TrueCrypt Volume Format Specification
The format of file-hosted volumes is identical to the format of partition/device-hosted volumes. A TrueCrypt volume has no “signature” or ID string. Until decrypted, it appears to consist entirely of random data. Therefore, it is impossible to identify a TrueCrypt container or partition.
Free space of each TrueCrypt volume is filled with random data when the volume is created (if the options Quick Format and Dynamic are disabled). The random data is generated as follows: Right before TrueCrypt volume formatting begins, a temporary encryption key and a temporary secondary key (XTS mode) are generated by the random number generator (see the section Random Number Generator). The encryption algorithm that the user selected is initialised with the temporary keys. The encryption algorithm is then used to encrypt plaintext blocks generated by the random number generator. The encryption algorithm operates in XTS mode (see the section Hidden Volume). The resulting ciphertext blocks are used to fill (overwrite) the free space on the volume. The temporary keys are stored in RAM and are securely erased after formatting finishes.
TrueCrypt Volume Format Specification:
| Offset (bytes) | Size (bytes) | Encryption Status* | Description |
|---|---|---|---|
| 0 | 64 | Not Encrypted** | Salt |
| 64 | 4 | Encrypted | ASCII string “TRUE” |
| 68 | 2 | Encrypted | Volume header format version |
| 70 | 2 | Encrypted | Minimum program version required to open the volume |
| 72 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 256-511 |
| 76 | 8 | Encrypted | Volume creation time |
| 84 | 8 | Encrypted | Header creation/modification time |
| 92 | 8 | Encrypted | Reserved (set to zero) |
| 100 | 8 | Encrypted | Size of the volume |
| 108 | 8 | Encrypted | Byte offset of the encrypted area |
| 116 | 8 | Encrypted | Size of the encrypted area |
| 124 | 132 | Encrypted | Reserved (set to zero) |
| 256 | Var. | Encrypted | Concatenated primary and secondary master keys*** |
| 512 | Var. | Encrypted | Data area (virtual volume contents) |
The fields located at the byte #0 (salt) and #256 (master keys) contain random values generated by the random number generator (see the section Random Number Generator) during the volume creation process.
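The checks implied by the table above, as an added example (not TrueCrypt's own code): a Python parser for a header whose bytes 64-511 have already been decrypted, validating the "TRUE" string, the CRC-32 of bytes 256-511 and the reserved areas. Big-endian field order, zlib's standard CRC-32 and all sample values are assumptions of this example; parse_header and build_sample_header are hypothetical names.

```python
import struct
import zlib

HEADER_SIZE = 512
# Layout of bytes 64-123 from the table above. Big-endian byte order is an
# assumption of this example; the table does not state it.
FIELDS = struct.Struct(">4sHHIQQQQQQ")
NAMES = ("magic", "header_version", "min_program_version", "keys_crc32",
         "volume_created", "header_modified", "reserved", "volume_size",
         "encrypted_area_offset", "encrypted_area_size")


def parse_header(header: bytes) -> dict:
    """Parse a 512-byte volume header whose bytes 64-511 are already decrypted."""
    if len(header) != HEADER_SIZE:
        raise ValueError("header must be exactly 512 bytes")
    fields = dict(zip(NAMES, FIELDS.unpack_from(header, 64)))
    if fields["magic"] != b"TRUE":
        raise ValueError("magic is not 'TRUE' (wrong key or not a header)")
    # Offset 72 holds the CRC-32 of decrypted bytes 256-511 (key area).
    # Standard CRC-32 as computed by zlib is assumed here.
    if zlib.crc32(header[256:512]) != fields["keys_crc32"]:
        raise ValueError("CRC-32 of bytes 256-511 does not match")
    # Both reserved areas are "set to zero" according to the table.
    if any(header[124:256]) or fields["reserved"] != 0:
        raise ValueError("reserved bytes are not zero")
    fields["salt"] = header[:64]
    fields["key_area"] = header[256:512]
    return fields


def build_sample_header() -> bytes:
    """Constructed sample: fixed bytes stand in for the random salt and keys."""
    salt = bytes(range(64))
    key_area = bytes((7 * i) % 256 for i in range(256))
    # Version numbers, timestamps and sizes below are constructed values.
    body = FIELDS.pack(b"TRUE", 3, 0x0600, zlib.crc32(key_area),
                       0, 0, 0, 10 * 2**20, 512, 10 * 2**20 - 512)
    return salt + body + bytes(132) + key_area


if __name__ == "__main__":
    for name, value in parse_header(build_sample_header()).items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

A failed "TRUE" or CRC-32 check on candidate plaintext means the header key was wrong or the bytes are not a header at all, which is how a wrong password and a corrupted header can be told apart from a valid one.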
If a TrueCrypt volume hosts a hidden volume (within its free space), the header of the hidden volume is located at the byte #1536 (offset) from the end of the host volume (the header of the host/outer volume is located at the beginning of the volume – see the section Hidden Volume). The format of the hidden volume header is specified in the following table:
| Offset (bytes) | Size (bytes) | Encryption Status* | Description |
|---|---|---|---|
| 0 | 64 | Not Encrypted** | Salt |
| 64 | 4 | Encrypted | ASCII string “TRUE” |
| 68 | 2 | Encrypted | Volume header format version |
| 70 | 2 | Encrypted | Minimum program version required to open the volume |
| 72 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 256-511 |
| 76 | 8 | Encrypted | Volume creation time |
| 84 | 8 | Encrypted | Header creation/modification time |
| 92 | 8 | Encrypted | Size of the hidden volume |
| 100 | 8 | Encrypted | Size of the volume |
| 108 | 8 | Encrypted | Byte offset of the encrypted area |
| 116 | 8 | Encrypted | Size of the encrypted area |
| 124 | 132 | Encrypted | Reserved (set to zero) |
| 256 | Var. | Encrypted | Concatenated primary and secondary master keys*** |
| 288 | Var. | Encrypted | Master key(s) |
The maximum possible TrueCrypt volume size is 2^63 bytes (8,589,934,592 GB). However, due to security reasons (with respect to the 128-bit block size and the mode of operation), the maximum allowed volume size is 1 PB (1,048,576 GB).
* The encrypted areas of the volume header are encrypted with the header key (and the secondary header key in XTS mode). For more information, see the section Encryption Scheme and the section Header Key Derivation, Salt, and Iteration Count.
** Note that the salt does not need to be encrypted, as it does not have to be kept secret [7] (salt is a sequence of random values).
*** Multiple concatenated master keys are stored here when the volume is encrypted using a cascade of ciphers (secondary master keys are used for XTS mode).
