Manualshelf

Operation Manual

ManualsBrandsVeraCrypt ManualsSoftware1.16
41424344454647484950
49
after the hidden system has been created. Afterwards, in order to achieve plausible deniability,
VeraCrypt will prompt you to install a new system on the partition and encrypt it using VeraCrypt.
Thus, you will create the decoy system and the whole process of creation of the hidden operating
system will be completed.
Plausible Deniability and Data Leak Protection
For security reasons, when a hidden operating system is running, VeraCrypt ensures that all local
unencrypted filesystems and non-hidden VeraCrypt volumes are read-only (i.e. no files can be
written to such filesystems or VeraCrypt volumes).
*
Data is allowed to be written to any filesystem
that resides within a hidden VeraCrypt volume (provided that the hidden volume is not located in a
container stored on an unencrypted filesystem or on any other read-only filesystem).
There are three main reasons why such countermeasures have been implemented:
1.
It enables the creation of a secure platform for mounting of hidden VeraCrypt volumes.
Note that we officially recommend that hidden volumes are mounted only when a hidden
operating system is running. For more information, see the subsection Security
Requirements and Precautions Pertaining to Hidden Volumes.
2.
In some cases, it is possible to determine that, at a certain time, a particular filesystem was
not mounted under (or that a particular file on the filesystem was not saved or accessed
from within) a particular instance of an operating system (e.g. by analyzing and comparing
filesystem journals, file timestamps, application logs, error logs, etc). This might indicate
that a hidden operating system is installed on the computer. The countermeasures prevent
these issues.
3.
It prevents data corruption and allows safe hibernation. When Windows resumes from
hibernation, it assumes that all mounted filesystems are in the same state as when the
system entered hibernation. VeraCrypt ensures this by write-protecting any filesystem
accessible both from within the decoy and hidden systems. Without such protection, the
filesystem could become corrupted when mounted by one system while the other system is
hibernated.
If you need to securely transfer files from the decoy system to the hidden system, follow these
steps:
1.
Start the decoy system.
2.
Save the files to an unencrypted volume or to an outer/normal VeraCrypt volume.
3.
Start the hidden system
4.
If you saved the files to a VeraCrypt volume, mount it (it will be automatically mounted as
read-only).
5.
Copy the files to the hidden system partition or to another hidden volume.
Possible Explanations for Existence of Two VeraCrypt Partitions on Single Drive
An adversary might ask why you created two VeraCrypt-encrypted partitions on a single drive (a
system partition and a non-system partition) rather than encrypting the entire disk with a single
encryption key. There are many possible reasons to do that. However, if you do not know any
*
This does not apply to filesystems on CD/DVD-like media and on custom, atypical, or non-standard devices/media.