I M P O R T A N T -- PLEASE PRINT THIS TEXT IF POSSIBLE (click 'Print' below).
Note: This text will be automatically displayed each time you start the hidden system until you start creating the decoy system.
How to Create Decoy System Safely and Securely
In order to achieve plausible deniability, you need to create the decoy operating system now. To do so, follow these steps:
1) For security reasons, shut down your computer and leave it powered off for at least several minutes (the longer, the better). This is required to clear the memory, which contains sensitive data. Then turn on the computer but do not boot the hidden system.
2) Install Windows on the partition whose content has been erased (i.e. on the partition where the original system, of which the hidden system is a clone, was installed).
IMPORTANT: WHEN YOU START INSTALLING THE DECOY SYSTEM, THE HIDDEN SYSTEM WILL *NOT* BE POSSIBLE TO BOOT (because the VeraCrypt Boot Loader will be erased by the Windows system installer). THIS IS NORMAL AND EXPECTED. PLEASE DO NOT PANIC. YOU WILL BE ABLE TO BOOT THE HIDDEN SYSTEM AGAIN AS SOON AS YOU START ENCRYPTING THE DECOY SYSTEM (because VeraCrypt will then automatically install the VeraCrypt Boot Loader on the system drive).
Important: The size of the decoy system partition must remain the same as the size of the hidden volume (this condition is now met). Moreover, you must not create any partition between the decoy system partition and the partition where the hidden system resides.
3) Boot the decoy system (which you installed in step 2 and install VeraCrypt on it).
Keep in mind that the decoy system must never contain any sensitive data.
4) On the decoy system, run VeraCrypt and select 'System' > 'Encrypt System Partition/Drive'. The VeraCrypt Volume Creation Wizard window should appear.
The following steps apply to the VeraCrypt Volume Creation Wizard.
5) In the VeraCrypt Volume Creation Wizard, do NOT select the 'Hidden' option. Leave the 'Normal' option selected and click 'Next'.
6) Select the option 'Encrypt the Windows system partition' and then click 'Next'.
7) If there are only the hidden system and the decoy system installed on the computer, select the option 'Single-boot' (if there are more than these two systems installed on the computer, select 'Multi-boot'). Then click 'Next'.
8) IMPORTANT: In this step, FOR THE DECOY SYSTEM, YOU MUST SELECT THE SAME ENCRYPTION ALGORITHM AND HASH ALGORITHM THAT YOU SELECTED FOR THE HIDDEN SYSTEM! OTHERWISE, THE HIDDEN SYSTEM WILL BE INACCESSIBLE! In other words, the decoy system must be encrypted with the same encryption algorithm as the hidden system. Note: The reason is that the decoy system and the hidden system will share a single boot loader, which supports only a single algorithm, selected by the user (for each algorithm, there is a special version of the VeraCrypt Boot Loader).
9) In this step, choose a password for the decoy operating system. This will be the password that you will be able to reveal to an adversary if you are asked or forced to disclose your pre-boot authentication password (the other password you can reveal is the one for the outer volume). The existence of the third password (i.e. of the pre-boot authentication password for the hidden operating system) will remain secret.
Important: The password you choose for the decoy system must be substantially different from the one you chose for the hidden volume (i.e. for the hidden operating system).
10) Follow the remaining instructions in the wizard so as to encrypt the decoy operating system.
After Decoy System Is Created
After you encrypt the decoy system, the whole process of creation of the hidden operating system will be completed and you will be able to use these three passwords:
1) Pre-boot authentication password for the hidden operating system.
2) Pre-boot authentication password for the decoy operating system.
3) Password for the outer volume.
If you want to start the hidden operating system, you will just need to enter the password for the hidden operating system in the VeraCrypt Boot Loader screen (which appears after you turn on or restart your computer).
If you want to start the decoy operating system, you will just need to enter the password for the decoy operating system in the VeraCrypt Boot Loader screen.
The password for the decoy system can be disclosed to anyone forcing you to reveal your pre-boot authentication password. The existence of the hidden volume (and of the hidden operating system) will remain secret.
The third password (for the outer volume) can be disclosed to anyone forcing you to reveal the password for the first partition behind the system partition, where both the outer volume and the hidden volume (containing the hidden operating system) reside. The existence of the hidden volume (and of the hidden operating system) will remain secret.
If you revealed the password for the decoy system to an adversary and he asked you why the free space of the (decoy) system partition contains random data, you could answer, for example: "The partition previously contained a system encrypted by VeraCrypt, but I forgot the pre-boot authentication password (or the system was damaged and stopped booting), so I had to reinstall Windows and encrypt the partition again."
If all the instructions are followed and if the precautions and requirements listed in the section "Security Requirements and Precautions Pertaining to Hidden Volumes" in the VeraCrypt User's Guide are followed, it should be impossible to prove that the hidden volume and hidden operating system exist, even when the outer volume is mounted or when the decoy operating system is decrypted or started.
If you save a copy of this text or print it (strongly recommended, unless your printer stores copies of documents it prints on its internal drive), you should destroy any copies of it after you have created the decoy system and after you have understood all the information contained in the text (otherwise, if such a copy was found, it might indicate that there is a hidden operating system on this computer).
WARNING: IF YOU DO NOT PROTECT THE HIDDEN VOLUME (for information on how to do so, refer to the section "Protection of Hidden Volumes Against Damage" in the VeraCrypt User's Guide), DO NOT WRITE TO THE OUTER VOLUME (note that the decoy operating system is NOT installed in the outer volume). OTHERWISE, YOU MAY OVERWRITE AND DAMAGE THE HIDDEN VOLUME (AND THE HIDDEN OPERATING SYSTEM WITHIN IT)!