Hello.
I have an HDD with two partitions for backups, both formatted in NTFS.
One of them is encrypted with VeraCrypt, the second one is common.
macOS by default mounts NTFS file systems in read-only mode, because it's not an Apple file system. I'm using an external driver from Tuxera to have full access; it worked well until I upgraded to the Sonoma version of macOS.
Now in Sonoma the secured partition after decryption is always mounted via the native driver as read-only; however, the common partition is mounted normally via Tuxera as it was before.
I had a conversation with Tuxera support; they investigated the issue and said that the issue is rather on the VeraCrypt side:
Thank you for sharing the error. The error suggests (as I would expect) that the volume needs to be decrypted, before the data can pass to the NTFS driver. I've been looking at the VeraCrypt reference, but so far it looks like all the sample commands omit the NTFS option under macOS (it is not a valid option for the --filesystem parameter). This suggests that the options are hardcoded and the tool does not query macOS for valid file system options.
For example, one can use Apple's own Disk Utility to format NTFS volumes using our driver like so:
sudo diskutil eraseVolume "Tuxera NTFS" VOLNAME /dev/diskXsY
This is because Disk Utility actually populates its options with the file system modules that are present in macOS.
VeraCrypt instead always returns:
Error: Unknown option: Tuxera NTFS
Error: Unknown option: Microsoft Windows NT File System (Tuxera NTFS)
Error: Unknown option: NTFS
etc.
I'd really appreciate any help with the issue.
Thanks in advance!
The macOS implementation of mounting the filesystems doesn't seem to have ever used the mount command itself to mount the disk images; rather, it relies on hdiutil attach mounting the filesystem and deciding on the filesystem automatically while the disk image is attached. There seems to have been a change in behaviour from previous macOS versions to Sonoma in how it decides which filesystem driver to pick, that is, whether it chooses "ntfs" or "tuxera_ntfs".
When hdiutil decides to use just the default "ntfs" driver, you're going to be limited to read-only. A workaround you can use is to choose "Do not mount filesystem" under the advanced mount options. This means that you'll only create the virtual device, and do the mounting yourself. Next you can either open the Tuxera Disk Manager and then proceed to mount the newly added virtual device or mount it manually through terminal as such:
sudo mkdir /Volumes/ntfs
Right click the volume of your choice on VeraCrypt GUI and hit properties, and copy the Virtual device, for example /dev/disk4.
sudo mount -t tuxera_ntfs -o nodev,nosuid,noowners /dev/disk4 /Volumes/ntfs
This should let you use the filesystem driver of your choice regardless of what hdiutil automatically picks. There might be ways to detect installed filesystem drivers and change the implementation to use a specific one through mount, but I'm not too familiar with macOS nor have a Sonoma VM setup.
Last edit: Jertzukka 2024-04-24
Thanks for the quick reply.
I did the same steps, but received the following error:
Tuxera NTFS could not mount /dev/disk9
at /Volumes/HDD-Secure because the following problem occurred:
ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument
ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument
Record 1 has no FILE magic (0x0)
Failed to mount '/dev/rdisk9': Input/output error
NTFS is either inconsistent, or there is a hardware fault, or it's a
SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows
then reboot into Windows twice. The usage of the /f parameter is very
important! If the device is a SoftRAID/FakeRAID then first activate
it and mount a different device under the /dev/mapper/ directory, (e.g.
/dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation
for more details.
Does this even mount with the regular ntfs driver? As the mount output states, there seem to be some irregularities with the master file table, which is why it is refusing to mount it. If I were you, I'd try to fix the NTFS filesystem on a Windows computer.
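The Tuxera output above reports a failed multi-sector transfer fixup and "Record 1 has no FILE magic (0x0)". As an added example (not part of the original posts, and not Tuxera's or VeraCrypt's code), this Python check performs the same kind of read-only test on the first MFT records of a decrypted NTFS volume; the function names are hypothetical and the volume it runs on is a constructed in-memory sample.

```python
import io
import struct

SECTOR = 512  # NTFS protects each 512-byte sector of a record with a fixup

def parse_boot_sector(bs):
    """Return (byte offset of $MFT, MFT record size) from an NTFS boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("no NTFS signature: wrong device or volume not decrypted")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    # 0x30: $MFT cluster number, 0x38: $MFTMirr (skipped), 0x40: record size code
    mft_lcn, size_code = struct.unpack_from("<Q8xb", bs, 0x30)
    cluster = bytes_per_sector * sectors_per_cluster
    return mft_lcn * cluster, (cluster * size_code if size_code > 0 else 1 << -size_code)

def check_record(rec):
    """Return 'ok' or why the record fails the multi-sector transfer check."""
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    if rec[:4] != b"FILE":
        return f"no FILE magic (0x{int.from_bytes(rec[:4], 'little'):x})"
    if usa_count - 1 != len(rec) // SECTOR or usa_ofs + 2 * usa_count > SECTOR - 2:
        return "update sequence array out of bounds"
    usn = rec[usa_ofs:usa_ofs + 2]  # value stamped on the tail of every sector
    for end in range(SECTOR, len(rec) + 1, SECTOR):
        if rec[end - 2:end] != usn:
            return f"sector {end // SECTOR - 1} tail does not match the sequence number"
    return "ok"

def scan_mft(dev, n=4):
    """Check the first n MFT records through a read-only binary file object."""
    dev.seek(0)
    mft_offset, size = parse_boot_sector(dev.read(SECTOR))
    results = []
    for i in range(n):
        dev.seek(mft_offset + i * size)
        results.append(check_record(dev.read(size)))
    return results

def sample_device():
    """Constructed 4 KiB-cluster volume: record 1 zeroed, record 2 torn."""
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<Q8xb", bs, 0x30, 1, -10)  # $MFT at cluster 1, 1024-byte records
    good = bytearray(1024)
    struct.pack_into("<4sHH", good, 0, b"FILE", 0x30, 3)
    good[0x30:0x32] = good[510:512] = good[1022:1024] = b"\x01\x00"
    torn = good[:510] + b"\xff\xff" + good[512:]
    return io.BytesIO(bytes(bs) + bytes(4096 - SECTOR) + good + bytes(1024) + torn + good)
```

To run it against a real volume, pass a binary file object opened read-only on the decrypted virtual device; the check never writes.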
Yes, it mounts and works with the regular macOS NTFS driver (see HDD-secure screenshot).
I've also attached a screenshot of the mounted non-encrypted partition with the Tuxera driver as a second.
I'll try to mount it on a Windows machine and make a check a bit later.
It is possible that the ntfs driver has fewer consistency and error checks, and when it only mounts it read-only, it doesn't need to worry about corrupting the filesystem further. Though this is complete guesswork, as I'm surprised one of them mounts and the other doesn't.
The problem has been solved by connecting the HDD to Windows, decrypting with VeraCrypt, then checking the NTFS file system for errors. Some issues were found; after fixing them, the secured partition started to mount properly via the Tuxera NTFS driver on macOS. @Jertzukka thanks for the idea!
If I can ask, does Sonoma still mount it as default ntfs, and do you need to do the manual mounting to get it to use tuxera_ntfs? If that is the case, I could take a look at some point at whether it is feasible to detect installed drivers (Paragon, Tuxera) and use one if found over the default.
No, the OS mounts it already via tuxera_ntfs by default now, so as a user I have nothing to do manually: just decrypt and use.
OK, great, it works then.