How-To Geek

How to Secure Sensitive Files on Your PC with VeraCrypt

If you’re looking for a simple and powerful way to encrypt everything from system drives to backup discs to everything in between, VeraCrypt is an open-source tool that will help you lock up your files. Read on as we show you how to get started.

What Is TrueCrypt/VeraCrypt and Why Should I Use It?

The best way to secure files you don’t want others seeing is encryption. Encryption essentially uses a secret key to turn your files into unreadable gibberish—unless you use that secret key to unlock them.

TrueCrypt was a popular open source, on-the-fly encryption application that allowed you to work with encrypted files as you would work on files located on a regular drive. Without on-the-fly encryption, actively working with encrypted files is an enormous pain and the outcome is usually either that people simply do not encrypt their files or they engage in poor security practices with their encrypted files because of the hassle of decrypting and encrypting them.

TrueCrypt is now discontinued, but the project has been continued by a new team under a new name: VeraCrypt.

With VeraCrypt’s on-the-fly system, you can create an encrypted container (or even an entirely encrypted system drive). All the files within the container are encrypted, and you can mount it as a normal drive with VeraCrypt to view and edit the files. When you’re done working with them, you can just unmount the volume. VeraCrypt takes care of everything, keeping the files temporarily in the RAM, sweeping up after itself, and ensuring your files remain uncompromised.

VeraCrypt can encrypt your entire drive too, at least on some PCs, but we generally recommend Windows’ built-in BitLocker for this purpose instead. VeraCrypt is ideal for creating encrypted volumes for groups of files, rather than encrypting your entire boot drive. BitLocker is a better choice for that.

Why Use VeraCrypt Instead of TrueCrypt?

Technically, you can still use older versions of TrueCrypt if you like, and you can even follow along with this very guide, since TrueCrypt and VeraCrypt are nearly identical in interface. VeraCrypt has fixed some of the minor problems brought up in TrueCrypt’s code audit, not to mention audits of its own code. Its improvements to TrueCrypt’s base have set the stage for it to be a real successor, and while it’s a bit slower than TrueCrypt, plenty of security experts like Steve Gibson say it’s a good time to make the jump.

If you’re using an old version of TrueCrypt, it isn’t incredibly urgent that you switch—it’s still pretty solid. But VeraCrypt is the future, so if you’re setting up a new encrypted volume, it’s probably the way to go.

How to Install VeraCrypt

For this tutorial, you’ll only need a few simple things:

  • A free copy of VeraCrypt.
  • Administrative access to a computer.

That’s it! You can grab a copy of VeraCrypt for Windows, Linux, or Mac OS X and then settle in at a computer that you have administrative access to (you can’t run VeraCrypt on a limited-privilege/guest account). For this tutorial we’ll be using the Windows version of VeraCrypt and installing it on a Windows 10 machine.

Download and install VeraCrypt as you would any other application. Just double-click the EXE file, follow the instructions in the wizard, and select the “Install” option. (The “Extract” option is of interest to those who wish to extract a semi-portable version of VeraCrypt; we will not be covering that method in this beginner’s guide.) You’ll also be given a battery of options like “Install for all users” and “Associate .hc file extension with VeraCrypt”. We left all of them checked for the sake of convenience.

screenshot.1

How to Create an Encrypted Volume

Once the application finishes installing, navigate to the Start Menu and launch VeraCrypt. You’ll be greeted with the screen below.

screenshot.2

The very first thing you’ll need to do is create a volume, so click on the “Create Volume” button. This will launch the Volume Creation Wizard and prompt you to choose one of the following volume types:

screenshot.3

Volumes can be as simple as a file container you place on a drive or disk or as complex as a whole-disk encryption for your operating system. We’re going to keep things simple for this guide and focus on getting you set up with an easy-to-use local container. Select “Create an encrypted file container”.

Next, the Wizard will ask you if you want to create a Standard or a Hidden volume. Again, for the sake of simplicity, we’re going to skip messing around with Hidden Volumes at this point. This in no way lowers the encryption level or security of the volume we’re creating, as a Hidden Volume is simply a method of obfuscating the location of the encrypted volume.

screenshot.4

Next, you’ll need to pick a name and location for your volume. The only important parameter here is that your host drive have enough space for the volume you wish to create (i.e. if you want a 100GB encrypted volume you’d better have a drive with 100GB of free space). We’re going to throw our encrypted volume on a secondary data drive in our desktop Windows machine.

screenshot.5

Now it’s time to pick your encryption scheme. You really can’t go wrong here. Yes, there are a lot of choices, but all of them are extremely solid encryption schemes and, for practical purposes, interchangeable. In 2008, for example, the FBI spent over a year trying to decrypt the AES encrypted hard drives of a Brazilian banker involved in a financial scam. Even if your data-protection-paranoia extends up to the level of acronym agencies with deep pockets and skilled forensics teams, you can rest easy knowing your data is secure.

screenshot.6

In the next step, you’ll select the volume size. You can set it in KB, MB, or GB increments. We created a 5GB test volume for this example.

screenshot.7

Next stop, password generation. There is one important thing to keep in mind here: Short passwords are a bad idea. You should create a password at least 20 characters long. However you can create a strong and memorable password, we suggest you do it. A great technique is to use a passphrase instead of a simple password. Here’s an example: In2NDGradeMrsAmerman$aidIWasAGypsy. That’s better than password123 any day.
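
To see why length matters, the added example below (not part of the original article) estimates how long an exhaustive search takes for random passwords of different lengths, and generates a random passphrase of a chosen strength. The guess rates (100,000 and 1,000,000,000 per second) and the 96-character set are the figures quoted in the reader comments on this page, not measurements against VeraCrypt; the word list is a constructed demo list, and the estimates assume every character or word is chosen uniformly at random.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace_bits(charset_size, length):
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(charset_size)

def years_to_exhaust(charset_size, length, guesses_per_sec):
    """Years to try every candidate; the average hit comes at half of that."""
    return charset_size ** length / guesses_per_sec / SECONDS_PER_YEAR

def words_needed(target_bits, wordlist_size):
    """Number of randomly chosen words needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, target_bits, sep="-"):
    """Build a passphrase with the OS CSPRNG (secrets), not the random module."""
    count = words_needed(target_bits, len(wordlist))
    return sep.join(secrets.choice(wordlist) for _ in range(count))

# Constructed 16-word demo list (4 bits per word). A real list should be far
# larger, e.g. 7776 words, which gives about 12.9 bits per word.
DEMO_WORDS = ["amber", "birch", "cobalt", "dune", "ember", "fjord",
              "garnet", "harbor", "ivory", "juniper", "kelp", "lantern",
              "marble", "nectar", "opal", "prairie"]

def report(charset_size=96, lengths=(8, 12, 16, 20)):
    """Rows of (length, bits, years at 1e5 guesses/s, years at 1e9 guesses/s)."""
    return [(n,
             round(keyspace_bits(charset_size, n), 1),
             years_to_exhaust(charset_size, n, 1e5),
             years_to_exhaust(charset_size, n, 1e9))
            for n in lengths]

if __name__ == "__main__":
    for n, bits, slow, fast in report():
        print(f"{n:>2} chars  {bits:>6} bits  "
              f"{slow:.3g} years @ 1e5/s  {fast:.3g} years @ 1e9/s")
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 40))
```

Passwords and phrases that a person makes up are more predictable than these uniform-random figures suggest, so treat the numbers as upper bounds.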

screenshot.8

Before you create the actual volume, the creation Wizard will ask if you intend to store large files. If you intend to store files larger than 4GB within the volume, tell it so—it will tweak the file system to better suit your needs.

screenshot.9

On the Volume Format screen, you’ll need to move your mouse around to generate some random data. While just moving your mouse is sufficient, you could always follow in our footsteps—we grabbed our Wacom tablet and drew a picture of Ricky Martin as an extra on Portlandia. How’s that for random? Once you’ve generated enough random goodness, hit the Format button.

screenshot.10

Once the format process is complete, you’ll be returned to the original VeraCrypt interface. Your volume is now a single file wherever you parked it and ready to be mounted by VeraCrypt.

How to Mount an Encrypted Volume

Click the “Select File” button in VeraCrypt’s main window and navigate to the directory where you stashed your VeraCrypt container. Because we’re extraordinarily sneaky, our file is in D:\mysecretfiles. Nobody will ever think to look there.

Once the file is selected, pick from one of the available drives in the box above. We selected J. Click Mount.

screenshot.11

Enter your password and click OK.

screenshot.12

Let’s go take a look at My Computer and see if our encrypted volume was successfully mounted as a drive…

screenshot.13

Success! One 5GB volume of sweet encrypted goodness, just like the kind mom used to make. You can now open the volume and pack it full of all the files you’ve been meaning to keep from prying eyes.

Don’t forget to securely wipe the files once you’ve copied them into the encrypted volume. Regular file system storage is insecure and traces of the files you’ve encrypted will remain behind on the unencrypted disk unless you properly wipe the space. Also, don’t forget to pull up the VeraCrypt interface and “Dismount” the encrypted volume when you aren’t actively using it.

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.


Whitson Gordon is a writer, Windows geek, PC builder, metalhead, chopstick-using potato chip eater, and Midwest-to-Southern California transplant. You can follow his nerdy exploits on Twitter and Facebook.

  • Published 03/13/12

Comments (19)

  1. Huseyin

    Excellent write up. Next, incorporate dropbox/sugarsync, etc..

  2. Jay

    Great article!!! thanks so much guys!

  3. Josh B.

    Hear Hear… now, how about how to encrypt an entire bootable drive in linux?

  4. shekharshekhar3

    Thank you very much. On this site I always find good detailed articles from beginner’s point of view. Going step by step and on each step right suggestion is what a newbie looks for. How To Geek Is the best.

  5. darylgriffiths

    How about a How-To for securely sending a file/files (by email or CD/USB stick) to someone who doesn’t have Truecrypt installed AND have it autorun and unencrypt when the correct password is entered – as the recipient is not particularly computer literate?

  6. Banyu

    TrueCrypt another method to hide porn files

  7. Marg

    Once I install TrueCrypt with Admin privileges can a limited-privilege/guest account run it? My supervisor is convinced this can be done but in all my testing I’m finding it impossible..

  8. Colin

    Only problem with TrueCrypt: You can delete the container that the files are in, it doesn’t matter if they are protected or not they can still be deleted.

  9. bob

    Great read. thank you HTG.
    Can you please write about TrueCrypt and Dropbox combo article.
    I’m trying to find a way to use truecrypt on my dropbox.

    thank you,

    Bob.

  10. moin sayed

    Thanks

  11. robert

    Good to know the Guide to Getting Started with TrueCrypt.

  12. Benoît

    I’ve been using truecrypt for a while and I’m really happy with the results!! Good post.

  13. Benoît

    Forgot to mention that the software is running smoothly on Linux!

  14. Arland

    Does truecrypt format the contents on the host device or only the folder or container (you’ve mentioned)?

  15. jonrichco

    Truecrypt works well. It does annoy me telling me every time I create a container that short passwords are bad. I think that my 8 character password, with different character types is 99.99% ok if not more. HTG could maybe explain why a 20 character password is needed. Can you set up a brute force password cracker in TC as you can for MS Office password protected files? Even if possible, it would take 2287 years to break a 96 charset 8 character password at 100,000 passwords per second (http://lastbit.com/psw.asp). So why do HTG and TA want me to waste my time typing a 20 character password?

  16. Jehanne

    Be sure to disable the Firewire port on your PC and all autoplay options. Choose a 30+ length passphrase consisting of upper and lower case letters, numbers and some “special characters” atop the number keys. Also, create a FAT32 (to prevent journaling) hidden file container (even if you are using system encryption) which uses triple cascading encryption along with several obscure keyring files on your PC’s hard drive which you should use with your hidden file container.

  17. BSquared

    Thanks for the great write up! Would you use the above instructions to create an encrypted container on a USB flash drive?

  18. ITJoe

    Great article! Thanks!

    In response to jonrichco:

    Check out this CNN article:
    http://articles.cnn.com/2010-08-20/tech/super.passwords_1_passwords-character-websites?_s=PM:TECH

    and (if you’re interested) the original article from GTRI:
    http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

    I work IT for a law firm and needed this info for whiny users who didn’t want to have to change their password from their initials to a 12 char complex password (at least one each upper, lower, number, and symbol). The preceding articles are soon two years old. If anyone can find an article with newer research, I would love to read it!

    Thanks,
    Joe

  19. Graham

    A 12-character alphanumeric password being attacked with smart bruteforce involving sequence frequency prioritising will have about 50 effective bits of entropy. That amounts to an average 420,000,000,000,000 tested passwords before it gets cracked. A reasonable scale attack using several high-end GPU-assisted cracking machines could test 1,000,000,000 passwords per second, so that’s 420,000 seconds – less than 5 days.

    Every time you add a character, you multiply the cracking length by about 20.
