VeraCrypt Hidden Volumes


Another feature of VeraCrypt that may offer some utility for some users is called “hidden” volumes. VeraCrypt hidden volumes allow you to create encrypted file containers that are truly cryptographically hidden…with some very big caveats. Today I will discuss these more fully, and you can decide if they are an important aspect of your digital security plan.

VeraCrypt Hidden Volumes – Basics

A hidden volume is an encrypted file container that is stored inside another encrypted file container. When you create a standard VeraCrypt container, the entire container is filled to capacity. Let’s say you have a 1 GB container and you add 100 MB of files to it. This leaves 900 MB of the container unused, so VeraCrypt fills this space with pseudorandom data. When you dismount the volume, your files are indistinguishable from the pseudorandom data. This prevents your adversary from seeing how full (or empty) the volume is.

Before you can create a hidden volume you must create an “outer volume” to hide it within. When you create the hidden volume, it will be concealed in the pseudorandom data. Because the two sets of pseudorandom data are indistinguishable, there is no way to prove whether a hidden volume exists or not. This means that an attacker can “rubber hose decrypt” the outer volume (by beating you until you open it) but he or she can never prove that a hidden volume exists. There are three states that a standard/hidden volume can be in.

  • Dismounted: while dismounted it is impossible to tell that a hidden volume exists. The entire outer volume is just a jumble of encrypted data and pseudorandom data, and the two are impossible to tell apart.
  • Mounted – Standard: while the standard volume is mounted it is impossible to tell that a hidden volume exists. The size does not appear reduced because of the presence of the hidden volume. The volume behaves no differently whether it has a hidden volume installed or not.
  • Mounted – Hidden: The hidden volume is exposed. This is the only way for an attacker to know that a hidden volume exists.

Is it really impossible to prove that hidden volumes exist? In a vacuum, yes. In the real world it is a lot more complicated. This paper [PDF] on defeating deniable file systems is really old but the ideas behind it are still completely valid. Creating truly deniable file systems is hard. While the encryption might work just fine there are other factors to consider.

Using VeraCrypt Hidden Volumes

There are two ways to create a VeraCrypt hidden volume. You can add one to a pre-existing standard volume. Alternatively, you can create a standard volume for the express purpose of installing a hidden volume. Functionally there is no difference. Open the Volume Creation Wizard. Select “Create an encrypted file container”. On the next screen choose “Hidden VeraCrypt Volume”.

The following screen will ask you if you want to do this in “Normal Mode” or “Direct Mode”. If you already have a standard volume to which you would like to add a hidden volume, click “Direct Mode”. If you do not, click “Normal Mode”, and you will be required to create an outer volume first. I will not belabor the volume creation process since I have covered it before.

Mounting a hidden volume is no different than mounting a standard volume, with one exception. When mounting the standard volume, you use the standard volume password. When mounting the hidden volume, you use the hidden volume password.

Hidden Volume Considerations

If you truly need a hidden volume, you really need it to work for you. There are some things you should consider before building your real-world hidden volume.

Strong password and keyfiles! These are the only things that separate your outer volume from the hidden volume. The password should be radically different. If you use keyfiles, you should use different ones for this volume.

Hidden volume corruption: If you overfill the outer volume, the hidden volume will collapse and you will forever lose access to it. This means you must track the amount of space consumed by the hidden volume, and never fill the outer volume beyond that point. Let’s do an example. Let’s say I have a 1 GB outer volume with a 25 MB hidden volume. I can only use 975 MB of the outer volume (it’s actually a tiny bit less than that). If I put 976 MB into the outer volume, my hidden volume will be collapsed without warning. If VeraCrypt offered a warning, it would reveal the presence of the hidden volume to your adversary.

You can mitigate this through a couple of steps. First, make your hidden volume a very small percentage of your outer volume. This lessens the chance of overfilling. Second, if you are using your hidden volume to protect “life or liberty” information, don’t use the outer volume for daily use. Put a few files in it and leave them alone.
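As an added illustration (not VeraCrypt code, and not its real on-disk format), here is a small Python model of the layout described above: the hidden volume sits at the tail of the outer volume’s pseudorandom filler, the outer volume reports free space as though the hidden volume were not there, and one byte too many written to the outer volume silently corrupts it. The names `Container`, `byte_entropy` and `safe_outer_capacity` are invented for this example.

```python
"""Toy model of an outer/hidden volume layout (constructed example, not
VeraCrypt's real format). It shows that filler and hidden region are
statistically alike, that free space is reported as if no hidden volume
existed, and that overfilling the outer volume destroys the hidden one."""
import hashlib
import math
import secrets
from collections import Counter

OUTER_SIZE = 1_000_000   # the article's 1 GB outer volume, scaled to 1,000,000 bytes
HIDDEN_SIZE = 25_000     # the article's 25 MB hidden volume, at the tail of the outer

def byte_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means 'looks random'."""
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class Container:
    def __init__(self, outer_size=OUTER_SIZE, hidden_size=HIDDEN_SIZE):
        # Unused outer space is pseudorandom filler; the hidden volume's
        # ciphertext (also random-looking) occupies the last hidden_size bytes.
        self.buf = bytearray(secrets.token_bytes(outer_size))
        self.hidden_size = hidden_size
        self.hidden_digest = hashlib.sha256(self.hidden_region()).hexdigest()
        self.outer_used = 0

    def hidden_region(self) -> bytes:
        return bytes(self.buf[len(self.buf) - self.hidden_size:])

    def free_space(self) -> int:
        # Reported free space ignores the hidden volume, just as the mounted
        # outer volume does in the article: warning would reveal its presence.
        return len(self.buf) - self.outer_used

    def write_outer(self, data: bytes) -> None:
        # Outer files are laid down from the front; nothing stops them from
        # running into the hidden region at the tail once the safe capacity is passed.
        if len(data) > self.free_space():
            raise ValueError("outer volume full")
        self.buf[self.outer_used:self.outer_used + len(data)] = data
        self.outer_used += len(data)

    def hidden_intact(self) -> bool:
        return hashlib.sha256(self.hidden_region()).hexdigest() == self.hidden_digest

def safe_outer_capacity(outer_size=OUTER_SIZE, hidden_size=HIDDEN_SIZE) -> int:
    """Bytes you may put in the outer volume without touching the hidden one."""
    return outer_size - hidden_size
```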

Do you need VeraCrypt Hidden Volumes?

Do you really need one? In the purest sense, the answer is probably “no”. Few of us will face a situation where we are forced to decrypt the outer volume. If you really do need it, you really need to do it right as outlined above. There is one other consideration when choosing whether or not to install a VeraCrypt hidden volume. It’s called “hidden volume game theory”. I didn’t come up with this – you can read the original article HERE.

The short version is this: put a hidden volume in ALL your VeraCrypt volumes. Make the password for them “password”. Now when you are the recipient of a rubber hose decryption session you can prove that you aren’t hiding anything in the hidden volume. But, you should only do this if you don’t use ANY hidden volumes to protect real information, for obvious reasons.


2 thoughts on “VeraCrypt Hidden Volumes”

  1. Hi Justin,

    I know this post is over a year old but I wanted to chat regarding this.

    Essentially, from what I’ve read, having a hidden encrypted volume within a standard encrypted volume gives you what is known as “plausible deniability” in the event of being subject to revealing passwords.

    Am I right that the attacker would be given the password of the standard volume, see a load of “semi-sensitive” media and never know about the hidden volume?

    Because, and I can’t seem to wrap my head around this so please bear with me, in the case of an external HDD or USB drive, wouldn’t it be obvious that there is a significant differential in used space in the standard volume, and the total space available of the drive itself?

    If you have a 20 GB drive, have 10 GB of media in your hidden volume, and 5 GB of semi-sensitive media in the standard volume, that leaves 5 GB of free space and 10 GB missing and unaccounted for.

    Wouldn’t the attacker then think that there’s more here than they can see?

    Sorry if it’s a silly question and I’ve missed something.

    Great article by the way – as a quick question, would you say VeraCrypt is still the best successor to TrueCrypt a year down the line?

    1. Parker,
      That’s not a silly question at all. You’re correct about the premise of hidden volumes – show the attacker some sensitive looking files, and he goes away satisfied that he’s gotten everything.
      The thing I didn’t explain clearly is that there doesn’t appear to be any missing space. If you made the 20 GB volume in your example and mounted it, it would show 10 GB of used space, and 10 GB of free space, so as not to tip your hand. It would even let you (or the attacker) overwrite that free space. Of course anything in the hidden volume would be lost in the process, but better to lose it than be caught with it.
      Yes, I would definitely still say VeraCrypt is far and away the best TrueCrypt successor.
      Thanks for writing in!
