FUSE mounting quirks on Linux (with VeraCrypt)

!
Warning: This post is over 365 days old. The information may be out of date.

If you get a

Permission denied: file.hc

VeraCrypt::File::Open:232

error when attempting to mount a VeraCrypt volume on Linux, this is the post for you!

Why does this happen?

This usually occurs because the encrypted VeraCrypt file resides on a FUSE mount that VeraCrypt cannot access.

To explain further, FUSE is used whenever you need to mount a custom filesystem, say a filesystem based on SSH (SSHFS), or a Samba share (such as from your NAS), or from another encryption software (such as a mount from VeraCrypt itself or Cryptomator). FUSE assigns a mount point, does the complex translation between your computer and the save medium, and you can happily write away at the mount without knowing of all the details.

The issue occurs because on Linux, FUSE restricts who can access a given mount based on who mounted the volume in the first place. This applies to the superuser as well, on defaults, anyway. If this sounds complicated, just know that whoever first mounted the filesystem is the only one who can access the mount, and nobody else can.

VeraCrypt requires superuser permissions, since it tries to mount the volume at /mnt, or some other system mount directory that requires superuser permissions. Therefore, it runs as the root user. Remember the restriction from above? Even as the root user, FUSE disallows access to the previous mount that holds the encrypted VeraCrypt file, which means VeraCrypt can’t access the file to open it.

How can you solve it?

One of several ways:

Mount as root

You can simply mount the underlying filesystem as the root user, which will allow VeraCrypt to mount the file without any problems. Unfortunately, this has the side effect of not allowing you, the user, to actually modify any files on the underlying mount, which is cumbersome if the mount is, say, a Samba share from a NAS and you want to actually change any other file on your NAS.

Configure FUSE to allow other users (or root)

Add the following to your /etc/fuse.conf file:

user_allow_other

If the line exists, make sure it is uncommented so that it is enabled.

Then, when mounting the underlying filesystem, you can pass in an optional parameter that allows other users to access the mount, or the root user.

To allow other users (including root):

-o allow_other

To allow only the root user:

-o allow_root

comments