Hidden volume protection dialog is misleading about required password (outer vs hidden)

[FabioLeitao]

Summary:
When mounting a hidden volume with “Protect hidden volume against damage” enabled in the Windows GUI,
the password dialog is misleading and does not clearly state that it requires the OUTER (decoy) volume
credentials. This leads to common authentication failures (Error 9135) even for correctly created volumes.

Environment:

• VeraCrypt version: (1.26.24)
• OS: Windows (Windows 11)
• Volume type: File container
• Outer and hidden volumes use exFAT
• Outer and hidden volumes use completely random and distinct passphrases
• Outer volume: 20GB [AES+SHA512+default PIM(0), no key files]
• Inner hidden volume: 15GB [AES+SHA512+PIM(485)+keyfile]

Problem description:
The dialog shown when enabling “Protect hidden volume against damage” refers to “password” and mentions
that a cached password may be used, but it does not explicitly state that the OUTER volume password
(and PIM/keyfiles used at outer-volume creation) are required.

Because the dialog looks identical to a normal mount dialog, it is very natural for users to re-enter
the hidden volume password, hidden PIM, or hidden keyfiles. This results in Error 9135, which can
incorrectly suggest corruption or design errors—even immediately after volume creation.

Observed behavior:

• Hidden volume mounts successfully when protection is disabled
• Enabling protection causes Error 9135 unless outer volume credentials are entered
• Error message does not explain that the wrong volume’s credentials were provided

Expected behavior / suggestion:

• Dialog should explicitly state: “Enter OUTER (decoy) volume password. Do NOT enter hidden volume password here.”
• Consider labeling fields as “Outer volume password / PIM / keyfiles”
• Optionally clear PIM and keyfile selections when the dialog opens to prevent accidental reuse

Impact:
This wording ambiguity affects even technically experienced users and creates unnecessary confusion
around hidden volumes, which are already a sensitive and high‑stakes feature.

[idrassi]

Hidden volume protection is intended for mounting the outer volume while protecting a hidden volume inside it. The main password dialog must receive the outer volume credentials. The Mount Options protection fields are intentionally for the hidden volume credentials, because VeraCrypt decrypts the hidden header only to determine the protected range.

So the requested change to make the protection dialog ask for the outer password would be incorrect.

However, the report identifies a real UI ambiguity: after enabling protection, the main password dialog still uses generic labels
and the wrong-password error does not explain the two credential sets. We will consider improving the Windows GUI labels/error text to make this explicit.

[FabioLeitao]

Ok, I see your point, but what I meant was, when you open the second dialog where you are supposed to put the Outer password/pim/keyfile for the protection of the inner (hidden) volume, the text NEVER mentions you are supposed to write down the OUTER information there... that is why I have considered it ambiguous, and kind of distracting to whoever is trying to saveguard their data in such a sensitive (plausible deniability) way...

…

________________________________ De: Mounir IDRASSI ***@***.***> Enviado: terça-feira, 14 de abril de 2026 20:24 Para: veracrypt/VeraCrypt ***@***.***> Cc: Fabio Tavares Leitão ***@***.***>; Author ***@***.***> Assunto: Re: [veracrypt/VeraCrypt] Hidden volume protection dialog is misleading about required password (outer vs hidden) (Issue #1673) [https://avatars.githubusercontent.com/u/4698669?s=20&v=4]idrassi left a comment (veracrypt/VeraCrypt#1673)<#1673 (comment)> Hidden volume protection is intended for mounting the outer volume while protecting a hidden volume inside it. The main password dialog must receive the outer volume credentials. The Mount Options protection fields are intentionally for the hidden volume credentials, because VeraCrypt decrypts the hidden header only to determine the protected range. So the requested change to make the protection dialog ask for the outer password would be incorrect. However, the report identifies a real UI ambiguity: after enabling protection, the main password dialog still uses generic labels and the wrong-password error does not explain the two credential sets. We will consider improving the Windows GUI labels/error text to make this explicit. — Reply to this email directly, view it on GitHub<#1673 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJZSK7MTFOPRKJHKAUUPWD4V3CB7AVCNFSM6AAAAACXY2NOMCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DENBXHEZTMMZXGY>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[idrassi]

I think there is still a misunderstanding about what "hidden volume protection" does.

Hidden volume protection is NOT used when mounting the hidden volume. If you mount the hidden volume itself, there is no outer-volume write activity to protect against, so this option is not needed.

Hidden volume protection is only for this case:

• you want to mount the outer volume,
• you want to write to the outer volume,
• and you want VeraCrypt to prevent those writes from overwriting the hidden volume area.

In that case, the mounted volume is the outer volume. Therefore:

• the main password dialog must receive the outer volume password/PIM/keyfiles;
• the Mount Options protection section must receive the hidden volume password/PIM/keyfiles, because VeraCrypt needs to decrypt the hidden header in RAM to know which area of the outer volume must be protected.

If you enter the hidden volume password in the main password dialog while also enabling hidden volume protection, VeraCrypt cannot proceed: it would be trying to mount the hidden volume while also enabling a protection mode that only makes sense for mounting the outer volume.

VeraCrypt cannot simply disable the option automatically in advance, because before trying the credentials it does not know whether the user intends to mount the outer volume or the hidden volume. That is determined only by which password successfully decrypts a header.

So the correct rule is:

• To mount the hidden volume: enter hidden credentials in the main dialog and do not enable hidden volume protection.
• To mount the outer volume with hidden volume protection: enter outer credentials in the main dialog, enable protection in Mount Options, and enter hidden credentials in the protection section.

[FabioLeitao]

Ah, ok, I see your point, but when I did it, I went the other way around... I have "mounted" the inner hidden volume and "protected" it by adding in the second dialog the "outer" decoy volume configs. It works. Even stranger and wronger then I have first imagined... Cool in so many levels, but still, pretty wrong.

…

________________________________ De: Mounir IDRASSI ***@***.***> Enviado: terça-feira, 14 de abril de 2026 20:40 Para: veracrypt/VeraCrypt ***@***.***> Cc: Fabio Tavares Leitão ***@***.***>; Author ***@***.***> Assunto: Re: [veracrypt/VeraCrypt] Hidden volume protection dialog is misleading about required password (outer vs hidden) (Issue #1673) [https://avatars.githubusercontent.com/u/4698669?s=20&v=4]idrassi left a comment (veracrypt/VeraCrypt#1673)<#1673 (comment)> I think there is still a misunderstanding about what "hidden volume protection" does. Hidden volume protection is NOT used when mounting the hidden volume. If you mount the hidden volume itself, there is no outer-volume write activity to protect against, so this option is not needed. Hidden volume protection is only for this case: * you want to mount the outer volume, * you want to write to the outer volume, * and you want VeraCrypt to prevent those writes from overwriting the hidden volume area. In that case, the mounted volume is the outer volume. Therefore: * the main password dialog must receive the outer volume password/PIM/keyfiles; * the Mount Options protection section must receive the hidden volume password/PIM/keyfiles, because VeraCrypt needs to decrypt the hidden header in RAM to know which area of the outer volume must be protected. If you enter the hidden volume password in the main password dialog while also enabling hidden volume protection, VeraCrypt cannot proceed: it would be trying to mount the hidden volume while also enabling a protection mode that only makes sense for mounting the outer volume. VeraCrypt cannot simply disable the option automatically in advance, because before trying the credentials it does not know whether the user intends to mount the outer volume or the hidden volume. That is determined only by which password successfully decrypts a header. So the correct rule is: * To mount the hidden volume: enter hidden credentials in the main dialog and do not enable hidden volume protection. * To mount the outer volume with hidden volume protection: enter outer credentials in the main dialog, enable protection in Mount Options, and enter hidden credentials in the protection section. — Reply to this email directly, view it on GitHub<#1673 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJZSK7G3KOC2X77HLSKYVT4V3D7ZAVCNFSM6AAAAACXY2NOMCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DENBYGA2DQOJQHA>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[idrassi]

If your mount "worked" after entering outer credentials in the Mount Options protection section, then one of the following is probably true:

• the mounted volume was actually the outer volume, not the hidden one
• the hidden credentials were already cached and used implicitly
• the credentials entered were not the ones assumed

Please check the mounted volume properties. If the type says Outer and hidden volume protection says Yes, then VeraCrypt is behaving as designed.
If it really says Hidden while hidden volume protection is active, please provide exact step-by-step reproduction details, because that would contradict the intended implementation.