System Encryption
VeraCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive
where Windows is installed and from which it boots.
System encryption provides the highest level of security and privacy, because all files, including
any temporary files that Windows and applications create on the system partition (typically, without
your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted
(even when power supply is suddenly interrupted). Windows also records large amounts of
potentially sensitive data, such as the names and locations of files you open, applications you run,
etc. All such log files and registry entries are always permanently encrypted as well.
System encryption involves pre-boot authentication, which means that anyone who wants to gain
access and use the encrypted system, read and write files stored on the system drive, etc., will
need to enter the correct password each time before Windows boots (starts). Pre-boot
authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot
drive and on the VeraCrypt Rescue Disk (see below).
Note that VeraCrypt can encrypt an existing unencrypted system partition/drive in-place while the
operating system is running (while the system is being encrypted, you can use your computer as
usual without any restrictions). Likewise, a VeraCrypt-encrypted system partition/drive can be
decrypted in-place while the operating system is running. You can interrupt the process of
encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut
down the computer, and then resume the process, which will continue from the point it was
stopped.
The mode of operation used for system encryption is XTS (see the section Modes of Operation).
For further technical details of system encryption, see the section Encryption Scheme in the
chapter Technical Details.
To encrypt a system partition or entire system drive, select System > Encrypt System
Partition/Drive and then follow the instructions in the wizard. To decrypt a system partition/drive,
select System > Permanently Decrypt System Partition/Drive.
Note: By default, Windows 7 and later boot from a special small partition. The partition contains files
that are required to boot the system. Windows allows only applications that have administrator
privileges to write to the partition (when the system is running). VeraCrypt encrypts the partition
only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the
partition where Windows is installed).
Hidden Operating System
It may happen that you are forced by somebody to decrypt the operating system. There are many
situations where you cannot refuse to do so (for example, due to extortion). VeraCrypt allows you
to create a hidden operating system whose existence should be impossible to prove (provided that
certain guidelines are followed). Thus, you will not have to decrypt or reveal the password for the
hidden operating system. For more information, see the section Hidden Operating System in the
chapter Plausible Deniability.
