VeraCrypt
In this chapter we will go over how to use VeraCrypt, a free and secure encryption tool, to encrypt disks, files, and folders on both a Mac and Windows computer.
Key considerations for VeraCrypt
VeraCrypt can create encrypted containers and encrypt disk partitions on almost all versions of Linux, macOS, and Windows, and even on ARM-based devices like a Raspberry Pi (see full list of available downloads). Note that VeraCrypt supports whole-disk encryption only on Windows.
The VeraCrypt wizard walks you through several decisions, which we preview here:
- VeraCrypt allows you to choose the type of encryption and hash algorithms you use and provides many options. The defaults – AES encryption and “SHA-256” hash – are good choices.
- You can “Use keyfiles” and/or “Use PIM” when setting your encryption password. These are just additional security measures that require some extra considerations – read more in the What is Encryption? chapter.
- When encrypting an entire disk, you can choose a “wipe mode.” When you are initially encrypting the drive, you can choose to overwrite your unencrypted data with random data, which would prevent an attacker from recovering sensitive data from before it was encrypted. You can choose 1-pass, a larger number of passes (which will take longer), or “None” (which is the fastest option). If you do not yet have any sensitive data on your drive, select None. If you are concerned about sensitive data that you are now encrypting, select 1 or more. This process only occurs during the initial drive encryption.
- When you encrypt your entire boot disk, you can choose whether you want “Normal” encryption or “Hidden” encryption. Most researchers want Normal – read more in the What is Encryption? chapter.
Creating an encrypted container
Encrypted containers appear as a single file, which acts as a password-protected virtual disk. These can be created on any drive – external, secondary, or system – and can be moved and copied like normal files. When you create the container, you will be prompted to choose which file system you want to use. There are a number of options, but it is typically recommended to choose NTFS if you will only be using the drive with a Windows computer, and exFAT if you will be using the drive on Linux or macOS (or require cross-platform compatibility; this format will also work on Windows if need be). If you are using an external drive, ensure that its native file system is compatible with the file system you choose and the operating system you are working on, or else you will have to format it first.
If you are creating an encrypted container on an external drive, insert the drive first.
Step 1: Open VeraCrypt and select “Create a Volume.”
Step 2: Select “Create an encrypted container file” and select Next.
Step 3: Choose whether you want normal or hidden encryption.
Step 4: Under “Location,” click “Select File” and navigate to the desired location for your encrypted container. Enter a name for the file and click “Save.”
Step 5: Choose the type of encryption and hash algorithms you want to use.
Step 6: Define the volume size (how large you want the container to be). Make sure you have sufficient space on the disk to which you are saving the file.
Step 7: Enter your password. You can choose here if you want to use any keyfiles or a PIM. Make sure you choose a strong password and Back! It! Up!
Step 8: Choose the desired File System for the container.
Step 9: VeraCrypt will prompt you for random mouse movements. Move your mouse until you’ve filled up the meter and click Format.
You will receive a notification when your volume has been created and encrypted. Now you have to actually mount the file.
Step 10: Open VeraCrypt and click “Select File.” Select your encrypted container.
Step 11: In the main VeraCrypt window, select an unused drive letter from the list and click “Mount”. Enter your password for decryption.
After decryption, your encrypted container should appear as a drive with the drive letter you chose, and you can add, remove, and modify files as usual.
Step 12: Once you are done using the drive, select it from the list in the VeraCrypt window and click “Dismount.” This will finish any ongoing or pending encryption. You can then safely eject the external drive.
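For Linux or macOS users who prefer a terminal, the wizard choices in Steps 2 to 9 map onto VeraCrypt's text-mode flags. This is an added example, not part of the original guide; the function names, the `VC_DRY_RUN` variable, and the container path and size are assumptions, and it expects the `veracrypt` binary to be on your PATH.

```shell
#!/bin/sh
# Added example: command-line equivalent of the container wizard.
# Function names, VC_DRY_RUN and the paths below are illustrative assumptions.

# Step 6 check: succeed only if <dir> has at least <size_mib> MiB free.
vc_has_space() {
    avail_kib=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$avail_kib" -ge $(($2 * 1024)) ]
}

# Usage: vc_create_container <container-file> <size-in-MiB> [filesystem]
vc_create_container() {
    container=$1; size_mib=$2; fs=${3:-exFAT}

    # Steps 2-9 as flags. There is deliberately no --password option:
    # VeraCrypt prompts for it, so the password never appears in shell
    # history or in the process list.
    set -- veracrypt --text --create "$container" \
        --volume-type=normal \
        --encryption=AES --hash=SHA-256 \
        --size="${size_mib}M" \
        --filesystem="$fs" \
        --pim=0 --keyfiles="" \
        --random-source=/dev/urandom   # stands in for the mouse movements

    # Dry run: only show the command that would be executed.
    if [ -n "${VC_DRY_RUN:-}" ]; then echo "$*"; return 0; fi

    # Never clobber an existing file: it could be an earlier container.
    if [ -e "$container" ]; then
        echo "refusing to overwrite $container" >&2; return 1
    fi
    if ! vc_has_space "$(dirname "$container")" "$size_mib"; then
        echo "not enough free space for a ${size_mib} MiB container" >&2
        return 1
    fi
    "$@"
}

# Usage (constructed paths; the mount point must already exist):
#   vc_create_container "$HOME/research.hc" 500
#   veracrypt --text --mount "$HOME/research.hc" /mnt/research   # Steps 10-11
#   veracrypt --text --dismount "$HOME/research.hc"              # Step 12
```

Set `VC_DRY_RUN=1` first to print the command without creating anything.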
Encrypting an external drive
To encrypt an entire USB flash drive or other external drive, VeraCrypt will want to first format the drive. This will delete the content of the drive, so make a copy of any files on the drive that you need to keep and empty the drive before beginning. You can also avoid this by encrypting the drive in place, but that will take longer.
In addition, an external drive that has been formatted and fully encrypted with VeraCrypt can only be decrypted on a computer that also has VeraCrypt installed and which recognizes that format. The portability limitation can be surmounted by downloading the correct “portable” version of VeraCrypt to the drive (see full list of available downloads), but compatibility is still limited (e.g. a Windows-formatted drive will only work on a PC).
One alternative for both limitations (formatting and limited compatibility) is to create an encrypted container on the flash drive (see “Creating an encrypted container” above) rather than encrypting the entire drive.
However, if you will always be accessing your files from the same computer, or computers with the same operating system, encrypting the entire drive is a safe and viable option. Here’s how to do it:
Step 1: Insert the external drive, launch VeraCrypt, and select “Create Volume”. Then choose “Encrypt secondary partition/drive” (may display as “Encrypt a non-system partition/drive”).
Step 2: Select if you want normal or hidden encryption.
Step 3: Click “Select Device”, find your external drive in the list, and select the partition you want to encrypt. Unless you have previously created a partition on the drive, there should only be one choice, with the drive letter and name listed. Click Next once you have returned to the main wizard.
Step 4: Select if you want to format the drive and create an encrypted volume, or encrypt the entire partition in place (will take longer).
Step 5: Choose the type of encryption and hash algorithms you want to use.
Since we are encrypting the entire drive, you cannot select the container size, so just press Next.
Step 6: Enter your password. You can choose here if you want to use any keyfiles or a PIM. Make sure you choose a strong password and Back! It! Up!
Step 7: VeraCrypt will prompt you for random mouse movements. Move your mouse until you’ve filled up the meter and click Format.
Unless you chose to encrypt in place you will see a warning that when your drive is formatted all files will be erased – click Yes to proceed and VeraCrypt will format and encrypt your drive. Now you have to actually mount the drive.
Step 8: Open VeraCrypt and click “Select Device.” Select the external drive partition.
Step 9: In the main VeraCrypt window, select an unused drive letter from the list and click “Mount.” Enter your password for decryption.
After decryption, your external drive should appear as usual with the drive letter you chose, and you can add, remove, and modify files as usual.
Step 10: Once you are done using the drive, select it from the list in the VeraCrypt window and click “Dismount.” This will finish any ongoing or pending encryption. You can then safely eject the external drive.
Encrypting the full boot disk
Step 1: Launch VeraCrypt and click System -> Encrypt System Partition/Drive. Choose whether you want normal encryption or hidden encryption.
Step 2: Choose “Encrypt the whole drive”.
Step 3: If you have more than one operating system installed and you choose between them when you boot your computer, select “Multi-boot” – otherwise choose “Single-boot” (most likely case).
Step 4: Choose the type of encryption and hash algorithms you want to use.
Step 5: Enter your password. You can choose here if you want to use any keyfiles or a PIM. Make sure you choose a strong password and Back! It! Up!
Step 6: VeraCrypt will prompt you for random mouse movements. Move your mouse until you’ve filled up the meter and click Next.
Step 7: The wizard will display the Header Key and Master Key, which you can display and back up if desired.
Step 8: The wizard will have you create a Rescue Disk image (.zip) in the location of your choice. If your computer ever has an issue booting, you will have to enter your password and boot from the rescue disk to decrypt and access your encrypted files. You must extract the EFI folder from the Rescue Disk to a flash drive or other disk to create your backup boot drive. VeraCrypt will ask you to confirm that you have done so.
Step 9: VeraCrypt will now ask to Test that everything is set up correctly before encrypting your files. It will install the VeraCrypt bootloader and restart. You will have to enter your encryption key, and if the normal welcome screen appears, sign in as usual.
VeraCrypt provides detailed instructions on what to do if your computer does not boot normally during the test. Take note of these instructions just in case: On Windows, restart your PC and press Esc (repeatedly if need be) while VeraCrypt is booting. Windows should boot and ask if you want to uninstall the VeraCrypt bootloader, and you should say yes. If that doesn’t work, insert your VeraCrypt Rescue Disk, restart your computer and boot from that. In the rescue disk interface, select Repair Options -> Restore Original and restart your PC.
Step 10: If you do not already have a backup of the files you are encrypting, select Defer and create a backup. Then you can relaunch VeraCrypt and click System -> Resume Interrupted Process to resume encryption. Otherwise, press “Encrypt”.
If at some point you want to remove the disk encryption, launch VeraCrypt and click System -> Permanently Decrypt System Partition/Drive.
Reference pages
Check out VeraCrypt’s documentation page
https://www.howtogeek.com/6169/use-truecrypt-to-secure-your-data/?utm_source=pocket_shared
https://tecnobits.com/en/Encrypt-a-USB-flash-drive-with-VeraCrypt/