Operation Manual
98
use the Linux native kernel cryptographic services or make sure VeraCrypt volumes are not
located on drives that use the trim operation.
To find out whether a device uses the trim operation, please refer to documentation supplied with
the device or contact the vendor/manufacturer.
Wear-Leveling
Some storage devices (e.g., some solid-state drives, including USB flash drives) and some file
systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or
medium. These mechanisms ensure that even if an application repeatedly writes data to the same
logical sector, the data is distributed evenly across the medium (logical sectors are remapped to
different physical sectors). Therefore, multiple "versions" of a single sector may be available to an
attacker. This may have various security implications. For instance, when you change a volume
password/keyfile(s), the volume header is, under normal conditions, overwritten with a re-encrypted
version of the header. However, when the volume resides on a device that utilizes a wear-leveling
mechanism, VeraCrypt cannot ensure that the older header is really overwritten. If an adversary
found the old volume header (which was to be overwritten) on the device, he could use it to mount
the volume using an old compromised password (and/or using compromised keyfiles that were
necessary to mount the volume before the volume header was re-encrypted). For security reasons,
we recommend that VeraCrypt volumes are not created/stored on devices (or in file systems) that
utilize a wear-leveling mechanism (and that VeraCrypt is not used to encrypt any portions of such
devices or filesystems).
If you decide not to follow this recommendation and you intend to use in-place encryption on a
drive that utilizes wear-leveling mechanisms, make sure the partition/drive does not contain any
sensitive data before you fully encrypt it (VeraCrypt cannot reliably perform secure in-place
encryption of existing data on such a drive; however, after the partition/drive has been fully
encrypted, any new data that will be saved to it will be reliably encrypted on the fly). That includes
the following precautions: Before you run VeraCrypt to set up pre-boot authentication, disable the
paging files and restart the operating system (you can enable the paging files after the system
partition/drive has been fully encrypted). Hibernation must be prevented during the period between
the moment when you start VeraCrypt to set up pre-boot authentication and the moment when the
system partition/drive has been fully encrypted. However, note that even if you follow those steps, it
is not guaranteed that you will prevent data leaks and that sensitive data on the device will be
securely encrypted. For more information, see the sections Data Leaks, Paging File, Hibernation
File, and Memory Dump Files.
If you need plausible deniability, you must not use VeraCrypt to encrypt any part of (or create
encrypted containers on) a device (or file system) that utilizes a wear-leveling mechanism.
To find out whether a device utilizes a wear-leveling mechanism, please refer to documentation
supplied with the device or contact the vendor/manufacturer.
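The manual leaves the trim and wear-leveling questions to the vendor documentation. As a first pass on Linux, the kernel already exposes two hints per block device that tell you which of the two warnings above to take seriously. The script below is an added example and not part of the VeraCrypt manual or project; it assumes the sysfs attributes /sys/block/<dev>/queue/discard_max_bytes (non-zero when the kernel can issue discard/TRIM to the device) and /sys/block/<dev>/queue/rotational (0 when the driver reports non-spinning media, which in practice means flash and therefore wear-leveling). Both are driver-reported hints, not guarantees: many USB flash drives report rotational=1 and discard_max_bytes=0 yet still wear-level internally, so the vendor documentation remains the authority.

```python
#!/usr/bin/env python3
"""Added example (not VeraCrypt code): flag Linux block devices that report
TRIM/discard support or look like flash media, so the operator knows which
drives the Trim and Wear-Leveling warnings apply to.

Assumption (not stated by the manual): the sysfs attributes
/sys/block/<dev>/queue/discard_max_bytes and /sys/block/<dev>/queue/rotational
are used as the heuristic. Both are hints reported by the driver.
"""
import os
from dataclasses import dataclass


@dataclass
class DeviceAssessment:
    name: str
    supports_trim: bool   # kernel can issue discard (TRIM) to this device
    likely_flash: bool    # driver reports non-rotational media -> assume wear-leveling

    @property
    def warnings(self):
        msgs = []
        if self.supports_trim:
            msgs.append("TRIM: discarded (free) sectors become distinguishable; "
                        "keep VeraCrypt volumes off this device or disable trim")
        if self.likely_flash:
            msgs.append("wear-leveling: an old volume header may survive a password "
                        "change; unsuitable for plausible deniability")
        return msgs


def parse_sysfs_int(text: str) -> int:
    """sysfs queue attributes are a single ASCII integer plus newline."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"unexpected sysfs value: {text!r}")
    return int(text)


def assess(name: str, discard_max_bytes: str, rotational: str) -> DeviceAssessment:
    """Combine the raw contents of the two attributes into an assessment."""
    return DeviceAssessment(
        name=name,
        supports_trim=parse_sysfs_int(discard_max_bytes) > 0,
        likely_flash=parse_sysfs_int(rotational) == 0,
    )


def read_attr(dev: str, attr: str) -> str:
    with open(os.path.join("/sys/block", dev, "queue", attr)) as f:
        return f.read()


def assess_system():
    """Walk every block device the kernel exposes, skipping pseudo devices."""
    results = []
    for dev in sorted(os.listdir("/sys/block")):
        if dev.startswith(("loop", "ram", "zram")):
            continue
        try:
            results.append(assess(dev,
                                  read_attr(dev, "discard_max_bytes"),
                                  read_attr(dev, "rotational")))
        except (OSError, ValueError):
            # Attribute missing or malformed for this driver: report nothing
            # rather than guess; fall back to the vendor documentation.
            continue
    return results


if __name__ == "__main__":
    for r in assess_system():
        status = "; ".join(r.warnings) or \
            "no TRIM/flash indicators reported (still confirm with vendor docs)"
        print(f"{r.name}: {status}")
```

A device that triggers neither warning is not cleared: the absence of a hint only means the driver did not report one. If the VeraCrypt volume sits on a device-mapper or LUKS layer, check the underlying physical device, since discards only reach it if every layer passes them through.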
Reallocated Sectors
Some storage devices, such as hard drives, internally reallocate/remap bad sectors. Whenever the
device detects a sector to which data cannot be written, it marks the sector as bad and remaps it to
a sector in a hidden reserved area on the drive. Any subsequent read/write operations from/to the
bad sector are redirected to the sector in the reserved area. This means that any existing data in
the bad sector remains on the drive and it cannot be erased (overwritten with other data). This may