Note: When the user attempts to encrypt the system partition with a cascade encryption
algorithm, VeraCrypt warns him or her that it can cause the following problems (and
implicitly recommends to choose a non-cascade encryption algorithm instead):
o For cascade encryption algorithms, the VeraCrypt Boot Loader is larger than normal and,
therefore, there is not enough space in the first drive track for a backup of the VeraCrypt
Boot Loader. Hence, whenever it gets damaged (which often happens, for example, during
inappropriately designed anti-piracy activation procedures of certain programs), the user
must use the VeraCrypt Rescue Disk to repair the VeraCrypt Boot Loader or to boot.
o On some computers, resuming from hibernation takes longer.
In contrast to a password for a non-system VeraCrypt volume, a pre-boot authentication
password needs to be typed each time the computer is turned on or restarted. Therefore, if
the pre-boot authentication password is long (which is required for security purposes), it
may be very tiresome to type it so frequently. Hence, you can answer that it was more
convenient for you to use a short (and therefore weaker) password for the system partition
(i.e. the decoy system) and that it is more convenient for you to store the most sensitive
data (which you do not need to access as often) in the non-system VeraCrypt partition (i.e.
in the outer volume) for which you chose a very long password.
As the password for the system partition is not very strong (because it is short), you do not
intentionally store sensitive data on the system partition. However, you still prefer the
system partition to be encrypted, because potentially sensitive or mildly sensitive data is
stored on it as a result of your everyday use of the computer (for example, passwords to
online forums you visit, which can be automatically remembered by your browser, browsing
history, applications you run, etc.)
When an attacker gets hold of your computer when a VeraCrypt volume is mounted (for
example, when you use a laptop outside), he can, in most cases, read any data stored on
the volume (data is decrypted on the fly as he reads it). Therefore, it may be wise to limit the
time the volume is mounted to a minimum. Obviously, this may be impossible or difficult if
the sensitive data is stored on an encrypted system partition or on an entirely encrypted
system drive (because you would also have to limit the time you work with the computer to a
minimum). Hence, you can answer that you created a separate partition (encrypted with a
different key than your system partition) for your most sensitive data and that you mount it
only when necessary and dismount it as soon as possible (so as to limit the time the
volume is mounted to a minimum). On the system partition, you store data that is less
sensitive (but which you need to access often) than data you store on the non-system
partition (i.e. on the outer volume).
Safety/Security Precautions and Requirements Pertaining to Hidden Operating Systems
As a hidden operating system resides in a hidden VeraCrypt volume, a user of a hidden operating
system must follow all of the security requirements and precautions that apply to normal hidden
VeraCrypt volumes. These requirements and precautions, as well as additional requirements and
precautions pertaining specifically to hidden operating systems, are listed in the subsection
Security Requirements and Precautions Pertaining to Hidden Volumes.
WARNING: If you do not protect the hidden volume (for information on how to do so, refer to the
section Protection of Hidden Volumes Against Damage), do not write to the outer volume (note that
the decoy operating system is not installed in the outer volume). Otherwise, you may overwrite and
damage the hidden volume (and the hidden operating system within it)!
