
Mounting the system partition of a disk clone fails using option "Mount partition using system encryption (preboot authentication)" in VeraCrypt via Debian live boot

Open mikerosoft2v opened this issue 1 year ago • 1 comments

Expected behavior

I'm able to mount the system partition of the clone using option "Mount partition using system encryption (preboot authentication)" in VeraCrypt via Debian live boot.

Observed behavior

The message box "Operation failed due to one or more of the following" appears.

Steps to reproduce

How I got there: Upon entering the encryption password at the bootloader, it fails with: "Authentication failed. Wrong password, PIM or hash".

My primary disk: Samsung 970 EVO Plus 1TB

My spare disk used to clone onto for recovery: Samsung 850 EVO 250GB

I solved it by booting a Debian live usb stick and wrote the volume header backup from the recovery usb stick onto the original Windows System partition at sector 62 using dd. (Cloning, backups, back and forth, see "Backstory" at the end).

But I was (and am still) confused and somewhat scared that the clone failed to mount (in VeraCrypt GUI via Debian live boot usb stick). So for proof of concept, I boot into Debian live again and clone the first three partitions of my (NOW WORKING) primary disk onto the spare disk again, each partition using dd, with the partition layout still the same on the spare disk. Again it fails with: "Authentication failed. Wrong password, PIM or hash".

Screenshots

Mounting from original disk works

Screenshot from 2024-10-06 22-54-09 Screenshot from 2024-10-06 22-54-18

Mounting from cloned disk fails

Screenshot from 2024-10-06 22-54-38 Screenshot from 2024-10-06 22-54-53

Still fails after also cloning EFI and reserved partition

Screenshot from 2024-10-06 23-29-10 Screenshot from 2024-10-06 23-29-21

gdisk list and gparted

Screenshot from 2024-10-06 23-25-09 Screenshot from 2024-10-06 23-25-18

gdisk details

Screenshot from 2024-10-06 23-35-52 Screenshot from 2024-10-06 23-37-20

Debian and VeraCrypt version

Screenshot from 2024-10-27 14-52-03

Your Environment

Windows

VeraCrypt version: 1.26.15 (latest Windows version as of now)

Operating system and version: Windows 10 22H2 build 19045.5011 (but I did the "proof of concept" on 2024-10-06, so Windows might be slightly newer since then. Though I guess only the Debian version is relevant here anyway).

System type: 64-bit

Debian live boot usb stick (with persistence feature)

VeraCrypt version: 1.26.14 (latest Linux version as of now)

Operating system and version: Debian 12

System type: 64-bit

Questions

I guess the sector number factors into the encryption algorithm, in XTS mode (similar to TrueCrypt LRW mode), right? If so, is the sector number counted from the particular partition or from the whole disk in the case of VeraCrypt's system encryption? But even then, I can't see a difference in the partition layout of the cloned disk vs. the original disk.

How can I produce a disk clone for safe recovery attempts that VeraCrypt can work with? (I'd rather like to avoid using the VeraCrypt recovery usb stick, as I read some issues here on GitHub and/or SourceForge where people lost their data (by double decrypt?, or other problems).)

Backstory: Why this issue is serious

Course of events:

  1. I set up system encryption (Windows 10) on my primary disk: Samsung 970 EVO Plus 1TB
  2. VeraCrypt's dry-run bootloader check, and actual encryption (back inside the booted Windows) worked successfully.
  3. Been able to boot into Windows entering the encryption password at the bootloader, a couple of times.
  4. Few days later though, upon entering the encryption password at the bootloader, it fails with: "Authentication failed. Wrong password, PIM or hash".

Tried recovery using the VeraCrypt recovery usb stick:

  1. "v) Boot VeraCrypt loader from rescue disk".
  2. Fails with: "Authentication failed. Wrong password, PIM or hash".

Does this option use the volume header backup on the recovery usb stick or only the boot loader?

Tried further recovery steps only after cloning the partitions to a spare disk, so that the original can stay untouched (using Debian live boot stick):

  1. I created the same partition layout (as existing on the primary disk) on my spare disk: Samsung 850 EVO 250GB
  2. Cloned the first three partitions, each with dd: EFI, Windows reserved, Windows System.
  3. Wrote the volume header backup from the recovery usb stick onto the cloned Windows System partition at sector 62 using dd.
  4. Tried to mount in VeraCrypt GUI using option "Mount partition using system encryption (preboot authentication)".
  5. "Operation failed due to one or more of the following" message box appears (see screenshot).

Because the clone failed to mount I suspected I misremembered my password. I only found out that this was not the case by taking lots of effort on messing with hashcat to run against a dummy veracrypt-container file where I wrote the backup header at offset zero.

Then:

  1. From my primary disk, I backed up the EFI and the Windows-reserved partition, as well as the first 100MB of the Windows System partition to a NAS.
  2. Wrote the volume header backup from the recovery usb stick onto the original Windows System partition at sector 62 using dd.
  3. Entering the password on the VeraCrypt bootloader and booting into Windows then worked successfully.

mikerosoft2v, Oct 27 '24 13:10

FWIW: Trying to mount the clone on Windows fails as well (with basically the same error message):

Image

mikerosoft2v, Feb 07 '25 20:02

Some months back, I finally found the issue. As I only copied the individual partitions, the header was missing in the backup disk. After I copied it to sector 62, mounting worked.

mikerosoft2v, Sep 05 '25 19:09
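
The resolution above depends on the clone carrying the same header at sector 62 as the source. As an added example (not part of the issue thread and not VeraCrypt code), this script compares that sector between two block devices or image files before any mount attempt; the function names, the 512-byte sector size and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: verify that a clone carries the same sector 62 as its source.
# Assumptions: 512-byte logical sectors; arguments are block devices or image
# files readable by the caller. Nothing is written to either argument.
LC_ALL=C; export LC_ALL
SECTOR=62
SECTOR_SIZE=512

# Copy sector number $2 of $1 into file $3 (empty file if out of range).
read_sector() {
    : > "$3"
    dd if="$1" of="$3" bs="$SECTOR_SIZE" skip="$2" count=1 2>/dev/null || :
}

# Size of file $1 in bytes, normalised to a plain integer.
fsize() { echo $(( $(wc -c < "$1") )); }

# Print one of:
#   short   - one side is too small to contain sector 62
#   missing - the clone's sector 62 is all zero bytes (no header copied)
#   match   - both sectors are byte-identical
#   differs - the clone has data there, but not the source's header
sector62_status() {
    src=$1; clone=$2
    tmp=$(mktemp -d) || return 2
    read_sector "$src" "$SECTOR" "$tmp/src"
    read_sector "$clone" "$SECTOR" "$tmp/clone"
    if [ "$(fsize "$tmp/src")" -ne "$SECTOR_SIZE" ] ||
       [ "$(fsize "$tmp/clone")" -ne "$SECTOR_SIZE" ]; then
        status=short
    elif [ "$(tr -d '\000' < "$tmp/clone" | wc -c)" -eq 0 ]; then
        status=missing
    elif cmp -s "$tmp/src" "$tmp/clone"; then
        status=match
    else
        status=differs
    fi
    rm -rf "$tmp"
    echo "$status"
}

# Stand-alone use: ./check_sector62.sh SOURCE CLONE
if [ "$#" -eq 2 ]; then
    sector62_status "$1" "$2"
fi
```

A result of `missing` or `differs` on a partition-by-partition clone is the condition described in the final comment: the data was copied, but the header at sector 62 was not.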