Beginner's Tutorial

How to Create and Use a TrueCrypt Container

This chapter contains step-by-step instructions on how to create, mount, and use a TrueCrypt
volume. We strongly recommend that you also read the other sections of this manual, as they
contain important information.

Step 1:

If you have not done so, download and install TrueCrypt. Then launch TrueCrypt by double-
clicking the file TrueCrypt.exe or by clicking the TrueCrypt shortcut in your Windows Start
menu.

Step 2:

The main TrueCrypt window should appear. Click Create Volume (marked with a red
rectangle for clarity).
Step 3:

The TrueCrypt Volume Creation Wizard window should appear.

In this step you need to choose where you wish the TrueCrypt volume to be created. A
TrueCrypt volume can reside in a file, which is also called container, in a partition or drive. In
this tutorial, we will choose the first option and create a TrueCrypt volume within a file.

As the option is selected by default, you can just click Next.

Note: In the following steps, the screenshots will show only the right-hand part of the Wizard
window.

Step 4:
In this step you need to choose whether to create a standard or hidden TrueCrypt volume. In
this tutorial, we will choose the former option and create a standard TrueCrypt volume.

As the option is selected by default, you can just click Next.

Step 5:

In this step you have to specify where you wish the TrueCrypt volume (file container) to be
created. Note that a TrueCrypt container is just like any normal file. It can be, for example,
moved or deleted as any normal file. It also needs a filename, which you will choose in the
next step.

Click Select File.

The standard Windows file selector should appear (while the window of the TrueCrypt
Volume Creation Wizard remains open in the background).

Step 6:

In this tutorial, we will create our TrueCrypt volume in the folder D:\My Documents\ and the
filename of the volume (container) will be My Volume (as can be seen in the screenshot
above). You may, of course, choose any other filename and location you like (for example, on
a USB memory stick). Note that the file My Volume does not exist yet – TrueCrypt will create
it.

IMPORTANT: Note that TrueCrypt will not encrypt any existing files (when creating a
TrueCrypt file container). If you select an existing file in this step, it will be overwritten
and replaced by the newly created volume (so the overwritten file will be lost, not
encrypted). You will be able to encrypt existing files (later on) by moving them to the
TrueCrypt volume that we are creating now.*

Select the desired path (where you wish the container to be created) in the file selector.
Type the desired container filename in the File name box.

Click Save.

The file selector window should disappear.

In the following steps, we will return to the TrueCrypt Volume Creation Wizard.

* Note that after you copy existing unencrypted files to a TrueCrypt volume, you should
securely erase (wipe) the original unencrypted files. There are software tools that can be used
for the purpose of secure erasure (many of them are free).

Step 7:

In the Volume Creation Wizard window, click Next.

Step 8:
Here you can choose an encryption algorithm and a hash algorithm for the volume. If you are
not sure what to select here, you can use the default settings and click Next (for more
information, see Chapters Encryption Algorithms and Hash Algorithms).

Step 9:

Here we specify that we wish the size of our TrueCrypt container to be 1 megabyte. You may,
of course, specify a different size. After you type the desired size in the input field (marked
with a red rectangle), click Next.
Step 10:

This is one of the most important steps. Here you have to choose a good volume password.

Read carefully the information displayed in the Wizard window about what is considered a
good password.

After you choose a good password, type it in the first input field. Then re-type it in the input
field below the first one and click Next.

Note: The button Next will be disabled until passwords in both input fields are the same.

Step 11:
Move your mouse as randomly as possible within the Volume Creation Wizard window at
least for 30 seconds. The longer you move the mouse, the better. This significantly increases
the cryptographic strength of the encryption keys (which increases security).

Click Format.

Volume creation should begin. TrueCrypt will now create a file called My Volume in the
folder D:\My Documents\ (as we specified in Step 6). This file will be a TrueCrypt container
(it will contain the encrypted TrueCrypt volume). Depending on the size of the volume, the
volume creation may take a long time. After it finishes, the following dialog box will appear:

Click OK to close the dialog box.

Step 12:
We have just successfully created a TrueCrypt volume (file container).

In the TrueCrypt Volume Creation Wizard window, click Exit.

The Wizard window should disappear.

In the remaining steps, we will mount the volume we just created. We will return to the main
TrueCrypt window (which should still be open, but if it is not, repeat Step 1 to launch
TrueCrypt and then continue from Step 13.)

Step 13:
Select a drive letter from the list (marked with a red rectangle). This will be the drive letter to
which the TrueCrypt container will be mounted.

Note: In this tutorial, we chose the drive letter M, but you may of course choose any other
available drive letter.

Step 14:
Click Select File.

The standard file selector window should appear.

Step 15:
In the file selector, browse to the container file (which we created in Steps 6-11) and select it.

Click Open (in the file selector window).

The file selector window should disappear.

In the following steps, we will return to the main TrueCrypt window.

Step 16:
In the main TrueCrypt window, click Mount.

Password prompt dialog window should appear.

Step 17:
Type the password (which you specified in Step 10) in the password input field (marked with
a red rectangle).

Step 18:
Click OK in the password prompt window.

TrueCrypt will now attempt to mount the volume. If the password is incorrect (for example, if
you typed it incorrectly), TrueCrypt will notify you and you will need to repeat the previous
step (type the password again and click OK). If the password is correct, the volume will be
mounted.

Final Step:
We have just successfully mounted the container as a virtual disk M:

The virtual disk is entirely encrypted (including file names, allocation tables, free space, etc.)
and behaves like a real disk. You can save (or copy, move, etc.) files to this virtual disk and
they will be encrypted on the fly as they are being written.

If you open a file stored on a TrueCrypt volume, for example, in media player, the file will be
automatically decrypted to RAM (memory) on-the-fly while it is being read.

Important: Note that when you open a file stored on a TrueCrypt volume (or when you
write/copy a file to/from the TrueCrypt volume) you will not be asked to enter the password
again. You need to enter the correct password only when mounting the volume.

You can open the mounted volume, for example, by double-clicking the item marked with a
red rectangle in the screenshot above.

You can also browse to the mounted volume the way you normally browse to any other types
of volumes. For example, by opening the 'Computer' (or 'My Computer') list and double
clicking the corresponding drive letter (in this case, it is the letter M).
You can copy files to and from the TrueCrypt volume just as you would copy them to any
normal disk (for example, by simple drag-and-drop operations). Files that are being read or
copied from the encrypted TrueCrypt volume are automatically decrypted on the fly (in
memory/RAM). Similarly, files that are being written or copied to the encrypted TrueCrypt
volume are automatically encrypted on the fly (right before they are written to the disk) in
RAM.

Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily
in RAM (memory). Even when the volume is mounted, data stored in the volume is still
encrypted. When you restart Windows or turn off your computer, the volume will be
dismounted and all files stored on it will be inaccessible (and encrypted). Even when power
supply is suddenly interrupted (without proper system shut down), all files stored on the
volume will be inaccessible (and encrypted). To make them accessible again, you have to
mount the volume. To do so, repeat Steps 13-18.

If you want to close the volume and make files stored on it inaccessible, either restart your
operating system or dismount the volume. To do so, follow these steps:
Select the volume from the list of mounted volumes in the main TrueCrypt window (marked
with a red rectangle in the screenshot above) and then click Dismount (also marked with a
red rectangle in the screenshot above). To make files stored on the volume accessible again,
you will have to mount the volume. To do so, repeat Steps 13-18.

How to Create and Use a TrueCrypt-Encrypted Partition/Device

Instead of creating file containers, you can also encrypt physical partitions or drives (i.e.,
create TrueCrypt device-hosted volumes). To do so, repeat the steps 1-3, but in the step 3
select the second or third option. Then follow the remaining instructions in the wizard. When
you create a device-hosted TrueCrypt volume within a non-system partition/drive, you can
mount it by clicking Auto-Mount Devices in the main TrueCrypt window. For information
pertaining to encrypted system partition/drives, see the chapter System Encryption.

Important: We strongly recommend that you also read the other chapters of this manual,
as they contain important information that has been omitted in this tutorial for simplicity.
Hidden Volume

It may happen that you are forced by somebody to reveal the password to an encrypted
volume. There are many situations where you cannot refuse to reveal the password (for
example, due to extortion). Using a so-called hidden volume allows you to solve such
situations without revealing the password to your volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created
within it.

The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within
the free space on the volume). Even when the outer volume is mounted, it should be
impossible to prove whether there is a hidden volume within it or not*, because free space on
any TrueCrypt volume is always filled with random data when the volume is created** and
no part of the (dismounted) hidden volume can be distinguished from random data. Note that
TrueCrypt does not modify the file system (information about free space, etc.) within the
outer volume in any way.

The password for the hidden volume must be substantially different from the password for the
outer volume. To the outer volume, (before creating the hidden volume within it) you should
copy some sensitive-looking files that you actually do NOT want to hide. These files will be
there for anyone who would force you to hand over the password. You will reveal only the
password for the outer volume, not for the hidden one. Files that really are sensitive will be
stored on the hidden volume.

A hidden volume can be mounted the same way as a standard TrueCrypt volume: Click Select
File or Select Device to select the outer/host volume (important: make sure the volume is not
mounted). Then click Mount, and enter the password for the hidden volume. Whether the
hidden or the outer volume will be mounted is determined by the entered password (i.e., when
you enter the password for the outer volume, then the outer volume will be mounted; when
you enter the password for the hidden volume, the hidden volume will be mounted).

TrueCrypt first attempts to decrypt the standard volume header using the entered password. If
it fails, it loads the area of the volume where a hidden volume header can be stored (i.e. bytes
65536–131071, which contain solely random data when there is no hidden volume within the
volume) to RAM and attempts to decrypt it using the entered password. Note that hidden
volume headers cannot be identified, as they appear to consist entirely of random data. If the
header is successfully decrypted (for information on how TrueCrypt determines that it was
successfully decrypted, see the section Encryption Scheme), the information about the size of
the hidden volume is retrieved from the decrypted header (which is still stored in RAM), and
the hidden volume is mounted (its size also determines its offset).

A hidden volume can be created within any type of TrueCrypt volume, i.e., within a file-
hosted volume or partition/device-hosted volume (requires administrator privileges). To
create a hidden TrueCrypt volume, click on Create Volume in the main program window and
select Create a hidden TrueCrypt volume. The Wizard will provide help and all information
necessary to successfully create a hidden TrueCrypt volume.

When creating a hidden volume, it may be very difficult or even impossible for an
inexperienced user to set the size of the hidden volume such that the hidden volume does not
overwrite data on the outer volume. Therefore, the Volume Creation Wizard automatically
scans the cluster bitmap of the outer volume (before the hidden volume is created within it)
and determines the maximum possible size of the hidden volume.***

If there are any problems when creating a hidden volume, refer to the chapter Troubleshooting
for possible solutions.

Note that it is also possible to create and boot an operating system residing in a hidden
volume (see the section Hidden Operating System).

* Provided that all the instructions in the TrueCrypt Volume Creation Wizard have
been followed and provided that the requirements and precautions listed in the
subsection Security Requirements and Precautions Pertaining to Hidden Volumes
are followed.
** Provided that the options Quick Format and Dynamic are disabled and
provided that the volume does not contain a filesystem that has been encrypted
in place (TrueCrypt does not allow the user to create a hidden volume within such
a volume). For information on the method used to fill free volume space with
random data, see chapter Technical Details, section TrueCrypt Volume Format
Specification.
*** The wizard scans the cluster bitmap to determine the size of the
uninterrupted area of free space (if there is any) whose end is aligned with the
end of the outer volume. This area accommodates the hidden volume and
therefore the size of this area limits the maximum possible size of the hidden
volume. On Linux and Mac OS X, the wizard actually does not scan the cluster
bitmap, but the driver detects any data written to the outer volume and uses
their position as previously described.

Protection of Hidden Volumes Against Damage

If you mount a TrueCrypt volume within which there is a hidden volume, you may read data
stored on the (outer) volume without any risk. However, if you (or the operating system) need
to save data to the outer volume, there is a risk that the hidden volume will get damaged
(overwritten). To prevent this, you should protect the hidden volume in a way described in
this section.

When mounting an outer volume, type in its password and before clicking OK, click Mount
Options:

In the Mount Options dialog window, enable the option 'Protect hidden volume against
damage caused by writing to outer volume '. In the 'Password to hidden volume' input field,
type the password for the hidden volume. Click OK and, in the main password entry dialog,
click OK.
Both passwords must be correct; otherwise, the outer volume will not be mounted. When
hidden volume protection is enabled, TrueCrypt does not actually mount the hidden volume.
It only decrypts its header (in RAM) and retrieves information about the size of the hidden
volume (from the decrypted header). Then, the outer volume is mounted and any attempt to
save data to the area of the hidden volume will be rejected (until the outer volume is
dismounted). Note that TrueCrypt never modifies the filesystem (e.g., information about
allocated clusters, amount of free space, etc.) within the outer volume in any way. As
soon as the volume is dismounted, the protection is lost. When the volume is mounted
again, it is not possible to determine whether the volume has used hidden volume
protection or not. The hidden volume protection can be activated only by users who
supply the correct password (and/or keyfiles) for the hidden volume (each time they
mount the outer volume).

As soon as a write operation to the hidden volume area is denied/prevented (to protect the
hidden volume), the entire host volume (both the outer and the hidden volume) becomes
write-protected until dismounted (the TrueCrypt driver reports the 'invalid parameter' error to
the system upon each attempt to write data to the volume). This preserves plausible
deniability (otherwise certain kinds of inconsistency within the file system could indicate that
this volume has used hidden volume protection). When damage to hidden volume is
prevented, a warning is displayed (provided that the TrueCrypt Background Task is enabled –
see the chapter TrueCrypt Background Task). Furthermore, the type of the mounted outer
volume displayed in the main window changes to 'Outer(!) ':
Moreover, the field Hidden Volume Protected in the Volume Properties dialog window says:
'Yes (damage prevented!)'.

Note that when damage to hidden volume is prevented, no information about the event is
written to the volume. When the outer volume is dismounted and mounted again, the volume
properties will not display the string "damage prevented".

There are several ways to check that a hidden volume is being protected against damage:

1. A confirmation message box saying that hidden volume is being protected is displayed
after the outer volume is mounted (if it is not displayed, the hidden volume is not
protected!).

2. In the Volume Properties dialog, the field Hidden Volume Protected says 'Yes':

3. The type of the mounted outer volume is Outer:

Important: When an adversary asks you to mount an outer volume, you, of course, must
not mount the outer volume with the hidden volume protection enabled. You must mount it
as a normal volume (and then TrueCrypt will not show the volume type "Outer" but
"Normal"). Note that during the time when an outer volume is mounted with the hidden
volume protection enabled, the adversary can find out that a hidden volume exists within
the outer volume (he/she will be able to find it out until the volume is dismounted).

Warning: Note that the option 'Protect hidden volume against damage caused by writing to
outer volume' in the Mount Options dialog window is automatically disabled after a mount
attempt is completed, no matter whether it is successful or not (all hidden volumes that are
already being protected will, of course, continue to be protected). Therefore, you need to
check that option each time you attempt to mount the outer volume (if you wish the hidden
volume to be protected):

If you want to mount an outer volume and protect a hidden volume within using cached
passwords, then follow these steps: Hold down the Control (Ctrl) key when clicking Mount
(or select Mount with Options from the Volumes menu). This will open the Mount Options
dialog. Enable the option 'Protect hidden volume against damage caused by writing to outer
volume' and leave the password box empty. Then click OK.

If you need to mount an outer volume and you know that you will not need to save any data to
it, then the most comfortable way of protecting the hidden volume against damage is
mounting the outer volume as read-only (see the section Mount Options).

Security Requirements and Precautions Pertaining to Hidden Volumes

If you use a hidden TrueCrypt volume, you must follow the security requirements and
precautions listed below in this section. Disclaimer: This section is not guaranteed to contain a
list of all security issues and attacks that might adversely affect or limit the ability of
TrueCrypt to secure data stored in a hidden TrueCrypt volume and the ability to provide
plausible deniability.

• If an adversary has access to a (dismounted) TrueCrypt volume at several points over

time, he may be able to determine which sectors of the volume are changing. If you
change the contents of a hidden volume (e.g., create/copy new files to the hidden
volume or modify/delete/rename/move files stored on the hidden volume, etc.), the
contents of sectors (ciphertext) in the hidden volume area will change. After being
given the password to the outer volume, the adversary might demand an explanation
why these sectors changed. Your failure to provide a plausible explanation might
indicate the existence of a hidden volume within the outer volume.

Note that issues similar to the one described above may also arise, for example, in the
following cases:

o The file system in which you store a file-hosted TrueCrypt container has been
defragmented and a copy of the TrueCrypt container (or of its fragment)
remains in the free space on the host volume (in the defragmented file system).
To prevent this, do one of the following:
 Use a partition/device-hosted TrueCrypt volume instead of file-hosted.
 Securely erase free space on the host volume (in the defragmented file
system) after defragmenting.
 Do not defragment file systems in which you store TrueCrypt volumes.

o A file-hosted TrueCrypt container is stored in a journaling file system (such as

NTFS). A copy of the TrueCrypt container (or of its fragment) may remain on
the host volume. To prevent this, do one the following:
 Use a partition/device-hosted TrueCrypt volume instead of file-hosted.
 Store the container in a non-journaling file system (for example,
FAT32).

o A TrueCrypt volume resides on a device/filesystem that utilizes a wear-

leveling mechanism (e.g. a flash-memory SSD or USB flash drive). A copy of
(a fragment of) the TrueCrypt volume may remain on the device. Therefore, do
not store hidden volumes on such devices/filesystems. For more information
 on wear-leveling, see the section Wear-Leveling in the chapter Security
Requirements and Precautions.

o A TrueCrypt volume resides on a device/filesystem that saves data (or on a

device/filesystem that is controlled or monitored by a system/device that saves
data) (e.g. the value of a timer or counter) that can be used to determine that a
block had been written earlier than another block and/or to determine how
many times a block has been written/read. Therefore, do not store hidden
volumes on such devices/filesystems. To find out whether a device/system
saves such data, please refer to documentation supplied with the device/system
or contact the vendor/manufacturer.

o A TrueCrypt volume resides on a device that is prone to wear (it is possible to

determine that a block has been written/read more times than another block).
Therefore, do not store hidden volumes on such devices/filesystems. To find
out whether a device is prone to such wear, please refer to documentation
supplied with the device or contact the vendor/manufacturer.

o You back up content of a hidden volume by cloning its host volume or create a
new hidden volume by cloning its host volume. Therefore, you must not do so.
Follow the instructions in the chapter How to Back Up Securely and in the
section Volume Clones.

• Make sure that Quick Format is disabled when encrypting a partition/device within
which you intend to create a hidden volume.

• On Windows, make sure you have not deleted any files within a volume within which
you intend to create a hidden volume (the cluster bitmap scanner does not detect
deleted files).

• On Linux or Mac OS X, if you intend to create a hidden volume within a file-hosted

TrueCrypt volume, make sure that the volume is not sparse-file-hosted (the Windows
version of TrueCrypt verifies this and disallows creation of hidden volumes within
sparse files).

• When a hidden volume is mounted, the operating system and third-party applications
may write to non-hidden volumes (typically, to the unencrypted system volume)
unencrypted information about the data stored in the hidden volume (e.g. filenames
and locations of recently accessed files, databases created by file indexing tools, etc.),
or the data itself in an unencrypted form (temporary files, etc.), or unencrypted
information about the filesystem residing in the hidden volume (which might be used
e.g. to identify the filesystem and to determine whether it is the filesystem residing in
the outer volume). Therefore, the following guidelines and precautions must be
followed:

o Windows: Create a hidden operating system (for information on how to do so,

see the section Hidden Operating System) and mount hidden volumes only
when the hidden operating system is running.

Note: When a hidden operating system is running, TrueCrypt ensures that all
local unencrypted filesystems and non-hidden TrueCrypt volumes are read-
 only (i.e. no files can be written to such filesystems or TrueCrypt volumes).*
Data is allowed to be written to filesystems within hidden TrueCrypt volumes.

o Linux: Download or create a "live CD" version of your Linux operating system
(i.e. a "live" Linux system entirely stored on and booted from a CD/DVD) that
ensures that any data written to the system volume is written to a RAM disk.
Mount hidden volumes only when such a "live CD" system is running. During
the session, only filesystems that reside in hidden TrueCrypt volumes may be
mounted in read-write mode (outer or unencrypted volumes/filesystems must
be mounted as read-only or must not be mounted/accessible at all). If you
cannot use such a "live CD" version of the operating system or if you are not
able to ensure that applications and the standard version (as opposed to a "live
CD" version) of your operating system do not write the above types of
sensitive data to non-hidden volumes (or filesystems), you should not mount or
create hidden TrueCrypt volumes under Linux.

o Mac OS X: If you are not able to ensure that applications and the operating
system do not write the above types of sensitive data to non-hidden volumes
(or filesystems), you should not mount or create hidden TrueCrypt volumes
under Mac OS X.

• If you use an operating system residing within a hidden volume (see the section
Hidden Operating System), then, in addition to the above, you must follow these
security requirements and precautions:

o You should use the decoy operating system as frequently as you use your
computer. Ideally, you should use it for all activities that do not involve
sensitive data. Otherwise, plausible deniability of the hidden operating system
might be adversely affected (if you revealed the password for the decoy
operating system to an adversary, he could find out that the system is not used
very often, which might indicate the existence of a hidden operating system on
your computer). Note that you can save data to the decoy system partition
anytime without any risk that the hidden volume will get damaged (because the
decoy system is not installed in the outer volume).

o If the operating system requires activation, it must be activated before it is

cloned (cloning is part of the process of creation of a hidden operating system
— see the section Hidden Operating System) and the hidden operating system
(i.e. the clone) must never be reactivated. The reason is that the hidden
operating system is created by copying the content of the system partition to a
hidden volume (so if the operating system is not activated, the hidden
operating system will not be activated either). If you activated or reactivated a
hidden operating system, the date and time of the activation (and other data)
might be logged on a Microsoft server (and on the hidden operating system)
but not on the decoy operating system. Therefore, if an adversary had access to
the data stored on the server or intercepted your request to the server (and if
you revealed the password for the decoy operating system to him), he might
find out that the decoy operating system was activated (or reactivated) at a
different time, which might indicate the existence of a hidden operating system
on your computer.
 For similar reasons, any software that requires activation must be installed and
activated before you start creating the hidden operating system.

o When you need to shut down the hidden system and start the decoy system, do
not restart the computer. Instead, shut it down or hibernate it and then leave it
powered off for at least several minutes (the longer, the better) before turning
the computer on and booting the decoy system. This is required to clear the
memory, which may contain sensitive data. For more information, see the
section Unencrypted Data in RAM in the chapter Security Requirements and
Precautions.

o The computer may be connected to a network (including the internet) only

when the decoy operating system is running. When the hidden operating
system is running, the computer should not be connected to any network,
including the internet (one of the most reliable ways to ensure it is to unplug
the network cable, if there is one). Note that if data is downloaded from or
uploaded to a remote server, the date and time of the connection, and other
data, are typically logged on the server. Various kinds of data are also logged
on the operating system (e.g. Windows auto-update data, application logs,
error logs, etc.) Therefore, if an adversary had access to the data stored on the
server or intercepted your request to the server (and if you revealed the
password for the decoy operating system to him), he might find out that the
connection was not made from within the decoy operating system, which
might indicate the existence of a hidden operating system on your computer.

Also note that similar issues would affect you if there were any filesystem
shared over a network under the hidden operating system (regardless of
whether the filesystem is remote or local). Therefore, when the hidden
operating system is running, there must be no filesystem shared over a network
(in any direction).

o Any actions that can be detected by an adversary (or any actions that modify
any data outside mounted hidden volumes) must be performed only when the
decoy operating system is running (unless you have an alternative plausible
explanation, such as using a "live-CD" system to perform such actions). For
example, the option 'Auto-adjust for daylight saving time' option may be
enabled only on the decoy system.

o If the BIOS, EFI, or any other component logs power-down events or any
other events that could indicate a hidden volume/system is used (e.g. by
comparing such events with the events in the Windows event log), you must
either disable such logging or ensure that the log is securely erased after each
session (or otherwise avoid such an issue in an appropriate way).

In addition to the above precautions, you must follow the security requirements and
precautions listed in the following chapters:

• Security Requirements and Precautions

• How to Back Up Securely

Hidden Operating System

If your system partition or system drive is encrypted using TrueCrypt, you need to enter your
pre-boot authentication password in the TrueCrypt Boot Loader screen after you turn on or
restart your computer. It may happen that you are forced by somebody to decrypt the
operating system or to reveal the pre-boot authentication password. There are many situations
where you cannot refuse to do so (for example, due to extortion). TrueCrypt allows you to
create a hidden operating system whose existence should be impossible to prove (provided
that certain guidelines are followed — see below). Thus, you will not have to decrypt or
reveal the password for the hidden operating system.

Before you continue reading this section, make sure you have read the section Hidden
Volume and that you understand what a hidden TrueCrypt volume is.

A hidden operating system is a system (for example, Windows 7 or Windows XP) that is
installed in a hidden TrueCrypt volume. It should be impossible to prove that a hidden
TrueCrypt volume exists (provided that certain guidelines are followed; for more information,
see the section Hidden Volume) and, therefore, it should be impossible to prove that a hidden
operating system exists.

However, in order to boot a system encrypted by TrueCrypt, an unencrypted copy of the

TrueCrypt Boot Loader has to be stored on the system drive or on a TrueCrypt Rescue Disk.
Hence, the mere presence of the TrueCrypt Boot Loader can indicate that there is a system
encrypted by TrueCrypt on the computer. Therefore, to provide a plausible explanation for the
presence of the TrueCrypt Boot Loader, the TrueCrypt helps you create a second encrypted
operating system, so-called decoy operating system, during the process of creation of a
hidden operating system. A decoy operating system must not contain any sensitive files. Its
existence is not secret (it is not installed in a hidden volume). The password for the decoy
operating system can be safely revealed to anyone forcing you to disclose your pre-boot
authentication password.*

You should use the decoy operating system as frequently as you use your computer. Ideally,
you should use it for all activities that do not involve sensitive data. Otherwise, plausible
deniability of the hidden operating system might be adversely affected (if you revealed the
password for the decoy operating system to an adversary, he could find out that the system is
not used very often, which might indicate the existence of a hidden operating system on your
computer). Note that you can save data to the decoy system partition anytime without any risk
that the hidden volume will get damaged (because the decoy system is not installed in the
outer volume — see below).

There will be two pre-boot authentication passwords — one for the hidden system and the
other for the decoy system. If you want to start the hidden system, you simply enter the
password for the hidden system in the TrueCrypt Boot Loader screen (which appears after
you turn on or restart your computer). Likewise, if you want to start the decoy system (for
example, when asked to do so by an adversary), you just enter the password for the decoy
system in the TrueCrypt Boot Loader screen.
Note: When you enter a pre-boot authentication password, the TrueCrypt Boot Loader first
attempts to decrypt (using the entered password) the last 512 bytes of the first logical track of
the system drive (where encrypted master key data for non-hidden encrypted system
partitions/drives are normally stored). If it fails and if there is a partition behind the active
partition, the TrueCrypt Boot Loader (even if there is actually no hidden volume on the drive)
automatically tries to decrypt (using the same entered password again) the area of the first
partition behind the active partition where the encrypted header of a possible hidden volume
might be stored (however, if the size of the active partition is less than 256 MB, then the data
is read from the second partition behind the active one, because Windows 7 and later, by
default, do not boot from the partition on which they are installed). Note that TrueCrypt never
knows if there is a hidden volume in advance (the hidden volume header cannot be identified,
as it appears to consist entirely of random data). If the header is successfully decrypted (for
information on how TrueCrypt determines that it was successfully decrypted, see the section
Encryption Scheme), the information about the size of the hidden volume is retrieved from the
decrypted header (which is still stored in RAM), and the hidden volume is mounted (its size
also determines its offset). For further technical details, see the section Encryption Scheme in
the chapter Technical Details.

When running, the hidden operating system appears to be installed on the same partition as
the original operating system (the decoy system). However, in reality, it is installed within the
partition behind it (in a hidden volume). All read/write operations are transparently redirected
from the system partition to the hidden volume. Neither the operating system nor applications
will know that data written to and read from the system partition is actually written to and
read from the partition behind it (from/to a hidden volume). Any such data is encrypted and
decrypted on the fly as usual (with an encryption key different from the one that is used for
the decoy operating system).

Note that there will also be a third password — the one for the outer volume. It is not a pre-
boot authentication password, but a regular TrueCrypt volume password. It can be safely
disclosed to anyone forcing you to reveal the password for the encrypted partition where the
hidden volume (containing the hidden operating system) resides. Thus, the existence of the
hidden volume (and of the hidden operating system) will remain secret. If you are not sure
you understand how this is possible, or what an outer volume is, please read the section
Hidden Volume. The outer volume should contain some sensitive-looking files that you
actually do not want to hide.

To summarize, there will be three passwords in total. Two of them can be revealed to an
attacker (for the decoy system and for the outer volume). The third password, for the hidden
system, must remain secret.
Example Layout of System Drive Containing Hidden Operating System

Process of Creation of Hidden Operating System

To start the process of creation of a hidden operating system, select System > Create Hidden
Operating System and then follow the instructions in the wizard.

Initially, the wizard verifies that there is a suitable partition for a hidden operating system on
the system drive. Note that before you can create a hidden operating system, you need to
create a partition for it on the system drive. It must be the first partition behind the system
partition and it must be at least 5% larger than the system partition (the system partition is the
one where the currently running operating system is installed). However, if the outer volume
(not to be confused with the system partition) is formatted as NTFS, the partition for the
hidden operating system must be at least 110% (2.1 times) larger than the system partition
(the reason is that the NTFS file system always stores internal data exactly in the middle of
the volume and, therefore, the hidden volume, which is to contain a clone of the system
partition, can reside only in the second half of the partition).

In the next steps, the wizard will create two TrueCrypt volumes (outer and hidden) within the
first partition behind the system partition. The hidden volume will contain the hidden
operating system. The size of the hidden volume is always the same as the size of the system
partition. The reason is that the hidden volume will need to contain a clone of the content of
the system partition (see below). Note that the clone will be encrypted using a different
encryption key than the original. Before you start copying some sensitive-looking files to the
outer volume, the wizard tells you the maximum recommended size of space that the files
should occupy, so that there is enough free space on the outer volume for the hidden volume.

Remark: After you copy some sensitive-looking files to the outer volume, the cluster bitmap
of the volume will be scanned in order to determine the size of uninterrupted area of free
space whose end is aligned with the end of the outer volume. This area will accommodate the
hidden volume, so it limits its maximum possible size. The maximum possible size of the
hidden volume will be determined and it will be verified that it is greater than the size of the
system partition (which is required, because the entire content of the system partition will
need to be copied to the hidden volume — see below). This ensures that no data stored on the
outer volume will be overwritten by data written to the area of the hidden volume (e.g. when
the system is being copied to it). The size of the hidden volume is always the same as the size
of the system partition.

Then, TrueCrypt will create the hidden operating system by copying the content of the system
partition to the hidden volume. Data being copied will be encrypted on the fly with an
encryption key different from the one that will be used for the decoy operating system. The
process of copying the system is performed in the pre-boot environment (before Windows
starts) and it may take a long time to complete; several hours or even several days (depending
on the size of the system partition and on the performance of the computer). You will be able
to interrupt the process, shut down your computer, start the operating system and then resume
the process. However, if you interrupt it, the entire process of copying the system will have to
start from the beginning (because the content of the system partition must not change during
cloning). The hidden operating system will initially be a clone of the operating system under
which you started the wizard.

Windows creates (typically, without your knowledge or consent) various log files, temporary
files, etc., on the system partition. It also saves the content of RAM to hibernation and paging
files located on the system partition. Therefore, if an adversary analyzed files stored on the
partition where the original system (of which the hidden system is a clone) resides, he might
find out, for example, that you used the TrueCrypt wizard in the hidden-system-creation mode
(which might indicate the existence of a hidden operating system on your computer). To
prevent such issues, TrueCrypt will securely erase the entire content of the partition where the
original system resides after the hidden system has been created. Afterwards, in order to
achieve plausible deniability, TrueCrypt will prompt you to install a new system on the
partition and encrypt it using TrueCrypt. Thus, you will create the decoy system and the
whole process of creation of the hidden operating system will be completed.

Note: TrueCrypt will erase the content of the partition where the original system resides by
filling it with random data entirely. If you revealed the password for the decoy system to an
adversary and he asked you why the free space of the (decoy) system partition contains
random data, you could answer, for example: "The partition previously contained a system
encrypted by TrueCrypt, but I forgot the pre-boot authentication password (or the system was
damaged and stopped booting), so I had to reinstall Windows and encrypt the partition again."

Plausible Deniability and Data Leak Protection

For security reasons, when a hidden operating system is running, TrueCrypt ensures that all
local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only (i.e. no files
can be written to such filesystems or TrueCrypt volumes).† Data is allowed to be written to
any filesystem that resides within a hidden TrueCrypt volume (provided that the hidden
volume is not located in a container stored on an unencrypted filesystem or on any other read-
only filesystem).

There are three main reasons why such countermeasures have been implemented:

1. It enables the creation of a secure platform for mounting of hidden

TrueCrypt volumes. Note that we officially recommend that hidden
volumes are mounted only when a hidden operating system is running. For
 more information, see the subsection Security Requirements and
Precautions Pertaining to Hidden Volumes.

2. In some cases, it is possible to determine that, at a certain time, a

particular filesystem was not mounted under (or that a particular file on
the filesystem was not saved or accessed from within) a particular instance
of an operating system (e.g. by analyzing and comparing filesystem
journals, file timestamps, application logs, error logs, etc). This might
indicate that a hidden operating system is installed on the computer. The
countermeasures prevent these issues.

3. It prevents data corruption and allows safe hibernation. When Windows

resumes from hibernation, it assumes that all mounted filesystems are in
the same state as when the system entered hibernation. TrueCrypt
ensures this by write-protecting any filesystem accessible both from within
the decoy and hidden systems. Without such protection, the filesystem
could become corrupted when mounted by one system while the other
system is hibernated.

If you need to securely transfer files from the decoy system to the hidden
system, follow these steps:

1. Start the decoy system.

2. Save the files to an unencrypted volume or to an outer/normal TrueCrypt
volume.
3. Start the hidden system
4. If you saved the files to a TrueCrypt volume, mount it (it will be
automatically mounted as read-only).
5. Copy the files to the hidden system partition or to another hidden volume.

Possible Explanations for Existence of Two TrueCrypt

Partitions on Single Drive

An adversary might ask why you created two TrueCrypt-encrypted partitions on a single drive
(a system partition and a non-system partition) rather than encrypting the entire disk with a
single encryption key. There are many possible reasons to do that. However, if you do not
know any (other than creating the hidden operating system), you can provide, for example,
one of the following explanations:

• If there are more than two partitions on a system drive and you want to
encrypt only two of them (the system partition and the one behind it) and
to leave the other partitions unencrypted (for example, to achieve the best
possible performance when reading and writing data, which is not
sensitive, to such unencrypted partitions), the only way to do that is to
encrypt both partitions separately (note that, with a single encryption key,
TrueCrypt could encrypt the entire system drive and all partitions on it, but
it cannot encrypt only two of them — only one or all of the partitions can
be encrypted with a single key). As a result, there will be two adjacent
TrueCrypt partitions on the system drive (the first will be a system
partition, the second will be a non-system one), each encrypted with a
 different key (which is also the case when you create a hidden operating
system, and therefore it can be explained this way).

If you do not know any good reason why there should be more than one
partition on a system drive at all:

It is generally recommended to separate non-system files (documents)

from system files. One of the easiest and most reliable ways to do that is
to create two partitions on the system drive; one for the operating system
and the other for documents (non-system files). The reasons why this
practice is recommended include:

o If the filesystem on one of the partitions is damaged, files on the

partition may get corrupted or lost, whereas files on the other
partition are not affected.
o It is easier to reinstall the system without losing your documents
(reinstallation of an operating system involves formatting the
system partition, after which all files stored on it are lost). If the
system is damaged, full reinstallation is often the only option.

• A cascade encryption algorithm (e.g. AES-Twofish-Serpent) can be up to

four times slower than a non-cascade one (e.g. AES). However, a cascade
encryption algorithm may be more secure than a non-cascade one (for
example, the probability that three distinct encryption algorithms will be
broken, e.g. due to advances in cryptanalysis, is significantly lower than
the probability that only one of them will be broken). Therefore, if you
encrypt the outer volume with a cascade encryption algorithm and the
decoy system with a non-cascade encryption algorithm, you can answer
that you wanted the best performance (and adequate security) for the
system partition, and the highest possible security (but worse
performance) for the non-system partition (i.e. the outer volume), where
you store the most sensitive data, which you do not need to access very
often (unlike the operating system, which you use very often, and
therefore you need it to have the best possible performance). On the
system partition, you store data that is less sensitive (but which you need
to access very often) than data you store on the non-system partition (i.e.
on the outer volume).

• Provided that you encrypt the outer volume with a cascade encryption
algorithm (e.g. AES-Twofish-Serpent) and the decoy system with a non-
cascade encryption algorithm (e.g. AES), you can also answer that you
wanted to prevent the problems about which TrueCrypt warns when the
user attempts to choose a cascade encryption algorithm for system
encryption (see below for a list of the problems). Therefore, to prevent
those problems, you decided to encrypt the system partition with a non-
cascade encryption algorithm. However, you still wanted to use a cascade
encryption algorithm (because it is more secure than a non-cascade
encryption algorithm) for the most sensitive data, so you decided to create
a second partition, which those problems do not affect (because it is non-
system) and to encrypt it with a cascade encryption algorithm. On the
system partition, you store data that is less sensitive than data you store
on the non-system partition (i.e. on the outer volume).
 Note: When the user attempts to encrypt the system partition with a
cascade encryption algorithm, TrueCrypt warns him or her that it can
cause the following problems (and implicitly recommends to choose a non-
cascade encryption algorithm instead):
o For cascade encryption algorithms, the TrueCrypt Boot Loader is
larger than normal and, therefore, there is not enough space in the
first drive track for a backup of the TrueCrypt Boot Loader. Hence,
whenever it gets damaged (which often happens, for example,
during inappropriately designed anti-piracy activation procedures of
certain programs), the user must use the TrueCrypt Rescue Disk to
repair the TrueCrypt Boot Loader or to boot.
o On some computers, resuming from hibernation takes longer.

• In contrast to a password for a non-system TrueCrypt volume, a pre-boot

authentication password needs to be typed each time the computer is
turned on or restarted. Therefore, if the pre-boot authentication password
is long (which is required for security purposes), it may be very tiresome to
type it so frequently. Hence, you can answer that it was more convenient
for you to use a short (and therefore weaker) password for the system
partition (i.e. the decoy system) and that it is more convenient for you to
store the most sensitive data (which you do not need to access as often) in
the non-system TrueCrypt partition (i.e. in the outer volume) for which you
chose a very long password.

As the password for the system partition is not very strong (because it is
short), you do not intentionally store sensitive data on the system
partition. However, you still prefer the system partition to be encrypted,
because potentially sensitive or mildly sensitive data is stored on it as a
result of your everyday use of the computer (for example, passwords to
online forums you visit, which can be automatically remembered by your
browser, browsing history, applications you run, etc.)

• When an attacker gets hold of your computer when a TrueCrypt volume is

mounted (for example, when you use a laptop outside), he can, in most
cases, read any data stored on the volume (data is decrypted on the fly as
he reads it). Therefore, it may be wise to limit the time the volume is
mounted to a minimum. Obviously, this may be impossible or difficult if the
sensitive data is stored on an encrypted system partition or on an entirely
encrypted system drive (because you would also have to limit the time you
work with the computer to a minimum). Hence, you can answer that you
created a separate partition (encrypted with a different key than your
system partition) for your most sensitive data and that you mount it only
when necessary and dismount it as soon as possible (so as to limit the
time the volume is mounted to a minimum). On the system partition, you
store data that is less sensitive (but which you need to access often) than
data you store on the non-system partition (i.e. on the outer volume).
Safety/Security Precautions and Requirements
Pertaining to Hidden Operating Systems

As a hidden operating system resides in a hidden TrueCrypt volume, a user of a hidden

operating system must follow all of the security requirements and precautions that apply to
normal hidden TrueCrypt volumes. These requirements and precautions, as well as additional
requirements and precautions pertaining specifically to hidden operating systems, are listed in
the subsection Security Requirements and Precautions Pertaining to Hidden Volumes.

WARNING: If you do not protect the hidden volume (for information on how to do so, refer
to the section Protection of Hidden Volumes Against Damage), do not write to the outer
volume (note that the decoy operating system is not installed in the outer volume). Otherwise,
you may overwrite and damage the hidden volume (and the hidden operating system within
it)!

If all the instructions in the wizard have been followed and if the security requirements and
precautions listed in the subsection Security Requirements and Precautions Pertaining to
Hidden Volumes are followed, it should be impossible to prove that the hidden volume and
hidden operating system exist, even when the outer volume is mounted or when the decoy
operating system is decrypted or started.

* It is not practical (and therefore is not supported) to install operating systems in

two TrueCrypt volumes that are embedded within a single partition, because
using the outer operating system would often require data to be written to the
area of the hidden operating system (and if such write operations were
prevented using the hidden volume protection feature, it would inherently cause
system crashes, i.e. 'Blue Screen' errors).
† This does not apply to filesystems on CD/DVD-like media and on custom,
atypical, or non-standard devices/media.