

Veracrypt: Securing files

Many of us should secure a few of our files. Perhaps some client or employee information, or our accounting, or taxes. Possibly you have communications with credit agencies or lawyers you'd like secured. Veracrypt provides a simple way for us to do that. It has state-of-the-art protection, is free, open source and was independently audited. There are versions for Windows, Mac and Linux. The container with the encrypted files can be transferred and opened on another computer. You just need the key to unlock it.

It has many features including full drive encryption, but I will only discuss how to use it to encrypt some of your files, like your accounting or taxes.

The basic concepts

You create a big file to hold your stuff. I call mine "stuff.hc". .hc is the default extension for Veracrypt and will allow Windows to know what to use to open the file. The .hc extension also enables a cute icon.

This is like a grocery store that is closed and locked. In addition, it is surrounded by a moat, has machine gun turrets and 10,000 armed guards. Nothing gets in or out.

When you want to use the stuff inside, you "mount it". Then it is like an open grocery store where people freely go in and out. Windows will see it as a drive (I use V for Veracrypt). Your accounting program can write into the volume, you can copy files back and forth, you could backup individual files or print them. The Veracrypt mounted volume will work exactly like a regular drive.

When you are done using it, you will close the store by "dismounting" it. The store will then return to its closed impenetrable fortress persona.

Some consultants will object to my use of the .hc extension because it gives away security information, which is generally a bad idea. They prefer using a .jpg or .iso extension so no one can see it is a secure vault with valuable information in it. This is a reasonable objection. I ignore it because my password is so good that the NSA couldn't break into my vault in 1,000 years. Plus, I add a PIM (Personal Iterations Multiplier) to make breaking even more impossible. So for my purposes the added convenience is worth the negligible increased risk. Besides, if the NSA wants my tax information, they can simply ask the IRS.

How to do it

Before you download and run the program, determine what you will want to protect and how much space your files require. Next, determine how big a container you want to make to hold them and also give you plenty of room to grow. Make it big enough you won't outgrow the container soon, but small enough that you don't waste space or make backups more difficult by having an unnecessarily huge container that must be backed up. Remember, your backup needs to copy the entire file, and if you keep previous versions, you might have many copies of the full volume.

I have 160 MB of stuff I wanted saved securely, so I made a 500 MB volume. I'm sure 300 MB or 400 MB would have been fine, but 500 MB is still very manageable. Next, open your password safe and create an entry and a secure password. Mine is a random creation by KeePass which is 31 characters long and includes all 4 character types. I have no idea what it is.

Remember, if you lose your password, you cannot retrieve your data. Veracrypt is totally secure. There is no backdoor. Without your password, it cannot be accessed. If your password is good, then it is impossible to get into.

When you open the program, choose Volumes and then Create New Volume....

There are three options. Choose Create an encrypted file container.

I will not go into the full drive encryption options here.
  • Choose Select File... and go to the folder you want and create a new file.
  • You can add the .hc extension if you like.
  • The Never save history option requires you to find that file each time. I never choose that option, so I recommend leaving it unchecked.
  • Click Next.

Leave the standard encryption options. They are fine. Click Next.

Enter the size in KB or MB or GB or TB and click Next.

Copy your password from your password safe and confirm it.

I have automated my KeePass entry to enter my password. I can mount my Veracrypt volume automatically with CTRL-ALT-A when KeePass is open.

Choose a file format. FAT is good if your file isn't too big. It can be read on Macs, PCs and Linux computers. However, for very large containers that will hold lots of files and only need to be read on Windows, the NTFS filesystem is more efficient. Also, if any single file inside the container might be over 4 GB, then it needs to be NTFS (for Windows users).

Next, move your mouse around chaotically for a minute, until the green line fills, so that Veracrypt can use the randomness of your mouse movements to create a more random starting point for encryption. When it is done, exit out of the volume creation module.

You can then mount your new container to a drive letter.

  1. Select a drive letter to use: I use V for Veracrypt
  2. Find the file you created and encrypted with Veracrypt
  3. Mount the file to the drive letter.

The contents of the file will now be decrypted and will appear as the V drive. You will see the new V drive in file manager.

If I open my new V drive, it looks and acts like any other drive.

The Veracrypt icon in your system tray will also show that you have an open volume.

I put a shortcut on my desktop to my file in my documents folder.

Closing the volume

While you are using the Veracrypt volume and it is acting like a drive, the files are decrypted transparently as they are read and can be accessed normally, by you and by any program running on the computer. There is no security while it is mounted, like the grocery store that is open. When you are done using the volume, you need to dismount it. Be sure you have closed any programs and files that were using the temporary drive. Click on the Veracrypt icon in the system tray and dismount the volume. Some backup programs like SpiderOak One may have grabbed that drive in case they needed to back it up, so you may get a warning that something has a hold on it. If you are sure nothing does, just force a dismount. However, if you told SpiderOak to back up files inside that drive, then make sure it isn't trying to do so before you dismount.

Enable backup

Most of the other default settings are fine, but I always change one critical setting. To conceal the fact that the file is being used, Veracrypt defaults to preserving the file's timestamp. This means that when you use the file, its modification date remains the same. So after two years, the file would appear to be unchanged. However, backup programs often use that modification date to determine whether the file needs to be backed up. So I always uncheck the Preserve modification timestamp option in the Veracrypt preferences. You'll find Preferences under the Settings menu.
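
Why this setting matters to a backup, as an added example that is not part of the original article or of Veracrypt itself: the Python sketch below compares a size-and-date change check, the kind backup programs often use, with a content hash. The 64 KB file of random bytes is a constructed stand-in for stuff.hc, and `write_inside`, `changed_by_mtime`, `changed_by_hash` and `demo` are hypothetical names.

```python
import hashlib
import os
import tempfile

OLD_NS = 1_500_000_000 * 10**9  # constructed "last modified" time in 2017

def fingerprint(path):
    """Return (size, mtime_ns, sha256 hex) for the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    st = os.stat(path)
    return st.st_size, st.st_mtime_ns, digest.hexdigest()

def write_inside(path, offset, data, preserve_timestamp):
    """Overwrite bytes in place, the way saving into a mounted volume
    rewrites part of the container without changing its size."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    if preserve_timestamp:
        # Imitates the effect of "Preserve modification timestamp":
        # the file's old times are put back after the write.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def changed_by_mtime(before, after):
    """Quick check: size or modification time differs."""
    return before[:2] != after[:2]

def changed_by_hash(before, after):
    """Slow but reliable check: content hash differs."""
    return before[2] != after[2]

def demo(preserve_timestamp):
    """Return (mtime check says changed, hash check says changed)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stuff.hc")  # constructed stand-in container
        with open(path, "wb") as f:
            f.write(os.urandom(64 * 1024))
        os.utime(path, ns=(OLD_NS, OLD_NS))
        before = fingerprint(path)
        write_inside(path, 4096, os.urandom(512), preserve_timestamp)
        after = fingerprint(path)
        return changed_by_mtime(before, after), changed_by_hash(before, after)

if __name__ == "__main__":
    print("timestamp preserved:", demo(True))    # (False, True)
    print("timestamp updated:  ", demo(False))   # (True, True)
```

With the timestamp preserved, the quick check reports no change even though the contents differ, so a backup that relies on it would keep skipping the container.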

More Information

  • good video tutorial
  • The manual - accessible under the Help menu. It is very good.
  • I'll be happy to set it up for you and train you.

Date: April 2018

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
