<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8" />

<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

<meta name="keywords" content="encryption, security"/>

<link href="styles.css" rel="stylesheet" type="text/css" />

</head>

<body>

<div>

</div>

<div id="menu">

<ul>

<li><a href="Home.html">Home</a></li>

<li><a href="/code/">Source Code</a></li>

<li><a href="Downloads.html">Downloads</a></li>

<li><a class="active" href="Documentation.html">Documentation</a></li>

<li><a href="Donation.html">Donate</a></li>

<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

</ul>

</div>

<div>

<p>

<a href="Documentation.html">Documentation</a>

<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

<a href="Plausible%20Deniability.html">Plausible Deniability</a>

<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

<a href="VeraCrypt%20Hidden%20Operating%20System.html">Hidden Operating System</a>

volume header cannot be identified, as it appears to consist entirely of random data). If the header is successfully decrypted (for information on how VeraCrypt determines that it was successfully decrypted, see the section

<a href="Encryption%20Scheme.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Encryption Scheme</a>), the information about the size of the hidden volume is retrieved from the decrypted header (which is still stored in RAM), and the hidden volume is mounted (its size also determines its offset). For further technical details, see the

section <a href="Encryption%20Scheme.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Encryption Scheme</a> in the chapter <a href="Technical%20Details.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Technical Details</a>.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

When running, the hidden operating system appears to be installed on the same partition as the original operating system (the decoy system). However, in reality, it is installed within the partition behind it (in a hidden volume). All read/write operations

are transparently redirected from the system partition to the hidden volume. Neither the operating system nor applications will know that data written to and read from the system partition is actually written to and read from the partition behind it (from/to

a hidden volume). Any such data is encrypted and decrypted on the fly as usual (with an encryption key different from the one that is used for the decoy operating system).</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

Note that there will also be a third password &mdash; the one for the <a href="Hidden%20Volume.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

<strong style="text-align:left">outer volume</strong></a>. It is not a pre-boot authentication password, but a regular VeraCrypt volume password. It can be safely disclosed to anyone forcing you to reveal the password for the encrypted partition where the hidden

volume (containing the hidden operating system) resides. Thus, the existence of the hidden volume (and of the hidden operating system) will remain secret. If you are not sure you understand how this is possible, or what an outer volume is, please read the

section <a href="Hidden%20Volume.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Hidden Volume</a>. The outer volume should contain some sensitive-looking files that you actually do

<em style="text-align:left">not</em> want to hide.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

To summarize, there will be three passwords in total. Two of them can be revealed to an attacker (for the decoy system and for the outer volume). The third password, for the hidden system, must remain secret.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<em style="text-align:left">Example Layout of System Drive Containing Hidden Operating System</em></div>

<p>&nbsp;</p>

<h4 id="CreationProcess" style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:12px; margin-bottom:1px">

Process of Creation of Hidden Operating System</h4>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

To start the process of creation of a hidden operating system, select <em style="text-align:left">

System</em> &gt; <em style="text-align:left">Create Hidden Operating System</em> and then follow the instructions in the wizard.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

Initially, the wizard verifies that there is a suitable partition for a hidden operating system on the system drive. Note that before you can create a hidden operating system, you need to create a partition for it on the system drive. It must be the first partition

behind the system partition and it must be at least 5% larger than the system partition (the system partition is the one where the currently running operating system is installed). However, if the outer volume (not to be confused with the system partition)

is formatted as NTFS, the partition for the hidden operating system must be at least 110% (2.1 times) larger than the system partition (the reason is that the NTFS file system always stores internal data exactly in the middle of the volume and, therefore,

the hidden volume, which is to contain a clone of the system partition, can reside only in the second half of the partition).</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

In the next steps, the wizard will create two VeraCrypt volumes (<a href="Hidden%20Volume.html" style="text-align:left; color:#0080c0; text-decoration:none.html">outer and hidden</a>) within the first partition behind the

system partition. The <a href="Hidden%20Volume.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

hidden volume</a> will contain the hidden operating system. The size of the hidden volume is always the same as the size of the system partition. The reason is that the hidden volume will need to contain a clone of the content of the system partition (see below).

Note that the clone will be encrypted using a different encryption key than the original. Before you start copying some sensitive-looking files to the outer volume, the wizard tells you the maximum recommended size of space that the files should occupy, so

that there is enough free space on the outer volume for the hidden volume.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<br style="text-align:left">

<br style="text-align:left">

Note: When the user attempts to encrypt the system partition with a cascade encryption algorithm, VeraCrypt warns him or her that it can cause the following problems (and implicitly recommends to choose a non-cascade encryption algorithm instead):

<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px; font-size:10px; line-height:12px">

For cascade encryption algorithms, the VeraCrypt Boot Loader is larger than normal and, therefore, there is not enough space in the first drive track for a backup of the VeraCrypt Boot Loader. Hence,

<em style="text-align:left">whenever</em> it gets damaged (which often happens, for example, during inappropriately designed anti-piracy activation procedures of certain programs), the user must use the VeraCrypt Rescue Disk to repair the VeraCrypt Boot Loader

or to boot. </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px; font-size:10px; line-height:12px">

On some computers, resuming from hibernation takes longer. </li></ul>

</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

In contrast to a password for a non-system VeraCrypt volume, a pre-boot authentication password needs to be typed each time the computer is turned on or restarted. Therefore, if the pre-boot authentication password is long (which is required for security purposes),

it may be very tiresome to type it so frequently. Hence, you can answer that it was more convenient for you to use a short (and therefore weaker) password for the system partition (i.e. the decoy system) and that it is more convenient for you to store the

most sensitive data (which you do not need to access as often) in the non-system VeraCrypt partition (i.e. in the outer volume) for which you chose a very long password.

<br style="text-align:left">

<br style="text-align:left">

As the password for the system partition is not very strong (because it is short), you do not intentionally store sensitive data on the system partition. However, you still prefer the system partition to be encrypted, because potentially sensitive or mildly

sensitive data is stored on it as a result of your everyday use of the computer (for example, passwords to online forums you visit, which can be automatically remembered by your browser, browsing history, applications you run, etc.)

</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

When an attacker gets hold of your computer when a VeraCrypt volume is mounted (for example, when you use a laptop outside), he can, in most cases, read any data stored on the volume (data is decrypted on the fly as he reads it). Therefore, it may be wise to

limit the time the volume is mounted to a minimum. Obviously, this may be impossible or difficult if the sensitive data is stored on an encrypted system partition or on an entirely encrypted system drive (because you would also have to limit the time you work

(so as to limit the time the volume is mounted to a minimum). On the system partition, you store data that is less sensitive (but which you need to access often) than data you store on the non-system partition (i.e. on the outer volume).

</li></ul>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

&nbsp;</div>

<h4 style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:12px; margin-bottom:1px">

Safety/Security Precautions and Requirements Pertaining to Hidden Operating Systems</h4>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

As a hidden operating system resides in a hidden VeraCrypt volume, a user of a hidden operating system must follow all of the security requirements and precautions that apply to normal hidden VeraCrypt volumes. These requirements and precautions, as well as

additional requirements and precautions pertaining specifically to hidden operating systems, are listed in the subsection

<a href="Security%20Requirements%20for%20Hidden%20Volumes.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Security Requirements and Precautions Pertaining to Hidden Volumes</a>.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

WARNING: If you do not protect the hidden volume (for information on how to do so, refer to the section

<a href="Protection%20of%20Hidden%20Volumes.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Protection of Hidden Volumes Against Damage</a>), do <em style="text-align:left">

not</em> write to the outer volume (note that the decoy operating system is <em style="text-align:left">

not</em> installed in the outer volume). Otherwise, you may overwrite and damage the hidden volume (and the hidden operating system within it)!</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

If all the instructions in the wizard have been followed and if the security requirements and precautions listed in the subsection

<a href="Security%20Requirements%20for%20Hidden%20Volumes.html" style="text-align:left; color:#0080c0; text-decoration:none.html">