Tag Archives: VeraCrypt

VeraCrypt On The Command Line for Windows


This is part of my ongoing series on the VeraCrypt encryption utility. If you’ve not kept up, in my first post of the series, “VeraCrypt – A Powerful Encryption Utility“, I covered the basics of VeraCrypt including how to get it, use it through the GUI, and how the series was inspired by the Grumpy Old Bens podcast.

In the second post, “Creating and Using Hidden Containers in VeraCrypt“, I covered how to create a hidden container, adding an extra level of security to your containers.

My previous post, “VeraCrypt on the Command Line for macOS“, showed how to call VeraCrypt from within a script on the macOS platform.

The commands to call VeraCrypt from the command line are very different for each platform, As such, I’ve broken them out into individual blog posts.

In this entry you’ll see how to call VeraCrypt on Windows 10.


Obviously, you’ll need to have VeraCrypt installed. My first post in the series, “VeraCrypt – A Powerful Encryption Utility“, covers where to get it from.

For this post, we’ll also be using the CMD mode to execute the commands. Do note that on most installations of Windows these days, PowerShell has replaced CMD as the default terminal shell. If you open up a command window and see PowerShell, all you have to do is type in CMD and it enter, and you’ll be switched to CMD mode.

Code Samples

While I will be providing samples here, you should also check out the project I have on GitHub that goes with this post, VeraCrypt-CommandLine-Examples.

I’ll update it over time as needed, and it may be easier for you to download, or cut and paste from it.

One item I want to mention, unlike the macOS version, the Windows version of VeraCrypt lacks the ability to list containers. So for this post we’ll only be able to include creation, mounting and dismounting of containers.

OK, let’s get started!

Creating a Container

Let’s begin by looking at the full command to create a container, then we will break it down to it’s individual components. While your blog reader or webpage may wrap the line, in your script (or command line) it should all be entered as a single line of text.

"C:\Program Files\VeraCrypt\VeraCrypt Format.exe" /create "C:\temp\vctest.vc" /size "200M" /password MySuperSecurePassword1! /encryption AES /hash sha-512 /filesystem exfat /pim 0 /silent

First up is the command to call. If you installed VeraCrypt to the default folder, you’ll find it in C:\Program Files\VeraCrypt\

The command to create a new volume is actually a separate executable than the rest of VeraCrypt. It is “VeraCrypt Format.exe

Note there is indeed a space in the file name! Thus you have to enclose the entire thing in double quotes.

"C:\Program Files\VeraCrypt\VeraCrypt Format.exe"

Next is the command to create a volume, /create. You follow it with the path and file name to create. If you omit the path it will create the volume in the current directory you are running the script from.

As with all file names, if it has a space you must include double quotes. Otherwise they are optional, but it doesn’t hurt to have them.

/create "C:\temp\vctest.vc"

We now need to tell VeraCrypt how big to make the volume. VeraCrypt includes shortcuts for M (Megabytes), G (Gigabytes), T (Terabytes) and
K (Kilobytes). If you omit a letter, it assumes bytes.

For this demo we are making it small, so will use 200M to indicate 200 Megabytes.

/size "200M"

Next up is the password to use to encrypt the volume. In a “real world” situation, you should probably pass it into the script or get it using an alternate method.

To keep this demo simple, I’m just going to embed the password using the “super secure” password I’ve used throughout this series of blog posts.

As with file names, if your password has spaces you’ll need to enclose it in double quotes.

/password MySuperSecurePassword1!

Now we need to provide the encryption algorithm to use. VeraCrypt supports a vast array of algorithms, see their documentation for the supported list.

For this demo, we’ll use the popular AES.

/encryption AES

Many algorithms require you to provide an encryption hashing method. For AES, we’ll use the strong SHA-512.

/hash sha-512

In order to keep this container portable across OS’s we’ll format using exfat. Be aware though that to use exfat on a Mac, you’ll have to install macFUSE (see my previous post on macOS for more info).

/filesystem exfat

The PIM is a special number that allows you to specify the number of times the hashing algorithm executes. It’s a bit more complex than that, if you want full details see the VeraCrypt documentation at:


For now, we can pass it the value of 0, which tells it to use the default value.

/pim 0

The final parameter is /silent. By default VeraCrypt will display dialogs notifying you of its progress, as well as when it is complete.

In a scripting situation you would normally not want this, so we add the silent switch to suppress the messages.

Note this does have one side affect, if there are any errors those too are also suppressed, so you won’t be aware of them. The most common of these would be the attempt to create a volume name that already exists.


You now have everything you need to create a VeraCrypt volume. Note that there is one more parameter that we didn’t use in the example, but you may want to know about.


Normally, if you are trying to create a new volume and that file already exists, VeraCrypt will pop up a dialog (assuming you’ve not used /silent) warning you the volume you are trying to create already exists. It will then give you the choice of canceling or overwriting the existing file.

The /force parameter suppresses the message and always overwrites the file.

So hopefully you’ve now created your own volume using the commands in this section. Let’s now see how to mount it.

Mounting a VeraCrypt Volume

Mounting is very simple, here is the full command, then we’ll take a look at each part. As before, it should be all a single line.

"C:\Program Files\VeraCrypt\VeraCrypt.exe" /volume "C:\temp\vctest.vc" /letter x /password MySuperSecurePassword1! /quit /silent

We start with the command to VeraCrypt. This assumes you have installed to the default folder.

"C:\Program Files\VeraCrypt\VeraCrypt.exe"

Next we provide the /volume parameter, with the path to and the file name of the file to mount.

/volume "C:\temp\vctest.vc"

Volumes in VeraCrypt appear as a drive letter to Windows. As such we need to provide a letter to use. Note if you use a drive letter
already in use, you’ll get an error.

The letter can be provided in either or upper or lower case.

If you don’t know a drive letter, or don’t care what letter is used, then you can omit this parameter completely. When you do, VeraCrypt will use the first available drive letter it finds.

/letter x

Next up is the password to use to encrypt the volume. In a “real world” situation, you should probably pass it into the script, or get it using an alternate method.

To keep this demo simple, I’m just going to embed the password using the “super secure” password I’ve used throughout this series of blog posts.

As with file names, if your password has spaces you’ll need to enclose it in double quotes.

/password MySuperSecurePassword1!

Next we provide the quit parameter. By default, if you omit it then the VeraCrypt dialog will remain on the screen. Using quit will close the
VeraCrypt dialog, something usually desired if you are running a script.


Finally we’ll add the /silent parameter. This has the same affect as it did in the create function, suppressing any dialogs. Be aware, that for /silent to work, you must also have used the /quit parameter.


At this point hopefully all went well, and you have created a volume as well as mounted it. Once you are done with a volume, you’ll need to dismount it, the subject of the next section.

Dismounting VeraCrypt Volumes

The command to dismount a volume is the simplest of all.

"C:\Program Files\VeraCrypt\VeraCrypt.exe" /dismount H /quit /silent /force

Let’s look at the individual components of the command.

We start with the command to VeraCrypt. This assumes you have installed to the default folder.

"C:\Program Files\VeraCrypt\VeraCrypt.exe"

Next is the dismount parameter. You pass in the drive letter associated with the volume to dismount. As with mounting, the case of the drive letter does not matter.

If you omit the drive letter, VeraCrypt will dismount ALL currently mounted volumes.

/dismount X

We now provide the quit parameter. By default, if you omit it then the VeraCrypt dialog will remain on the screen. Using quit will close the
VeraCrypt dialog, something usually desired if you are running a script.


Now we append the /silent parameter, to suppress any dialogs as we did in the previous sections. As with mounting, for /silent to work we must also include /quit.


Finally we provide the force parameter. If some app is accessing the volume, for example Windows File Explorer, it will prevent VeraCrypt from dismounting.

The force parameter tells VeraCrypt to shut down, no matter what. Your inclusion of force is up to you, depending on your situation.

For the demo, we’ll include it.


And that’s all there is to it. It’s a best practice to dismount all of your volumes when you are done with them, and especially before shutting down your computer.

This will ensure any operations that are copying data to your encrypted volume have completed, ensuring the data does not get corrupted.


This post covered how to create, mount and dismount VeraCrypt volumes in Windows 10. The technique should also be applicable to Windows 7 and 8, if you are still on those platforms.

VeraCrypt on the Command Line for macOS


Automation is the key to success, especially in the DevOps world. In addition, security is an ever increasing need in today’s world of hacks and ransomware.

In my last two posts I showed how to use the encryption utility, VeraCrypt, to create encrypted containers and drives to securely store data. In this, and the next two posts, we’ll see how we can automate VeraCrypt from the command line.

We’ll cover the basics. Creating a container, mounting a container (aka volume), getting a list of mounted volumes, and finally dismounting your volumes.

As it turns out, the command line syntax is a bit different for all the major operating systems. In this post we’ll focus on macOS, in the next two posts we’ll cover Windows and Linux.


Naturally, you’ll have to have VeraCrypt installed. You can find out more in my first post of the series, VeraCrypt – A Powerful Encryption Utility.

The next requirement applies to macOS. In order for macOS to be able to read the variety of filesystems VeraCrypt supports, you need to install a free utility, macFUSE.

It’s free, fast to install and takes very little in the way of system resources. It’s compatible with macOS BigSur and Catalina, and probably older versions too, check their site if you have that need.

Code Samples

While I will be providing samples here, you should also check out the project I have on GitHub that goes with this post, VeraCrypt-CommandLine-Examples.

I’ll update it over time as needed, and it may be easier for you to download, or cut and paste from it.

OK, let’s get started!

Creating a Container

First off, let’s look at the long line of code needed to create a container. Please note that while your blog reader may wrap the command below, it should be one line in your shell script.

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --create "/Users/arcanecode/Documents/temp/vctest.vc" --size "200M" --password MySuperSecurePassword1! --volume-type normal --encryption AES --hash sha-512 --filesystem exfat --pim 0 --keyfiles "" --random-source /Users/arcanecode/Documents/temp/randomdata.txt

OK, that’s a bit hard to read, so let me break it out into each part below.

The first item is the path to the VeraCrypt application, assuming you installed it in the default location.


The --text parameter says we want to use VeraCrypt in text mode, not GUI. Note, the –text parameter must be the FIRST parameter you pass in, or it will not work.


We next tell VeraCrypt we want to create a new file container, and where it is to be stored at. For this demo, I’ve created a temp folder in my Documents directory.

You’ll want to change this to the location where you store your volumes. In addition, you’ll also want to change the user folder from arcanecode to your username.

--create "/Users/arcanecode/Documents/temp/vctest.vc"

Next we indicate how big we want our container to be. If you just list a number, VeraCrypt assumes you mean bytes, but you can also affix M for megabytes, G gigabytes, K kilobytes, and so on.

Here I’m going to keep it small for demo purposes and use 200 megabytes.

--size "200M"

Now we provide our password. Normally you would not want to hard code it, but rather pass it into your script as a parameter.

I wanted to keep this demo simple though, and focus on VeraCrypt so I’ve just hard coded it I’m using the same “super secure” password I’ve used in my last few posts.

--password MySuperSecurePassword1!

Next is the volume type, normal or hidden. My previous blog post talks about hidden types, and if you are going to do a hidden volume I would suggest using the GUI in order to assure it is done right.

For this demo we’ll go with a normal volume

--volume-type normal

Now we pick the encryption type. There are quite a few, so refer to the VeraCrypt documentation for a full list. Here we’re using AES.

--encryption AES

Next up, for the encryption method we picked it needs to know the hashing algorithm. For AES I suggest SHA-512.

--hash sha-512

In order to keep this container portable across other OS’s (Windows and Linux) we’ll format using exfat. Be aware though that to use exfat on a Mac, you’ll have to install macFUSE (see the prerequisites section above.)

--filesystem exfat

The PIM is a special number that allows you to specify the number of times hashing algorithm executes. It’s a bit more complex than that, if you want full details see the VeraCrypt documentation.

For now, we can pass it the value of 0 (zero), which tells it to use the default value for the PIM.

--pim 0

You can mount a volume in VeraCrypt using a keyfile, as opposed to a password. We’ve not done that here, so we’ll just pass in an empty string to indicate we won’t use a keyfile.

--keyfiles ""

As a final parameter, you need to provide random data for VeraCrypt to use when generating its hashes. It needs at least 320 characters, but you can give more.

I’ve provided a sample one as part of this demo (see the GitHub code samples), I just randomly smacked keys on my keyboard with my eyes closed. I’d suggest creating one of your own for production, but for just testing and learning (I’m assuming you’ll throw away the vault when you are done) then the one here will be OK.

--random-source /Users/arcanecode/Documents/temp/randomdata.txt

OK, that’s everything you need to create a volume. Now that it’s created, let’s mount it.

Mounting a VeraCrypt Volume

Here is the full command line to mount. (As before, it should be on a single line, ignore any wrapping done by your browser).

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --mount "/Users/arcanecode/Documents/temp/vctest.vc" /Volumes/vctest --password MySuperSecurePassword1! --pim 0 --keyfiles "" --protect-hidden no --slot 1 --verbose

Let’s start breaking it down. First, as before, is the full path to the VeraCrypt app.


As with all of these commands, the --text parameter must come first to let VeraCrypt know we want to use text mode and not the GUI


The mount parameter actually has two values that need to be passed in.

First we pass in the name of the file to mount.

Second we need to provide a mount point. This will let macOS treat it like any other drive you might plug in.

In macOS, use /Volumes then add on a name. For simplicity I usually use the name of the file (without any extension), but it doesn’t have to be.

In reality though, it doesn’t make a real difference as macOS overrides the name you provide, and instead uses “Untitled”, “Untitled 2”, and so on.

--mount "/Users/arcanecode/Documents/temp/vctest.vc" /Volumes/vctest

Next is our “super secure” password. If your password has spaces, you’ll need to wrap this in double quote marks.

--password MySuperSecurePassword1!

If you overrode the default PIM when creating your volume, you’ll need to provide it. Otherwise, we can pass it the value of 0 (zero), which tells it to use the default value

--pim 0

If you created your volume using a keyfile or files, provide them here. Otherwise, you can just pass in an empty string to indicate no keyfile is needed.

--keyfiles ""

If this volume contained a hidden volume, you would need to let VeraCrypt know by using a value of yes, plus some other parameters.

In this case there is no hidden partition in our volume, so we can just give a value of no.

--protect-hidden no

Slot is an optional parameter. If you look at the VeraCrypt GUI in macOS, down the left side are a series of slot numbers. If you omit this parameter, VeraCrypt will mount in the first empty slot.

However you can specify a slot, which can be useful if you want to make sure certain volumes always mount in a specific slot. You can then use the slot number when you want to dismount your volumes.

--slot 1

Verbose is also an optional parameter, but I often include it just to see what is going on under the covers. You can use it with any of the commands in this post, I just included it on this one for example purposes.

If you intend to make this into a script then I would suggest omitting it once your script is debugged and working.


OK, hopefully all is going well, and you’ve created and mounted your volume. Let’s next see how to get a list, from the command line, of all your mounted volumes.

Listing Mounted Volumes

Here’s the command line to see what is mounted on your Mac.

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --list

As with other commands you have seen, we start with the full path to the VeraCrypt application. We then use --text to let VeraCrypt know not to use the GUI.

We finish with --list, which tells VeraCrypt to display a list of all mounted containers. This will include the slot number, volume name, and mount directory.

Mom always taught me to put away my toys when I was done playing with them, so in the next section we’ll see how to unmount your volumes once you are done with them.

Dismounting VeraCrypt Volumes

There are four ways to dismount a volume. Three of them will dismount a specific volume, the final will dismount all volumes.

All ways follow the same pattern. Give the path to the VeraCrypt app, followed by the --text parameter to tell VeraCrypt not to launch the GUI.

Finally we give the --dismount to let VeraCrypt know we want to unload our volume. The value passed into the –dismount parameter varies, and will be explained below.

Method 1: Slot Number

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --dismount --slot 1

With the first method, you provide the slot number. If you mounted a volume and used the slot number parameter, for example your personal file vault is always in slot 5, then this can be an easy way to dismount.

On the other hand, if you let VeraCrypt load in the first available slot, you’ll either have to look at the GUI, or run the list command in the previous section, to learn the slot number.

Method 2: Volume Name

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --dismount "/Volumes/Untitled"

Using the volume list command or looking at the “Mount Directory” column in the GUI, you can pass in that value to unmount. Because this is typically “Untitled”, “Untitled 1” and so on, it can be of an issue trying to be reliable in unmounting the right volume.

Method 3: Volume File Name

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --dismount "/Users/arcanecode/Documents/temp/vctest.vc"

This method is the most reliable. Since you know the name of the file you mounted, you can just provide the same file name to unmount.

VeraCrypt doesn’t care what slot it is loaded into, it uses the file name to find it.

The winner – Method 3!

For the reasons above, I highly suggest Method 3 be your go to method for dismounting volumes in your scripts. It is the most reliable, and easiest to understand when looking at the scripts.

But wait, there’s more!

Dismounting ALL Volumes

There is one final method, you can dismount all of the VeraCrypt volumes you have mounted.

/Applications/VeraCrypt.app/contents/MacOS/VeraCrypt --text --dismount

If you use just the --dismount parameter, and pass in no values, then VeraCrypt will attempt to dismount ALL volumes you have loaded.

This can be a useful command to run when you’re shutting down your Mac, to ensure all volumes are properly shutdown.

If you don’t have any volumes mounted, then VeraCrypt basically shrugs it’s shoulders, does nothing, and ends.


In this post, we learned how to create, mount, and dismount VeraCrypt volumes from the command line in macOS. In addition, we also saw how to get a listing of volumes currently mounted.

In the next two posts we’ll see how to do the same things, but in Windows, then Linux.

Creating and Using Hidden Containers in VeraCrypt


In my previous post I explained the fundamentals of the powerful encryption tool, VeraCrypt. If you are not familiar with VeraCrypt, I’d suggest going back and reading it first so that this post will make some sense.

In this post I’ll cover how to use VeraCrypt’s hidden containers feature, explaining what it is for then seeing step by step screen shots on how to set it up and use it.

What Are Hidden Containers For?

Let’s say you have a Bitcoin wallet with a sizable amount of money. You travel a lot, and are concerned with someone tampering with your data.

Often times a countries border agents will want to search your computer. I’m not casting aspersions on anyone’s honesty, but you never know.

Now you could setup a standard VeraCrypt container, but what if a tech savvy person noticed it? They could demand you give up your password to the vault. At some point you would wind up giving in, giving access to data you didn’t want shared (your Bitcoin wallet). This is where hidden containers come into play.

VeraCrypt allows you to create a container inside a container. Into what VeraCrypt refers to as the “outer” container, you can place information that looks important, but in reality isn’t.

You can then create the inner or “hidden” container, giving it a different password. To anyone who inspects the outer container, there is no way to tell it contains a hidden container.

In the above scenario, you simply give up, after some fake complaining of course, the password to the outer container. You interrogator will have no way to tell there’s more in there.

When you want to get to the hidden area, you mount it using the password to your hidden container. Let’s see how to setup a hidden container, then how to use it.

Setting up a Hidden Container

Let’s start by opening VeraCrypt.

Begin the process by clicking the Create Volume button.

For this demo I’ll use an encrypted file container, but these steps will also work when you encrypt a non-system partition/drive, as we did in my previous post using a USB thumb drive.

I’m going to take the default of the encrypted file container and click the Next button.

Now we begin creating a hidden container by changing the option to Hidden VeraCrypt Volume and clicking Next.

Now we begin specifying how we’ll be creating our container. In Normal Mode it assumes we have no container. This is the most common method, and what we’ll use here.

In Direct Mode, VeraCrypt will let us add a hidden container to an already existing container. The steps are similar, although since a container already exists it will skip over the next few screens picking up where we start configuring the hidden container.

For this demo we’ll keep the default of Normal Mode and click Next.

Now we need to specify where to store the new file container. Here I just typed in C:\Temp\DemoHidden.hc and clicked Next.

Now we begin the process of configuring the Outer volume. Just click Next to proceed.

Here we’ll select the encryption method. These were discussed in the previous post, so for this demo I’ll just take the default of AES and click Next.

Now we need to specify how big to make the entire container. This will need to be big enough to hold the data we want to put in our hidden container, as well as the space to put our “fake” data we are willing to give up.

For this demo I’m making it a small 250 megabytes, just to go quickly, but you can make this any size you need.

Now we’ll enter the password for the outer container. Follow the same rules for password generation you normally would. Also keep in mind the outer and (when you create it in just a moment) hidden passwords will need to be different.

I’ve checked on the Display Password box so you can see it, and am using the same MySuperSecurePassword1! password I used in the previous post. Once the password is entered, click Next.

Now you jiggle the mouse around to generate some random data VeraCrypt can use to create the real encryption key. Keep going until the bar at the bottom goes green all the way across. Once it does, you can click Format.

When formatting is complete, VeraCrypt is ready for you to copy your fake data into it. Click on the Open Outer Volume button and a file manager for your operating system will open.

Here in Windows it’s the Windows File Explorer, on macOS it will be Finder, and on Linux it will be the file manager for your particular distro.

Once it has opened, copy some fake files you’ve prepared to put in here. Remember this should be data that looks realistic, but isn’t.

One idea might be an Excel Spreadsheet with a family budget, only with fake numbers. Another might be a text file with some realistic looking but fake credit card numbers. Again, data that looks real but isn’t so if someone takes it you won’t be hurt financially or otherwise.

For this demo I’m simply using the same pic I currently (at the time of this writing) use on my Twitter account so you can easily see what is in the outer container.

Be aware this isn’t your only chance, at the end of this post I’ll show how to open the outer container again so you can add, remove or update files in it.

Once done, close the file explorer, return to VeraCrypt and click Next.

Now VeraCrypt lets you know it’s time for configure the hidden volume. Simply click Next to proceed.

You are now asked what encryption method to use on the hidden volume. It is indeed possible to use a different encryption method for the hidden area than you did on the outer container. Doing so isn’t a bad idea, as it can make it more difficult for an advanced hacker to break in.

For this demo I’ll stick to AES, but feel free to pick something different if you wish, then click Next.

Next you need to let VeraCrypt know how much space you want to reserve for the hidden container.

VeraCrypt examines what you have in the outer area, then lets you know how much of the free space you can use for the hidden area. Typically you don’t want to max it out, so you can go update the outer area from time to time.

Here I’m going to use half of my space for the hidden area, in this case 125 megabytes. I enter that, then click Next.

It’s time to enter a password for your hidden volume. Please note, the password for the hidden volume must be different than the outer volume!

Here I will use MySuperSecurePassword2! for illustration purposes, changing the number 1 used in the outer volume to a 2. In real life this would be very easy for someone to guess, so be sure to pick a password that is wildly different from the outer one.

Next we need to format the hidden area. As usual, jiggle the mouse around until the green bar is all the way across the bottom and click Format.

When formatting is complete you are presented with the above informational message. In short, it says if you open the outer volume without taking precautions (which I’ll show in a moment) you can accidentally overwrite the hidden partition.

Simply click OK to dismiss the message.

OK, you are all done with the creation. Simply click Exit to leave the wizard.

Now let’s see how to use the hidden container.

Accessing A Hidden Container

Accessing a hidden container is no different than accessing a regular container that doesn’t have a hidden one. Simply enter the path to the file (or select the device, such as a thumb drive), pick an unused drive letter, and click Mount.

Enter the hidden volumes password, as I did here using the MySuperSecurePassword2!, and click OK.

You can now open the drive letter (in this example W:) in your file explorer and copy files into your hidden container. Here I’ve copied in a photo I took of the historic Boll Weevil Monument from my old home town of Enterprise AL.

Note that this is the only picture here. The photo I use for Twitter doesn’t appear, as it is part of the outer volume.

When you are done, you can close your file explorer, return to VeraCrypt and Dismount the hidden container.

Accessing the Outer Container

What if you need to access the files in the outer container? For example, you may wish to copy updated fake data into it in order to keep it looking realistic.

It is possible to get to the outer container, but you need to take a few extra steps to prevent over writing the data in your hidden container.

As normal, enter the file name for your container (or select the device), pick a drive letter, then click Mount.

When the mount dialog appears, enter your password to the outer container. But WAIT!

Before you click OK, you need to click on the Mount Options button.

Go down to the bottom and check the box that says “Protect hidden volume against damage caused by writing to the outer volume“.

Now enter the password to the hidden volume, then click OK.

Now it displays another message warning against updating the hidden volume. It is possible, but not recommended, to have both the outer and hidden volume at the same time. Writing data to the hidden area could corrupt both the outer and inner areas.

As such I have a personal rule never to have both volumes open at the same time, and I highly suggest you stick to that rule.

Now you can click OK to mount the outer volume. With the outer volume now mounted, you can now access it in your file explorer.

Here you can see my Twitter photo I copied in originally. I can now update it, or copy in a few more files, up to the amount I have space for.

In my case, I have a 250 MB container, but I’ve reserved 125 MB for the hidden space, leaving me roughly 125 MB to put data in the outer area (VeraCrypt does use a little space in the container for its data).

Backup To Prevent Unintentional Damage

Remember how I said you could give the password to the outer container to an agent, or perhaps a bad guy?

Obviously you aren’t going to tell them about the hidden container, as such they won’t use the Mount Options to prevent overwriting the hidden area. Thus it is possible they could wind up destroying your hidden info.

To prevent this, be sure to make a backup of your container. Store it in a safe place away from home, such as a relatives house or your safety deposit box. This way a bad guy could go so far as to destroy your device and your data will still be safe.

Containers in Containers

One last thing, be aware VeraCrypt has no problems storing encrypted containers inside other containers.

For example, you could use VeraCrypt to encrypt a thumb drive. Then you could create a second file container, perhaps one with a hidden volume, and store it on the encrypted thumb drive.

You could go so far as to give it a different extension, perhaps using .dat instead of the default .hc, so a casual observer would not know it is a VeraCrypt container. When you select a file to mount, VeraCrypt doesn’t care what the extension is.

While this may seem a little paranoid, it is possible you may have a need for this level of protection so I just wanted you to be aware this option exists.


In this post I covered how to use the hidden container feature of VeraCrypt, one of it’s advanced options. Using it you can protect your most sensitive data.

In the next and final post we’ll see how to write scripts so you can automate the process of mounting and dismounting containers.

Veracrypt – A Powerful Encryption Utility


I’m a huge podcast junkie. I’m subscribed to almost 200 podcasts on a variety of subjects, the majority of which are tech related.

One podcast I listen to is Grumpy Old Bens. The hosts discuss technology in relation to current news events. In an episode earlier this year they were discussing how to protect the data on your computer should, for example, you need to bring your laptop to a computer repair shop, forget it is there, and the owner decide to look through your drive.

One of the tools they mentioned is VeraCrypt. I’ve used VeraCrypt for years, and before that its predecessor, TrueCrypt.

Multi Platform

As with the other tools I’ve described in this series, VeraCrypt is multi platform with versions for Windows, macOS, and a wide variety of Linux distros.

Sadly there are no versions for portable devices such as iOS or Android.

Be aware what you encrypt is portable between platforms. If I encrypt something using VeraCrypt on macOS, I can later open it on Linux for example, or Windows.

Open Source

VeraCrypt is an open source application. Their website allows you to download all the source code. This allows you to inspect the source code and even build your own version of VeraCrypt from it.

How VeraCrypt Works

VeraCrypt has two modes of operation. First, it can encrypt an entire drive. This can be your main hard drive, a secondary drive, or one you plug in such as an external USB hard drive, USB thumb drive, or even an SD or MicroSD card you’ve placed in your computers card reader.

It uses industry standard encryption methods, and there are a wide variety you can select from, to scramble the contents of the drive to make it unreadable.

As a matter of fact, if you plug in an encrypted USB drive Windows will pop up an error message that you must format the drive for it to be used. Naturally you will want to cancel out of it, but this makes the drive more secure. An unknowing person will pop it in, and just assume the drive is bad. They’ll either throw it away or just reformat it, either way your data is kept out of their hands.

To use the encrypted drive, you’ll need to open the VeraCrypt software and select the drive to mount. Provide your password, and it will make it available. We’ll cover the steps more closely in a moment.

The second mode will let you create an encrypted file container. This is a single, encrypted file on your hard drive. Once you mount it, VeraCrypt will add a new drive letter to your system (on Windows) or mount point on other platforms.

You can move files in and out of this “drive”, create folders, or use it like any other drive. When you Unmount it, the files are no longer accessible.

How to Encrypt a Drive – Step 1

I’ll assume you’ve gone to the VeraCrypt Downloads page, and have downloaded VeraCrypt for your operating system. For this demo, I’ll be using Windows.

Begin by opening VeraCrypt. (As with all my posts, you can open the image to see the full sized view).

Begin the process by clicking on Create Volume. This will launch the VeraCrypt Volume Creation Wizard.

Step 2 – Pick the item to encrypt

For this demo, I want to encrypt an entire drive, specifically an 8 GB thumb drive I’ve plugged into a USB port. As such, I need to pick the second option, Encrypt a non-system partition/drive, then click Next.

Step 3 – Volume Type

We’re now asked if we want a standard volume or a hidden one. I’ll take about hidden volumes later in this post, so for now we’ll go with a Standard VeraCrypt volume and click Next.

Step 4 – Volume Location

Now we need to select the drive to encrypt, in this case our thumb drive. Click on the Select Device button so we can get its exact ID.

The laptop I’m writing this post on is configured to dual boot between Windows 10 and Kubuntu 21.04. It has two physical drives. The first one listed is a second 1 TB drive I use for storing VMs.

The second drive, listed as Hard Disk 1, is the 2 TB drive with its various partitions. I have one partition for Windows (C:), one for Kubuntu (listed as Partition 5). The remaining 1.2 TB partition is shared between Kubuntu and Windows. There’s a few other partitions for the GRUB booter and other recovery items.

Now here’s where we need to be careful. There is a listing for Harddisk 2, of 8 GB, and as your recall my thumb drive that I want to encrypt is 8 GB. This partition though is actually a recovery partition.

Any external drives I want to encrypt will be listed as a Removeable Disks. In the image above (surrounded by the red square) is my 8 GB thumb drive. I’d previously formatted for NTFS it and it is empty.


You take full responsibility for picking the right drive, if you pick the wrong one I take no responsibility.

So with the thumb drive now picked, I’ll click on OK. Then back on the Volume Location screen I’ll click Next.

Step 5 – Volume Creation Mode

Next you are given a choice. In the first option, it will delete the contents of the drive and create an encrypted drive. If your drive is empty this is by far the fastest method.

If there is data on the drive you want to keep, then you should pick the second option. It will retain the files and put them into the drive once it is encrypted.

Because this option is slow, I would suggest moving any files to another drive, encrypting it, then moving them back when done. Even if you choose this option, I would highly suggest you backup everything just in case something catastrophic occurs such as a power outage or blue screen during the process.

Because my drive is empty, I’ll take the default and click Next.

Step 6 – Encryption Option

In this step you are asked what encryption algorithm you want to use. I’ve clicked the drop down so you can see the long list. For most instances, the default of AES using the SHA-512 is sufficient, but I have encountered clients who require a specific encryption algorithm be used.

The good part is that all of these are industry standards that have been vetted by security experts. For this demo I will use the default of AES and click Next.

Step 7 – Volume Size

If we were creating a container we would have the opportunity to select a size for it. In this case we are doing an entire drive, so VeraCrypt just informs us of the device name and the size of it as a confirmation we’ve picked the drive we wanted.

This is correct for this demo, so we’ll just click Next.

Step 8 – Volume Password

In the next screen you’ll enter the password that will be used to decrypt the drive. You can also check the Display password box so you can see what you are typing, which I highly recommend.

Because this is a demo, I’ve used a trivial password of MySuperSecurePassword1! but obviously you will want to use something much stronger.

I’d also suggest storing the password in your password manager. I use LastPass (which I’ll blog about in the near future). It has a Secure Note feature which I store my drive passwords in. You could also put them in Standard Notes, the subject of my previous blog post.

Once you have entered your super secure password, click Next.

Step 9 – Large Files

If the drive or container you are creating is larger that 4 GB then you will be asked if you want to store files bigger than 4 GB on it. (If the container or drive is 4 GB or smaller this step is skipped.)

This will determine how VeraCrypt formats the drive. The default is No, but I almost always change it to Yes, just in case.

After changing it to Yes, I clicked Next.

Step 10 – Format it!

Without getting too technical, one of the key factors for good encryption is having a random pool of data that can be used in generating the encryption key.

VeraCrypt gets this from the movement of your mouse around the window. As you jiggle your mouse around randomly, the bar at the bottom will change color from red, to yellow, then green. For best results, keep moving your mouse around until the bar is solid green all the way across the bottom.

Once it is solid green you can click on Format to begin the process.

After clicking format, you are given the warning that any data on the drive will be lost, are we sure we want to proceed?

If you are sure, take a deep breath then click on Yes.

The Volume Format screen now updates to show the progress. You’ll find it in the center, highlighted by the red rectangle in the above image.

The green is a progress bar, and you can see the exact percentage and speed below. To the very right is the time left, 21 minutes when I took this screen shot.

Be aware even on a fast computer this type of encryption can be a slow process. This small 8 GB drive takes about 20 minutes. A multi-terabyte drive can spend several hours encrypting. For that reason, on large drives, I’d suggest kicking off the process then going to bed.

When formatting is done, you will be provided this informational message:

My thumb drive was assigned drive F when it was plugged in, this message just says be sure to pick a drive letter other than F (or another used one) when you go to mount it. Just click OK to dismiss the message.

When you do, VeraCrypt will let you know the volume was created successfully.

You’re then returned to the wizard, where you can create another drive or exit. In our case we’ll click Exit.

All done, let’s use it!

Now that formatting is complete, let’s see how to mount our new drive.

As I mentioned before, when you plug in the VeraCrypt encrypted drive, Windows and other operating systems will complain the device needs to be formatted before it can be used.

Be sure to cancel out of it!

Once you’ve told your operating system to go away and that you know what you are doing, bring up VeraCrypt.

Because we’ll be mounting a thumb drive, we’ll need to click on the Select Device button.

We will need to scroll down to our list of removable disks, and pick our thumb drive then click OK.

With the device filled out, next go to the list of drive letters above and pick out a drive letter that is unused. for this demo I’ve picked the Z: drive. (Note this will differ for other operating systems.)

Now just click on Mount.

Note I check on the Display password box so we can see what we’re typing, and I’ve entered our super secure password. Before we click OK, I just want to call your attention to the Mount Options button.

One option that may be useful is the mount as read only. This is also where you can setup hidden volume protection, which we’ll talk about later. For now we can cancel, then back on the password entry window click OK to mount our drive.

As you can see VeraCrypt now updates to show our Z drive is now mapped to our thumb drive! It shows up as the Z drive in explorer and we can begin to use it like any other drive.

We can now copy files into our encrypted drive using your operating systems file explorer.

Creating an Encrypted Container

As previously described, an encrypted container is a single file which can be used to store data securely. As the steps to create one are almost identical to encrypting a drive, we’ll only highlight the differences here.

We’ll start on the main screen by clicking Create Volume.

On the VeraCrypt Volume Creation Wizard this time take the Create an encrypted file container option and click Next.

In the Volume Type screen, pick Standard VeraCrypt volume and click Next.

On the Volume Location screen, I’ve entered C:\Temp\demo.hc for the file to store my encrypted data in. VeraCrypt uses hc for its default extension, although if you wanted added protection you could give it a different extension. Once that was entered I clicked Next.

The next step is the Encryption Options, I’ll take the default of AES and click Next.

Next up is the volume size, how big do we want our container. You can size it in terms of kilobytes, megabytes, gigabytes, or terabytes.

For this demo, I am making it 100 MB in size. I’ve created containers of several hundred gigabytes for storing client data. I’ve also created some as small as 10 MB because I wanted to securely email information to someone (who I’d given the password to over the phone).

For now, we’ll go with the 100 MB and click Next.

Next up is the Volume Password screen, I’ll be using the same MySuperSecurePassword1! that I used in the previous demo and clicking next.

The final step is the Volume Format, where I’ll jiggle the mouse around a while to create a random data pool to be used in encryption. Once it is green I’ll click Format and let it format my encrypted file.

Because this is so small formatting goes very fast. When done I’ll just click Exit to end the wizard.

Mounting a File

Start with the main VeraCrypt dialog. Then click Select File to locate the C:\Temp\demo.hc file (or whatever your file name is).

I’ll then pick an unused drive letter, in this case the Y drive, and click Mount.

I’ll enter my super secure password and click OK and my encrypted file container will now be mounted as a drive!

Your Y drive will now appear in your file explorer, ready to use.

Dismount Your Drives

When you are done using your encrypted drive or container, be sure to dismount it when you are done. This will ensure the container is safely shut down and you won’t lose any data.

Hidden Containers

Hidden VeraCrypt containers is an advanced subject I’ll save for a future blog post as this has already gotten very long.

In short though, VeraCrypt lets you embed one container in another. Let’s take our 8 gig thumb drive as an example.

In the wizard, when you select the hidden container option, it will first walk you through the creation of a regular container. In this case our 8 gig thumb drive.

You could then copy some files into it that look like something sensitive. Perhaps some spread sheets with your family budget, or images of receipts. Stuff you might want to plausibly remain hidden, but if it got out wouldn’t be overly damaging.

It would then walk you through creating a hidden container. You could specify you wanted 5 of the 8 gig devoted to the hidden partition. Into it you could place your important data such as copies of birth certificates, marriage licenses, that kind of thing.

The idea is if a bad guy forces you to give up your password, you give them the password to the “outer” or regular drive. All they see is the spreadsheets and receipts you placed there.

The bad guys think they have the info, and have no way of telling you have a hidden partition setup.

When you want to use the hidden partition, you simply supply the password to the hidden area instead of the regular one.

As I said this is a bit of an advanced topic, so we’ll cover it more in the near future.

VeraCrypt Version

Please note the information in this post is valid as of the date I wrote the post. For it I used VeraCrypt Version 1.24-Update 7.

The interface and functionality of VeraCrypt has remained steady over the years so I don’t expect any significant changes, but things on the internet stay forever. If you are reading this five years into the future expect some minor differences between the post and what you see in your version of VeraCrypt.


With the proliferation of hackers and other bad guys, keeping data secure is more important than ever. I create containers for each of my clients to keep their data secure, and separate from other clients.

Additionally I have containers for my family documents such as copies of birth certificates, social security cards, and the like. Made small enough these can be easily stored in places like OneDrive or DropBox for easy retrieval.

As stated, in upcoming posts I’ll cover hidden containers, as well as how to script the mounting and unmounting of your containers.