Lvl 3 Protection
VeraCrypt Volume with Cascade/Single Encryption (password + keyfile)
This third level of protection adds one or more keyfiles to the cascade encryption of Lvl 2 to make it even harder for brute-force attacks to crack the encryption. With Lvl 3 protection, the volume can be mounted only if you can provide the location of the keyfile along with the correct password. The keyfile can be copied and/or moved to a different location, but it cannot be modified in any way; otherwise VeraCrypt will be unable to mount the volume.
ADVANTAGES:
- Hard to brute force (like Lvl 2).
- Low-to-Medium probability of losing access to your data.
- The volume is impossible to open without the keyfile(s).
RISKS:
- Your data is lost if you lose your password.
- Your data is lost if you lose your keyfile(s).
- Your data is lost if you modify your keyfile(s).
IMPORTANT: To reduce the risk of data loss, please consider having a copy or backup of your keyfile(s) available somewhere safe.
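The following is an added example, not part of the original guide: a small Python check that records a SHA-256 fingerprint of the keyfile right after it is created and later confirms that every copy or backup is still byte-for-byte identical. The file names and the 64-byte random stand-in for the keyfile are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """Return the SHA-256 of the file's exact bytes, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_copies(reference: str, copies: list) -> dict:
    """Classify each keyfile copy (by full path) as 'ok', 'modified' or 'missing'."""
    status = {}
    for copy in copies:
        if not copy.is_file():
            status[str(copy)] = "missing"    # lost copy: the risk of losing the keyfile
        elif fingerprint(copy) == reference:
            status[str(copy)] = "ok"         # identical bytes: still usable as the keyfile
        else:
            status[str(copy)] = "modified"   # any changed byte: no longer the same keyfile
    return status


def demo() -> dict:
    """Constructed scenario: an intact backup, an edited copy and a lost copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = root / "notes_2019.txt"    # hypothetical keyfile name
        original.write_bytes(os.urandom(64))  # stand-in for a generated random keyfile
        reference = fingerprint(original)     # record this right after creation
        backup = root / "backup.txt"
        backup.write_bytes(original.read_bytes())          # byte-for-byte copy
        edited = root / "edited.txt"
        edited.write_bytes(original.read_bytes() + b"\n")  # an editor appended a newline
        lost = root / "usb_copy.txt"                       # never written: a lost USB stick
        result = check_copies(reference, [backup, edited, lost])
        return {Path(p).name: s for p, s in result.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Keep the recorded fingerprint together with the backup rather than next to the volume, because it identifies which file is the keyfile.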
Creating a VeraCrypt Volume with cascade encryption and Keyfiles attached
- Open VeraCrypt and click on the Create Volume button (red box).
- Select the option Create an encrypted file container (red box), then click on Next (red box).
- Select Standard VeraCrypt volume in the next window. Click Next to move to the next window.
- Now you can choose the name of the volume you are about to create and the location where it will be stored. Click on Select File and navigate to where you want your volume to be stored. WARNING: Please keep in mind that selecting an existing file will DELETE it and create a new file (your volume) with the same name!! (blue box).
- Make sure to select VeraCrypt Volumes (*.hc) in the option Save as type, then click Save. If you wish to hide the fact that the new file is a VeraCrypt volume, leave the Save as type option as it is.
- The path to your new volume should now appear in the box underlined in blue. Click Next to move to the next window.
- Now you have to select the type of encryption you want for your volume. To create a cascade encryption for your volume, select AES(Twofish(Serpent)) as underlined in blue. Should you wish to know more about how the encryption scheme works, please consult the VeraCrypt manual. The Hash Algorithm you want is also shown in the picture and underlined in blue. Click Next if you do not wish to change anything here. NOTE: Since you chose to go a step further than the Lvl 2 protection, this manual assumes that you would like to add the keyfiles on top of the cascade encryption provided at Lvl 2. The guide shows how to do so from here on. Should you want to use keyfiles with a single encryption, that is also possible by selecting AES in the Encryption Algorithm section instead of AES(Twofish(Serpent)). The advantage of single encryption over cascade encryption is that encrypting and decrypting are significantly faster.
- You now have to decide how much space you require to store your data. Write the number in the upper red box and make sure that you have the correct unit (KB, MB, GB, TB). Pick a reasonable size that you know you won’t be able to fill when you have collected and analyzed your sample. Click Next to move to the next screen.
- Before you choose the password for your volume, select Use keyfiles (red underlined) and click Keyfiles… (red box) as shown in the image.
- VeraCrypt will now open the keyfiles window. Here you can select an existing file to use as a keyfile or let VeraCrypt generate a keyfile. We suggest you let VeraCrypt generate a keyfile for convenience. Read and remember the warning in the blue box! There’s a brief explanation of what a keyfile can be in the yellow box. Click the button in the red box to generate your new random keyfile.
- The Mixing PRF (red underlined) can be left as the default choice, but remember to move your mouse randomly until the entire lower bar is filled (blue underlined). You can also set the file size to random (yellow box, not necessary but recommended) and provide a base name for your keyfile in the blue box. When ready, click the red box to be prompted to indicate where you would like to store your keyfile.
- Navigate to where you would like to store your keyfile, then select Ok. Warning: DO NOT store your keyfile in the same directory as the VeraCrypt volume. It should be somewhere else to make it hard to find. Using a USB-stick is also an option, but keep in mind that if you lose it, you won’t be able to mount the encrypted volume anymore. Another important point is to NOT NAME your keyfile with the word ‘keyfile’ or the name of the VeraCrypt volume it opens. Also be sure to add an extension like ‘.txt’ to make it even more ambiguous.
- If VeraCrypt managed to create the keyfile without error, it will display “Keyfiles have been successfully created”. Click Ok, then Close in the top right corner to continue your creation of the VeraCrypt volume.
- Now that the random keyfile is generated, you need to add it to the list of keyfiles. Click Add Files (red box) to open the next window.
- Navigate to where you stored your keyfile and select it. After having done so, the path of the keyfile should be displayed as underlined in red in the picture. If you want, you can add multiple keyfiles to a volume. When you are done selecting the keyfile(s), click the Ok button to go back to the volume creation with the new keyfile(s) assigned. N.B.: A keyfile can be moved or copied to another location. DO NOT MODIFY THE KEYFILE! Modifying it will prevent VeraCrypt from mounting your volume!
- You now need to choose the password for your volume. Keep Use keyfiles selected, read the instructions in the blue box and choose the password accordingly, then click Next at the bottom of the window.
- Should you choose a password that is considered weak, VeraCrypt will prompt you to confirm that you wish to proceed. You can then go back by selecting No and choose a stronger password.
- The next window will ask you to move the mouse inside it in a random pattern in order to make the encryption as hard as possible to crack. We advise you to fill the bar in the blue box fully before proceeding by clicking Format.
- VeraCrypt is now going to create the encrypted volume. Keep in mind that, depending on the size you chose and your machine's specifications, this will take some time. Once again, select No when prompted by VeraCrypt to disable Windows Fast Startup. We will discuss later how to avoid problems when using VeraCrypt while this feature is enabled.
- Once VeraCrypt is done with the volume creation, this message will appear. Click Ok to finish creating the volume.
- VeraCrypt will now ask you if you wish to create a new volume. If so, select Next (blue box) and repeat the procedure, otherwise select Exit (red box).