
VeraCrypt & how-to basics

For a long time TrueCrypt was the go-to full disk encryption solution for security professionals (it was recommended by Edward Snowden, and successfully prevented the UK police from accessing files carried by Glenn Greenwald’s partner, David Miranda).

The security world was therefore extremely alarmed when the TrueCrypt developers withdrew their product under very suspicious circumstances (a situation which led to no small amount of general paranoia). At the time, a crowdfunded full audit of the software was being performed, Phase I of which had recently given it the all-clear.

The withdrawal of TrueCrypt by its developers threw the auditing project into some disarray, but it was finally decided to continue onto Phase II and finish the audit. This was completed at the beginning of April 2015, and although some problems were discovered, the report (as summarized in this blog post) found that,

Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

This is great news, but it leaves the problem that TrueCrypt is no longer supported. With some known weaknesses, plus the fact that no more updates will become available, it is difficult to recommend using TrueCrypt these days. So enter VeraCrypt…

VeraCrypt

VeraCrypt is a fully audited and open source fork of TrueCrypt that ‘solves many vulnerabilities and security issues found in TrueCrypt.’ It is also under active development, so further improvements can be expected and any remaining flaws are likely to be patched in due course.

With VeraCrypt you can:

  • Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume)
  • Encrypt an entire partition or storage device (e.g. a hard drive or USB stick)
  • Create a partition or storage device containing an entire operating system (which can be hidden)

All encryption is performed on-the-fly, so once a volume is mounted VeraCrypt is transparent in operation. The price of this convenience (and it is one of the things that makes VeraCrypt a great program) is that the volume’s master key has to sit in RAM for as long as the volume is mounted. Anything that can read that memory can recover the key: malware already running on the machine, a memory dump or hibernation file, or a cold-boot attack against a machine that has just been powered off. Keyloggers are a separate threat: they capture the password itself as you type it. Dismount volumes when you are not using them, and assume that a machine you suspect is already compromised cannot keep any secret.

Hidden volumes and hidden operating systems provide plausible deniability, as it should be impossible to prove they exist (as long as all the correct precautions are taken). In Part 2 of this article we explore hidden volumes in detail.

VeraCrypt is available for Windows, OS X and Linux. Our how-to guide was written for Windows 8.1, but the basics should be more or less the same on any operating system (and for other forks or versions of TrueCrypt).

Note that unlike Ciphershed, VeraCrypt is not compatible with TrueCrypt volumes (see the end of this article for more information on this subject).

How to create and use a simple VeraCrypt container

Creating a container

The simplest way to use VeraCrypt is to create an encrypted container within a file. This file behaves just like any other file, and can be moved, deleted, renamed etc. as if it was a normal file.

1. Download VeraCrypt, install and run it, then click ‘Create Volume’ on the main screen.


2. Make sure the ‘Create an encrypted file container’ radio button is selected and click ‘Next’.


3. Make sure that ‘Standard VeraCrypt volume’ is selected and click ‘Next’.


4. Click ‘Select File’, choose where you want the file saved, and pick a name for the file. Do not select an already existing file as VeraCrypt will delete it and replace it with a new VeraCrypt container.


5. Choose an encryption algorithm and a hash algorithm. The wizard describes each option to help you choose one that is right for you. The speed trade-off is mostly about cascades: an option such as AES(Twofish(Serpent)) encrypts every block three times and is correspondingly slower, while AES on its own is usually the fastest choice on CPUs with AES-NI hardware acceleration. The hash algorithm is used to derive the key from your password, not to encrypt your data.


The ‘Benchmark’ button measures each algorithm’s throughput on your own machine, and ‘Test’ runs the built-in test vectors to confirm that the implementations are working correctly.


Although it is not as fast as AES, we prefer Twofish because we are suspicious of anything NIST certified (we explain why here). We’ll also go with the Whirlpool hash algorithm for the same reason (see the full documentation for more information on this subject).

6. Choose how big you want the file to be. It can be any size up to the available free space on the drive it is located on.

7. Choose a password. This is a vital step: if your data is worth encrypting then it is worth protecting with a good password. The wizard offers some good advice on choosing a strong one. Note that there is no recovery mechanism of any kind; if you forget the password, the data is gone. (It is possible to use a keyfile instead of, or as well as, a password, but for simplicity in this beginner’s tutorial we’ll just stick to using a password.)


8. In the ‘Volume Format’ screen you can choose which file system to use. We’ll go for FAT to maintain maximum compatibility across devices and platforms; bear in mind that FAT cannot hold a single file larger than 4 GiB, so choose NTFS (or exFAT where offered) if you will be storing large files. Moving your mouse pointer around the window feeds unpredictable input into VeraCrypt’s random number generator, from which the master key and salt are generated, so wiggle it around as randomly as you can for at least 30 seconds. When you are done, click ‘Format’ and wait for the confirmation dialogue (then click ‘OK’ and ‘Exit’).


You have now created a VeraCrypt volume (file container)! Yay!

Mounting and using a VeraCrypt volume

1. Select a drive letter from the list on the VeraCrypt main screen. Any spare letter will do, so we’ll choose ‘J’; this will be the drive letter assigned to our encrypted volume. Then click ‘Select File’, navigate to where you saved the VeraCrypt volume you just created, click ‘Open’, and then click ‘Mount’.

2. You will be asked for the password you specified earlier.


3. The volume is now mounted and behaves in every way like a normal volume, except that everything written to it is encrypted on the fly. You can open it by double-clicking the volume in the VeraCrypt main screen…


… or access it as a regular volume in Explorer.


As you can see, the basics of setting up a simple encrypted volume are quite easy, and VeraCrypt does a good job of holding your hand. Remember to click ‘Dismount’ on the main screen when you have finished with the volume, so that its key is no longer held in memory. To see how to set up a hidden volume, check out Part 2 of this guide.
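The GUI steps above map one-to-one onto VeraCrypt’s text-mode command line, which is what you want when scripting container handling or working on a headless Linux box. The script below is an added example written for this page, not code from the article or from the VeraCrypt project. It makes the same choices as the walkthrough (standard volume, Twofish, Whirlpool, FAT); CONTAINER, MOUNTPOINT and SIZE are placeholders, and it assumes a VeraCrypt build whose `veracrypt --text --help` lists the options it uses, including `--stdin` for reading the password from standard input (builds without it only accept `--password=`, which exposes the password to every local user through `ps`). Run it with DRY_RUN=1 first to see the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the ProPrivacy article or the VeraCrypt project):
# the walkthrough's create -> mount -> use -> dismount cycle driven from
# VeraCrypt's text-mode command line on Linux, with the same choices as the
# screenshots: standard volume, Twofish, Whirlpool, FAT.
#
# Assumptions: CONTAINER, MOUNTPOINT and SIZE below are placeholders; the
# installed VeraCrypt's `veracrypt --text --help` lists --stdin.
# Set DRY_RUN=1 to print the commands instead of executing them.

CONTAINER="${CONTAINER:-$HOME/secret.hc}"   # placeholder container path
MOUNTPOINT="${MOUNTPOINT:-$HOME/vc}"         # placeholder mount point
SIZE="${SIZE:-256M}"                         # placeholder container size

run() {
    # Execute the given command, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vc_create() {
    # $1 = container path, $2 = size. The password is read from stdin
    # (--stdin) rather than passed as --password=..., which would be visible
    # to every local user via `ps`. --random-source replaces the GUI's
    # mouse-wiggling as the entropy source for the master key and salt.
    run veracrypt --text --non-interactive --create "$1" --size="$2" \
        --volume-type=normal --encryption=Twofish --hash=Whirlpool \
        --filesystem=FAT --pim=0 --keyfiles= --random-source=/dev/urandom --stdin
}

vc_mount() {
    # $1 = container path, $2 = mount point; password again on stdin.
    # --protect-hidden=no: this is a plain container with no hidden volume.
    run veracrypt --text --non-interactive --mount "$1" "$2" \
        --pim=0 --keyfiles= --protect-hidden=no --stdin
}

vc_dismount() {
    # Dismounting drops the volume key from RAM; do it as soon as you are done.
    run veracrypt --text --dismount "$1"
}

read_password() {
    # Prompt with echo off when attached to a terminal, so the password ends
    # up neither in the shell history nor in the process list.
    printf 'VeraCrypt password: ' >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r _pw
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    printf '%s' "$_pw"
}

main() {
    mkdir -p "$MOUNTPOINT"
    pw=$(read_password)
    printf '%s\n' "$pw" | vc_create "$CONTAINER" "$SIZE"      || exit 1
    printf '%s\n' "$pw" | vc_mount "$CONTAINER" "$MOUNTPOINT" || exit 1
    unset pw
    run veracrypt --text --list "$CONTAINER"           # confirm it is mounted
    if [ "${DRY_RUN:-0}" != "1" ]; then
        printf 'written inside the encrypted volume\n' > "$MOUNTPOINT/note.txt"
        ls -l "$MOUNTPOINT"
    fi
    vc_dismount "$CONTAINER"
}

# Run the cycle only in DRY_RUN mode or when VeraCrypt is actually installed.
if [ "${DRY_RUN:-0}" = "1" ] || command -v veracrypt >/dev/null 2>&1; then
    main
fi
```

On Windows the GUI executable accepts analogous switches (/volume, /letter, /dismount; see the ‘Command Line Usage’ page of the VeraCrypt documentation). Whichever platform you use, the reason for dismounting promptly is the one given earlier: the volume key stays in RAM until the volume is dismounted.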

Handy tip

If you use Dropbox and are worried about Dropbox being able to see your files, you can create an encrypted VeraCrypt container inside your Dropbox folder. Files placed in the mounted container are encrypted before they are uploaded to Dropbox, and are only ever decrypted locally for viewing. Dismount the container before letting Dropbox sync it, so that the copy it uploads is consistent.

Of course, this does not make sharing and collaborating on files easy, but it does secure them against prying eyes. Android users are also in luck, as the EDS (full) app allows you to browse and open VeraCrypt encrypted volumes when on the move (the free EDS Lite is compatible with TrueCrypt containers).

Other TrueCrypt forks

The main rival to VeraCrypt is Ciphershed, which is also a fork based off the original TrueCrypt code. Unlike VeraCrypt, Ciphershed is fully compatible with legacy TrueCrypt containers, but is generally considered not as secure.

As the author of VeraCrypt, I can say that the main difference with CipherShed is related to security:

  • Since 2013, we chose to enhance the key derivation because the TrueCrypt approach doesn't offer the same security as in 2004 when it was released. This explains why TrueCrypt containers can't be supported anymore in VeraCrypt (a conversion tool is planned).
  • In the latest version, we corrected most of the security issues discovered by the Open Crypto Audit project. In the next version, we'll correct the security issue in the bootloader.

I understand CipherShed's decision to stick with the TrueCrypt format, but this makes it difficult for them to enhance the security of the key derivation. Nevertheless, they can benefit from all the security fixes we have implemented so far (lack of time makes it difficult for me to contribute to CipherShed, but since the two projects share the same code base, reporting the modifications from one project to another is feasible).

Some users prefer to stick with the last known ‘safe’ version of TrueCrypt (7.1a), but as this contains known (if not critical) weaknesses we recommend using VeraCrypt instead (or Ciphershed if backwards compatibility is important).

For those still wary of anything to do with TrueCrypt (a quite understandable position in our view, regardless of the audit results) we have an article on 6 best open source alternatives to TrueCrypt.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

21 Comments

David Brown
on February 16, 2018
Hi, I have carried out the above twice now but the folder, after showing on the "my computer" for a few days, then disappears and I have to do it all again. I hadn't put anything in the folder luckily but not sure what I am doing wrong after mounting it into a spare drive letter.
Douglas Crawford replied to David Brown
on February 19, 2018
Hi David, When the folder disappears from My Computer, have you tried re-mounting the file in VeraCrypt?
jeremy replied to David Brown
on April 23, 2019
Hi Doug, so what is your recommendation for an encryption tool that is user friendly? Maybe one of the commercial ones with zero knowledge; even AxCrypt seems difficult to use. It's scary being locked out without recourse to a password hint, like with VeraCrypt.
douglas replied to jeremy
on April 30, 2019
Hi Jeremy, Zero knowledge products have the same problem that VeraCrypt has, in that they don't record your passwords. Full-disk encryption is performed locally, and so is not a service that you subscribe to. As such, remembering your own passwords is pretty much always a must. I would suggest using a password manager with online backup such as Bitwarden (https://proprivacy.com/privacy-news/bitwarden-review/) to remember passwords for you.
Jeanette
on December 16, 2016
Hi, I encrypted my computer, went away for a few days, and now I am back and have attempted several times to enter the password, which I know is correct, and it keeps telling me that it is incorrect. I have tried all the solutions that were offered when I encrypted it and nothing works. I am beyond frustrated. Can you shed some light and tell me what I can do to be able to get back into my computer? Nothing seems to work now.
Douglas Crawford replied to Jeanette
on December 19, 2016
Hi Jeanette, I'm afraid that I have some very bad news for you. The entire point of full disk encryption is that it makes it impossible to access encrypted data without the correct password. If you are 100% sure that you are entering the correct password, then I can only guess that you have hit some kind of bug in the VeraCrypt software. This is very unfortunate, and almost certainly means that you will not be able to just "get back into" your computer. What you can do is take out the hard/SSD drive, plug it into another computer, format it, return it to your computer, and reinstall Windows (or OS of choice). All your data etc. will be lost, but you will, at least, be able to use your hardware again...
johnyy
on September 13, 2016
Hi D., Thanks a lot for your enlightenment on the subject. You have once advised not to compress a VeraCrypt container. But the other way around shouldn't do any harm, right? Or would you also recommend against "veracrypting" a zipped archive? Actually we can run a VeraCrypt container directly by clicking it: if the container is "masked" under another file extension like .jpg, .exe, .doc, .txt, etc., or even if it is an original .hc, or even without any extension specified, you can just right-click it (or double-click it, depending on the case) -> Open with -> VeraCrypt and you know the rest (mount, password, etc.). At least on my computer it is working like that... Can you tell me what happens when I modify or create new files/folders inside a VC container which is inside a syncing Dropbox or g.drive folder (or other similar cloud service)? Is it going to upload the entire container again, or will it just upload the modified part of the file, or does it depend on the cloud service and you cannot know for sure? Normally, how long does the upload take per GB, assuming we have a good internet connection? I am experiencing some trouble with that... with a 100 GB container. Can the PC or internet connection be turned off during the upload process and, when the connection is restored, will it start uploading where it stopped, or will this restart the upload process from the very beginning all over again each time? Finally, would you recommend against using a .gif, .jp(e)g, .png, .exe, .doc, .txt, etc. for a VC container or not, and why? And if you think there is no problem in doing so, what would you suggest to avoid file corruption or overwriting? I am asking this because when I create a container using some of these extensions I receive a warning message saying to avoid some kinds of file extensions due to risk of data loss or overwriting by other programs, but it does not explain clearly why. So I got confused. Once again, thanks for your advice and patience.
You have been very helpful. Best regards
Douglas Crawford replied to johnyy
on September 14, 2016
Hi johnyy, - TBH, I have not tried doing this either way round, but no, I can't see the harm in creating a VeraCrypt container hidden inside a zip file. You could create a test file and experiment. - Yes, but you can do this with any file, and VeraCrypt will mount it! It will even ask for a password, whether one exists or not. This makes it impossible to tell if a file is really a VeraCrypt hidden volume. - This all depends somewhat on the cloud service. Most will replace the old file with the new file, and then back up the old files (this is called versioning). Upload time depends entirely on the upload speed of your internet connection and the capabilities of your cloud servers. 100 GB is quite large, so it's not surprising that upload times might be slow. Whether the PC can be turned off during upload and then continue afterwards depends on the technology used by your cloud provider. In general, if it uses P2P (e.g. BitTorrent) technology, then yes. If it uses HTTP transfers, then no. - VeraCrypt does not care which file type you choose, so any of those is fine. In Part 2 of this guide I show how to prevent overwriting a VeraCrypt hidden volume's data with data from the outer container. Otherwise, just back up the file regularly (as you normally should). The warning probably comes because these are very common file types, and it is therefore easy to mistake them for regular files.
johnyy
on August 24, 2016
Hi Douglas, A few questions about this VeraCrypt software. 1. So, if I got it right, and roughly speaking, I have to be very careful when creating a hidden volume inside another VeraCrypt volume so one doesn't mess the other up, and I cannot create a hidden volume without a normal volume first to fit it in. Correct? It is not possible to create a hidden VeraCrypt volume just inside my partition or my hard drive or whatever, and that is the reason why you have the option of masking your normal volume like it was another .jpg or .mp4 file instead of using the standard VeraCrypt extension, which would raise a red flag, right? 2. Is it possible to create a file container within another file container? If yes, is there any limit? I understand that you believe (and have tested) that we can only have 1 hidden volume inside another volume. Is it the same for normal volumes and/or file containers? I think of it like normal folders, some hidden and others not, but we can put and create other folders and files inside, some in secret and others not so much. 3. What are those drive/partition letters for? I can mount one of my file containers or volumes one time on the letter A and another time on the letter C and so on, right? It is there only to limit the number of volumes or containers you can open and manage at the same time. Am I getting this right or am I missing something? It is not possible to create more "letters" for that list, is it? 4. I was surprised about your suspicion concerning AES. I was convinced that AES-256 or even 128 was good encryption, the first being the best available. In the meantime I heard about combining AES, Twofish and Serpent. I didn't even know it was possible, but it makes sense. So, when it says, in the encryption algorithm options, AES(Twofish(Serpent)) or Serpent(Twofish(AES)), is that what it means? A combination of the three of them? Which one of these two would you prefer? Still about encryption, 7-Zip or WinRAR?
I understand that for compressing WinRAR will be better in some cases according to what I have read, but what about encryption? 5. Another thing that confuses me is that if I choose a location for my file container or volume, why would it happen in My PC or This PC as another drive? Is there any particular reason, or is it like that just because, but my file is located exactly where I decided and I should just forget about this in order to avoid more confusion in my head? Or is it because the creators would think it would be easier for organisation, or is it because the OS recognises it as if it was another drive, but anyway the file is located wherever I decided, so let's just forget about this? Anyway, I can change the file from the original location and it would still work, right? I just have to search for its new location before mounting it, correct? Of course I can! Otherwise people couldn't move around their files or upload them to the clouds; instead they'd have to create the volume or container directly inside the syncing cloud folder or pendrive or hard drive... I know I am almost answering my own question, but just writing them out makes it clearer than it was before, and then you can correct me if I am wrong and/or add your comments to the reasoning. Thank you
johnyy replied to johnyy
on August 24, 2016
In the 5th question where it says "why would it happen in My PC or This PC" I mean "why would it APPEAR", and not "happen". Sorry about the misspelling.
Douglas Crawford replied to johnyy
on August 24, 2016
Hi johnyy, 1. Any VeraCrypt volume can also contain a hidden container, and any VeraCrypt container can be hidden inside another file type. Hidden containers must be created inside a regular VeraCrypt container, and so must have an associated file. By default, the contents of a hidden container will be overwritten by the contents of the outer container, so the outer container should not be written to after creation - it exists purely to hide the existence of the hidden volume. As discussed in Part 2 of this guide, however, it is possible to protect the data in your hidden container. 2. You can create a hidden volume inside a normal VeraCrypt container, but you cannot otherwise put containers inside containers (as far as I know). 3. When a VeraCrypt container is mounted, it acts just like a regular hard drive or USB drive, and therefore requires a drive letter. You cannot assign it a letter that is already taken (for example, your hard disk is usually assigned C:), but otherwise you are limited only by the number of letters in the alphabet. There is also no limit (other than the number of letters in the alphabet) to the number of VeraCrypt containers you can mount at the same time. 4. For my problem with AES, please see the NIST section of this article. The options you mention encrypt the file multiple times using different ciphers. For example, AES(Twofish(Serpent)) - "Three ciphers in a cascade operating in XTS mode. Each block is first encrypted with Serpent (256-bit key), then with Twofish (256-bit key), and finally with AES (256-bit key). Each cipher has its own key. All keys are mutually independent." I use Twofish, which was developed by Bruce Schneier. I am not sure what you are after with WinRAR or 7-Zip, but I recommend against compressing a VeraCrypt container (although there is no harm in trying on a test container if you really want to). 5. A VeraCrypt volume is a file, and can therefore be moved and copied to wherever you like, just like any regular file.
To open it, double-click on the file (wherever it is), and choose a drive letter to mount it to. It will be mounted by whichever PC you open the file with. If you know where you have moved the file to, then there is no need to search for it. I hope this helps.
johnyy replied to Douglas Crawford
on August 25, 2016
Hi Douglas, I really appreciate your help with this matter. Regarding question 4: I meant, between those 2 options of triple cipher, which one would you choose? Which one do you find more secure? Also, I understand you like the Twofish cipher because you find it secure enough and it doesn't take too much time to encrypt and decrypt, but a triple cipher would obviously be more secure, although requiring more time to encrypt/decrypt, correct? About 7-Zip/WinRAR, I was not intending to compress a VeraCrypt file, but it could be a later idea, so I thank you for your advice. But what I wanted to know was, to compress a random normal file and encrypt it with some software not as complex as VeraCrypt, would you say both of them do a good job? Is one better than the other? I believe both of them use AES-256, but I am not sure. I understand what you feel about this type of cipher, but since my possible adversary should not be the NSA but some random people sticking their nose where it doesn't belong, I should be fine with this? Is there an alternative you would recommend? The point is a simple piece of software to quickly encrypt a file or folder with sensitive content most likely to be shared or stored in/with the cloud or e-mail. Even though you may recommend some other software, I would still appreciate your opinion about these two programs regarding their encryption option. About 5: I am sorry I was not explicit enough. When I said "search for its new location" I was assuming the VeraCrypt file was disguised as another file type and you wanted to open it through the VeraCrypt software directly, instead of right-clicking the file -> Open with -> VeraCrypt, so that VeraCrypt isn't suggested on that list to open any file and possible nose-stickers don't get any ideas. Anyway, I understood and appreciate your enlightenment on this matter.
And I have a new question regarding VeraCrypt's reliability: Have you experienced loss, or do you know someone who has, because of the encryption file itself? I mean, assuming nobody forgets the password (which is not necessarily true, as we all know), and the precautions with the hidden files are taken, is it likely for the VeraCrypt file to be corrupted somehow and the data within to be lost? I know that there is no such thing as perfect software, everything fails sometime, and there are a lot of variables which can influence the behavior of the files/systems/software, but is it likely to fail? Would you recommend having a backup of the data within the VeraCrypt file somewhere else, not encrypted (or encrypted with some other software), just in case, or as long as we have several copies of that VeraCrypt file is there no point in having a non-encrypted backup of the same data? Thank you for your patience and help
Douglas Crawford replied to johnyy
on August 30, 2016
Hi johnyy, - For my own use, I have chosen Twofish, as I consider multiple encryption using different ciphers to be massive overkill for my modest security purposes. Encrypting and decrypting with multiple ciphers will take longer, but unless you are dealing with very large file sizes, this may well be unnoticeable on a modern computer. - VeraCrypt is good for encrypting entire folders, while also being able to use those files as you normally would (by mounting an encrypted volume as a drive). For encrypting individual files or folders primarily for storage, then yes, programs such as 7-Zip and WinRAR are easier to use, and provide a high level of encryption. 7-Zip uses AES-256 with SHA-256 hash authentication, and WinRAR also uses AES-256. As far as I can tell WinRAR uses SHA-1 – this is broken (although not if employed as HMAC), but the 262144 rounds of random salt it uses should help counter this problem. For most purposes, I would consider both programs good for creating securely encrypted files (with 7-Zip having the edge). - I also recommend AESCrypt and AxCrypt. Please see 6 best open source alternatives to TrueCrypt for more details. - You cannot just right-click on a file -> Open with VeraCrypt. To open a VeraCrypt container you must run VeraCrypt -> Mount -> navigate to file. There is no way to tell that a file has a container hidden inside it (and even if you try to mount a normal file without any container hidden inside it, you will be asked for a password in order to provide obfuscation). - I have never experienced a problem with VeraCrypt files, but if the drive or media a file is stored on becomes corrupted or is damaged then you may lose the file. So yes, I always recommend making backups. If you have backed up the VeraCrypt file, then you no longer need to keep the unencrypted data.
