Recover a TrueCrypt Volume
english version 
versione italiana
TrueCrypt is a popular on-the-fly encryption for Windows - it is also available for Mac OS X and Linux. It can create a file-hosted container or write a partition which consists of an encrypted volume with its own file system (contained within a regular file) which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. Because presence of a TrueCrypt volume can not be verified without the password, disk and filesystems utilities may report the filesystem as unformatted or corrupted that may lead to data loss after incorrect user intervention or automatic "repair".
Contents |
Corrupted Standard Volume header
The standard volume header uses the first 512 bytes of the TrueCrypt container. It contains the master keys needed to decrypt the volume. If the header gets corrupted or the container reformatted, TrueCrypt will display Incorrect password or not a TrueCrypt volume..
Using a backup of the volume header is the only possibility to recover the data.
Corrupted Hidden Volume header
The 512 bytes hidden volume header is stored 1536 bytes from the end of the host volume. It's very unlikely that it becomes corrupted but as previously stated, using a backup of the volume header is the only possibility of recovering the data.
Corrupted Standard Volume file system
Sometimes both Standard Volume header and filesystem boot sector are partially overwritten. After recovering the volume header using a backup, the volume can be accessed but the filesystem is still corrupted.
- Under Windows
Run TestDisk, select the drive letter corresponding to the damaged volume, choose None for partition type, Advanced.
TestDisk can repair the FAT/NTFS boot sector, ext2/ext3 superblock.
- Under Linux, find the fuse device and run TestDisk on the volume device.
$ ./truecrypt -t --filesystem=none /data/data_for_testdisk/truecrypt.dd Enter password for /data/data_for_testdisk/truecrypt.dd: Enter keyfile [none]: Protect hidden volume? (y=Yes/n=No) [No]: Enter system administrator password: $ mount ... truecrypt on /tmp/.truecrypt_aux_mnt1 type fuse.truecrypt (rw,nosuid,nodev,allow_other) $ sudo testdisk /tmp/.truecrypt_aux_mnt1/volume
Run TestDisk, select the volume, choose None for partition type, Advanced.
TestDisk can repair the FAT/NTFS boot sector, ext2/ext3 superblock.
Corrupted Hidden Volume file system
If too much data has been stored in the standard volume or if you have tried to defragment the standard volume without protecting the hidden volume (truecrypt --protect-hidden), the hidden volume file system may be partially overwritten. TestDisk Advanced menu can be used to rebuild the missing FAT or NTFS boot sector.
Wikipedia description of TrueCrypt
Return to TestDisk main page