ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

Create a Virtual Machine inside a VeraCrypt Hidden Volume

One of the most ingenious and unique features of VeraCrypt is the ability to create hidden volumes (as is was of TrueCrypt before it). This means that, in addition to creating a "regular” VeraCrypt encrypted volume, you can also create a second "hidden” volume inside it.

If you enter the password of the outer volume then you open the outer volume, but if you enter the password of the hidden volume then you open that one instead. The beauty of this system is that is impossible for an adversary to know (let alone prove) that a second volume actually exists. This allows you plausible deniability. Please be aware that there are also some potential dangers associated with this.

In addition to hiding data, a VeraCrypt hidden volume can hide an entire Operating System (OS) running on a Virtual Machine (VN). This is a great way to keep all your computer use very secure (as long as you limit your activity to the VM).

What you will need

This tutorial assumes that you are familiar with the content of my VeraCrypt & how-to basics and VeraCrypt hidden volumes guides. You will also need:

  • The latest version of VeraCrypt (FOSS)
  • The latest version of Oracle VM VirtualBox (FOSS)
  • An Operating System (I use Linux Mint for this tutorial, but feel free to use your favorite). Note that it is not possible to run Mac OSX under a VM.

Step A – Create a VeraCrypt hidden volume

To do this, simply follow the steps outlined in my VeraCrypt hidden volumes guide. Ensure that the volume size is large enough to contain both the hidden OS and any decoy files placed in the outer folder.

How to Create a VM inside a VeraCrypt Hidden Volume

Step B – Install your OS using VM VirtualBox and VeraCrypt

1. Ensure that all VeraCrypt volumes are unmounted, then mount the encrypted volume that you just created.

How to Create a VM inside a VeraCrypt Hidden Volume

Be sure to enter the password for your hidden volume

 

How to Create a VM inside a VeraCrypt Hidden Volume

Your hidden volume should now be mounted

2. Fire up VirtualBox and hit "New” to create a new VM.

VirtualBox 1

3. Name and select your OS.

VirtualBox 2

4. Choose how much RAM you want the VM OS to use. The more the better, but it takes away from the RAM available to your primary OS.

VirtualBox 3

My PC rocks 16 GB of RAM, so I can afford to be generous with my VM!

5. You now have the option to create a virtual hard disk.

VirtualBox 4

This step is not strictly necessary, but I will create one for demonstration purposes.

VirtualBox 5

Stick with the defaults unless you have a good reason not to

 

VirtualBox 7

A dynamically allocated virtual drive is fine. Remember that its maximum size will anyway be limited by the space that you allocated for your hidden folder

 

VirtualBox 8

You can leave maximum file size high for the same reason (although some people recommend setting it just slightly smaller than the space reserved for your hidden volume). Be sure to save the virtual drive file in your mounted hidden folder. Hit "Create”.

6. In the VirtualBox Manager screen, select your newly created Virtual Machine, then hit "Start”.

VirtualBox 9

7. Select your OS, then hit "Start”.

VirtualBox 10

In my case this is the Linux Mint .iso file that I have downloaded

8. Yay! Once it boots up, you are running your new OS inside a Virtual Machine! Close it down…

VirtualBox 11

… but be sure not to Save the machine state (as saving complicates the next step).

 

VirtualBox 12

9. Back at the Virtual Box Manager window, select your OS -> Settings -> Advanced. Change the Snapshot Folder to your mounted hidden folder.

VirtualBox 13

This should be the same folder that you saved your virtual disk to in Step B-5 above

10. Manually move the new VM’s .vbox file to your hidden folder. This file is usually located your home directory. For example, in Windows it is located by default in C:/Users/[name]/VirtualBox MS.

Step C – How to use you new hidden OS inside a VPM

1. Mount your hidden volume using VeraCrypt.

2. Double-click the .vbox file to launch VirtualBox. Select the VM, and hit "Start”.

3. When you are done using your hidden OS, be sure to right click -> Remove it in the VirtualBox Manager window. Make sure you select "Remove only” (i.e. do not "Delete all files”!).

VirtualBox 14

Notes

1. When using the VM be careful to not create a shared folder between the VM and the host PC, as this could compromise the privacy of your data.

2. Windows users have the option of downloading a portable version of VirtualBox from vbox.me. This can itself be installed inside the hidden VeraCrypt folder. This is a great way to hide the fact that you might use a VM at all!

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

13 Comments

Corey
on December 19, 2018
Hey GREAT article but one question I just read over the "Security Requirements and Precautions Pertaining to Hidden Volumes" & are you aware that Veracrypt Documentation says: “ When the hidden operating system is running, the computer should not be connected to any network, including the internet ” pretty much makes using a VM in a hidden VC "unsafe" and i'm pretty bummed out they advise against this cause i wanted to use my VM exactly like you stated in this article.
Lazlo replied to Corey
on June 25, 2019
Read the rest: "Therefore, if an adversary had access to the data stored on the server or intercepted your request to the server (and if you revealed the password for the decoy operating system to him), he might find out that the connection was not made from within the decoy operating system, which might indicate the existence of a hidden operating system on your computer. " So you CAN connect it to the internet but theoretically if the pursuer has access to the server you are connecting to AND you gave them access to the decoy OS they could tell that MAYBE you had a hidden system. Possible scenario but not likely
Marc
on January 10, 2018
I was wondering if you could answer the following, or point me in a direction for an answer (no luck searching web): Can you run this hidden VM at the same time as one installed on your main OS? I.e. Can I run ubunut or something from a VM on my windows build, and simultaneously mount this hidden VM from another drive and have them run concurrently? I tried this before but had issues with the .vbox files migrating from the crypt drive to the C: install folder.
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Marc
on January 11, 2018
Hi Marc, It is normally possible to run two or more VirtualBox VMs at the same time, so I can't really see why the setup you describe should cause problems. The hidden volume should act as just another regular drive for your main OS once mounted. But I haven't tried it, and you have (and encountered problems). I know what you can't do (because I have tried it) is run one VM inside another VM. This means you can't install VeraCrypt in the VM and then setup a hidden volume with a .vbox inside that (well, you can, but it won't load).
helbert jodl
on September 3, 2017
We want a video explanation of this article
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to helbert jodl
on September 4, 2017
Hi helbert, That is a great idea, but I am no expert at making videos (and don't really have the time to learn). Is there anything in particular you find about about the web tutorial that is hard to understand?
Eli
on July 4, 2017
Awesome article! Very informative. Would you mind going into a little more detail/clarification on how one could install vbox.me (portable) inside the veracrypt container? What would you be saving to the hidden partition?
jack buck replied to Eli
on November 10, 2020
You made some good points there. I did a search on the issue and found most people will consent with your site.
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Eli
on July 4, 2017
Hi Eli, To install vbox.me to the VM: 1. Run VeraCrypt and mount the hidden volume. 2. Follow these instructions, choosing the hidden folder as the destination to extract the files to. 3. (Optional) Delete the vbox.exe download file from your downloads folder and then empty your recycle bin. Or just also transfer the file to your hidden volume (this helps to hide the fact that might have a VM on your system). This means that all files relating to having a VM on your system are stored inside the hidden volume (vbox.exe is portable version of VM VirtualBox, so it is self-contained i.e. it does not install any other system files, registry entries, or other giveaways on your system.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service