-Protection "enabled" and
with the new " short & simple" Hidden volume password ) and the Outer volume mounted successfully as shown in the image(s) below :
Settings Chosen : https://imgur.com/a/8XSBad6
Mounting Successful : https://imgur.com/a/a5V7fp9
https://imgur.com/a/hYDlo7m
Also, from within the Decoy OS, i tried to mount the Hidden Volume this time with the new "short & simple" Hidden volume password
and it mounted successfully as shown in the image(s) below :
Settings Chosen : https://imgur.com/a/2JoXvQj
Mounting Successful : https://imgur.com/a/o89t7P5
Also, the passwords that i used for the Decoy OS as well as the Outer Volume are completely different and are of more than "100 characters" ( not exceeding the 128 character limit )
including some special symbols, upper case english alphabet letters and numbers.
Last edit: Mukesh Kumar 2020-08-05
Thank you for the confirmation, now I understand the origin of the problem: it is the password length!
For system encryption, the maximum length of the password has not changed (it is still 64 bytes which equal maximum size in charactes in case of US layout). The increase of password maximum length to 128 bytes applies only non-system encryption as indicated in the release notes of version 1.24.
So what happened is that during the process of Hidden OS creation, the long password was automatically truncated to the first 64 bytes and it is the truncated value that was used for the hidden volume password. But we you try to mount the hidden volume or activate hidden volume protection, VeraCrypt doesn't truncate the password since for such volumes maximum length is 128 bytes.
Normally, the UI should have blocked typing more than 64 characters for Hidden OS password and if you use copy-paste it should have displayed a warning that the password is going to be truncated. I will check the code to see if I missed this case when I modified the password maximum length for non-system encryption.
Anyway, to solve your issue, use a 64 character password for Hidden OS and you will be able to activate protection of hidden volume when mounting the outer volume.
@Mounir IDRASSI
Following your suggestion i was able to successfully mount the Outer Volume with the Hidden Volume write - protection enabled from within the Decoy OS as well as from within the Hidden OS ( i chose a 64 character Hidden OS password this time ).
Everything is working fine now.
Thank you for helping me out with the issue.
Last edit: Mukesh Kumar 2020-08-06