Guide

VeraCrypt: encrypted storage in practice

For most people, disk encryption is already built into the operating system: BitLocker on Windows, FileVault on macOS, LUKS on Linux. That approach protects the whole drive if someone gains physical access to your device — and it is enough for most readers.

Updated
May 8, 2026

VeraCrypt fills a different gap. It creates encrypted containers — individual files that act as an encrypted vault — and can encrypt external drives and USB sticks in a way that works across platforms. This guide helps you decide whether VeraCrypt adds something for you, and how to set it up responsibly if it does.

When VeraCrypt makes sense

VeraCrypt is the right choice if:

  • you want to store sensitive documents that must also be accessible on both Windows and macOS machines (BitLocker and FileVault do not work cross-platform for containers)
  • you are encrypting an external drive or USB stick that you carry to other locations or travel with
  • you want a clearly bounded vault for one category of files — source material, client files, financial documents — separate from the rest of your drive
  • you need hidden volumes (see the dedicated section below)

VeraCrypt is overkill or the wrong tool if:

  • your main goal is protecting your laptop if it is stolen — BitLocker, FileVault, or LUKS is the better route for that, because those protect everything including the running system
  • you only want to encrypt cloud storage — Proton Drive or similar services handle that more simply
  • you do not yet have basic security in place — encryption protects files at rest, not an active system that is already compromised

The baseline: make sure full-disk encryption of the system itself is enabled. VeraCrypt is a complement, not a replacement.

Containers versus full-disk encryption

VeraCrypt offers two approaches. The choice is usually straightforward.

A container is a file on your drive — say archive.vc. VeraCrypt treats that file as a drive you can mount, put files into, and then close again. Everything inside the mounted container is encrypted automatically. Once closed, the contents are inaccessible without the password.

Advantages:

  • easy to back up: copy the container file like any other file
  • works alongside the OS’s own disk encryption
  • easy to move between machines and platforms

Disadvantage: the container has a fixed size you set at creation time. If you need more space later, you create a new container.

Full-disk or partition encryption

VeraCrypt can also encrypt a complete external drive or USB stick. This is useful when you want to protect an external drive you travel with and you do not need to separate files into categories.

For system disk encryption on Windows, VeraCrypt offers an option too, but for most users BitLocker is the simpler route. VeraCrypt system encryption is relevant if you want cross-platform boot support or if you have specific concerns about BitLocker’s closed-source implementation.

Choose containers unless you have a specific reason for full-disk encryption. Containers are simpler to manage and back up.

Creating a container

  1. Download VeraCrypt from veracrypt.fr and install it.
  2. Open VeraCrypt → click “Create Volume”.
  3. Choose “Create an encrypted file container”.
  4. Choose a location and filename for the container (e.g. archive.vc).
  5. Leave the encryption algorithm set to AES — this is the default and sufficient for all normal use.
  6. Set the container size. Think this through: you cannot easily resize it later.
  7. Set a strong password. Store it in your password manager (see "Which password manager should you choose?").
  8. Move your mouse randomly inside the VeraCrypt window to generate entropy (the movements are part of how the keys are generated).
  9. Click “Format”. The container is ready.

To use the container: open VeraCrypt, choose a drive letter (or mount point on macOS/Linux), select the container file, enter your password, and mount. The container appears as a normal drive.

Hidden volumes

VeraCrypt supports a specific feature: a container with two passwords. Password A opens a set of ordinary files. Password B opens the actual sensitive files. An outside party cannot prove that a hidden volume exists — the space used by the hidden volume is indistinguishable from random data.

This is relevant in two situations:

  • you store sensitive source material in a jurisdiction where you can be legally compelled to hand over your password
  • you store information where plausible deniability has real legal or personal value

For most readers, hidden volumes are not necessary. A normal strong password is sufficient for most threat models. Consider hidden volumes only if you are thinking concretely about compelled decryption.

If you use hidden volumes: keep the outer volume filled with plausible files. An empty “normal” container is less convincing.

Operational pitfalls

Forgetting your password means losing your data

VeraCrypt has no recovery option. No backup code, no customer support, no technical workaround. If you forget the password, the files are permanently lost. Store the password in a password manager. Also back up the password manager database itself.

Forensic traces on Windows

If a VeraCrypt container has been mounted on Windows, traces can remain in the Windows registry and in prefetch files: the fact that the file was opened, its location, and when. The contents are not visible, but the usage is.

If this is relevant to your threat model — journalists or activists working in environments where forensic investigation is realistic — consider using VeraCrypt from a live OS such as Tails. Tails leaves no traces on the host machine.

Slow mounting is normal

VeraCrypt intentionally uses slow key derivation (PBKDF2 with high iteration counts, and optionally Argon2id) to make brute-force attacks harder. Mounting a container takes a few seconds. This is a design choice, not a bug.
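The few seconds you wait at mount time are the same cost an attacker pays for every password guess. The sketch below is an added example, not VeraCrypt's own code: it reproduces the PBKDF2-HMAC-SHA512 step with Python's hashlib, using the documented iteration rule for non-system volumes (500,000 by default, 15000 + PIM x 1000 when a PIM is set). The 64-byte output length, the function names and the sample passphrase are assumptions made for the illustration; Argon2id is not covered.

```python
import hashlib
import os
import time

SALT_LEN = 64  # a VeraCrypt volume header begins with a 64-byte salt
KEY_LEN = 64   # assumption for this sketch: one 64-byte AES-XTS header key


def iterations_for_pim(pim=0):
    """PBKDF2-HMAC-SHA512 iteration count for a non-system volume."""
    if pim < 0:
        raise ValueError("PIM must not be negative")
    return 500_000 if pim == 0 else 15_000 + pim * 1_000


def derive_header_key(password, salt, pim=0):
    """Stretch the password into key material, as done on every mount."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 64 bytes")
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations_for_pim(pim), dklen=KEY_LEN)


def seconds_per_guess(pim=0):
    """Time one derivation on this machine (constructed sample passphrase)."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    derive_header_key("constructed sample passphrase", salt, pim)
    return time.perf_counter() - start


def years_to_search(candidates, guesses_per_second):
    """Worst-case time to try every candidate password, in years."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1 / seconds_per_guess()  # guesses per second on one CPU core
    print(f"default settings: {rate:.1f} guesses/s on this machine")
    # 8 random lowercase letters versus 6 words from a 7776-word list
    print(f"8 letters: {years_to_search(26 ** 8, rate):.3g} years")
    print(f"6 words:   {years_to_search(7776 ** 6, rate):.3g} years")
```

The absolute numbers depend on the hardware used; the comparison shows that the slow derivation multiplies the value of a long passphrase but does not rescue a short one.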

Resizing a container is not straightforward

An existing container cannot easily be resized. If you need more space later: create a new, larger container, copy the contents across, and delete the old one. Plan the size generously when you create it.

Backing up encrypted containers

A container file behaves like any other file: copy it to a backup location and the backup is done. The encryption comes with it.

Key points:

  • Test your backup. Verify that you can mount the container on another machine using the same password. An untested backup is not a backup.
  • Keep the password separate from the container. A backup of the container and the password on the same external drive effectively cancels out the encryption.
  • Keep the backup current. An outdated container backup is missing everything added since. Sync regularly, or set a backup schedule.
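One practical catch when keeping a container backup current: the file size never changes, and VeraCrypt by default preserves the modification timestamp of file containers (a setting in its preferences), so a sync tool that compares only size and date can treat a changed container as unchanged. The following added example (not part of the original guide; file names and contents are constructed) compares source and backup by content hash instead.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large containers do not fill RAM


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def same_by_metadata(source, backup):
    """What a size+mtime sync tool sees: True means 'nothing to copy'."""
    a, b = os.stat(source), os.stat(backup)
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def backup_status(source, backup):
    """Classify a backup as 'missing', 'stale' or 'current' by content."""
    if not os.path.exists(backup):
        return "missing"
    same = sha256_file(source) == sha256_file(backup)
    return "current" if same else "stale"


def demo():
    """Constructed sample: two fixed-size 'containers', different content."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "archive.vc")
        backup = os.path.join(workdir, "archive-backup.vc")
        for path in (backup, source):
            with open(path, "wb") as handle:
                handle.write(os.urandom(4096))  # stand-in for ciphertext
            # Simulate the preserved timestamp: identical mtime on both.
            os.utime(path, (1_700_000_000, 1_700_000_000))
        return same_by_metadata(source, backup), backup_status(source, backup)


if __name__ == "__main__":
    print(demo())
```

A matching hash only proves the copy is identical; mounting the backup on another machine, as described above, is still the real test.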

See the Backup implementation guide for a broader approach to backups.
