Operation Manual

43
(e.g. the value of a timer or counter) that can be used to determine that a block had
been written earlier than another block and/or to determine how many times a block has
been written/read. Therefore, do not store hidden volumes on such devices/filesystems.
To find out whether a device/system saves such data, please refer to documentation
supplied with the device/system or contact the vendor/manufacturer.
o A VeraCrypt volume resides on a device that is prone to wear (it is possible to determine
that a block has been written/read more times than another block). Therefore,
do not store hidden volumes on such devices/filesystems. To find out
whether a device is prone to such wear, please refer to documentation supplied with the
device or contact the vendor/manufacturer.
o You back up the content of a hidden volume by cloning its host volume, or create a new
hidden volume by cloning its host volume. Therefore, you must not do so. Follow the
instructions in the chapter How to Back Up Securely and in the section Volume Clones.
Make sure that Quick Format is disabled when encrypting a partition/device within which you
intend to create a hidden volume.
On Windows, make sure you have not deleted any files within a volume within which you intend
to create a hidden volume (the cluster bitmap scanner does not detect deleted files).
On Linux or Mac OS X, if you intend to create a hidden volume within a file-hosted VeraCrypt
volume, make sure that the volume is not sparse-file-hosted (the Windows version of VeraCrypt
verifies this and disallows creation of hidden volumes within sparse files).
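The manual notes that only the Windows build refuses to create a hidden volume inside a sparse container; on Linux and Mac OS X the user has to verify this themselves. The script below is an added example written for this page, not VeraCrypt's own code. It relies on the POSIX stat() convention that st_blocks counts allocated 512-byte units, so a container whose allocated bytes fall short of its logical size has holes (is sparse). The function names, the BLOCK_SIZE constant and the verdict strings are this example's own choices; the check degrades to "unknown" where the platform does not expose st_blocks.

```python
"""Check whether a file-hosted volume container is a sparse file.

Added example, not part of the VeraCrypt manual or VeraCrypt's code.
Why it matters: a hidden volume written into a sparse container changes
the container's allocation pattern, which can reveal that the "free" area
of the outer volume is actually in use.
"""
import os
import sys
from typing import Optional

# POSIX defines st_blocks in 512-byte units regardless of the filesystem's
# own block size, so this constant is not a filesystem parameter.
BLOCK_SIZE = 512


def allocated_bytes(path: str) -> Optional[int]:
    """Bytes actually allocated on disk, or None when the platform does not report it."""
    st = os.stat(path)
    blocks = getattr(st, "st_blocks", None)  # attribute is absent on Windows
    if blocks is None:
        return None
    return blocks * BLOCK_SIZE


def is_sparse(path: str) -> Optional[bool]:
    """True if the file has unallocated regions (holes), False if fully
    allocated, None if sparseness cannot be determined on this platform."""
    size = os.stat(path).st_size
    alloc = allocated_bytes(path)
    if alloc is None:
        return None
    # A dense file may report slightly MORE allocated space than its logical
    # size (tail padding to the filesystem block size), but never less.
    return alloc < size


def check_container(path: str) -> str:
    """Human-readable verdict for a candidate hidden-volume host container."""
    verdict = is_sparse(path)
    size = os.stat(path).st_size
    if verdict is None:
        return f"{path}: cannot determine allocation on this platform; check with the filesystem's own tools"
    if verdict:
        return (f"{path}: SPARSE ({allocated_bytes(path)} of {size} bytes allocated); "
                "do not create a hidden volume inside it")
    return f"{path}: fully allocated ({size} bytes); sparseness is not an obstacle"


if __name__ == "__main__":
    # Usage: python check_sparse.py /path/to/container.hc [...]
    for p in sys.argv[1:]:
        print(check_container(p))
```

Run it against the container file before creating the hidden volume inside it. A freshly created VeraCrypt container that was formatted without Quick Format is fully written, so it should report as fully allocated; a container created with a tool that merely extends the file (ftruncate/`truncate -s`) will report as sparse.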
When a hidden volume is mounted, the operating system and third-party applications may write
to non-hidden volumes (typically, to the unencrypted system volume) unencrypted information
about the data stored in the hidden volume (e.g. filenames and locations of recently accessed
files, databases created by file indexing tools, etc.), the data itself in an unencrypted form
(temporary files, etc.), unencrypted information about the filesystem residing in the hidden
volume (which might be used e.g. to identify the filesystem and to determine whether it is the
filesystem residing in the outer volume), the password/key for the hidden volume, or other types
of sensitive data. Therefore, the following security requirements and precautions must be
followed:
o Windows: Create a hidden operating system (for information on how to do so, see the
section Hidden Operating System) and mount hidden volumes only when the hidden
operating system is running. Note: When a hidden operating system is running, VeraCrypt ensures
that all local unencrypted filesystems and non-hidden VeraCrypt volumes are read-only (i.e. no files can be
written to such filesystems or VeraCrypt volumes).* Data is allowed to be written to filesystems within
hidden VeraCrypt volumes. Alternatively, if a hidden operating system cannot be used, use a
"live-CD" Windows PE system (entirely stored on and booted from a CD/DVD) that
ensures that any data written to the system volume is written to a RAM disk. Mount
hidden volumes only when such a "live-CD" system is running (if a hidden operating
system cannot be used). In addition, during such a "live-CD" session, only filesystems
that reside in hidden VeraCrypt volumes may be mounted in read-write mode (outer or
unencrypted volumes/filesystems must be mounted as read-only or must not be
mounted/accessible at all); otherwise, you must ensure that applications and the
operating system do not write any sensitive data (see above) to non-hidden
volumes/filesystems during the "live-CD" session.
* This does not apply to filesystems on CD/DVD-like media and on custom, untypical, or non-standard devices/media.