So I have kicked around with VeraCrypt for a couple of days now and read about it online to see if it would fit my needs. On the face of it, it does and then some, so thank you all for creating an amazing product.
My needs are primarily to have something that is easy, works seamlessly, even if it isn't before you have put some time into understanding the product and that the product is fast.
What I haven't been able to find out, though, are some specifics I have. I hope you can help me out and also, if anyone wants to give additional information even if I haven't directly asked about it, please let me know, as I would love to know more.
So I spent some days trying to figure out what would be best for me. I mainly tried volumes, also as they seemed to be the easiest for testing purposes. As I want to use VeraCrypt for multiple HDDs (external and internal) in due course and while I realize that VeraCrypt isn't a back-up software by any means, I was intrigued by the fact that the program itself gave me an option to format as ReFS, while my Windows Home Edition does not give me such an option. Since ReFS seems to be as close as I get to ZFS while using Windows, my first question is if I can format my external partition as ReFS, although my Windows Home doesn't support it?
At first, I formatted as NTFS, both because I have had some bad experience with exFAT in terms of getting bad sectors and also because every time I tried to format with VeraCrypt as ReFS I got the following warning: "Windows FormatEx API failed to format the volume as NTFS/exFAT/ReFS. Failure Status = 0x00000004." As I don't quite understand how VeraCrypt does its formatting, can anyone explain to me how and, if possible, if ReFS would work on my Windows 10 Home system?
The drive in question is a WD 18TB MyBook.
So instead I went with NTFS, because my drive, which was originally exFAT, turned out to be completely misconfigured in clusters as they were 1MB apiece, so it gave me huge wastage of space. It also made moving files from my computer to the drive way faster. I gather though that there is also a concern in what cluster size I should use, as apparently, if I only used 4KB cluster size, 2 TB would be wasted on the drive with NTFS. However, I could not find a solution on how to check which cluster sizes my drive was compatible with and the support at WD couldn't give me an answer either, so I went with NTFS as the default settings using WD's own software, when reformatting to exFAT made it use 1MB cluster sizes again as opposed to NTFS 8KB.
I do gather that NTFS can have some problems from a privacy perspective and as such I also wonder, if that is why every time I securely erase a file, that a recovery program from EaseUS has always been able to find the name of the file?
I don't really mind generally, but still when it comes to financial information, it would be nice to just label things "tax returns 2023" and stuff like that instead of going through a complicated process of thinking up pseudonames and the like from everything, which should be kept confidential, even if I am not able to read anything of the securely deleted files EaseUS could recover, the mere fact of the name of the file itself gives way to whoever wants to recover it, what file exactly they should want to recover. Also since I would then have to figure out a way of remembering what all the files' new pseudo names are and what they really contain instead of it saying it on the tin.
On a somewhat related note, as I gather that it is not necessary to use secure erasure software like SDelete on files already encrypted with VeraCrypt, does it do any harm in doing so regardless? Like if VeraCrypt, when formatting everything turns it into garbled data and I then delete a file inside and use SDelete, does all the garbled data then turn into readable zeroes? Admittedly the file is still unrecoverable, but will it do anything in terms of the rest of the data, meaning for instance would a hidden volume become more noticeable or?
Personally, I don't feel much need for a hidden volume, but I do find the feature to be quite cool, so I also tested that. I tried with a 5 GB outer volume and a 3 GB hidden volume. I moved some files to the outer first, when prompted and afterwards some other files to the hidden volume totalling about 2 GB in total, the majority of which went to the hidden volume. Then I tried moving about 500 MB to the outer volume, with write protection of the hidden volume on. It did move the file without problems, but did give me a warning that the integrity of the hidden volume was now compromised and I should recreate the whole volume, if I wanted to maintain plausible deniability. The warning was nice and I can see that, that isn't a problem in itself, because I assume the warning will only come when the hidden volume protection is turned on and you only logically turn it on, if you know there is a hidden volume to begin with. My questions as to the hidden versus outer volume are therefore, what percentage is needed for me to be able to use both an outer volume as well as a hidden volume? Both for plausible deniability, but definitely for data integrity, which I gathered was the most immediate point of concern in using the outer volume with a hidden volume embedded? In my small test case, I could gather that 60 % - 40 % wasn't enough, so how much is needed? Or is it more a question of the raw numbers of how many MB, GB or TB that is on the drive, so it isn't like, if I use a 10 TB volume, that the first TBs of data written to the latter 4 TB outer volume would do much to compromise the integrity of the inside hidden volume of 6 TB, but more maybe the last 50 GB? Most files written would be done, after both volumes are created of course in this case and so I am not referring to the initial files, I would place onto the outer volume, before creating the hidden volume, but the files I would keep putting into both the outer volume and hidden volume over the years.
I could easily see a use case for this to have pictures from vacations and such on the outer volume, while keeping financial information in the hidden volume, but my concern goes to if I write too much to the outer volume, when will I break the content of the hidden volume, even with the hidden volume protection on? I don't mind that much about breaking the plausible deniability, because, because of the warning, that is an easy fix or a fix at least, that it lets me know and I just have to recreate a new volume and move everything into that/those two volumes, after I broke the seal. I do however care very much about breaking the data itself making cherished memories unrecognizable.
When testing the hidden volumes, I was thinking about if there is an easier way to delete them? Like, is it possible to delete only the hidden volumes? I realize that you can delete them, if you delete the whole volume, but a problem could occur, either if I misset the size I wanted the volume to be or if I want a bigger hidden volume. For instance if I have a 2TB volume (total size) and create a 200GB hidden volume, it would be a shame to lose those 200 GB permanently, when I realize that I actually want a 500 GB volume, but the only way to get it, is by deleting the whole 2TB volume and recreate everything. This might be a feature request, if such a thing is not possible to do as of yet.
To go a bit back to files integrity themselves, if anyone has any ideas on how, if I cannot use ReFS, it would be best for me to make secure back-ups of my files? For the moment, I am not daring enough to venture into using Linux and ZFS, although I would not mind hearing more about it, so if anyone has a good idea for me on where to begin, I am all ears. Especially since I gather that for all intents and purposes, that I should move to a new OS in about a year's time at the latest. I've tried different back-up solutions and while they seem to work great, no one really does the self-healing, which is paramount as well as having an easy set-up. The best I could find was using rclone and set it up with a backup-dir for any file it might change and then check them through for which file I want to keep. That can work in the short term, but in the long term it could become a problem, especially if I one day decide to change some things here and there of where the files are stored, since a sync operation, although I normally use copy, would move a lot of duplicate files to the back-up dir folder. Of the self healing variety, I tried MultiPar and while it does heal files, it actually doesn't completely to my dismay and by that I mean, that it changes the metadata, which I find quite destructive in a big photo folder when you want to view items by date, if something taken years ago, suddenly is labeled as being created 2024-10-05. Admittedly that is only if the file itself was completely gone, while if it was only modified to an unreadable state it only changed the file last modified and last viewed status and not the creation date itself.
This is something that has become increasingly important to me, as I realized that the computer shops in my country, which I trusted to know their stuff, didn't know how to make proper back-ups. They simply used the copy-paste functions of Windows. Additionally they were quite glib, when I tried to explain to them the importance of having images taken at a certain time retain that timestamp on the files themselves. At least I feel that it is important, even if some files had EXIF data and I could manually redate them using tools, but that was and will be a big effort in the cases, where I got to do it now, due to not any longer having the originals.
Acronis, which I've used, can retain the metadata, however, they are not able to automatically not overwrite good files with faulty files, as I've tested, although I still only got the 2020 version and it might have changed since then.
When it comes to metadata, that is also where I really, really love VeraCrypt, because unlike other encryption programs, paid for as well as free, it doesn't actually alter my stuff, it "only" encrypts them, which means that the metadata is preserved or can even be tampered with, which is my need for my old files, which have been tampered with and I need to retamper them back to their original state.
On the subject of key files, what do you recommend using? I've read that some use a multitude of files, which I gather can be good, because you can hide the necessary keyfiles in plain sight, but of course if you use stuff like Word documents, audio or video files, then they can easily be edited unintentionally by a third-party, be it program or person. On the other hand, a single keyfile made by VeraCrypt is easier to handle, but also easier to recognize in a plethora of files.
If using a multitude of files or even just a single file, how many files, when it comes to, say MB is too much? Like is it better to use file/files of 400 MB than it is 200 MB or is it only the 1st MB that is important and if so, is it the 1st MB in all the keyfiles or? From my testing, at least in the latter case, all files were important, but I am not technically skilled enough to figure out if it is only the 1MB or the whole file that matters.
Additionally, am I right in so far, as the key files are only needed for opening the volume/partition and as such, it would be possible for me to put needed keyfiles on a flash drive and then unplug the flash drive after I've mounted and just use the volume/partition as I would a normal folder/partition?
When it comes to backing up stuff, would you recommend backing up the least sensitive files unencrypted or is it safe to assume that no harm is done in backing them up in their encrypted format as well via another encrypted container. Safe to say, while I would hate to lose the stuff, it is only important to me, so no companies would go under or the like, if the encryption went wrong and I was unable to retrieve my files. Yet I rather retrieve them, than not.
From a cryptography point and since VeraCrypt offers multitudes, how much encryption is too much? I realize that my MyBook provides some in itself, but I still feel like it is a good idea to at least put one more layer in. Also, as soon as the drive is mounted, I don't see any degradation in my usage and on a general basis, I do like all this stuff, even if it is way more want than need. Thankfully. However, if say I use AES from VeraCrypt and MyBook uses VeraCrypt also, and the encryption algorithm gets broken, my data is just as insecure as it would have been, if I had only used MyBook's original encryption and as such, it might be better to use Twofish or another option or possibly do a cascade.
I read that the portable version, could be a good idea, and I think I read that there were some differences between using portable as opposed to installed directly on my computer, but I couldn't figure out if, it would make a difference in my case. My question as such is this, is it fine to encrypt the drive with the program installed on my computer and am I then able to open it on another computer in the future using a portable version of VeraCrypt or must it be the same version, meaning directly installed vs. portable, not talking version numbers, that encrypts and decrypts every time I want to use the drive?
I would prefer to also have a portable version of VeraCrypt, just so if my computer goes haywire, that I can still get my files off my drive. I do realize that I can always install VeraCrypt on another computer of course, but it would be nice to have an always working portable version, because it is the same version used as the one that originally encrypted the drive. Sort of like how WD MyPassPort has a file on it, that can decrypt or how you can make a portable unlocker file with Folder Lock.
While I am nowhere near as technically skilled as I would like, I am technologically curious, so I hope you don't mind my questions and ponderings and are able to help.