VeraCrypt's hidden volume feature lets you protect your data even in the most difficult situation: when you may be forced to reveal the password to an encrypted partition. Thanks to its design, the program creates two levels of access: an outer volume with files that can be shown to anyone, and a hidden volume where the real confidential information is stored. The key point is that the free space inside such a partition looks like random data, so the presence of a hidden volume cannot be proven.
There is a possibility that someone will force you to reveal the password to an encrypted volume. In some cases, you simply cannot refuse to do so (for example, in the event of extortion). A so-called hidden volume allows you to safely get out of such situations without revealing the password to the volume with your data.
The principle behind hidden volumes in VeraCrypt is that one volume is created inside another. In other words, the hidden volume is located in the “free space” of the outer volume. The most important point is that this free space is filled with random data when the outer volume is created, and it cannot be distinguished from a real hidden volume. That is why, even if the outer volume is mounted, it is not feasible to prove that another, hidden volume exists inside it. The file system of the outer volume is not changed in any way: VeraCrypt leaves no signatures or traces.
For the plausible deniability system to work correctly, the password for the hidden volume must be significantly different from the password for the outer one. Before creating a hidden volume, it is recommended to place several files in the outer volume that look meaningful and can be perceived as something confidential. This is necessary to mislead outsiders: in case of pressure, you will only reveal the password for the outer volume, and the accessible files will give the impression of “real data”. The real valuable information will remain protected in the hidden volume, to which the password should never be revealed.
Mounting a hidden volume works the same way as for a regular one: the user selects the file or device containing the outer volume (it must not be mounted at that moment), clicks “Mount” and enters the password. The password entered determines which volume is opened: the password for the outer volume mounts the outer volume, and the password for the hidden volume mounts the hidden volume.
Technically, the process looks like this: VeraCrypt first tries to decrypt the header of the regular volume. If this fails, it goes to the area where the header of the hidden volume could potentially be located (this is the range of bytes 65,536–131,071). If there is no hidden volume, this area looks like a random set of data. If there is, the program tries to decrypt it using the entered password. It is important to understand that the headers of hidden volumes look like random data, so it is impossible to determine the fact of their existence.
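To make the probing order concrete, here is an added model of the mount-time decision described above (example code written for this page, not VeraCrypt's own). It keeps VeraCrypt's real header offsets (outer header at byte 0, hidden header at bytes 65,536–131,071, 64 KiB each) but replaces the real header format (salt, PBKDF2-derived key, XTS decryption, then a check on the decrypted bytes) with an assumed salt + PBKDF2-HMAC-SHA512 + HMAC-tag scheme so it runs offline; an absent hidden header is simply random bytes, which is why a container with and without a hidden volume cannot be told apart by looking at that region.

```python
import hashlib
import hmac
import os
from typing import Optional

HEADER_SIZE = 65536            # each header region is 64 KiB
OUTER_HEADER_OFFSET = 0        # outer volume header
HIDDEN_HEADER_OFFSET = 65536   # hidden volume header: bytes 65,536-131,071
SALT_LEN = 64
TAG_LEN = 64
PBKDF2_ITERS = 10_000          # kept low for speed; not VeraCrypt's iteration count


def _derive_key(password: bytes, salt: bytes) -> bytes:
    # Assumed stand-in for VeraCrypt's header-key derivation.
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ITERS, dklen=64)


def make_header(password: bytes) -> bytes:
    """Constructed header: random salt, keyed tag over random filler, filler.
    Every part is indistinguishable from random bytes without the password."""
    salt = os.urandom(SALT_LEN)
    body = os.urandom(HEADER_SIZE - SALT_LEN - TAG_LEN)
    tag = hmac.new(_derive_key(password, salt), body, "sha512").digest()
    return salt + tag + body


def header_opens(header: bytes, password: bytes) -> bool:
    """True if the password 'decrypts' this header region (tag verifies)."""
    salt = header[:SALT_LEN]
    tag = header[SALT_LEN:SALT_LEN + TAG_LEN]
    body = header[SALT_LEN + TAG_LEN:]
    expected = hmac.new(_derive_key(password, salt), body, "sha512").digest()
    return hmac.compare_digest(tag, expected)


def make_container(outer_pw: bytes, hidden_pw: Optional[bytes], data_size: int) -> bytes:
    """Build a container. With hidden_pw=None the hidden header region is
    plain random bytes, exactly what an outer volume without a hidden volume holds."""
    hidden = make_header(hidden_pw) if hidden_pw is not None else os.urandom(HEADER_SIZE)
    return make_header(outer_pw) + hidden + os.urandom(data_size)


def probe(container: bytes, password: bytes) -> str:
    """Mount logic: try the outer header first, then the hidden header region.
    Returns which volume the password opened, or 'none'."""
    for name, off in (("outer", OUTER_HEADER_OFFSET), ("hidden", HIDDEN_HEADER_OFFSET)):
        if header_opens(container[off:off + HEADER_SIZE], password):
            return name
    return "none"
```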
A hidden volume can be created both in a file container and in a volume based on a physical device (this requires administrator rights). In the program, just click the “Create Volume” button and select the “Create VeraCrypt Hidden Volume” option. The wizard explains each creation stage step by step and helps to avoid mistakes.
One of the main problems is choosing the size of the hidden volume. If you make it too large, you can damage the data already stored in the outer volume. To avoid this, the wizard automatically scans the cluster map of the outer volume and determines the maximum possible size for the hidden volume. Thus, even an inexperienced user can safely create a hidden volume without the risk of data loss.
This mechanism allows you to combine a regular volume available for demonstration and a hidden one that remains invisible to outsiders. Thanks to its clever architecture and the use of random data as a “mask”, a hidden volume is indistinguishable from empty space. This creates the basis for plausible deniability in VeraCrypt.
VeraCrypt provides the ability to plausibly deny the existence of encryption, which is especially important in cases where the user can be forced to reveal the password. There are two mechanisms for this: hidden volumes and hidden operating systems. Both options are based on the fact that until the moment of decryption, any partition or device looks like a set of random data without any signatures, so it is impossible to prove the fact of their encryption. The user can always explain that this data is just the result of overwriting the disk with random information.
In the case of system encryption, the situation is more complicated. The first track of the disk contains the VeraCrypt boot loader, which is easy to identify. That is why plausible deniability is achieved here by creating a hidden operating system that exists alongside the regular one and is activated with a different password. Thus, in case of forced disclosure, the user can provide the password for the “regular” OS without revealing the hidden one.
As for volumes in file format (containers), they also have no identifying features and look like a random set of bytes. However, the existence of the file itself can arouse suspicion, and explaining its presence is much more difficult. Therefore, for plausible deniability, it is recommended to create a hidden volume inside a regular container. This allows you to have an open part with harmless files and a hidden part containing really important information.
When the system partition or the entire disk is encrypted using VeraCrypt, the user is faced with a mandatory pre-boot procedure – you need to enter a password before loading the operating system itself. It is at this stage that dangerous situations can arise: someone can force the user to give out the password or even forcibly decrypt the system. In such cases, it is almost impossible to refuse, and this is where the hidden operating system mechanism, which is a unique feature of VeraCrypt, comes in handy.
The hidden OS is installed inside a hidden VeraCrypt volume. From the outside it is impossible to prove that a hidden volume exists, since it looks like random data without any signatures. This means that proving the existence of a hidden OS is equally infeasible, provided you follow the recommendations for use.
At the same time, the VeraCrypt boot loader must be present on the system disk, and it is what reveals that the system is encrypted. This may raise questions from the attacker, so to provide a plausible explanation VeraCrypt offers to create a decoy operating system (referred to below as the fake OS).
The fake OS is installed in the usual way on the outer volume. It contains no confidential information and is designed so that its password can be safely revealed under duress. If you are forced to reveal a password, you give the password for the fake OS, and it boots. Its existence is not a secret, and it can be shown to anyone quite legitimately.
In contrast, the hidden OS is located not in the outer volume but in the hidden one. While it is running, it appears to be installed on the same system partition as the fake OS. In fact, all read and write operations are transparently redirected to the hidden volume. Neither the applications nor the OS itself is aware of this: encryption and decryption are performed on the fly, using a separate key.
As a result, the user has three different passwords at once, each of which has its own role:
The password for the hidden OS is the most important one and must always remain secret. It is what opens access to your real protected system.
The password for the fake OS can be safely disclosed to anyone. It serves as a “distraction maneuver”, demonstrating an unimportant system.
The password for the outer volume is a regular password for a VeraCrypt partition that contains several files which look confidential. It can also be disclosed to outsiders without the risk of revealing the hidden OS.
This three-stage scheme creates the most reliable protection. You have something to show the adversary: both the fake OS and the outer volume with its files look convincing. At the same time, the real system remains inaccessible.
To ensure that the plausibility of the protection is not in doubt, the fake OS should be used regularly. Ideally, it should be used for normal everyday work that is not related to confidential data. If this is not done, the attacker may notice that the fake OS is practically not used and suspect the existence of a hidden one.
The user can safely store any data in the fake OS without fear of damaging the hidden volume. This is possible because the fake OS is not installed in the outer volume but occupies its own separate space.
When the computer starts, the VeraCrypt boot loader first tries to decrypt the system partition header with the entered password. If this succeeds, the corresponding system starts: with the password for the fake OS, the fake system with its decoy files boots; with the password for the hidden OS, the system physically located in the hidden volume is loaded.
No one can ever prove the existence of a hidden volume or hidden OS, because their headers look like a set of random data.
Thus, the user gets a unique combination of protection: one system for display, the other for real work with confidential data. Two passwords can be revealed under pressure, and the third remains only in your head. This is the essence of the plausible deniability mechanism in VeraCrypt.
Creating a hidden operating system in VeraCrypt begins from the System > Create Hidden Operating System menu. The wizard checks whether there is a suitable partition on the disk to accommodate the hidden OS. This must be the first partition after the system partition, and it must be larger than the system partition: at least 5% larger for most file systems, or 110% larger (2.1 times the size) if NTFS is used. The reason for this limitation is that NTFS places its metadata in the middle of the volume, and the hidden volume must not overlap it.
In the following stages, two encrypted volumes are created: outer and hidden. The hidden OS is placed in the hidden volume. Its size is always equal to that of the system partition, because the original system must be cloned completely. In the outer volume, the user must create several “dummy” files that look confidential but are actually unimportant. This is done to mislead anyone to whom the outer volume's password has to be revealed. The wizard determines the maximum amount of space such files may occupy so that room is left for the hidden OS.
VeraCrypt copies the contents of the system partition to the hidden volume using a new encryption key. This process is performed in a pre-boot environment, without Windows running, and can take from several hours to several days depending on the size of the partition and the performance of the computer. If the process is interrupted, it will have to be started again, because the data cannot change during cloning. Upon completion, the user receives a hidden OS that is an exact encrypted clone of the original.
To prevent information leakage, VeraCrypt overwrites the original system after creating the hidden OS, filling it with random data. This is necessary because traces of VeraCrypt use may remain in the log, swap, or hibernation files. The user is then prompted to install a new operating system on this partition and re-encrypt it. This system becomes a fake OS. It is created specifically for demonstration under pressure and should not contain any sensitive files.
As a result, the user has three passwords:
for hidden OS (primary and secret),
for fake OS (can be revealed safely),
for the outer volume (can also be disclosed to outsiders).
This allows any questions about random data on the system partition to be explained by the fact that it was previously encrypted with VeraCrypt, but the password was forgotten or the system was corrupted. This creates a plausible explanation and removes suspicion.
While running the hidden OS, VeraCrypt applies several security restrictions:
all unencrypted local file systems and regular VeraCrypt volumes are mounted read-only;
writing to those file systems is prohibited to avoid inconsistencies in logs and metadata that could reveal the existence of a hidden system;
safe resumption from hibernation is provided: Windows restores data only to the state it was in when you logged in, which prevents corruption.
To safely transfer files from a fake system to a hidden one, you need to:
Load the fake OS and save the files to a regular VeraCrypt volume or to an unencrypted disk.
Reboot the computer and load the hidden OS.
Mount the same volume (it will be read-only).
Copy files to the hidden system or to another hidden volume.
This mechanism prevents data leakage and allows you to maintain the illusion that there is only one encrypted system on the computer: the fake one.
Thus, the process of creating a hidden operating system in VeraCrypt combines several steps: cloning an existing OS, erasing its traces, creating a fake system and implementing special countermeasures. As a result, the user receives a powerful tool for plausible deniability and reliable data protection.
The situation when two encrypted VeraCrypt partitions (system and non-system) exist on the system disk at the same time may seem suspicious at first glance. After all, it is logical to ask the question: “Why create two separate encrypted partitions when you could simply encrypt the entire disk with one key?” However, there are a number of plausible explanations that help to dispel any doubts.
First, VeraCrypt technically does not allow you to encrypt several partitions on a disk with one key at once. That is, you can encrypt either one specific partition or the entire disk. If you need to protect only two partitions (for example, the system partition and the one immediately following it), then you will have to apply two separate encryptions. Thus, two adjacent encrypted partitions will appear on the disk – a completely normal situation that can be explained even without mentioning the hidden OS.
Second, the division into system and non-system partitions is convenient from a practical point of view. It is often recommended to separate non-system data (documents, work files) from system data. This is done for several reasons:
Another explanation is the use of different encryption algorithms. For example, the system partition can be encrypted with AES alone for maximum speed, since the system is used daily and requires performance. The non-system partition (the outer volume), where more confidential data is stored, can be encrypted with the AES-Twofish-Serpent cascade. This way you can explain that you wanted to strike a balance: speed for the system and maximum protection for especially important files.
This decision is easily justified by the fact that VeraCrypt itself warns: it is better not to encrypt the system partition with cascaded algorithms. This can cause problems with the size of the boot loader, recovery from damage, and also slow down the exit from hibernation. Therefore, choosing different algorithms for different partitions seems quite logical and practical.
Another reason is different password requirements. For the system partition, it is convenient to use a shorter password, since it must be entered every time the computer boots. Instead, for the non-system partition, which is mounted less frequently, you can set a long and complex password. This allows you to explain that the system partition contains only moderately important data, while truly confidential documents are protected separately.
In addition, the non-system partition can be mounted only when you need to work with sensitive information. This minimizes the time during which the data is available in decrypted form. For a mobile user (for example, with a laptop), this is especially important: if the device falls into the wrong hands while you are working, the likelihood of compromise is reduced.
When using a hidden OS, it is important to remember the rules for working with hidden volumes. If protection against damage to the hidden volume is not enabled, writing to the outer volume can destroy the hidden system. Therefore, VeraCrypt officially recommends adhering to the restrictions: mount hidden volumes only while the hidden OS is running and avoid any uncontrolled writing to the outer volume.
If you follow the instructions and are careful, it is impossible to prove the existence of a hidden OS, even if the outer volume is mounted or the fake system is running.
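The sizing step from the hidden-volume wizard and the damage risk just described can be modelled together. The block below is an added example written for this page, not VeraCrypt's code: it assumes the hidden volume occupies the contiguous free tail of the outer volume's data area (so only clusters after the last allocated one count), and it models a "protect hidden volume" guard that refuses writes overlapping the hidden region and then keeps the outer volume read-only until remount (modelled after VeraCrypt's documented behaviour, assumed here).

```python
CLUSTER = 4096  # assumed cluster size of the outer volume's file system


def max_hidden_size(cluster_bitmap: str) -> int:
    """cluster_bitmap: one char per cluster, '1' allocated, '0' free (constructed input).
    The hidden volume must fit in the unbroken run of free clusters at the end of the
    outer volume, so everything up to and including the last allocated cluster is off limits."""
    last_used = cluster_bitmap.rfind("1")
    free_tail = len(cluster_bitmap) - (last_used + 1)
    return free_tail * CLUSTER


class OuterVolume:
    """Toy outer volume whose last `hidden_size` bytes hold the hidden volume."""

    def __init__(self, size: int, hidden_size: int, protect: bool):
        self.size = size
        self.hidden_start = size - hidden_size  # offset where the hidden volume begins
        self.protect = protect                  # 'protect hidden volume' mount option
        self.hidden_damaged = False
        self.protection_triggered = False

    def write(self, offset: int, length: int) -> bool:
        """Return True if the write was applied.
        With protection on, a write reaching into the hidden region is refused and the
        volume becomes read-only for the rest of the session. With protection off,
        the write goes through and silently destroys the hidden volume."""
        if self.protection_triggered:
            return False
        overlaps = offset + length > self.hidden_start
        if overlaps and self.protect:
            self.protection_triggered = True
            return False
        if overlaps:
            self.hidden_damaged = True
        return True
```

Note that the guard only exists while the outer volume is mounted with protection enabled, which requires supplying the hidden volume's password at mount time; that is why the page's advice is to avoid uncontrolled writes to the outer volume altogether.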
Thus, the presence of two encrypted VeraCrypt partitions on one disk can always be explained without mentioning hidden mechanisms. The reasons may be different: the convenience of separating system and personal data, the balance between speed and security, different algorithms for different needs, practicality when reinstalling the OS, or the desire to minimize the availability time of especially important files. All these arguments look natural and do not arouse suspicion.
VeraCrypt provides unique protection mechanisms: hidden volumes and hidden operating systems. They allow you not only to store data in encrypted form but also to plausibly deny the very existence of critical information. Through the competent use of outer and hidden volumes, a fake OS, and different algorithms and encryption levels, the user obtains multi-level protection. Under pressure, passwords to the non-essential parts of the system can be safely handed over, while the real confidential data remains inaccessible.