VeraCrypt Simplified User Manual for RUG employees
Introduction
This is a simplified version of the VeraCrypt user manual created by the DCC using a Windows 10 system and is meant to guide the user through the installation of VeraCrypt, help decide what level of security is needed, and provide an easy to use, step-by-step diagram on how to obtain said security. Should there be any doubt on how to create an encrypted volume or how to manage it, please contact us at dcc@rug.nl.
IMPORTANT: Please note that VeraCrypt provides a level of security that is determined by the user’s behavior as much as by the program itself.
Read through the guide carefully and take note of what kind of behavior should be avoided or followed.
- DO NOT leave your machine unattended (especially when a VeraCrypt volume is mounted),
- DO NOT cache your passwords or keyfiles needed to mount a VeraCrypt volume, and
- FOLLOW THE GUIDELINES provided in this manual or the original VeraCrypt manual to the letter. You can find the original manual here: https://www.veracrypt.fr/en/Documentation.html
Should you decide not to do so, VeraCrypt cannot guarantee the security of your data (nor can the DCC).
Throughout this manual, we will assume that you are going to install VeraCrypt on a Windows machine. There are versions of VeraCrypt available for Linux and MacOS as well, but they are beyond the scope of this guide. Should you want to install VeraCrypt on Linux or MacOS, please refer to the original VeraCrypt manual for more information. If you still have questions, contact us at dcc@rug.nl.
What can you expect from VeraCrypt?
VeraCrypt is able to provide both encrypted volumes as well as encrypted operating systems. The idea behind such tools is to make it impossible to determine what data is stored in the volume/system and how big the data volume is. In order to do so, however, VeraCrypt needs the user to follow some basic conduct rules in order to prevent potential attackers from guessing the hidden information.
VeraCrypt also allows you to create a hidden volume/system inside a decoy volume/system in order to hide information from an attacker, should they have managed to get access to your password/machine. This procedure requires assistance from the DCC, as there are some risks to take into account when setting this up.
The way VeraCrypt encrypts and decrypts data is explained in detail in its manual. The short version of it is that the encrypted volume appears to contain random data and is inaccessible until the user provides a password and the volume is mounted by VeraCrypt. The data contained in the volume is decrypted on the fly by VeraCrypt and stored in your RAM. This prevents sensitive data from ever being written to disk, where it might be left unprotected should anyone gain access to your machine.
How to make sure the VeraCrypt installation file is legitimate
Go to the VeraCrypt website (https://www.veracrypt.fr/en/Downloads.html) to download the Windows installer. Since you will be securing sensitive data, VeraCrypt points out that an attacker might have found a way to modify or replace the installer in order to gain access to your data. It is thus good practice to verify if the installer is legitimate or not. To do so, you want to verify the digital signature of the installer by following these steps:
- Download the .exe installer.
- After having downloaded the installer, right-click the VeraCrypt Setup[...].exe file and select Properties from the context menu.
- In Properties, select the Digital Signatures tab.
- In Digital Signatures, under Signature list, double-click the line saying IDRIX or IDRIX SARL.
- The Digital Signature Details dialog window should appear. Look for the sentence “This digital signature is OK.” on the top of the dialog window. If the sentence is not displayed, then the file is very likely corrupted.
IMPORTANT: On some older, obsolete versions of Windows, some of the necessary certificates are missing, which is the reason the signature verification fails. Please consider using up-to-date versions of Windows.
For more information on this or a different way of verifying the digital signature of the installer, refer to the “Digital Signatures” section in the VeraCrypt manual.
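The same check can be done from a PowerShell window instead of the Properties dialog. The following is an added example, not part of the original manual or of the VeraCrypt documentation; the function name Test-InstallerSignature and the file path in the usage comment are assumptions, and the expected signer name is the one listed in the steps above.

```powershell
# Added example: verify the Authenticode signature of the downloaded installer.
# Test-InstallerSignature is a hypothetical helper name, not a built-in cmdlet.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer shown in the Signature list according to this manual (IDRIX or IDRIX SARL).
        [string] $ExpectedSigner = 'IDRIX'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Common name of the signing certificate; empty when the file is unsigned.
    $signer = ''
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # Status 'Valid' corresponds to "This digital signature is OK." in the dialog.
    $reason = switch ($sig.Status) {
        'Valid'        { 'Signature is intact and chains to a trusted root.' }
        'NotSigned'    { 'File carries no signature; do not run it.' }
        'HashMismatch' { 'File was changed after signing; download it again.' }
        default        { "Verification failed: $($sig.StatusMessage)" }  # e.g. missing certificates on old Windows
    }

    [pscustomobject]@{
        File          = (Resolve-Path -LiteralPath $Path).Path
        Status        = $sig.Status
        Signer        = $signer
        SignerMatches = $signer -like "$ExpectedSigner*"
        Reason        = $reason
        # Only treat the installer as legitimate when both checks pass.
        Trusted       = ($sig.Status -eq 'Valid') -and ($signer -like "$ExpectedSigner*")
    }
}

# Usage (the path is an assumption; point it at your own download):
# Get-ChildItem "$env:USERPROFILE\Downloads\VeraCrypt Setup*.exe" |
#     ForEach-Object { Test-InstallerSignature -Path $_.FullName }
```

Only run the installer when Trusted is True. A valid signature from a different signer is as much a reason to stop as a missing or broken one.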
VeraCrypt Installation
- Launch the VeraCrypt Setup.exe file.
- Select your preferred language. Keep in mind that this manual is written in English for the English version of VeraCrypt.
- Carefully read and accept the VeraCrypt License Agreement. NB: The license states among other things that the user is responsible for the data and the correct working of the software.
- This installation procedure expects you to want to install VeraCrypt on your machine. Should you want/need to have it in portable mode (in order to not provide hints that you are storing encrypted data on your machine), please consult with the DCC (dcc@rug.nl).
- Follow the installation instructions in the pictures below:
Unselect the Install for all users option (underlined in blue) if you would like to only have it available for one user, but we don’t recommend you do so.
Click Finish (red box) and select NO for all options prompted by the installer. Should you need to adapt your Windows configuration for VeraCrypt, you will do so with assistance from an expert (as it is required mainly for System Encryption).
Security Requirements and Precautions
IMPORTANT: Please take into account that you can use VeraCrypt yourself up to what we call Lvl 3 Protection without the risk of losing important data or access to your system. As long as you follow the encryption guide provided here and are careful about the things we warn you about, you should not need assistance in setting this up.
From Lvl 4 Protection onwards, we suggest that you talk to someone at the DCC for assistance. These higher levels of protection ensure that your data is harder to find and leaves fewer traces, but they also carry the risk of losing data by overwriting it or losing access to your operating system, IF THEY ARE SET UP INCORRECTLY. You will also have to be told about clear practices that you need to follow in order to ensure plausible deniability and the best level of protection.
In our consultation with you we have advised you on a level of protection that is ultimately just a suggestion. You can decide to get higher protection for your data, of course. Be aware, once again, that in getting a higher protection level the risk you face shifts from data leakage to actual data loss. We would ask that you follow our guidelines unless you really need a higher level of protection for your data, in which case you should request a follow up consultation with us.
In order for VeraCrypt to provide effective security, the user needs to be aware of and follow a number of guidelines that are listed here in short form and in their entirety in the VeraCrypt manual. Please refer to the VeraCrypt manual (pp.90-99 in the pdf or the Security requirements and precautions section of the online documentation) for a more detailed explanation.
Before we go into detail, there are four golden rules you want to follow:
- Mount your VeraCrypt volumes only when you work with them. Once you are done, make sure you dismount your volume(s). If you do not require a specific volume to be mounted, never mount it in the first place.
- Always lock your machine when you are not working with it. If you are about to leave your machine unattended for more than ~5 min (bathroom break, quick coffee grab, etc.), dismount EVERY VeraCrypt volume and mount them again when you come back.
- Never take sensitive data out of the VeraCrypt volume. If you have to copy or create a new file, make sure that you move files or create them in a VeraCrypt volume. Files taken or created outside of the volume might leave traces of information on unencrypted parts of Windows.
- When you are done working with a VeraCrypt volume, always dismount it, turn off your machine, and leave it turned off for a few minutes. If you have to continue working on non-sensitive data later, you can safely resume your work after the computer has been shut off for said period of time. This is to ensure that information on the VeraCrypt volume doesn’t stay stored in RAM.
Hereafter are some practical steps you should take to ensure that information on your data or the VeraCrypt volume does not accidentally get left unencrypted.
Your Protection Level
Based on the recommendation you received from the DCC or on what you would like to have for your encryption level, you can follow the links below to set up your VeraCrypt volume.
IMPORTANT: Please keep in mind when deciding on your Protection level that higher encryption does not always mean higher data safety. Depending on the encryption you choose, you might need to follow certain guidelines to secure your data. If you're uncertain, please contact the DCC (dcc@rug.nl).
Lvl 1 Protection (single encryption)
How to use a VeraCrypt Volume
- In order to use a VeraCrypt volume, you need to first mount it. Open VeraCrypt and choose the drive you would like the volume to be mounted on. Keep in mind that you can only assign the volume to an unused drive. Good choices for this drive are the letters M:, N:, O:, or P: (red box), as Windows will most likely not be using them. In any case, the list of drives VeraCrypt offers to mount your volume on consists of only unused drives, so you should not run into any conflict when mounting.
- Click Select File and navigate to the location of your VeraCrypt volume. Select the volume and make sure that the path is displayed like in the example (blue underlined). Then click Mount.
- VeraCrypt is now going to ask you for the password to your volume. Leave the PKCS-5 PRF section on autodetect (blue underlined). Make sure to insert the password correctly, then click Ok. If you used keyfiles to encrypt your volume (Lvl 3 Protection), be sure to select Use keyfiles and navigate to where the keyfiles are located (purple cross and box). We recommend you DO NOT CACHE your password and keyfiles (leave the yellow underlined box unchecked).
- If your password was correct and the mounting is successful, you will now see the blue highlighted text in the VeraCrypt Window.
- To use your mounted volume, simply navigate to the My Computer/My PC/This PC section of the Windows File Explorer and double-click the drive letter assigned to your VeraCrypt volume (red box). After it opens, you can treat it as any other Windows drive. Here you can also see the size of the volume and the free space remaining.
- The VeraCrypt volume you mounted functions exactly as a normal Windows drive. You can open files situated in it, navigate the file system in the volume, copy files from outside into the volume or create files directly in the volume. An important note on how to use the volume is that internal files that you would like to keep encrypted should never be taken out of the volume. Whatever you need to do to the files, it should happen inside the volume. If this is not done, then information on the files you have stored in the volume might be recorded and kept by Windows on unencrypted parts of your system. NOTE: Files that you generated outside of the volume, but that you then encrypted, need to be securely deleted. You can look up the VeraCrypt manual for more information on how to do so.
- To dismount your volume when you are done using it, simply select it in the VeraCrypt window and click Dismount. Dismounting your volume every time you are finished using it will ensure that data stored inside the volume will not be kept stored in RAM when you shut down your computer. We also advise keeping your computer running for a few minutes before turning it off, to allow for the RAM to clear. WARNING: Simply exiting the VeraCrypt window does NOT DISMOUNT the volume!
How to change your password
As good practice when it comes to protecting your data, it is a good idea to change your password about every 6 months. This is important not only for shorter or weaker passwords, but also for strong ones. You might also want to change your password when you suspect someone might have gained access to your current password. No matter which case applies to you, this short section is going to show you how to change your password to a VeraCrypt volume.
- Select the volume you wish to modify by clicking Select File..., then click on Volume Tools... as shown in the figure.
- A drop-down menu will appear. Select Change Volume Password...
- A new window will open, asking you to input the old password, then the new one. You can leave the values in the blue box unchanged. Please note that the OK button will not activate until you have input the old password and twice the new one in the provided fields. Should the new password not be the same in both fields, then the OK button will also not activate. This will ensure that the change in password is correct and that you have not made any typing mistake when inputting the new password.
- Last but not least, VeraCrypt will ask you to create randomness before setting the new password. As in the steps you took before when creating a VeraCrypt volume, please make sure to fill the green bar before clicking Continue.
IMPORTANT: If you have separate backups of a VeraCrypt volume, you need to change the password on all of them. If you don't, some of the versions of the volume will still require the old password to decrypt.