VeraCrypt

Documentation >> Main Program Window >> Program Menu

Program Menu

Note: To save space, only the menu items that are not self-explanatory are described in this documentation.

Volumes -> Auto-Mount All Device-Hosted Volumes

See the section Auto-Mount Devices.

Volumes -> Dismount All Mounted Volumes

See the section Dismount All.

Volumes -> Change Volume Password

Allows changing the password of the currently selected VeraCrypt volume (no matter whether the volume is hidden or standard). Only the header key and the secondary header key (XTS mode) are changed – the master key remains unchanged. This function re-encrypts the volume header using

a header encryption key derived from a new password. Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will not be lost after you use this function (password change will only take a few seconds).

To change a VeraCrypt volume password, click on Select File or Select Device, then select the volume, and from the Volumes menu select Change Volume Password.

Note: For information on how to change a password used for pre-boot authentication, please see the section System -> Change Password.

See also the chapter Security Requirements and Precautions.

PKCS-5 PRF

In this field you can select the algorithm that will be used in deriving new volume header keys (for more information, see the section Header Key Derivation, Salt, and Iteration Count) and in generating the new salt (for more information, see the section Random Number Generator).

Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter Security Requirements and Precautions).

Volumes -> Set Header Key Derivation Algorithm

This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will not be lost after you use this function. For more information, see the section Header Key Derivation, Salt, and Iteration Count.

Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter Security Requirements and Precautions).

Volumes -> Add/Remove Keyfiles to/from Volume

Volumes -> Remove All Keyfiles from Volume

See the chapter Keyfiles.

Favorites -> Add Mounted Volume to Favorites Favorites -> Organize Favorite Volumes Favorites -> Mount Favorites Volumes

See the chapter Favorite Volumes.

Favorites -> Add Mounted Volume to System Favorites

Favorites -> Organize System Favorite Volumes

See the chapter System Favorite Volumes.

System -> Change Password

Changes the password used for pre-boot authentication (see the chapter System Encryption). WARNING: Your VeraCrypt Rescue Disk allows you to restore key data if it is damaged. By doing so, you also restore the password that was valid when the VeraCrypt Rescue Disk was created. Therefore, whenever you change the password, you should destroy your VeraCrypt Rescue Disk and create a new one (select System -> Create Rescue Disk). Otherwise, an attacker could decrypt your system partition/drive using the old password (if he finds the old VeraCrypt Rescue Disk and uses it to restore the key data). See also the chapter Security Requirements and Precautions.

For more information on changing a password, please see the section Volumes -> Change Volume Password above.

System -> Mount Without Pre-Boot Authentication

Check this option, if you need to mount a partition that is within the key scope of system encryption without pre-boot authentication. For example, if you need to mount a partition located on the encrypted system drive of another operating system that is not running. This can be useful e.g. when you need to back up or repair an operating system encrypted by VeraCrypt (from within another operating system).

Note 1: If you need to mount multiple partitions at once, click ‘Auto-Mount Devices’, then click ‘Mount Options’ and enable the option ‘Mount partition using system encryption without pre-boot authentication’.

Please note you cannot use this function to mount extended (logical) partitions that are located on an entirely encrypted system drive.

Tools -> Clear Volume History

Clears the list containing the file names (if file-hosted) and paths of the last twenty successfully mounted volumes.

Tools -> Traveler Disk Setup

See the chapter Portable Mode.

Tools -> Keyfile Generator

See section Tools -> Keyfile Generator in the chapter Keyfiles.

Tools -> Backup Volume Header

Tools -> Restore Volume Header

If the header of a VeraCrypt volume is damaged, the volume is, in most cases, impossible to mount. Therefore, each volume created by VeraCrypt (except system partitions) contains an embedded backup header, located at the end of the volume. For extra safety, you can also create external volume header backup files. To do so, click Select Device or Select File, select the volume, select Tools -> Backup Volume Header, and then follow the instructions.

Note: For system encryption, there is no backup header at the end of the volume. For non-system volumes, a shrink operation is done first to ensure that all data are put at the beginning of the volume, leaving all free space at the end so that we have a place to put the backup header. For system partitions, we can't perform this needed shrink operation while Windows is running and so the backup header can't be created at the end of the partition. The alternative way in the case of system encryption is the use of the Rescue Disk.

Note: A backup header (embedded or external) is not a copy of the original volume header because it is encrypted with a different header key derived using a different salt (see the section Header Key Derivation, Salt, and Iteration Count). When the volume password and/or keyfiles are changed, or when the header is restored from the embedded (or an external) header backup, both the volume header and the backup header (embedded in the volume) are re-encrypted with header keys derived using newly generated salts (the salt for the volume header is different from the salt for the backup header). Each salt is generated by the VeraCrypt random number generator (see the section Random Number Generator).

Both types of header backups (embedded and external) can be used to repair a damaged volume header. To do so, click Select Device or Select File, select the volume, select Tools -> Restore Volume Header, and then follow the instructions.

WARNING: Restoring a volume header also restores the volume password and PIM that were valid when the backup was created. Moreover, if keyfile(s) are/is necessary to mount a volume when the backup is created, the same keyfile(s) will be necessary to mount the volume again after the volume header is restored. For more information, see the section Encryption Scheme in the chapter Technical Details.

After you create a volume header backup, you might need to create a new one only when you change the volume password and/or keyfiles, or when you change the PIM value. Otherwise, the volume header remains unmodified so the volume header backup remains up-to-date.

Note: Apart from salt (which is a sequence of random numbers), external header backup files do not contain any unencrypted information and they cannot be decrypted without knowing the correct password and/or supplying the correct keyfile(s). For more information, see the chapter Technical Details.

When you create an external header backup, both the standard volume header and the area where a hidden volume header can be stored is backed up, even if there is no hidden volume within the volume (to preserve plausible deniability of hidden volumes). If there is no hidden volume within the volume, the area reserved for the hidden volume header in the backup file will be filled with random data (to preserve plausible deniability).

When restoring a volume header, you need to choose the type of volume whose header you wish to restore (a standard or hidden volume). Only one volume header can be restored at a time. To restore both headers, you need to use the function twice (Tools -> Restore Volume Header). You will need to enter the correct password (and/or to supply the correct keyfiles) and the non-default PIM value, if applicable, that were valid when the volume header backup was created. The password (and/or keyfiles) and PIM will also automatically determine the type of the volume header to restore, i.e. standard or hidden (note that VeraCrypt determines the type through the process of trial and error).

Note: If the user fails to supply the correct password (and/or keyfiles) and/or the correct non-default PIM value twice in a row when trying to mount a volume, VeraCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using the primary header) each subsequent time that the user attempts to mount the volume (until he or she clicks Cancel). If VeraCrypt fails to decrypt the primary header but it successfully decrypts the embedded backup header at the same time, the volume is mounted and the user is warned that the volume header is damaged (and informed as to how to repair it).

Settings -> Performance and Driver Options

Invokes the Performance dialog window, where you can change enable or disable AES Hardware acceleration and thread based parallelization. You can also change the following driver option:

Enable extended disk control codes support

If enabled, VeraCrypt driver will support returning extended technical information about mounted volumes through IOCTL_STORAGE_QUERY_PROPERTY control code. This control code is always supported by physical drives and it can be required by some applications to get technical information about a drive (e.g. the Windows fsutil program uses this control code to get the physical sector size of a drive.).
Enabling this option brings VeraCrypt volumes behavior much closer to that of physical disks and if it is disabled, applications can easily distinguish between physical disks and VeraCrypt volumes since sending this control code to a VeraCrypt volume will result in an error.
Disable this option if you experience stability issues (like volume access issues or system BSOD) which can be caused by poorly written software and drivers.

Settings -> Preferences

Invokes the Preferences dialog window, where you can change, among others, the following options:

Wipe cached passwords on exit

If enabled, passwords (which may also contain processed keyfile contents) and PIM values cached in driver memory will be cleared when VeraCrypt exits.

Cache passwords in driver memory

When checked, passwords and/or processed keyfile contents for up to last four successfully mounted VeraCrypt volumes are cached. If the 'Include PIM when caching a password' option is enabled in the Preferences, non-default PIM values are cached alongside the passwords. This allows mounting volumes without having to type their passwords (and selecting keyfiles) repeatedly. VeraCrypt never saves any password or PIM values to a disk (however, see the chapter Security Requirements and Precautions). Password caching can be enabled/disabled in the Preferences (Settings -> Preferences) and in the password prompt window. If the system partition/drive is encrypted, caching of the pre-boot authentication password can be enabled or disabled in the system encryption settings (Settings > ‘System Encryption’).

Temporary Cache password during "Mount Favorite Volumes" operations

When this option is unchecked (this is the default), VeraCrypt will display the password prompt window for every favorite volume during the execution of the "Mount Favorite Volumes" operation and each password is erased once the volume is mounted (unless password caching is enabled).

If this option is checked and if there are two or more favorite volumes, then during the operation "Mount Favorite Volumes", VeraCrypt will first try the password of the previous favorite and if it doesn't work, it will display password prompt window. This logic applies starting from the second favorite volume onwards. Once all favorite volumes are processed, the password is erased from memory.

This option is useful when favorite volumes share the same password since the password prompt window will only be displayed once for the first favorite and VeraCrypt will automatically mount all subsequent favorites.

Please note that since we can't assume that all favorites use the same PRF (hash) nor the same TrueCrypt mode, VeraCrypt uses Autodetection for the PRF of subsequent favorite volumes and it tries both TrueCryptMode values (false, true) which means that the total mounting time will be slower compared to the individual mounting of each volume with the manual selection of the correct PRF and the correct TrueCryptMode.

Open Explorer window for successfully mounted volume

If this option is checked, then after a VeraCrypt volume has been successfully mounted, an Explorer window showing the root directory of the volume (e.g., T:\) will be automatically opened.

Use a different taskbar icon when there are mounted volumes

If enabled, the appearance of the VeraCrypt taskbar icon (shown within the system tray notification area) is different while a VeraCrypt volume is mounted, except the following:

VeraCrypt Background Task – Enabled

See the chapter VeraCrypt Background Task.

VeraCrypt Background Task – Exit when there are no mounted volumes

If this option is checked, the VeraCrypt background task automatically and silently exits as soon as there are no mounted VeraCrypt volumes. For more information, see the chapter VeraCrypt Background Task. Note that this option cannot be disabled when VeraCrypt runs in portable mode.

Auto-dismount volume after no data has been read/written to it for

After no data has been written/read to/from a VeraCrypt volume for n minutes, the volume is automatically dismounted.

Force auto-dismount even if volume contains open files or directories

This option applies only to auto-dismount (not to regular dismount). It forces dismount (without prompting) on the volume being auto-dismounted in case it contains open files or directories (i.e., file/directories that are in use by the system or applications).

 

Next Section >>