VeraCrypt is a free encryption utility that works in all versions of Windows from XP to 10 (Linux and Mac OS X are also supported). It is a fork of the once-popular and now abandoned TrueCrypt, plugging all known security holes and improving encryption methods. It is backwards-compatible with TrueCrypt volumes/containers.
VeraCrypt can create encrypted containers for securely storing files and folders, and it supports encrypting system drives or partitions so that no one can access your important files without knowing the correct password and PIN.
Please note that while VeraCrypt works well in Windows 10, its System Drive Encryption might fail version/milestone upgrades (for example, from Build 10166 to 10240). The problem appears right after the first reboot of Windows 10 upgrade: after entering your VeraCrypt password and PIM, screen flashes once or twice and your device restart again, this time reverting the upgrade.
Installing VeraCrypt in Windows
Go to https://veracrypt.codeplex.com/ and click the download button on the right.
Launch the downloaded file and follow the simple instructions. As VeraCrypt is completely free, you should consider donating some money to the project maintainer IDRIX if you like the security utility. Donation links are also on VeraCrypt's home page, linked above.
If you need to open VeraCrypt, its icon is probably on the Desktop and it certainly is on the Start menu or Start screen.
If set so in preferences, VeraCrypt icon is in Notification Area/System Tray. Right-click or tap and hold it to see available commands. The Show VeraCrypt command can then be used for opening program window.
Modifying important VeraCrypt preferences for better security in Windows
First, it is necessary to change some preferences to ensure your encrypted data will not be accidentally accessible to others. Open VeraCrypt from Start menu/Start screen or by right-clicking/touching and holding the program's icon in Taskbar Notification Area (aka System Tray) and clicking the Preferences command.
The same command is also available in VeraCrypt window: open Settings menu and click Preferences.
In the VeraCrypt - Preferences window, Actions to perform upon logon to Windows section tick the Start VeraCrypt Background Task check box. This ensures that VeraCrypt icon is available in Notification Area/System Tray. Those who need maximum security can leave this check box at its default.
In the Auto-Dismount section, always enable the User logs off and Force auto-dismount even if volume contains open files or directories options to prevent others from accessing your encrypted files. Those who have more at stake, should also enable the Screen saver is launched and Auto-dismount volume after no data has been read/written to it for 60 minutes check boxes for maximum security.
Please note that Auto-Dismount settings do not affect encrypted system drives or partitions.
Other settings are fine by default. Click OK.
Creating VeraCrypt volumes/file containers in Windows
VeraCrypt volumes are special encrypted containers that you can be mounted as virtual disks/drives. If you want to move your sensitive documents into a VeraCrypt volume, it must be large enough to contain these and preferably have some spare space for future expansion, too. The volume or container itself is actually a normal file and can be copied, moved or deleted as usual: you can even carry the volume with you on USB thumb drives or sync it using some cloud service.
Open the Volumes menu in VeraCrypt main window and choose Create New Volume.
VeraCrypt Volume Creation Wizard appears. Leave the default option, Create an encrypted file container selected and click Next.
In the Volume Type screen, click Next again to create a Standard VeraCrypt volume.
Click or tap the Select File button in the Volume Location screen to select a folder and create a new file. Do not select an existing files here - it will be overwritten during the volume creation process!
Those requiring enhanced security should enable the Never save history option here.
Now a standard Windows browsing dialog opens. Locate the folder you need and specify a new file name. To make the file automatically open with VeraCrypt after a double-click, add the extension ".hc" to the end of the file name - for example, "DoNotOpen.hc". To stay on safer side, add no extension to the file name or use some extension that makes people believe the file is not an encrypted volume - for example, ".avi" for larger encrypted volumes might trick others into thinking that this is a video file.
Again - do not select an existing file here - otherwise the file will be overwritten! You can move existing file to the encrypted volume later.
Click Save.
Back in the Volume Location screen, click Next to move on to the Encryption Options dialog.
In most cases, the defaults (AES for encryption and SHA-512 for hash) are fine as this is the fastest encryption-decryption option VeraCrypt offers. Those very concerned about security of their files can select even stronger algorithms for encryption and hashing, while sacrificing some speed of operation.
Click Next to move on.
In the Volume Size screen, specify the total capacity for the new volume/container. Amount of free space on the selected drive is shown below. Please remember to create a volume that has some spare capacity for future growth.
Click Next.
Next, create a strong password for the encrypted volume - and make the passphrase longer than usual (at least 20 characters). Just think of a sentence to make this easier.
After filling the Password and Confirm fields, tick the Use keyfiles check box and click the Keyfiles button. Keyfiles will serve as additional protection for the volume and make cracking the protection much harder.
Those requiring top security can also turn on the Use PIM option for even stronger encryption. You can use VeraCrypt's default PIM, or specify your own.
Keyfiles should never change. After modifying a keyfile's contents, you will lose all access to your encrypted volume (unless you have a valid backup of keyfiles). That's why you should create new keyfiles instead of selecting existing files.
Click or touch the Generate Random Keyfile button on the bottom right of the VeraCrypt - Keyfiles window.
VeraCrypt Keyfile Generator opens. Move your mouse randomly in the window for at least 1 minute, until the Randomness Collected From Mouse Movements progress bar turns green.
Tick the Random size check box to generate keyfiles of different length, then fill in the Keyfiles base name field. Finally, click the Generate and Save Keyfile button.
Create and save at least two keyfiles this way.
Please store encrypted volumes and keyfiles in different folders or on different drives/partitions to avoid easy guessing of your keyfile location. Do not use any variant of the word "keyfile" in the file name - use random names instead. If possible, save keyfiles to an external drive (USB thumb drive or a memory card) and keep a backup of the files.
Click Close after you are done.
After you've generated and stored all keyfiles, click Add Files back in the VeraCrypt - Keyfiles window. Then locate and select the keyfiles you just generated and click Open and OK.
If you specified a password shorter than 20 characters, VeraCrypt will warn you that such passwords are easy to crack. If your password is at least 12 characters long and you use at least 3 keyfiles and a PIM, it is pretty safe to click Yes here.
In the Volume Format window, select the file system type you need. If you will not store files larger than 4 gigabytes and the volume capacity will not exceed 8 terabytes, FAT is fine.
If you need to store huge files (videos, for example), or you need an encrypted container larger than 8 TB (terabytes), exFAT and NTFS are preferred for VeraCrypt containers. For additional file system security, select NTFS.
Default cluster size is fine.
Again, move your mouse pointer randomly inside the window until the progress bar turns green. Then click Format.
Depending on the size of the volume, it might take some time to create and format it. After the process is complete, click OK.
In the Volume Created window, click Exit if you do not want to create more encrypted volumes. If you do, click Next and start over.
Mounting VeraCrypt volumes
To mount an existing encrypted volume or container, open VeraCrypt main window using its Taskbar Notification Area (System Tray) icon or Start menu/screen.
Click an available drive letter in the upper part of the window and then click Select File. Those very concerned about the safety of their data should ensure that the Never save history check box is ticked.
In the standard Windows browse dialog, locate the volume file you want to mount and click Open. Back in VeraCrypt window, click Mount.
In the Enter password dialog, type the volume/container passphrase. Then tick the Use keyfiles check box and click or tap the Keyfiles button.
The VeraCrypt - Keyfiles window, familiar from volume creation wizard, appears. Click Add Files, locate the keyfiles associated with the selected VeraCrypt volume and click Open.
Back in the VeraCrypt - Keyfiles window, click OK.
If the volume uses PIM protection, tick the Use PIM check box first. Click OK.
If the password and keyfiles (and PIM) are correct, the volume appears mounted in VeraCrypt main window.
VeraCrypt icon in Taskbar Notification Area will change from VC logo to a drive icon with an open lock - this shows that a volume is mounted and encrypted files are usable.
You can now use the encrypted volume as any other drive - open it in Windows/File Explorer, create folders, copy, move and delete files, etc.
The mounted volume stays mounted as long as you log off Windows. If you have specified so in VeraCrypt preferences, the volume might be automatically dismounted when screen saver runs, or when no data has been read from or written to the volume within 60 minutes. The preferences are described in the beginning of this article.
Dismounting VeraCrypt volumes
If you want to manually dismount a VeraCrypt volume or container, open the program window and choose the volume letter you need to unmount. Then open the Volumes menu and choose Dismount volume. To unmount all encrypted volumes at once, choose Dismount All Mounted Volumes instead.
The same commands are also available if you right-click VeraCrypt icon in Taskbar Notification area.
A notification about this appears in Notification Area. If you dismounted all volumes, VeraCrypt icon displays its VC logo. If you still have mounted volumes, the icon displays a drive icon with an open lock.