o Linux: Download or create a "live-CD" version of your operating system (i.e. a "live"
Linux system entirely stored on and booted from a CD/DVD) that ensures that any data
written to the system volume is written to a RAM disk. Mount hidden volumes only when
such a "live-CD" system is running. During the session, only filesystems that reside in
hidden VeraCrypt volumes may be mounted in read-write mode (outer or unencrypted
volumes/filesystems must be mounted as read-only or must not be mounted/accessible
at all). If you cannot comply with this requirement and you are not able to ensure that
applications and the operating system do not write any sensitive data (see above) to
non-hidden volumes/filesystems, you must not mount or create hidden VeraCrypt
volumes under Linux.
o Mac OS X: If you are not able to ensure that applications and the operating system do
not write any sensitive data (see above) to non-hidden volumes/filesystems, you must
not mount or create hidden VeraCrypt volumes under Mac OS X.
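The Linux requirement above (only filesystems inside hidden volumes may be mounted read-write) can be checked from the kernel's mount table during a session. The following is an added example, not part of the VeraCrypt documentation or its code. It assumes you pass in the mapper devices that hold your hidden volumes, since the mount table cannot tell a hidden volume from an outer one. The sample table and device names are constructed.

```python
import re

# Filesystem types that live only in RAM or in the kernel (nothing reaches a disk).
VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs", "proc", "sysfs", "devpts", "cgroup",
               "cgroup2", "securityfs", "debugfs", "tracefs", "mqueue", "bpf",
               "configfs", "fusectl", "hugetlbfs", "autofs", "binfmt_misc"}

# Constructed sample in /proc/mounts format (device, mount point, type, options, ...).
SAMPLE = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
overlay / overlay rw,relatime,lowerdir=/lower,upperdir=/cow/upper,workdir=/cow/work 0 0
/dev/mapper/veracrypt1 /mnt/hidden ext4 rw,relatime 0 0
/dev/mapper/veracrypt2 /mnt/outer vfat ro,relatime 0 0
/dev/sdb1 /media/USB\\040stick vfat rw,nosuid,nodev 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \040, \011, \012, \134.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(mounts_text, hidden_devices):
    """Return (status, device, mount_point, fstype) for each read-write mount that
    is neither RAM-backed nor on a device listed in hidden_devices (an assumption)."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mount_point, fstype = unescape(fields[0]), unescape(fields[1]), fields[2]
        if ("rw" not in fields[3].split(",") or fstype in VOLATILE_FS
                or device in hidden_devices):
            continue
        # An overlay root is normal on a live system, but this line alone does not
        # show whether its upper layer is a RAM disk, so mark it for manual review.
        status = "review" if fstype == "overlay" else "violation"
        findings.append((status, device, mount_point, fstype))
    return findings

if __name__ == "__main__":
    with open("/proc/mounts") as table:
        for finding in audit_mounts(table.read(), {"/dev/mapper/veracrypt1"}):
            print(*finding)
```

An empty result means every read-write mount is either RAM-backed or one of the listed hidden-volume devices; it does not show what was written before the check ran.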
When an outer volume is mounted with hidden volume protection enabled (see section
Protection of Hidden Volumes Against Damage), you must follow the same security
requirements and precautions that you are required to follow when a hidden volume is mounted
(see above). The reason is that the operating system might leak the password/key for the
hidden volume to a non-hidden or unencrypted volume.
If you use an operating system residing within a hidden volume (see the section Hidden
Operating System), then, in addition to the above, you must follow these security requirements
and precautions:
o You should use the decoy operating system as frequently as you use your computer.
Ideally, you should use it for all activities that do not involve sensitive data. Otherwise,
plausible deniability of the hidden operating system might be adversely affected (if you
revealed the password for the decoy operating system to an adversary, he could find
out that the system is not used very often, which might indicate the existence of a
hidden operating system on your computer). Note that you can save data to the decoy
system partition anytime without any risk that the hidden volume will get damaged
(because the decoy system is not installed in the outer volume).
o If the operating system requires activation, it must be activated before it is cloned
(cloning is part of the process of creation of a hidden operating system — see the
section Hidden Operating System) and the hidden operating system (i.e. the clone)
must never be reactivated. The reason is that the hidden operating system is created by
copying the content of the system partition to a hidden volume (so if the operating
system is not activated, the hidden operating system will not be activated either). If you
activated or reactivated a hidden operating system, the date and time of the activation
(and other data) might be logged on a Microsoft server (and on the hidden operating
system) but not on the decoy operating system. Therefore, if an adversary had access to
the data stored on the server or intercepted your request to the server (and if you
revealed the password for the decoy operating system to him), he might find out that the
decoy operating system was activated (or reactivated) at a different time, which
might indicate the existence of a hidden operating system on your computer.
For similar reasons, any software that requires activation must be installed and
activated before you start creating the hidden operating system.
o When you need to shut down the hidden system and start the decoy system, do not
restart the computer. Instead, shut it down or hibernate it and then leave it powered off
for at least several minutes (the longer, the better) before turning the computer on and