Recover a TrueCrypt Volume

From CGSecurity


TrueCrypt is a popular on-the-fly encryption tool for Windows; it is also available for Mac OS X and Linux. It can create a file-hosted container: an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. Because the presence of a TrueCrypt volume cannot be verified without the password, disk and filesystem utilities may report the filesystem as unformatted or corrupted, which may lead to data loss after incorrect user intervention or an automatic "repair".

Corrupted Standard Volume header

The standard volume header occupies the first 512 bytes of the TrueCrypt container. It contains the master keys needed to decrypt the volume. If the header gets corrupted or the container is reformatted, TrueCrypt will display "Incorrect password or not a TrueCrypt volume". Using a backup of the volume header is the only possibility to recover the data.

Corrupted Hidden Volume header

The 512-byte hidden volume header is stored 1536 bytes from the end of the host volume. It is very unlikely to become corrupted but, as previously stated, using a backup of the volume header is the only possibility of recovering the data.
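
The two header locations given above (the first 512 bytes, and the 512 bytes starting 1536 bytes before the end) can be saved and written back with `dd`. This is an added example, not code from the original page or from TrueCrypt; the function names and output file names are illustrative, and it assumes a file-hosted container laid out exactly as this page describes.

```shell
#!/bin/sh
# Added example (not from the original page). Offsets are the ones stated
# above: standard header = first 512 bytes; hidden header = 512 bytes starting
# 1536 bytes before the end. Function and file names are illustrative.
# Assumes a file-hosted container (a regular file).
HDR_SIZE=512
HIDDEN_FROM_END=1536

# Print the byte offset of the hidden header; fail if the file is too small.
tc_hidden_offset() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge $((HDR_SIZE + HIDDEN_FROM_END)) ] ||
        { echo "too small to hold both headers: $1" >&2; return 1; }
    echo $((size - HIDDEN_FROM_END))
}

# backup_tc_headers CONTAINER OUTDIR: copy both header regions out (read-only).
backup_tc_headers() {
    off=$(tc_hidden_offset "$1") || return 1
    mkdir -p "$2" || return 1
    dd if="$1" of="$2/standard_header.bin" bs="$HDR_SIZE" count=1 2>/dev/null || return 1
    # bs=1 so the offset need not be sector-aligned; only 512 bytes are read.
    dd if="$1" of="$2/hidden_header.bin" bs=1 skip="$off" count="$HDR_SIZE" 2>/dev/null
}

# restore_tc_header standard|hidden BACKUPDIR CONTAINER: write one saved region
# back in place. Restore only the header that is actually damaged.
restore_tc_header() {
    hidden_off=$(tc_hidden_offset "$3") || return 1
    case $1 in
        standard) off=0 ;;
        hidden)   off=$hidden_off ;;
        *) echo "usage: restore_tc_header standard|hidden BACKUPDIR CONTAINER" >&2
           return 1 ;;
    esac
    src="$2/${1}_header.bin"
    n=$(wc -c < "$src" | tr -d ' ')
    [ "$n" = "$HDR_SIZE" ] || { echo "backup is not $HDR_SIZE bytes: $src" >&2; return 1; }
    # conv=notrunc: overwrite in place without truncating the container.
    dd if="$src" of="$3" bs=1 seek="$off" conv=notrunc 2>/dev/null
}
```

Source the file and run `backup_tc_headers` while the volume still mounts correctly, then keep the two `.bin` files on a different disk from the container.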

Corrupted Standard Volume file system

Sometimes both the Standard Volume header and the filesystem boot sector are partially overwritten. After recovering the volume header using a backup, the volume can be accessed but the filesystem is still corrupted.

Recovery under Windows

Run TestDisk, select the drive letter corresponding to the damaged volume, choose None for the partition type, then Advanced. TestDisk can repair the FAT/NTFS boot sector or the ext2/ext3 superblock.

Recovery using whole decryption

Another method is to permanently decrypt the damaged system partition/drive. You can use the TrueCrypt Rescue Disk and then use TestDisk. Run TestDisk, select the drive letter or partition corresponding to the damaged volume, then Advanced. TestDisk can repair the FAT/NTFS boot sector or the ext2/ext3 superblock.

Recovery under Linux

Find the fuse device and run TestDisk on the volume device.

$ ./truecrypt -t --filesystem=none /data/data_for_testdisk/truecrypt.dd 
Enter password for /data/data_for_testdisk/truecrypt.dd: 
Enter keyfile [none]: 
Protect hidden volume? (y=Yes/n=No) [No]: 
Enter system administrator password: 
$ mount
...
truecrypt on /tmp/.truecrypt_aux_mnt1 type fuse.truecrypt (rw,nosuid,nodev,allow_other)
$ sudo testdisk /tmp/.truecrypt_aux_mnt1/volume

Run TestDisk, select the volume, choose None for the partition type, then Advanced. TestDisk can repair the FAT/NTFS boot sector or the ext2/ext3 superblock.

Corrupted Hidden Volume file system

If too much data has been stored in the standard volume, or if you have tried to defragment the standard volume without protecting the hidden volume (truecrypt --protect-hidden), the hidden volume file system may be partially overwritten. The TestDisk Advanced menu can be used to rebuild the missing FAT or NTFS boot sector.

