veracrypt
For Mac, have the option to use FUSE-T
Desired behavior
Please add, as an option for macOS, the ability to use FUSE-T. FUSE-T is similar to FUSE, but instead of presenting volumes directly to the OS, it presents them as loopback mounted NFS v4 volumes. Since FUSE-T requires no kernel extensions, it is easier to maintain for MacOS's constantly changing kernel space, and that one has to go into recovery mode to select a lower security option for FUSE, while FUSE-T doesn't require this.
Additional information
FUSE-T's website: https://www.fuse-t.org/
Your Environment
Please tell us more about your environment
VeraCrypt version: VeraCrypt 1.25.9
Operating system and version: macOS 13.3.1
System type: arm64
+1 to this issue. FUSE-T markets itself as a "Drop-in replacement for osxfuse," so even though I haven't looked at the VeraCrypt code, I can't imagine that the implementation would be very difficult.
Since VeraCrypt aims to be transparent, I also think that it's problematic that both MacFUSE and FUSE-T are closed-source programs, but I suppose that's a different discussion.
Well, it will work with minor changes to veracrypt, the developer of Fuse-T did compile and tested it with minor changes.
It is indeed becoming harder to configure macFUSE on recent macOS versions for non-technical users. This limits the userbase of VeraCrypt and supporting Fuse-T is a solution to this problem.
Thank you @arifzeeshan for sharing the confirmation of Fuse-T author that minimal changes are needed to make it compatible. He didn't share these changes but I give it a try in the coming weeks and see how it goes.
Looking forward to the changes and since Fuse-T runs on a userspace, hope we will also have a portable version too.
Could you please provide an update on the progress made in this area? Any details on the specific changes implemented or the overall experience in integrating Fuse-T with VeraCrypt would be greatly appreciated. Thank you again for your efforts and for sharing this information!
@idrassi What steps are necessary before macos-fuse-t/VeraCrypt can be merged into the main VeraCrypt repository?
@idrassi thank you for your great work. It looks as if the PR from the Fuse-T repo is rather straight forward. Could you at least merge it into a new feature branch so that it gets some exposure and can be tested by the brave folks here? Thank you!
Any update on this? Would be great to have this option, I don't want to mess with kernel extensions on my new M1 machine.
I have finally merged https://github.com/veracrypt/VeraCrypt/pull/1276 and added some enhancements on top of it. I’m now looking into fuse-t support. I have reviewed the changes proposed by the fuse-t author in https://github.com/macos-fuse-t/fuse-t/issues/11, and they indeed look simple.
I will implement the changes to create a fuse-t build and share it here for testing.
I have added FUSE-T support to VeraCrypt in this commit: https://github.com/veracrypt/VeraCrypt/commit/edde1d45f6de3e71b585b92e0e06d7499735c238
There was an issue that caused volumes not to mount the first time they are used, and it took time to figure out the cause and the fix. It turns out that FUSE-T is slower in making the content of the mounted volume control file available compared to MacFUSE, so I had to add a waiting loop (250 ms for each loop) in order for the mounted content to be accessible. You can see the loop here: https://github.com/veracrypt/VeraCrypt/commit/edde1d45f6de3e71b585b92e0e06d7499735c238?diff=split&w=0#diff-c700f1c203f50e9d8f52601149b2406b97501ce983d57afa1ad5a61a22bfe3c5R303
Another issue is that FUSE-T libraries are built in such a way that they target only macOS Sonoma (14.0), while VeraCrypt targets macOS Monterey as the minimum version. I don't know if this was done on purpose and macOS Ventura and Monterey are not supported by FUSE-T. So for now, we get this warning during the linking of VeraCrypt:
ld: warning: dylib (/usr/local/lib/libfuse-t.dylib) was built for newer macOS version (14.0) than being linked (12.0)
ld: warning: dylib (/usr/local/lib/libfuse-t.dylib) was built for newer macOS version (14.0) than being linked (12.0)
It would be better if FUSE-T could target Monterey or Ventura as the minimum version.
Apart from this, it seems to work well and it is certainly less painful than MacFUSE which requires disabling security settings on Apple Silicon.
The next step is to notarize the VeraCrypt binary for FUSE-T and share it here for testing.
As promised, here is the notarized version of VeraCrypt that uses FUSE-T instead of MacFUSE: VeraCrypt_FUSE-T_1.26.11.dmg.zip
SHA256 SUM:
a2ee0316c409d78d721b381cb0610ae33dc6246c0497178780310836644b7b97 VeraCrypt_FUSE-T_1.26.11.dmg
Based my tests, it seems to work well. Feedback is welcomed.
Hi @idrassi,
First of all, thank you very much for your work!
The new version seems to work on my M1 MacBook, but I found two (minor?) problems.
- After creating a new volume and mounting it for the first time, I get the following error:
The next time it was mounted without any problems.
- It always mounts to "/Volumes/NO NAME". This may be related to a previous error and may be a problem in the future. I'd suggest using the volume name in the mount point, e.g. "/Volumes/my-vc-test-volume".
Best regards, Vladyslav
Edit: typo.
Thank you @pashynskykh for the quick feedback.
For the first issue, it is caused by a FUSE-T issue for which I have already implemented a workaround (a waiting loop of max 1.2 seconds): https://github.com/veracrypt/VeraCrypt/blob/210827d27cdab8ffe33e71653ff269cd3c02dcff/src/Core/Unix/CoreUnix.cpp#L306. On my M1 system, it is enough but it looks like it is not the case everywhere. So I will increase it, maybe to 5 or 10 seconds.
For the second issue, you certainly selected FAT as your filesystem in the wizard, and that’s why you are getting “NO NAME” in the mount point. This is hardcoded in VeraCrypt for FAT formatted volumes: https://github.com/veracrypt/VeraCrypt/blob/210827d27cdab8ffe33e71653ff269cd3c02dcff/src/Core/FatFormatter.cpp#L285. With other filesystems, you will get the standard “Untitled” name variation because VeraCrypt doesn’t set any volume name explicitly.
You can always change the volume name to your liking in Finder by selecting “Rename.” Once done, you will start to see this customized name when you mount the volume with VeraCrypt.
@idrassi thanks for the detailed answer. Yes, for the second "problem" I used FAT. It really does make sense to avoid using any names at all, as the name could theoretically be a privacy/security issue if not chosen carefully. Thanks for the clarification.
I'll have more time to play with the app tomorrow. If I find anything else, I'll post an update here.
Thanks again for all your work. It's really great to see progress on this issue, as FUSE-T is a superior choice to macFUSE.
Best regards, Vladyslav
The new 1.26.11 is working well for me (M1 Max MacBook Pro/MacOS 14.5 + external USB C SSD).
I haven't tested extensively but everything is good so far.
Andy
Thank you @tarbs for the feedback. This shows that the current workaround for the FUSE-T delay issue does work on some machines other than mine.
I’m starting to like FUSE-T and I hope further tests by the community will not uncover any major issues because it is a good candidate for replacing MacFUSE as the default FUSE layer, esopecially that it is easier to deploy on Apple Silicon for non-technical users.
@pashynskykh, I have increased the waiting time for FUSE-T to 5 seconds and prepared a new build with this change. Please let me know if this solves the problem of mounting newly created volumes.
VeraCrypt_FUSE-T_1.26.12.dmg.zip
SHA256SUM:
bc7f2a37560e46d67b42cf699b29871ac376f8551a10d8bc01f50a80265f6cae Setup/MacOSX/VeraCrypt_FUSE-T_1.26.12.dmg
@idrassi just checked: created a new volume and mounted it. I didn't get any errors this time. Thank you very much!
Just tested on a corp machine with kernel extensions locked down, and thank you! This works perfectly!
I have been playing more with 1.26.12 today and have not seen any problems. I am happy that it can finally be used on my Macbook with FUSE-T. Thanks a lot @idrassi!
Thank you all for the testing, specially @pashynskykh. Things look good for FUSE-T support. It will be the recommended version of VeraCrypt for Apple Silicon.
It works in regards to using fuse-t - fantastic news.
But I have noticed that it has missing "TrueCrypt Mode" when mounting. Any particular reason to remove it? I have still some old TrueCrypt disks I mount from time to time.
EDIT: I missed that it is no longer supported. I have my answer then.
@kapitainsky Thank you for the feedback.
Concerning TrueCrypt support, it was indeed dropped in version 1.26.7 in order to simplify the code base and add room for new Blake2s algorithm. For users like you that have old TrueCrypt volume, it is possible to convert them to VeraCrypt format without loosing any data as indicated in the documentation: https://veracrypt.fr/en/Converting%20TrueCrypt%20volumes%20and%20partitions.html You will have to use version 1.25.9 for this.
Maybe good excuse to convert these old volumes:)
BTW. I am testing VC and FUSE-T on Intel mac - so far all works perfectly.
Installed in a fresh env (first VC installation), Sonoma (24.5) Mac Book Air M3.
FUSE-T 1.0.38 (sshfs: 1.0.2).
First tests OK. Will test on a old volume as soon as possible.
As promised, here is the notarized version of VeraCrypt that uses FUSE-T instead of MacFUSE: VeraCrypt_FUSE-T_1.26.11.dmg.zip
SHA256 SUM:
a2ee0316c409d78d721b381cb0610ae33dc6246c0497178780310836644b7b97 VeraCrypt_FUSE-T_1.26.11.dmgBased my tests, it seems to work well. Feedback is welcomed.
@idrassi Thank you for updating VeraCrypt to work with fuse-t. Is the code posted somewhere? I can’t seem to find it.
you can grab the latest code from master, the fuse-t changes will be there.