TrueCrypt 6a Volume Header Backup Bug?

Discussion in 'privacy technology' started by Overwriter, Jul 12, 2008.

Thread Status:
Not open for further replies.
  1. Overwriter, Registered Member

    Oct 27, 2007
    I think I may have found a bug in TrueCrypt 6a.

    If anyone with a TrueCrypt forum account is interested in this, could you post it for me please? I tried to make an account on the TrueCrypt forum but it is such a nightmare to join I decided in the end to give up!

    It is a shame that finding and writing the report for a bug is quicker than joining the TrueCrypt forum to report it!!

    Anyway here is what I found.

    How to reproduce.

    Create a volume of any size, say 1 MB, with a hidden container.

    Serpent/Twofish/AES (Although this doesn’t seem relevant to the bug.)

    Whirlpool. (Although this doesn’t seem relevant to the bug.)

    First (outer volume) password is “x”.

    Second (hidden) password is “xx” but (and this is the important bit) with a keyfile or multiple keyfiles.

    You can open the hidden container as normal and everything works ok.

    Dismount and then choose “Backup Volume Header”.

    Type your outer password when asked and then your hidden password including keyfile when asked.

    You should get an error message saying that you have supplied the incorrect password to the hidden volume.

    So it would seem to me that this is only an issue when using keyfiles with a hidden volume.

    Just to make it clear the hidden volume works ok when used normally, it is just that a user cannot backup the header.

    I would be interested if others have found the same, or this could just be me, :D !!

  2. dantz, Registered Member

    Jan 19, 2007
    Yes, you have found a bug. This was first reported on July 7 by linuxamp in the TrueCrypt "Problems" forum. His findings were similar to yours: The problem affects versions 6 and 6.0a and occurs only if the inner volume uses a keyfile. He indicated that he would file a bug report.

    I'm not sure if you'll be able to access it, but here's a link to his thread:

    TrueCrypt bugs can be reported at
  3. Overwriter, Registered Member

    Oct 27, 2007
    Hi Dantz

    Thank you for your reply.

    I was not able to find out if anyone else had discovered the bug, as the problems page on the TrueCrypt forum is not available to anyone wishing to simply view their forum as a guest.

    Thank you also for the link to the bug report page, I couldn’t find that when I first started looking to report it.

    I really think the TrueCrypt forum and bug reporting could be made so much easier. Why should I have to post on a security forum instead of TrueCrypt's own forum!!!! Crazy!

    Also I find it strange they should release V6.a after this bug had been reported, I would have thought it was serious enough to delay V6.a by a day or so.

    Anyway thanks again Dantz for your help.