Linux: refine in-kernel NTFS driver selection

Keep the NTFS kernel-driver option as a generic in-kernel NTFS path rather than an ntfs3-specific path. Add --filesystem=kernel-ntfs and -m kernelntfs routes that select a registered or loadable kernel NTFS driver and mount with -i so mount.ntfs/ntfs-3g helpers are not invoked.

Preserve --filesystem=ntfs3 as a literal pin to the ntfs3 driver. Treat both ntfs3 and kernel-ntfs as mount-only selectors; volume creation continues to use filesystem type NTFS.

The preference and -m kernelntfs path only select an in-kernel NTFS driver when no explicit filesystem type was supplied and blkid detects NTFS.

Treat ntfs as the preferred in-kernel driver on Linux 7.1 and later, where the upstream read/write driver is expected. On earlier kernels, select ntfs only when module metadata identifies the standalone read/write driver and /sys/module confirms it loaded, avoiding ntfs3 read-only ntfs compatibility registrations. Fall back to ntfs3 otherwise, and report a generic kernel-driver error if neither supported driver is available or loadable.

Rename the internal preference/config field to MountNtfsWithKernelDriver, migrate the old MountNtfsWithNtfs3 preference key, and update UI strings, CLI help, documentation, release notes, and translation placeholders accordingly.

Reference: https://github.com/veracrypt/VeraCrypt/issues/1735

src/Main/CommandLineInterface.cpp

@@ -367,8 +367,20 @@ namespace VeraCrypt
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::Ext4;
 				else if (str.IsSameAs (L"NTFS", false))
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
+				else if (str.IsSameAs (L"kernel-ntfs", false)
+					|| str.IsSameAs (L"ntfs-kernel", false))
+				{
+					if (ArgCommand == CommandId::CreateVolume)
+						throw_err (LangString["UNKNOWN_OPTION"] + L": " + str);
+
+					ArgMountOptions.FilesystemType = L"kernel-ntfs";
+					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
+				}
 				else if (str.IsSameAs (L"ntfs3", false))
 				{
+					if (ArgCommand == CommandId::CreateVolume)
+						throw_err (LangString["UNKNOWN_OPTION"] + L": " + str);
+
 					ArgMountOptions.FilesystemType = L"ntfs3";
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
 				}
@@ -466,6 +478,10 @@ namespace VeraCrypt
 					ArgMountOptions.PartitionInSystemEncryptionScope = true;
 				else if (token == L"timestamp" || token == L"ts")
 					ArgMountOptions.PreserveTimestamps = false;
+#ifdef TC_LINUX
+				else if (token == L"kernelntfs" || token == L"kernel-ntfs")
+					ArgMountOptions.MountNtfsWithKernelDriver = true;
+#endif
 #ifdef TC_WINDOWS
 				else if (token == L"removable" || token == L"rm")
 					ArgMountOptions.Removable = true;

src/Main/Forms/PreferencesDialog.cpp

@@ -28,14 +28,14 @@
 namespace VeraCrypt
 {
 #ifdef TC_LINUX
-	class Ntfs3HelpIconWindow : public wxWindow
+	class KernelNtfsHelpIconWindow : public wxWindow
 	{
 	public:
-		Ntfs3HelpIconWindow (wxWindow *parent)
+		KernelNtfsHelpIconWindow (wxWindow *parent)
 			: wxWindow (parent, wxID_ANY, wxDefaultPosition, wxSize (16, 16))
 		{
 			SetMinSize (wxSize (16, 16));
-			Bind (wxEVT_PAINT, &Ntfs3HelpIconWindow::OnPaint, this);
+			Bind (wxEVT_PAINT, &KernelNtfsHelpIconWindow::OnPaint, this);
 		}
 
 	protected:
@@ -98,18 +98,18 @@ namespace VeraCrypt
 
 		FilesystemOptionsTextCtrl->SetValue (Preferences.DefaultMountOptions.FilesystemOptions);
 #ifdef TC_LINUX
-		wxBoxSizer *ntfs3PreferenceSizer = new wxBoxSizer (wxHORIZONTAL);
-		MountNtfsWithNtfs3CheckBox = new wxCheckBox (FilesystemSizer->GetStaticBox(), wxID_ANY, LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3"]);
-		MountNtfsWithNtfs3CheckBox->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3_HELP"]);
-		ntfs3PreferenceSizer->Add (MountNtfsWithNtfs3CheckBox, 0, wxALIGN_CENTER_VERTICAL | wxRIGHT, 5);
+		wxBoxSizer *kernelNtfsPreferenceSizer = new wxBoxSizer (wxHORIZONTAL);
+		MountNtfsWithKernelDriverCheckBox = new wxCheckBox (FilesystemSizer->GetStaticBox(), wxID_ANY, LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER"]);
+		MountNtfsWithKernelDriverCheckBox->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER_HELP"]);
+		kernelNtfsPreferenceSizer->Add (MountNtfsWithKernelDriverCheckBox, 0, wxALIGN_CENTER_VERTICAL | wxRIGHT, 5);
 
-		wxWindow *ntfs3HelpIcon = new Ntfs3HelpIconWindow (FilesystemSizer->GetStaticBox());
-		ntfs3HelpIcon->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3_HELP"]);
-		ntfs3PreferenceSizer->Add (ntfs3HelpIcon, 0, wxALIGN_CENTER_VERTICAL | wxLEFT, 10);
+		wxWindow *kernelNtfsHelpIcon = new KernelNtfsHelpIconWindow (FilesystemSizer->GetStaticBox());
+		kernelNtfsHelpIcon->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER_HELP"]);
+		kernelNtfsPreferenceSizer->Add (kernelNtfsHelpIcon, 0, wxALIGN_CENTER_VERTICAL | wxLEFT, 10);
 
-		FilesystemSizer->Add (ntfs3PreferenceSizer, 0, wxALL, 5);
+		FilesystemSizer->Add (kernelNtfsPreferenceSizer, 0, wxALL, 5);
 
-		MountNtfsWithNtfs3CheckBox->SetValidator (wxGenericValidator (&Preferences.DefaultMountOptions.MountNtfsWithNtfs3));
+		MountNtfsWithKernelDriverCheckBox->SetValidator (wxGenericValidator (&Preferences.DefaultMountOptions.MountNtfsWithKernelDriver));
 #endif
 
 		int index, prfInitialIndex = 0;

src/Main/Forms/PreferencesDialog.h

@@ -56,7 +56,7 @@ namespace VeraCrypt
 
 		KeyfilesPanel *DefaultKeyfilesPanel;
 #ifdef TC_LINUX
-		wxCheckBox *MountNtfsWithNtfs3CheckBox;
+		wxCheckBox *MountNtfsWithKernelDriverCheckBox;
 #endif
 		int LastVirtualKeyPressed;
 		unique_ptr <wxTimer> mTimer;

src/Main/Forms/WaitDialog.cpp

@@ -53,6 +53,7 @@ namespace VeraCrypt
 		VC_CONVERT_EXCEPTION (EncryptedSystemRequired);
 		VC_CONVERT_EXCEPTION (HigherFuseVersionRequired);
 		VC_CONVERT_EXCEPTION (KernelCryptoServiceTestFailed);
+		VC_CONVERT_EXCEPTION (KernelNtfsDriverUnavailable);
 		VC_CONVERT_EXCEPTION (LoopDeviceSetupFailed);
 		VC_CONVERT_EXCEPTION (MountPointRequired);
 		VC_CONVERT_EXCEPTION (MountPointUnavailable);

src/Main/UserInterface.cpp

@@ -526,6 +526,7 @@ namespace VeraCrypt
 		EX2MSG (InvalidSecurityTokenKeyfilePath,	LangString["INVALID_TOKEN_KEYFILE_PATH"]);
 		EX2MSG (HigherVersionRequired,				LangString["NEW_VERSION_REQUIRED"]);
 		EX2MSG (KernelCryptoServiceTestFailed,		LangString["LINUX_EX2MSG_KERNELCRYPTOSERVICETESTFAILED"]);
+		EX2MSG (KernelNtfsDriverUnavailable,		LangString["LINUX_KERNEL_NTFS_DRIVER_UNAVAILABLE"]);
 		EX2MSG (KeyfilePathEmpty,					LangString["ERR_KEYFILE_PATH_EMPTY"]);
 		EX2MSG (LoopDeviceSetupFailed,				LangString["LINUX_EX2MSG_LOOPDEVICESETUPFAILED"]);
 		EX2MSG (MissingArgument,					LangString["LINUX_EX2MSG_MISSINGARGUMENT"]);
@@ -1307,13 +1308,22 @@ const FileManager fileManagers[] = {
 					" option specifies the filesystem to be created on the new volume.\n"
 					" Filesystem type 'none' disables mounting or creating a filesystem.\n"
 #ifdef TC_LINUX
-					" On Linux, filesystem type 'ntfs3' mounts an NTFS volume using the\n"
-					" in-kernel ntfs3 driver. The ntfs3 kernel module must be available\n"
-					" and allowed by the distribution; otherwise mounting may fail.\n"
-					" The Linux preference \"Mount NTFS volumes with the Linux kernel ntfs3\n"
+					" On Linux, filesystem type 'ntfs3' mounts with the in-kernel ntfs3\n"
+					" driver and bypasses mount helpers. Filesystem type 'kernel-ntfs'\n"
+					" mounts an NTFS volume using an available in-kernel NTFS driver.\n"
+					" These Linux driver selectors are mount-only; use filesystem type\n"
+					" 'NTFS' when creating a new NTFS volume.\n"
+					" VeraCrypt uses ntfs when it is positively identified as a modern\n"
+					" read/write driver or expected on Linux 7.1 or later;\n"
+					" otherwise it selects ntfs3.\n"
+					" The Linux preference \"Mount NTFS volumes with an in-kernel Linux\n"
 					" driver\" is disabled by default. When enabled, VeraCrypt probes the\n"
-					" decrypted virtual device with blkid -p and applies ntfs3 only when\n"
-					" NTFS is detected and no explicit filesystem type was supplied. If\n"
+					" decrypted virtual device with blkid -p and uses an available in-kernel\n"
+					" NTFS driver only when NTFS is detected and no explicit filesystem type\n"
+					" was supplied. The mount option -m kernelntfs enables the same detected\n"
+					" NTFS selection for the current mount; use --filesystem=kernel-ntfs to\n"
+					" force kernel-driver selection. If no supported in-kernel NTFS driver is\n"
+					" available, mounting fails instead of falling back to ntfs-3g. If\n"
 					" detection fails, VeraCrypt uses the normal automatic filesystem\n"
 					" selection. This can avoid suspend or hibernate hangs caused by frozen\n"
 					" user-space FUSE filesystems during kernel filesystem sync; use findmnt\n"
@@ -1369,6 +1379,10 @@ const FileManager fileManagers[] = {
 					"   is unmounted (note that the operating system under certain circumstances\n"
 					"   does not alter host-file timestamps, which may be mistakenly interpreted\n"
 					"   to mean that this option does not work).\n"
+#ifdef TC_LINUX
+					"  kernelntfs: Use an available in-kernel NTFS driver when NTFS is\n"
+					"   detected and no filesystem type was supplied.\n"
+#endif
 					" See also option --fs-options.\n"
 					"\n"
 					"--new-keyfiles=KEYFILE1[,KEYFILE2,KEYFILE3,...]\n"
@@ -1468,8 +1482,8 @@ const FileManager fileManagers[] = {
 					"veracrypt -t -k \"\" --pim=0 --protect-hidden=no volume.hc /media/veracrypt1\n"
 					"\n"
 #ifdef TC_LINUX
-					"Mount an NTFS volume using the Linux in-kernel ntfs3 driver:\n"
-					"veracrypt -t --filesystem=ntfs3 volume.hc /media/veracrypt1\n"
+					"Mount an NTFS volume using a Linux in-kernel NTFS driver:\n"
+					"veracrypt -t --filesystem=kernel-ntfs volume.hc /media/veracrypt1\n"
 					"\n"
 #endif
 					"Unmount a volume:\n"
@@ -1762,6 +1776,7 @@ const FileManager fileManagers[] = {
 		VC_CONVERT_EXCEPTION (EncryptedSystemRequired);
 		VC_CONVERT_EXCEPTION (HigherFuseVersionRequired);
 		VC_CONVERT_EXCEPTION (KernelCryptoServiceTestFailed);
+		VC_CONVERT_EXCEPTION (KernelNtfsDriverUnavailable);
 		VC_CONVERT_EXCEPTION (LoopDeviceSetupFailed);
 		VC_CONVERT_EXCEPTION (MountPointRequired);
 		VC_CONVERT_EXCEPTION (MountPointUnavailable);

src/Main/UserPreferences.cpp

@@ -103,7 +103,9 @@ namespace VeraCrypt
 			DefaultMountOptions.Protection = readOnly ? VolumeProtection::ReadOnly : VolumeProtection::None;
 
 #ifdef TC_LINUX
-			if (configMap.count(L"MountNtfsWithNtfs3") > 0) { SetValue (configMap[L"MountNtfsWithNtfs3"], DefaultMountOptions.MountNtfsWithNtfs3); configMap.erase (L"MountNtfsWithNtfs3"); }
+			if (configMap.count(L"MountNtfsWithKernelDriver") > 0) { SetValue (configMap[L"MountNtfsWithKernelDriver"], DefaultMountOptions.MountNtfsWithKernelDriver); configMap.erase (L"MountNtfsWithKernelDriver"); }
+			else if (configMap.count(L"MountNtfsWithNtfs3") > 0) { SetValue (configMap[L"MountNtfsWithNtfs3"], DefaultMountOptions.MountNtfsWithKernelDriver); }
+			configMap.erase (L"MountNtfsWithNtfs3");
 #endif
 			if (configMap.count(L"MountVolumesRemovable") > 0) { SetValue (configMap[L"MountVolumesRemovable"], DefaultMountOptions.Removable); configMap.erase (L"MountVolumesRemovable"); }
 			if (configMap.count(L"NoHardwareCrypto") > 0) { SetValue (configMap[L"NoHardwareCrypto"], DefaultMountOptions.NoHardwareCrypto); configMap.erase (L"NoHardwareCrypto"); }
@@ -225,7 +227,7 @@ namespace VeraCrypt
 		TC_CONFIG_ADD (MountFavoritesOnLogon);
 		formatter.AddEntry (L"MountVolumesReadOnly", DefaultMountOptions.Protection == VolumeProtection::ReadOnly);
 #ifdef TC_LINUX
-		formatter.AddEntry (L"MountNtfsWithNtfs3", DefaultMountOptions.MountNtfsWithNtfs3);
+		formatter.AddEntry (L"MountNtfsWithKernelDriver", DefaultMountOptions.MountNtfsWithKernelDriver);
 #endif
 		formatter.AddEntry (L"MountVolumesRemovable", DefaultMountOptions.Removable);
 		formatter.AddEntry (L"NoHardwareCrypto", DefaultMountOptions.NoHardwareCrypto);