This project has moved. For the latest updates, please go here.

Hidden Volume >2TB

Topics: Technical Issues, Users Discussion
Dec 29, 2015 at 8:20 PM
Edited Dec 29, 2015 at 10:38 PM
Hi,

I have a 4 TB Drive [1]. I'd like to create a hidden volume for data only (non-os) system.

When trying to go through the process of creating the outer volume (create a volume within a partition/drive), I get

"Error: The hidden volume to be created is larger than 2 TB (2048 GB).

Possible solutions:
  • Create a container/partition smaller than 2 TB.
  • Use a drive with 4096-byte sectors to be able to create partition/device-hosted hidden volumes up to 16 TB in size."
Unfortunately, I can't figure out exactly how to format/configure the drive to create the volume Veracrypt requires. I tried ext2 and ext4 (disabled journaling) and searched the veracrypt documentation and forums and couldn't find any instructions around it. Any suggestions? It's installed in to a linux machine but I also have access to a Mac OS X system or win7 vm.

P.S> Splitting the drive in to 2x2TB isn't a good option nor does it seem to be my only option from the error.

[1]
On Linux (fdisk output):
Disk /dev/sdd: 3.7 TiB, 4000787030016 bytes, 7814037168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 1C504D68-1BC1-412F-B317-B4FB75E3778E

Device Start End Sectors Size Type
/dev/sdd1 2048 7814035455 7814033408 3.7T Microsoft basic data
Feb 26, 2016 at 3:54 PM
I am having the same issue.

VeraCrypt 1.17
Linux Mint 17.2 64bit
Toshiba Ext. USB3 DWC250 (does that funky controler MBR fake out thing.)

Formated for ext4:
Disk /dev/sdb: 5001.0 GB, 5000981073920 bytes
255 heads, 63 sectors/track, 608001 cylinders, total 9767541160 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


I can create a standard partition volume just fine if the drive is partitioned.
If I try to create a hidden partition it will not even let me create the outer partition. I get the 2TB error.
I tried creating a standard partion then going back and choosing a hidden one but it does not give me the "direct mode" option.
Coordinator
Feb 27, 2016 at 11:56 PM
Hi,

This issue is linked to the fact that VeraCrypt forces the outer volume to be formatted using FAT32: this is the only format we know how to parse in order to get the available clusters bitmap which is needed to define the position and the size of the hidden volume inside the outer volumes.
Since FAT32 has a 2TB maximum size limit when the logical sector size is 512 bytes, VeraCrypt can not create an outer volume bigger than 2 TB on disks where the logical sector size if 512 byes.

Both of you are using disks that have a logical sector size of 512 bytes, this explains why VeraCrypt refuses to create an outer volume larger than 2 TB.

If you were using disks with a logical sector size set to 4096 bytes, VeraCrypt would have been able to an outer volume with a size up to 16 TB which the maximum size allowed by FAT32 for such 4K disks.

Actually, a similar issue has been already reported and analyzed on November/December 2014. It is still open and you can see my analysis at https://veracrypt.codeplex.com/workitem/18

As indicated in the link above, the ideal solution would be to implement cluster bitmap analysis for Ext3/Ext4 filesystems which is not something easy to do. Until then, FAT32 will be the only filesystem supported on Linux for hidden volumes and in order to have a size bigger than 2 TB, a disk with a logical sector size equal to 4096 must be used.

Of course, we can implement the possibility for users to manually select the size of the hidden volume but there is risk for data loss if the user enter wrong values and VeraCrypt can not check their validity. Is this something acceptable?
Mar 17, 2016 at 4:24 AM
Edited Mar 17, 2016 at 4:28 AM
Hi,

Thanks for addressing this issue so comprehensively.

It seems like this has been a lingering issue but may not be "severe" if your main user is windows, drives are <2TB, or logical sector size is more commonly 4096 bytes in off the shelf drives. FAT32 is just so limiting and antiquated! I understand this is just for the outer volume and that the inner volume can be anything, but, in 2016, having a drive >2TB formatted with FAT32 is extremely suspicious and goes against the plausible deniability "defense".

That being said, I would state I still love this project and it's goals.

A couple of requests:
  1. Please create a page in the documentation dedicated to this issue. (a tl;dr section with the conclusion of: don't get a drive with logical sector size < 512 for drives bigger than 2 TB). It would have a prudent to have considering I bought a large capacity drive specifically to use VeraCrypt on with no idea of this issue.
  2. Modify the error message to state logical sector size and point back to the documentation for the discussion.
  3. Create a work item that has an accurate title/description. Point to it from the documentation page.
  4. I can see the work to do cluster bitmap analysis for another FS is non-trivial but would be the best option. I already upvoted the work item.
  5. Manually selecting size of the hidden value sounds like a bridge to nowhere? Is there a formula that could give us a magic number that won't result in data loss yet still have reasonable capacity yield?
Please let me know if you need help with any of those items.
Mar 18, 2016 at 9:17 AM
idrassi wrote:
. . . we can implement the possibility for users to manually select
the size of the hidden volume but there is risk for data loss if the
user enter wrong values and VeraCrypt can not check their validity. Is
this something acceptable?
I think that would be an EXTREMELY cool feature, but of course you'd
want to wrap it in a "Are you sure you want to do this?" dialog if you
did it. But I'd love it.

Myami wrote:
having a drive >2TB formatted with FAT32 is extremely suspicious . . .
Not really, unless I'm missing something.

I just tested for container crypts, not partitions, and only up to
75 giB, because that is all I have available atm, but for me with
the gnu/linux 64 bit version, with either the gui or the interactive
command line methods (interactive meaning you didn't specify the
filesystem type with an option in the command) when making a plain
crypt with no hidden volume, it DEFAULTS to FAT-32. So, unless
either I've misunderstood, or it doesn't behave that way under your
conditions, I can't see that having a crypt that has the DEFAULT file
system type as being any more suspicious than having a crypt period.

Most people do stuff like this the same way they approach life -
hitting the enter key and accepting the default whenever possible. So
making it the default is probably sufficient to ensure that 90%
of the plain crypts without hidden volumes are FAT-32 just like the
outer volumes.

Nonetheless, this is a good argument for disallowing anything BUT
FAT-32 in plain crypts, so that would ALL be the same, but I like
the idea of being able to manually select a hidden volume size a
lot better.
Mar 25, 2016 at 11:44 PM
Thanks idrassi. An override would be good with proper warnings and documentation on how to calculate a good size.
Sep 11, 2016 at 1:22 PM
I am having the exact same issue on Ubuntu 16.04!
Are there any updates to this limitation?
Is it POSSIBLE to change the logical sector size to 4096 so that the whole drive can be encrypted all at once? and if so, HOW would one go about doing that after seeing this limitation/error ??

Is it also possible to do this on windows and it will encrypt more than 2GB? or will the same error pop up?

I also agree that that feature would be very helpful and useful!! I don't think anyone wants to partition their 8TB drives into 2TB encrypted partitions, especially when 10TB drives are already out and HDD capacities in the market are increasing fast.
Nov 28, 2016 at 5:24 PM
Hello, can someone please update on this important issue?

Someone also posted a ticket https://sourceforge.net/p/veracrypt/discussion/technical/thread/68c13e63/ having the same problem.

please help.