FAT, exFAT, or NTFS?

Once you have defined a good password and clicked Next, you can move on to selecting the volume's filesystem. FAT or exFAT can be mounted on almost any other system later. NTFS gives you the ability to use additional authorizations or file attributes on Windows. Choose the filesystem that best suits your requirements. If required, check the boxes for quick formatting and the option to dynamically grow the volume. Next, move your mouse pointer to give the pseudo-random number generator for the crypto operations further random data. Once the bar at the bottom of the window turns green, press Format. After a short time, your volume is ready, and you can press Exit to close the dialog.

After creating your container, you are taken back to the VeraCrypt start window. Now search for your previously created container by clicking on Select File, select the desired drive letter in the area above, and then press Mount. Enter the password in the dialog box or browse to the keyfiles you selected previously for the secret in Keyfiles. Clicking on OK tells the disk manager to automatically mount the volume, which you can access directly.

If you created a hidden volume in the previous step, you will now see two options when mounting. If you want to access the contents of the hidden volume, you need to enter the matching secret in order to mount it directly. The container's outer volume is not displayed or changed. However, if you want to include the outer volume (e.g., to keep up appearances and store files) enter the secret for this outer volume here. In Options, make sure you also specify the secret of the hidden volume for protection to avoid it being accidentally overwritten (Figure 4).

Figure 4: Protect existing hidden volumes against accidental overwrites.

Encrypting Partitions and Hard Disks

If you want to encrypt entire partitions or data carriers, select the Encrypt a Partition/Drive option when creating a new volume. In Windows, again confirm the User Account Control (UAC) dialog to let VeraCrypt access your data carriers. As in a container, you can also create hidden volumes. Then select the data carrier to be encrypted. In my example, I will encrypt a USB memory stick. In this case, it is not necessary to partition the storage space in advance; you can encrypt the entire drive directly. The partitioning can then be changed within the encrypted area. VeraCrypt shows you available storage and partitions for selection.

Next you can choose whether to continue using the files that are already on the data carrier in the encrypted volume (the in-place encryption option). VeraCrypt can create encrypted storage media without you needing to manually temporarily store the files and transfer them back. Note that this only works with NTFS on Windows, because the operating system is only capable of shrinking NTFS filesystems on the fly, which is necessary to free up space for the encrypted volume on the data carrier.

If you want to continue without in-place encryption, select the other option and press Next. Before formatting, you will be warned once again that all data currently on the medium will be permanently deleted. If you are using a USB memory stick, you are also told that a drive letter will still be assigned on Windows. However, you must not use the drive in this way. Windows does not recognize any content and offers to format the stick directly when you connect it, which would delete the encrypted volume.

Protecting the System Partition

Now that you have some experience with VeraCrypt, you can encrypt your entire operating system. To do this, select Encrypt System Partition/Drive from the System menu at the top.

VeraCrypt even offers to install a hidden operating system. This gives plausible deniability at the operating system level to deny the existence of a hidden operating system installation.

For my example, I will use normal encryption and then opt to encrypt the entire data carrier and not just the system partition. The entire data carrier then also includes any recovery or boot partitions, which is why VeraCrypt recommends that you only encrypt the system partition for the recovery. Otherwise, depending on the BIOS configuration, you could lose access to your system completely.