Seeking application advice and inquiring about the 1.27 update

Igor Ulvov
2026-05-30
2026-05-31
  • Igor Ulvov

    Igor Ulvov - 2026-05-30

    Hello.

    TL;DR:

    • have system with 2 SSDs, need hidden os. how to structure setup (one SSD for system and another for VC volume or is there a more optimal way)?
    • "System" -> "Create Hidden Operating System..." is greyed out with no context/clear reasoning. why?
    • what's the progress on 1.27 (is there an ETA? at least a rough one) and will the above point (issue?) be addressed?

    I'm drafting my new VeraCrypt setup and I've run into some issues. Summarizing my requirements, I need a hidden OS setup with some (separate or joined) volume for actual long-term large storage. I have two SSDs to use and while I understand that the setup is possible on a single physical disk, is it possible to instead split my setup across the two (while maintaining plausible deniability) or should I just use one as a system drive with hidden OS and the other as a fully encrypted VeraCrypt volume? What's the best practice here?

    I tried entering the hidden OS creation menu/wizard (just to explore it a bit before actually making changes to my current system), but was unable to do so due to the "Create Hidden Operating System" entry being disabled (greyed out). I've read the relevant hidden OS docs in full, as this is something new to me, but I couldn't find any relevant information (prerequisites) in there, only that I should have a partition ready, but I'm supposed to be warned about the absence of one only after launching the wizard, but I haven't even gotten to that point yet. Searching online, I found some people claiming it to be because of UEFI and VeraCrypt's lack of support for it, but those answers are from almost a decade ago and I assume the situation has improved since then (I see that 1.27 focuses on UEFI improvements, so I assumed that this will probably be addressed regardless (if it hasn't been already) - can someone confirm?). If UEFI isn't the culprit, what is, and what steps/workarounds should I take to realize my desired setup? Additionally, I suggest that instead of greying out the item and providing no context to the user, a tooltip or message-box appears and informs the user of what went (or is being done) wrong. In the current setup, I have no idea why the functionality is disabled (unsupported on my hardware/partitioning table/disk/firmware? disabled due to lack of permissions? ...).

    Running 1.26.24 on Windows 10 (the System tab is absent on Linux, why?).

    Let me know if you need any more context to fully answer my questions and concerns and thank you in advance.

    Regards,
    Igor

     

    Last edit: Igor Ulvov 2026-05-30
  • Mounir IDRASSI

    Mounir IDRASSI - 2026-05-31

    Hello Igor,

    The current VeraCrypt GUI wizard for creating a hidden operating system supports only the legacy BIOS/MBR flow, so it is intentionally disabled for EFI/GPT systems. The Linux build also doesn't show the System menu because VeraCrypt system encryption and hidden OS support are Windows pre-boot features.

    For EFI/GPT, the available path today is the advanced manual VeraCrypt DCS procedure described in disk_encryption_v1_2.pdf that is present in the VeraCrypt installation directory.

    For a two-SSD machine, I recommend keeping the decoy/hidden OS layout on one physical SSD. In the manual EFI hidden OS flow, the relevant GPT layout should be contiguous on the same disk. In particular, don't split OUTER_START / H_ESP / H_OS / OUTER_END across both SSDs unless you are prepared to modify and test the DCS boot configuration manually.

    Use the second SSD as a separate VeraCrypt data volume. If plausible deniability is also needed for that disk, create an outer/hidden VeraCrypt volume on it and mount the hidden volume only from the hidden OS. Be careful not to later write to the outer volume in a way that could damage the hidden volume.

    A practical single-system-SSD layout is:

    ESP / MSR / decoy Windows / OUTER_START / H_ESP / H_OS / OUTER_END / recovery

    The important points for the current DCS flow are:

    1. Install the hidden Windows instance into H_OS, using H_ESP as its EFI partition. Make sure Windows Setup really uses H_ESP and does not reuse the visible ESP.
    2. Start VeraCrypt system encryption from that hidden Windows installation and stop at the stage where the bootloader/header exists but actual in-place encryption has not started.
    3. Boot an EFI shell USB containing EFI\VeraCrypt.
    4. Use:

    EFI\VeraCrypt\DcsCfg.dcs -dl d

    then:

    EFI\VeraCrypt\DcsCfg.dcs -ds <diskN> -pl

    The GPT partition indexes shown by DCS are zero-based. This is a common source of destructive mistakes.

    5. Run:

    EFI\VeraCrypt\DcsCfg.dcs -rnd 2 -oshideprep

    Select the zero-based indexes for OUTER_START and OUTER_END.

    6. Continue with the security-region USB steps from the PDF, then set the relevant DcsProp options, such as:
       SecRegionSearch=1
       DcsBootForce=0
    

    Very important: -oshideprep must be run before H_OS in-place encryption starts. In header terms, EncryptedAreaLength must still be 0. If DCS reports “Encrypted already”, stop and restore from backup; continuing from that state isn't safe.

    Please practice this procedure in a VM first. On the real system, take a full sector-level backup before starting.
    This procedure writes GPT data and volume headers directly, so a wrong disk number or partition index can make the system unbootable or destroy data.

    I don't have an ETA for 1.27 yet. I will resume work on 1.27 and hidden OS UI improvements after finalizing the upcoming 1.26.x release.
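
A pre-flight check for the layout and index warnings in the reply above, as an added example that is not part of the original thread or of VeraCrypt/DCS: it parses the GPT from a sector-level backup image, lists each partition with its zero-based slot next to the one-based number a tool that counts from 1 would show, and refuses a layout where OUTER_START / H_ESP / H_OS / OUTER_END are not adjacent. Assumptions: 512-byte sectors, the partitions carry those labels as GPT names, and the zero-based index DCS shows is the slot in the GPT entry array; `build_sample` creates a constructed test table.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors
REGION = ["OUTER_START", "H_ESP", "H_OS", "OUTER_END"]  # labels from the post

def read_gpt(img):
    """Return [(zero_based_slot, name, first_lba, last_lba)] for used GPT entries."""
    if img[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", img, SECTOR + 72)
    parts = []
    for slot in range(count):  # assumption: DCS index == slot in this array
        off = entries_lba * SECTOR + slot * size
        if img[off:off + 16] == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", img, off + 32)
        name = img[off + 56:off + 128].decode("utf-16-le").split("\x00")[0]
        parts.append((slot, name, first, last))
    return parts

def check_hidden_region(parts):
    """Return zero-based slots of (OUTER_START, OUTER_END); raise if layout is unsafe."""
    by_lba = sorted(parts, key=lambda p: p[2])  # on-disk order, not table order
    names = [p[1] for p in by_lba]
    if any(names.count(n) != 1 for n in REGION):
        raise ValueError("each region partition must exist exactly once")
    s = names.index("OUTER_START")
    if names[s:s + 4] != REGION:
        raise ValueError("region partitions are not adjacent in disk order")
    return by_lba[s][0], by_lba[s + 3][0]

def build_sample(names):
    """Constructed GPT (header + entry table only), one 2048-sector partition per name."""
    img = bytearray(SECTOR * 34)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)
    for i, n in enumerate(names):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = b"\x01" * 16  # placeholder non-zero type GUID
        struct.pack_into("<QQ", img, off + 32, 2048 * (i + 1), 2048 * (i + 2) - 1)
        img[off + 56:off + 56 + 2 * len(n)] = n.encode("utf-16-le")
    return bytes(img)

if __name__ == "__main__":
    layout = ["ESP", "MSR", "decoy Windows", "OUTER_START", "H_ESP", "H_OS", "OUTER_END", "recovery"]
    parts = read_gpt(build_sample(layout))
    for slot, name, first, last in parts:
        print(f"zero-based {slot}  one-based {slot + 1}  {name:14} LBA {first}-{last}")
    print("OUTER_START / OUTER_END zero-based:", check_hidden_region(parts))
```

On a real backup, only the first 34 sectors of the image (protective MBR, GPT header and a standard 128-entry table) need to be passed to `read_gpt`.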

     
