VeraCrypt & how-to basics

For a long time TrueCrypt was the full disk encryption solution of choice for security professionals (it was recommended by Edward Snowden, and successfully prevented the UK police from accessing files carried by Glenn Greenwald’s partner, David Miranda).

The security world was therefore extremely alarmed when the TrueCrypt developers withdrew their product under very suspicious circumstances (a situation which led to no small amount of general paranoia). At the time, a crowdfunded full audit of the software was being performed, Phase I of which had recently given it the all clear.

The withdrawal of TrueCrypt by its developers threw the auditing project into some disarray, but it was finally decided to continue onto Phase II and finish the audit. This was completed at the beginning of April 2015, and although some problems were discovered, the report (as summarized in this blog post) found that,

Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

This is great news, but leaves the problem that TrueCrypt is no longer supported. With some known weaknesses, plus the fact that no more updates will become available, it is difficult to recommend using TrueCrypt these days. So enter VeraCrypt…


VeraCrypt is a fork of TrueCrypt that ‘solves many vulnerabilities and security issues found in TrueCrypt’ (a list of improvements can be found here.) It is also under active development, and is therefore likely to be improved, and any remaining flaws patched in due time.

One thing users should be aware of, though, is that TrueCrypt was not fully open source. It was source available, allowing the code to be audited, but its developers have expressly forbidden any further development or forking of their product.

Technically, this means that VeraCrypt could be shut down at any time by the TrueCrypt devs. However, as the TrueCrypt developers have taken pains to maintain their anonymity, and given the (somewhat worrying) speed with which they acted to distance themselves from their software, it seems unlikely they will force the issue…

With VeraCrypt you can:

  • Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume)
  • Encrypt an entire partition or storage device (e.g. a hard drive or USB stick)
  • Create a partition or storage drive containing an entire operating system (which can be hidden)

All encryption is performed on-the-fly in real-time, making VeraCrypt transparent in operation. It should be noted, however, that groovy as this ability to mount an encrypted drive is (and it is one of the things that makes VeraCrypt a great program), it does mean that cryptographic keys are stored in temporary memory (RAM) during use, which can theoretically expose VeraCrypt users to the possibility of attack through the use of pre-installed keyloggers and other malware.

Hidden volumes and hidden operating systems provide plausible deniability, as it should be impossible to prove they exist (as long as all the correct precautions are taken). In Part 2 of this article we explore hidden volumes in detail.

VeraCrypt is available for Windows, OS X and Linux. Our how-to guide was written for Windows 8.1, but the basics should be more or less the same for any operating system (and other forks or versions of TrueCrypt).

Note that unlike Ciphershed, VeraCrypt is not compatible with TrueCrypt volumes (see the end of this article for more information on this subject).

How to create and use a simple VeraCrypt container

Creating a container

The simplest way to use VeraCrypt is to create an encrypted container within a file. This file behaves just like any other file, and can be moved, deleted, renamed etc. as if it was a normal file.

1. Download VeraCrypt, install and run it, then click ‘Create Volume’ on the main screen.


2. Make sure the ‘Create an encrypted file container’ radio button is selected and click ‘Next’.


3. Make sure that ‘Standard VeraCrypt volume’ is selected and click ‘Next’.


4. Click ‘Select File’, choose where you want the file saved, and pick a name for the file. Do not select an already existing file as VeraCrypt will delete it and replace it with a new VeraCrypt container.


5. Choose an encryption algorithm and a hash algorithm. Information is provided on each encryption algorithm to help you choose one that is right for you. Generally speaking, the stronger the encryption, the longer the encryption/decryption process will take.


You can benchmark how fast the encryption/decryption takes, and test that all the algorithms are working properly.


Although not as fast as AES, we prefer Twofish because we are suspicious of anything NIST certified (we explain why here). We’ll also go with the Whirlpool hash algorithm for the same reason (see the full documentation for more info on this subject).

6. Choose how big you want the file to be. It can be any size up to the available free space on the drive where it is located.

7. Choose a password. This is a vital step; if your data is worth encrypting then it is worth protecting with a good password. The wizard offers some good advice on choosing a strong password (it is possible to use a keyfile instead, but for simplicity in this beginner’s tutorial we’ll just stick to using a password).


8. In the ‘Volume Format’ screen you can choose which file system to use. We’ll go for FAT to maintain maximum compatibility across devices and platforms. Moving your mouse pointer around the window increases the cryptographic strength of the encryption keys by introducing a truly random element (which increases security), so you should wiggle it around for at least 30 seconds. When you are done, click ‘Format’ and wait for the confirmation dialogue (then click ‘OK’ and ‘Exit’).


You have now created a VeraCrypt volume (file container)! Yay!

Mounting and using a VeraCrypt volume

1. Select a drive letter from the list on the VeraCrypt main screen. Then click ‘Select File’ and navigate to where you saved the VeraCrypt volume you just created, and ‘Open’. Once done, click ‘Mount’.

Any spare letter will do, so we’ll choose ‘J’. This will now be the drive letter assigned to our encrypted volume.

2. You will be asked for the password you specified earlier.


3. The volume is now mounted and will behave in all ways like a normal volume, except that all data on it is encrypted. You can open it by double-clicking on the volume name from the VeraCrypt main screen…


… or it can be accessed as a regular volume in Explorer.


As you can see, the basics of setting up a simple encrypted volume are quite easy, and VeraCrypt does a good job of holding your hand. To see how to set up a hidden volume, check out Part 2 of this guide.

Handy tip

If you use Dropbox and are worried about Dropbox being able to see your files, you can create an encrypted VeraCrypt container inside your Dropbox folder. In this way, all files placed in the mounted container will be encrypted before being uploaded to Dropbox, and decrypted locally for viewing.

Of course, this does not make sharing and collaborating on files easy, but it does secure them against prying eyes. Android users are also in luck, as the EDS (full) app allows you to browse and open VeraCrypt encrypted volumes when on the move (the free EDS Lite is compatible with TrueCrypt containers.)

Other TrueCrypt forks

The main rival to VeraCrypt is Ciphershed, which is also a fork based off the original TrueCrypt code. Unlike VeraCrypt, Ciphershed is fully compatible with legacy TrueCrypt containers, but is generally considered not as secure. A full discussion on the subject is available here, which includes the following statement,

As the author of VeraCrypt, I can say that the main difference with CipherShed is related to security:


  • Since 2013, we chose to enhance the key derivation because the TrueCrypt approach doesn’t offer the same security as in 2004 when it was released. This explains why TrueCrypt containers can’t be supported anymore in VeraCrypt (a conversion tool is planned).
  • In the latest version, we corrected most of the security issues discovered by the Open Crypto Audit project. In the next version, we’ll correct the security issue in the bootloader.

I understand CipherShed’s decision to stick with TrueCrypt format but this makes it difficult for them to enhance the security of the key derivation. Nevertheless, they can benefit from all the security fixes we have implemented so far (lack of time makes it difficult for me to contribute to CipherShed but since the two projects share the same code base, reporting the modifications from one project to another is feasible).

Some users prefer to stick with the last known ‘safe’ version of TrueCrypt (7.1a), but as this contains known (if not critical) weaknesses we recommend using VeraCrypt instead (or Ciphershed if backwards compatibility is important).
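The key-derivation change described in the quoted statement above, as an added Python example that is not from the article or from either project's code: it shows why a header sealed with TrueCrypt's parameters does not open with VeraCrypt's, and what the higher iteration count costs per password guess. The iteration counts (1,000 and 500,000 for HMAC-SHA-512 on non-system volumes) are the projects' documented defaults rather than figures from this page, and the header layout and SHAKE-256 keystream are simplified stand-ins for the real XTS-encrypted header.

```python
import hashlib
import hmac
import os
import time
import zlib

# PBKDF2 iteration counts for non-system volumes using HMAC-SHA-512, as
# published in each project's documentation (assumption: not stated on this page).
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 500_000   # default when no custom value is set

SALT_LEN = 64                    # both formats keep a 512-bit salt in the clear


def derive_header_key(password, salt, iterations):
    """Password + salt -> 64-byte header key via PBKDF2-HMAC-SHA-512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                               iterations, dklen=64)


def _keystream(key, length):
    # Stand-in for the real XTS block cipher, which the standard library lacks.
    return hashlib.shake_256(key).digest(length)


def seal_header(password, magic, iterations):
    """Toy header: clear salt || encrypted (magic + CRC32 + master key)."""
    salt = os.urandom(SALT_LEN)
    master_key = os.urandom(64)
    body = magic + zlib.crc32(master_key).to_bytes(4, "big") + master_key
    key = derive_header_key(password, salt, iterations)
    sealed = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return salt + sealed


def open_header(header, password, magic, iterations):
    """Return the master key if password and KDF parameters match, else None.

    There is no cleartext signature: the only test is whether the decrypted
    body starts with the expected magic and the CRC verifies. Random bytes,
    a wrong password and wrong KDF parameters all fail in the same way.
    """
    salt, sealed = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_header_key(password, salt, iterations)
    body = bytes(a ^ b for a, b in zip(sealed, _keystream(key, len(sealed))))
    found_magic, crc, master_key = body[:4], body[4:8], body[8:]
    crc_ok = crc == zlib.crc32(master_key).to_bytes(4, "big")
    if hmac.compare_digest(found_magic, magic) and crc_ok:
        return master_key
    return None


def seconds_per_guess(iterations):
    """Wall-clock cost of testing one candidate password."""
    start = time.perf_counter()
    derive_header_key("constructed-guess", bytes(SALT_LEN), iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "constructed passphrase"          # sample value, not a real secret
    old = seal_header(pw, b"TRUE", TRUECRYPT_ITERATIONS)
    as_tc = open_header(old, pw, b"TRUE", TRUECRYPT_ITERATIONS)
    as_vc = open_header(old, pw, b"VERA", VERACRYPT_ITERATIONS)
    print("opens with TrueCrypt parameters:", as_tc is not None)
    print("opens with VeraCrypt parameters:", as_vc is not None)
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                    ("VeraCrypt", VERACRYPT_ITERATIONS)):
        print(f"{name}: {seconds_per_guess(n):.4f} s per password guess")
```

The same per-guess cost is paid by the legitimate user once per mount and by anyone guessing passwords once per candidate, which is the trade-off the higher iteration count makes.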

For those still wary of anything to do with TrueCrypt (a quite understandable position in our view, regardless of the audit results) we have an article on 6 best open source alternatives to TrueCrypt.

Don’t forget to check out Part 2 of this article, in which we take a detailed look at VeraCrypt hidden volumes.

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

15 responses to “VeraCrypt & how-to basics”

  1. Hi D.,

    Thanks a lot for your enlightenments on the subject.

    You have once advised not to compress a veracrypt container. But the other way around shouldn’t do any harm, right? Or would you also recommend against “veracrypting” a zipped archive?

    Actually we can run directly a VeraCrypt container by clicking it: if the container is “masked” under another file extension like .jpg, .exe, .doc, .txt, etc., or even if it is an original .hc or even without any extension specified, you can just right-click it (or double-click it depending on the case) -> Open with -> VeraCrypt and you know the rest (mount, password, etc). At least on my computer it is working like that…

    Can you tell me what happens when I modify or create new files/folders inside a VC container which is inside a syncing dropbox or folder (or other similar cloud service)? Is it going to upload the entire container again or it will just upload the modified part of the file or does it depend on the cloud service and you cannot know for sure?
    Normally, how long does the uploading time takes per GB, assuming we have a good internet connection? I am experiencing some trouble with that… with a 100gb container. Can the pc or internet connection be turned off during the uploading process and when the connection is restored it will start uploading where it stopped or will this restart the uploading process from the very beginning all over again each time?

    Finally, would you recommend against using a .gif, .jp(e)g, .png, .exe, .doc, .txt, etc for a VC container or not and why? And if you think there is no problem in doing so, what would you suggest to avoid file corruption or overwriting. I am asking this because when I create a container using some of these extensions I receive a warning message saying to avoid some kinds of file extensions due to risk of data loss or overwriting by other programs but does not explain clearly why. So I got confused.

    Once again, thanks for your advice and patience.

    You have been very helpful.

    Best regards

    1. Hi johnyy,

      – TBH, I have not tried doing this either way round, but no, I can’t see the harm in creating a VeraCrypt container hidden inside a zip file. You could create a test file, and experiment.

      – Yes, but you can do this with any file, and VeraCrypt will mount it! It will even ask for a password, whether one exists or not. This makes it impossible to tell if a file is really a VeraCrypt hidden volume.

      – This all depends somewhat on the cloud service. Most will replace the old file with the new file, and then backup the old files (this is called versioning). Upload time depends entirely on the upload speed of your internet connection and capabilities of your cloud servers. 100gb is quite large, so it’s not surprising that upload times might be slow. Whether the PC can be turned off during upload and then continue afterwards depends on the technology used by your cloud provider. In general, if it uses P2P (e.g. BitTorrent) technology, then yes. If it uses HTTP transfers, then no.

      – Veracrypt does not care which file type you choose, so any of those is fine. In Part 2 of this guide I show how to prevent overwriting a VeraCrypt Hidden volume’s data with data from the outer container. Otherwise, just backup the file regularly (as you normally should). The warning probably comes because these are very common file types, and it is therefore easy to mistake them for regular files.

  2. Hi Douglas,

    A few questions about this VeraCrypt software.

    1. So, if I got it right and roughly speaking, I have to be very careful when creating a hidden volume inside another veracrypt volume so one doesn’t mess the other up and I can not create a hidden volume without a normal volume first to fit it in. Correct? It is not possible to create a hidden veracrypt volume just inside my partition or my hard drive or whatever and that is the reason why you have the option of masking your normal volume like it was another .jpg or .mp4 file instead of using the standard veracrypt extension which would raise a red flag, right?

    2. Is it possible to create a file container within another file container? If yes, is there any limit? I understand that you believe (and have tested) that we can only have 1 hidden volume inside a another volume. Is it the same for normal volumes and/or file containers? I think it like normal folders, ones hidden and others not but we can put and create other folders and files inside, ones in secret and other not that much.

    3. What are those drive/partition letters for? I can mount one of my file containers or volumes one time in the letter A and other time in the letter C and so on, right? It is there only to limit the number of volumes or containers you can open and manage at the same time. Am I getting this right or am I missing something? It is not possible to create more “letters” to that list, is it?

    4. I was surprised about your suspicions concerning the AES. I was convinced that AES-256 or even 128 was a good encryption, being the first like the best available.
    In the meantime I heard that combining AES, Twofish and Serpent. I didn’t even know it was possible but it makes sense. So, when it says, in the encryption algorithm options, AES(Twofish(Serpent)) or Serpent(Twofish(AES)) is that what it means? A combination with the three of them? Which one of these two would you prefer?
    Still about encryption, 7-Zip or WinRAR? I understand that for compressing WinRAR will be better in some cases according to what I have read but what about encryption?

    5. Other thing that confuses me is that if I choose a location for my file container or volume why would it happen in My PC or This PC as another drive?
    Is there any particular reason or it is like that just because but my file is located exactly where I decided and I should just forget about this in order to avoid more confusion in my head or is it because the creators would think it would be easier for organisation or is it because the OS recognises it as if it was another drive but anyway the file is located wherever I decided so let’s just forget about this?
    Anyway, I can change the file from the original location and it would still work, right? I just have to search for its new location before mounting it, correct? Of course I can! Otherwise people couldn’t move around their files or upload them to the clouds, instead they’d have to create the volume or container directly inside the syncing cloud folder or pendrive or hard drive…

    I know I am almost answering to my own question but just for writing them it makes it clearer than it was before and then you can correct me if I am wrong and/or add your comments to the reasoning.

    Thank you

    1. In the 5. question where it says “why would it happen in My PC or This PC” I mean “why would it APPEAR”, and not “happen”.

      Sorry about the misspelling.

    2. Hi johnyy,

      1. Any VeraCrypt volume can also contain a hidden container, and any VeraCrypt container can be hidden inside another file type. Hidden containers must be created inside a regular VeraCrypt container, and so must have an associated file. By default, the contents of a hidden container will be overwritten by the contents of the outer container, so the outer container should not be written to after creation – it exists purely to hide the existence of the hidden volume. As discussed in Part 2 of this guide however, it is possible to protect the data in your hidden container.

      2. You can create a hidden volume inside a normal VeraCrypt container, but you cannot otherwise create containers inside containers (as far as I know).

      3. When a VeraCrypt container is mounted, it acts just like a regular hard drive or USB drive, and therefore requires a drive letter. You cannot assign it a letter that is already taken (for example your hard disk is usually assigned c:), but otherwise you are limited only by the number of letters in the alphabet. There is also no limit (other than the number of letters in the alphabet) to the number of VeraCrypt containers you can mount at the same time.

      4. For my problem with AES, please see the NIST section of this article. The options you mention encrypt the file multiple times using different ciphers. For example, AES (Twofish(Serpent)) – “Three ciphers in a cascade operating in XTS mode. Each block is first encrypted with Serpent (256-bit key), then with Twofish (256-bit key), and finally with AES (256-bit key). Each cipher has its own key. All keys are mutually independent.” I use Twofish, which was developed by Bruce Schneier. I am not sure what you are after with WinRAR or 7-Zip, but I recommend against compressing a VeraCrypt container (although there is no harm trying on test container if you really want to).

      5. A VeraCrypt volume is a file, and can therefore be moved and copied to wherever you like, just like any regular file. To open it, double click on the file (wherever it is), and choose a drive letter to mount it to. It will be mounted by whichever PC you open the file with. If you know where you have moved the file to, then there is no need to search for it.

      I hope this helps.

      1. Hi Douglas,

        I really appreciate your help with this matter.

        Regarding to question 4:
        I meant, between those 2 options of triple cipher which one would you choose? Which one you find more secure?
        Also, I understand you like the Twofish cipher because you find it secure enough and doesn’t take too much time to encrypt and decrypt but a triple cipher would obviously be more secure although requiring more time to encrypt/decrypt, correct?
        About the 7-zip/WinRAR, I was not intending to compress a VeraCrypt file but it could be a later idea so I thank you for your advice. But what I wanted to know was to compress a random normal file and encrypt it with some software not as complex as VeraCrypt, would you say both of them make a good job? One is better than the other? I believe both of them use AES-256 but I am not sure. I understand what you feel about this type of cipher but since my possible adversary should not be the NSA but some random people sticking up their nose where it doesn’t belong I should be fine with this? Is there an alternative you would recommend? The point is a simple software to quickly encrypt a file or folder with sensitive content most likely to be shared or stored in/with cloud or e-mail. Even though you may recommend some other software I would still appreciate your opinion about these two softwares regarding to their encryption option.

        About 5.
        I am sorry I was not explicit enough. When I said “search for its new location” I was assuming the VeraCrypt file was disguised as another file type and you wanted to open it through VeraCrypt software directly instead of right-clicking the file – Open with – VeraCrypt so the VeraCrypt doesn’t be suggested on that list to open any file so possible nose-stickers don’t get any ideas.
        Anyway I understood and appreciate your enlightenment about this matter.

        And I have a new question regarding VeraCrypt’s reliability:
        Do you have experienced loss, or do you know someone who has, because of the encryption file itself? I mean, assuming nobody forgets the password (which is not necessarily true as we all know), and the precautions with the hidden files are taken, is it likely for the VeraCrypt file to be corrupted somehow and that the data within may be lost? I know that there is not such thing as a perfect software, everything fails sometime, and there are a lot of variables which can influence the behavior of the files/systems/softwares but is it likely to fail? Would you recommend to or have a backup of that data within the VeraCrypt file somewhere else, not encrypted (or encrypted with some other software), just in case, or as long as we have several copies of that VeraCrypt file there is no point in having a non-encrypted backup of the same data?

        Thank you for your patience and help

        1. Hi johnyy,

          – For my own use, I have chosen Twofish, as I consider multiple encryption using different ciphers to be massive overkill for my modest security purposes. Encrypting and decrypting multiple ciphers will take longer, but unless you are dealing with very large file sizes, this may well be unnoticeable on a modern computer.

          – VeraCrypt is good for encrypting entire folders, while also being able to use those files as you normally would (by mounting an encrypted volume as a drive). For encrypting individual files or folders primarily for storage, then yes, programs such as 7-zip and WinRAR are easier to use, and provide a high level of encryption. 7-Zip uses AES-256 with SHA-256 hash authentication, and WinRAR also uses AES-256. As far as I can tell WinRAR uses SHA-1 – this is broken (although not if employed as HMAC), but the 262144 rounds of random salt it uses should help counter this problem. For most purposes, I would consider both programs good for creating securely encrypted files (with 7-Zip having the edge).

          – I also recommend AESCrypt and AxCrypt. Please see 6 best open source alternatives to TrueCrypt for more details.

          – You cannot just right-click on a file -> Open with VeraCrypt. To open a VeraCrypt container you must run VeraCrypt -> Mount -> navigate to file. There is no way to tell that a file has a container hidden inside it (and even if you try to mount a normal file without any container hidden inside it, you will be asked for a password in order to provide obfuscation).

          – I have never experienced a problem with VeraCrypt files, but if the drive or media a file is stored on becomes corrupted or is damaged then you may lose the file. So yes, I always recommend making backups. If you have backed up the VeraCrypt file, then you no longer need to keep the unencrypted data.

  3. Veracrypt is suspect, and sucks in my opinion. After installation and testing it out (which was working fine at the time), when I went to turn on my computer again, it’s done. HP symbol all day and can’t even get a response from Veracrypt customer support. I’m all about customer service, and wouldn’t be as mad if I had someone respond to an email, any email kindly asking for advice in the situation.

    1. Hi Unhappy Customer,

      Do you understand the concept of free open source software (FOSS)? VeraCrypt is not a “product,” and there is no “customer service”. VeraCrypt is an open community project run by volunteers. If you are having problems then you can ask on the discussions forum. You will likely find the community very helpful, but it is under no obligation to provide any support. Despite issues such as not having any form of “customer service”, open source projects are much better when it comes to security than closed source commercial products. Please see Why Open Source is so Important for a discussion on why this is the case.

    1. Hi Imani,

      No. The only way to decrypt an encrypted Android is through its settings (System -> Security -> Decrypt Device), or through a full factory reset.

  4. I want to encrypt my entire Hard Drive. Then to unencrypt it, I have to enter the (type in) the password for my Windows 7 to start.
    My Question is: Can I store the password on a USB Stick and then insert it every time I want to boot, OR, do I have to manually type in the (long!) password?
    I want it to be just like Windows 7 BitLocker where you can just insert the USB Stick with the password on it.

    1. Hi Tony,

      VeraCrypt does allow you to create a keyfile, which can be stored on a USB stick and used to decrypt an encrypted hard drive (as long as it is not the system drive). Simply choose “Use keyfiles” instead of entering a password in step 7 above. Note that VeraCrypt allows you to use any file as a keyfile, so you can easily hide the keyfile inside an innocuous looking mp3, jpeg, etc. file.

      1. Hi Douglas,
        You said “Note that VeraCrypt allows you to use any file as a keyfile, so you can easily hide the keyfile inside an innocuous looking mp3, jpeg, etc.”
        Will that file be broken then, i.e. will the mp3 play, will the jpg/pdf render, … ? In other words is the key hidden within a std field inside the given file format ?
        So to move from TC to VeraCrypt, I need to have both apps running and transfer from one container to the other ? Is it OK to run both at the same time for such a critical transfer ?
        Thanks !
        PS: sorry, I just found out about this site, don’t know the forum rules regarding email in this form so the email is self destructing …

        1. Hi Marc,

          1) No, the file remains fully functional.
          2) Yes, that would probably be easiest. If you are worried about losing data then it might be better to transfer files out of the TC container to a regular unencrypted folder, then transfer them from the unencrypted folder to the VeraCrypt container. Once you have verified all the files in the new VeraCrypt container (and stored a backup of the container somewhere safe), you can delete the old TC container and unencrypted folder using a good file shredder (I use AxCrypt).

          ps. At BestVPN we value privacy, so therefore do not require readers to provide their real email addresses (so disposable emails are fine, as are completely made-up ones).