Guide to VeraCrypt – Safely Encrypt Files

VeraCrypt is a piece of open-source software that enables anyone to effectively and safely protect their files, such as entire drives or system partitions, against prying eyes. In this article, we'll show you what VeraCrypt is capable of, and how you can use it to encrypt your data. Should you be asking yourself why it's necessary to do so in the first place, we recommend starting out with our article on encrypting Windows, Mac, and external hard drives.

Using VeraCrypt, you can encrypt files in one of three ways:

• File container: With this method, you'll create a digital vault in which sensitive data is stored. This container can be made available both online and offline, and on hard drives or removable storage devices like USB sticks, network drives, or even in the cloud.
• Encrypt a non-system partition/drive: Should your hard drive or solid state drive (SSD) be divided into partitions, you can use this option to encrypt it in its entirety. The same method can be used for removable storage devices like USB sticks or smart cards.
• Encrypt the system partition or entire system drive: Finally, you can also encrypt your system partitions using Veracrypt.

To get started, download the latest version of Veracrypt from its developer ⇱. Then, decide whether you want to install the program or use its portable version. VeraCrypt is compatible with Windows, macOS, Linux, Raspberry Pi, and FreeBSD. Below, we'll walk you through the Windows version.

Below, we've provided a step-by-step guide detailing how you can encrypt sensitive data using VeraCrypt. To start, open the program and click on Create volume.

Make sure that Create an encrypted file container is selected and click on Next.

In the next step, select Standard VeraCrypt Volume, which should be the default option. Alternatively, you can create a Hidden VeraCrypt Volume. For this, no one, apart from you, will know that the volume exists. In this way, you won't be vulnerable to pressure about revealing the password.

To continue, click on Next.

Click on the File button and input the volume's name and where it should be saved to. When finished, click on Save.

Note: Don't select an existing file since this will be deleted and replaced with the container file.

The previously empty volume form should show the location you've specified. After clicking on Next, you'll be taken to the Encryption Options page.

Now select the encryption and hash algorithms you'd like to use. The default settings for these, AES and SHA-512, are considered to be highly secure and don't need to be changed. 

Click on Next and specify the size for your file container, from 292 KB (depending on the file system, this can be slightly larger) all the way up to multiple terabytes.

The upper limit depends largely on the storage medium you're using. Dynamic sizes are also possible, however, this has some disadvantages, particularly in terms of performance and security.

Confirm your selection by clicking on Next.

In the next step, you'll assign your VeraCrypt volume a secure password. Make sure that the password is long enough and comprised of a random mix of upper- and lower-case letters, numbers, and special characters (for more detailed instructions on creating a secure password, check out our comprehensive password manager assessment). VeraCrypt recommends a minimum length of 20 characters for passwords.

Should your password be too short, VeraCrypt will explicitly warn you:

Once you've set your password, you'll need to specify what sort of file type your container file should be: FAT, exFAT, or NTFS. After this, you'll be prompted to move your mouse randomly for at least 30 seconds in order to create as much entropy as possible. While this sounds odd, it will enhance the encryption. Once the Randomness Collected From Mouse Movements bar at the bottom of the dialogue box turns green, you can stop.

By clicking on Format at the bottom of the dialogue box, your VeraCrypt volume will be created. Should you not want to create any additional volumes, you can click on Done to leave the program.

Now, open VeraCrypt's main screen, and look for the drive letters. Select one of these (for example, K), and click on the Select File button to check through its contents to locate the folder where you've saved your VeraCrypt container. 

Select the file and click on Mount, entering your password in the pop-up window that opens. Once you've input this, confirm your password by clicking on OK.

The process can take a few moments, depending upon how large the file container is, so it's important to be patient.

Once the container has been mounted, you can use it in Windows like you would a regular drive. In the event that you no longer need your file vault, for security reasons, unmount it. In this way, no one will be able to access it. To do this, click on the volume and select Disconnect. To unmount multiple VeraCrypt containers, click on Disconnect All.

To encrypt a hard drive or another type of storage device, select Encrypt a non-system partition/drive and confirm your choice with Next in VeraCrypt's main window. A Windows pop-up will open requesting administrator rights. Confirm these with Yes.

Leave the default Standard VeraCrypt Volume option and click on Next.

On the next page, click on Select Device. In the pop-up that opens, specify the drive that you'd like to encrypt and confirm your choice with OK. Once the pop-up closes, click on Next.

At this point, you'll be able to select between Create encrypted volume and format it or Encrypt partition in place. 

Select the second option if you want to encrypt an entire drive and all of the data that it contains. You should note that these drives will have to be compatible with the NTFS file system. Should your drive use another data system, you'll have to utilize a somewhat tedious workaround, which VeraCrypt elaborates upon in a warning notification.

We're going to move forward here with the first option, Create encrypted volume and format it. It's important to note that when proceeding, all existing data on the volume will be deleted! For that reason, should the drive contain important information, make sure that you first transfer it to another storage device.

Once the storage device is ready, click on Next, which will bring you to the Encryption Options page. As in the first example, the program's encryption and hash algorithm presets (AES and SHA-512, respectively) are secure, and can be left as they are.

After clicking on Next, you'll be able to view the size of your storage medium and specify how large you'd like the file container to be.

After clicking on Next again, you'll be prompted to create a password and confirm it by re-entering it. The password should be as secure as possible.

Click on Next and specify which file system your storage device uses (NTFS, FAT, exFAT, or ReFS). Alternatively, you can leave the program's presets. Next, move your mouse around randomly to create entropy, ensuring solid encryption for your device. 

When the bar below turns green, click on Format after which a pop-up will open with a warning that details the consequences of formatting the drive in question. If you're certain that you want to begin this process, click on Yes.

Depending on the drive's size and speed, formatting and encryption can take a few minutes, so it's important to be patient. Once the process is finished, you'll receive a notification that the storage device can't be mounted with the same drive letter as previously.

Click OK and the pop-up will disappear. Should you not want to encrypt any additional devices or drives, you can conclude the process by clicking on Done.

Now, open the program's main window and choose one of the free drive letters (i.e. "J") and click on Select File. In the pop-up window that opens, select the data storage device that you've just created an encrypted file container in by clicking on its internal drive name (for example, Device\Harddisk3\Partition1 LW I:). 

By clicking on Mount you'll be able to access your encrypted drive after inputting the correct password. It can be readily accessed in Windows Explorer via the drive letter that you selected earlier.

Your new file vault is now ready: Should you not need it, make sure to unmount it in the VeraCrypt main window.

Should you want to encrypt a system partition, select Create a Volume in VeraCrypt's main window, followed by Encrypt the system partition or entire system drive.

Click on Next and grant VeraCrypt administrator rights. After this, confirm the system encryption presets (Normal) and click on Next again.

The preset, Encrypt the Windows system partition, should also be left as is. Click on Next.

Unless you want to encrypt multiple operating systems at the same time, make sure that Single Boot is selected and click on Next.

In the next step, you can specify the encryption and hash algorithms, however, we recommend leaving these as they are (AES und SHA-512). When finished, click on Next.

Now, assign your system partition a secure password and confirm it by re-entering it. Make sure that VeraCrypt uses the US-keyboard layout, since no other keyboards are available in the pre-boot environment (directly after turning on your computer). You can continue by clicking on Next.

At this point, VeraCrypt should have returned your keyboard layout to how it was before the last step. Start moving your mouse randomly until VeraCrypt has generated solid encryption. When the bar at the bottom of the interface turns green, you can click on Next.

VeraCrypt lets you know once the key has been generated. After this, click on Next.

Now you'll be asked to create a VeraCrypt rescue disk, which is important in the event that critical VeraCrypt data is damaged or if Windows has problems when booting up.

You can leave the program's default path or select your own. After clicking on Next a ZIP file will be created containing all of the rescue disk's essential data.

The content of this file can be copied into the root directory (the highest folder level) of a USB stick that has been formatted with FAT or FAT32.

Once you've transferred the rescue disk, click on Next and VeraCrypt will check if the disk has been successfully created. If it has, disconnect it from your system and remove the storage drive from your computer. After that, click on Next.

Now, in Wipe Mode, you can safely delete any overwritten files on the system partition without having to worry about losing the data. Should this not be necessary, click on Next.

Before the system partition is encrypted, VeraCrypt will perform a pretest to make sure that everything is working correctly. After clicking on Test, a pop-up window will open that you should read carefully. Confirm that you want to proceed by clicking on Yes.

Read the next security note as well and click on OK. Once finished, confirm that you'd like to restart your computer and Windows will restart. Input your password, leaving the PIM field empty, and confirm by pressing Enter. 

Should there be a problem when inputting your password, and you be unable to login, press the Escape key on your keyboard. 

After this, Windows will start as usual. Once loaded, the VeraCrypt assistant will ask if it should perform the test again, or if the pre-boot authentication component should be uninstalled.

If logging in worked as usual, Windows will boot normally. Once your computer has loaded, VeraCrypt will launch, informing you that it has successfully completed its pre-test.

Click on Encrypt and grant VeraCrypt administrator rights again. Although it can take a few minutes, the ensuing encryption process can be interrupted or paused at any time. The VeraCrypt assistant will let you know once the process has concluded, after which you'll only have to click on Close.

You can revert your system partition's encryption at any time. To do this, click on System in VeraCrypt's menu and then on Permanently Decrypt System Partition/Drive.

VeraCrypt is well-suited for encrypting files and entire drives, being both user-friendly and easy to find one's way around. 

Encryption does take a while, meaning that a large drive with multiple terabytes of stored files can require several days to encrypt. The process can be sped up by encrypting an empty drive and saving or transferring data to it afterwards.

One of VeraCrypt's biggest advantages is its open-source code, which can be viewed by anyone. To compare, the popular tool offered by Microsoft, BitLocker, doesn't have open-source code, meaning that you'll have to trust Microsoft with the security of your files. Understandably, not everyone is ready or willing to do this. With VeraCrypt, you won't have to worry about the developer's security owing to their transparency.