
How to Secure Cloud Storage on Linux With VeraCrypt


For most Internet users, gone are the days when you backed up files to an external drive or home server. Instead, most of us rely on cloud storage to secure sensitive files, like banking information, password databases, and family photos.

While major services like Dropbox and Google Drive claim to encrypt your data on the server side, these companies hold the encryption keys. They can't guarantee that your files will remain secure in the event of a platform breach.

This risk is not merely theoretical. For instance, in April 2024, the Dropbox Sign service was breached, exposing customers' private information. In this case, the contents of client files seemingly weren't exposed.

OneDrive users may not have felt quite so complacent, though, as in May 2025, Oasis Security discovered a flaw in the platform's File Picker that could allow websites to access more files in a user's account than those explicitly selected for upload.

Fortunately, there's a simple solution to regain control of your privacy: retain your encryption keys. In this guide, you'll discover how to do this with VeraCrypt.

Why Use VeraCrypt to Secure Your Cloud Storage?

VeraCrypt is a fork of the now-abandoned TrueCrypt project. It was originally released in 2013 and remains a popular choice for creating encrypted virtual disks.

These can be mounted from VeraCrypt, at which point you can move or copy sensitive files, just as you would with any regular disk. Once the container is unmounted, no one can access the sensitive data it contains without the correct password and/or keyfiles.

VeraCrypt is ideal for securing data in the cloud, as you can create the virtual container inside the relevant storage folder, such as ~/Dropbox.

Most modern cloud providers support block-level syncing (also known as delta syncing). With block-level syncing, the provider uploads only the changed blocks within the VeraCrypt container, rather than reuploading the entire file.
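
To see how much of a container would need re-uploading after a session, you can compare per-block hashes of a snapshot and the current file. This is an added example, not part of the original article; the 4 MiB default block size and the file names are assumptions, since each provider chooses its own chunking.

```shell
#!/bin/sh
# Added example: count which fixed-size blocks differ between two copies of a
# container (a snapshot taken before mounting and the file after unmounting).
# The default 4 MiB block size is an assumption; providers chunk differently.

# block_hashes FILE BLOCK_BYTES -> one SHA-256 per block, in file order
block_hashes() {
    bh_size=$(wc -c < "$1")
    bh_n=$(( (bh_size + $2 - 1) / $2 ))
    bh_i=0
    while [ "$bh_i" -lt "$bh_n" ]; do
        dd if="$1" bs="$2" skip="$bh_i" count=1 2>/dev/null |
            sha256sum | cut -d' ' -f1
        bh_i=$((bh_i + 1))
    done
}

# changed_blocks OLD NEW [BLOCK_BYTES] -> prints "changed/total"
changed_blocks() {
    cb_bs=${3:-4194304}
    cb_old=$(mktemp)
    cb_new=$(mktemp)
    block_hashes "$1" "$cb_bs" > "$cb_old"
    block_hashes "$2" "$cb_bs" > "$cb_new"
    # paste pads the shorter list, so a size change counts as changed blocks
    paste "$cb_old" "$cb_new" |
        awk -F'\t' '$1 != $2 { c++ } END { printf "%d/%d\n", c, NR }'
    rm -f "$cb_old" "$cb_new"
}

# Usage (hypothetical paths): sh blockdiff.sh snapshot.vc ~/Dropbox/myfiles.vc
[ "$#" -lt 2 ] || changed_blocks "$@"
```
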

How It Works

VeraCrypt includes a helpful wizard to create your first encrypted volume. The volume can be an entire disk drive, but for cloud storage, it's best to create a dedicated file.

The wizard offers multiple options for encryption algorithms, hash algorithms, and passphrases/keyfiles. VeraCrypt also prompts users to specify the file size upfront, e.g., 1 GB. Once these options are chosen, VeraCrypt will create the file and initially fill it with random data.

Users can then mount the newly created file within VeraCrypt, at which point the Linux kernel treats it as a virtual disk. You can copy folders here, edit and delete files, and perform any other operations you need, once you provide the correct encryption key.

Because this key never leaves your device, even if your cloud provider's platform were breached, cybercriminals could recover only the encrypted container. Possession of the container alone reveals almost nothing about the number of files it contains or their contents.

Step 1. Install VeraCrypt

Navigate to the VeraCrypt Downloads page.

VeraCrypt downloads page showing Linux AppImage options

The easiest way to run VeraCrypt is to download the appropriate AppImage, which runs as a standalone executable.

If you're using a Debian- or Ubuntu-based distribution and haven't previously used AppImages, you may need to install the libfuse2 package first via the command line:
sudo apt install libfuse2

Next, grant the AppImage permission to run on your system:
sudo chmod +x VeraCrypt-*-x86_64.AppImage
(The * matches the version number in the filename.)

You can now run the AppImage by prefixing its filename with ./:
./VeraCrypt-*-x86_64.AppImage

Step 2. Create a New VeraCrypt Volume

Once VeraCrypt launches, go to Volumes > Create New Volume.

Selecting this option starts the VeraCrypt volume creation wizard. Leave the default option selected (Create an encrypted file container), then choose Next.

VeraCrypt Volume Creation Wizard with encrypted file container selected

The wizard will now ask if you want to create a Standard or Hidden VeraCrypt volume.

Hidden volumes let you create a separate container, with its own password, inside the main volume. That way, if you're forced to reveal the password to the "outer volume," your sensitive files can stay safe inside the hidden one. However, hidden volumes require careful use to avoid accidentally overwriting hidden data. You can read more about hidden volumes in VeraCrypt's documentation, but for the sake of simplicity, this guide focuses on using standard volumes.

Leave the default option (Standard VeraCrypt volume) selected and choose Next.

Step 3. Set Your VeraCrypt File Location

The VeraCrypt volume creation wizard will now prompt you to select a location to store your mountable encrypted volume.

VeraCrypt volume location selection showing Dropbox folder and container filename

This choice should be easy, as most cloud storage providers' software has a dedicated sync directory in the home folder for Linux users, e.g., ~/Dropbox.

Choose the Select File button to do this. From here, navigate to your chosen folder, then create a file name, e.g., myfiles.vc.

Choose Next once you've done this. You'll set the VeraCrypt volume size in a later step.

Step 4. Choose Encryption Options

At this stage, the wizard will prompt you to choose both an encryption and a hash algorithm.

VeraCrypt encryption options screen with AES and SHA-512 selected

If you're uncertain, the default options, AES and SHA-512, are extremely secure. Most modern processors are also optimized to carry out AES encryption/decryption operations, so using AES alone is likely to give you the best read/write times.

However, if you want to explore other encryption options, choose Benchmark at the bottom right, then, in the new window that appears, select Benchmark again.

This action will prompt VeraCrypt to run several read/write tests in RAM to simulate encryption. In most cases, AES will almost certainly outperform other individual algorithms. The slowest options are likely cascade algorithms, i.e., encrypting the same data multiple times with different ciphers. While this offers extra security if a fundamental weakness is found in one algorithm, it will also likely lead to slower access speeds.

From the Algorithms Benchmarks window, you can also open the Benchmark dropdown menu to trial different hash algorithms. These are used for key derivation (converting your passphrase into an encryption key). SHA-512 is widely regarded as highly secure by security researchers, so the default option is fine.

Choose Next to continue.

Step 5. Secure Your Volume

VeraCrypt will next ask you to specify the volume size. If you're placing the file container in a cloud sync folder, note that the system will create a file of this size immediately, so be sure you have sufficient capacity.

Choose Next to open the Volume Password screen. At this stage, you'll be prompted to enter a password for your volume twice.

VeraCrypt volume password screen with keyfiles option enabled

When choosing a passphrase, size matters. Check out Diceware to create a high-entropy passphrase composed of randomly chosen dictionary words. Choose "Display password" as you type for easy entry.

You can also choose to "Use keyfiles." These are files whose contents can be combined with a password to generate a stronger key.

Technically, you can use any file type for this. However, the highest-entropy encryption keys can be generated with a separate wizard in VeraCrypt or by using files with high randomness.

We suggest the latter option (existing files with high randomness) if you use keyfiles, as it prevents them from being identifiable. Designating a file as a keyfile doesn't change it in any way, so you could, for example, choose a selection of songs from a favorite music album. If you use personal files as keyfiles, store them securely and never in the same cloud-sync location as the encrypted volume.

Select Next to continue.

Step 6. Format and Finalize Your Volume

As the VeraCrypt wizard explains, your volume must be formatted so it is accessible to the operating system.

The default option (FAT) will work, but it isn't optimized for Linux systems. If you plan to access your encrypted files only from Linux and not from Windows or macOS, open the Filesystem dropdown menu and select "Linux Ext 4" instead.

If you choose Next, VeraCrypt will ask you to confirm this is what you want. Choose "I will mount this volume only on Linux" to continue.

The volume creation wizard will now prompt you to move your mouse within the window.

VeraCrypt volume formatting screen collecting mouse-movement entropy

Moving the mouse helps the system generate entropy (randomness), strengthening your encryption keys against brute-force attacks. Move your mouse around within the window for several seconds to add entropy before choosing "Format."

The system may ask you to enter your admin password to finalize these changes. Choose Exit once volume creation is complete.

Step 7. Mount Your VeraCrypt Volume

As we've learned, VeraCrypt supports mounting encrypted volumes as virtual drives. To get started, click on one of the slots in the main window.

Next, find the Volume section and choose Select File. You can now navigate to the file you just created.

Once this is done, select the Mount button at the bottom-left of the window. In the new window, enter the password you chose earlier into the corresponding field.

VeraCrypt mount password dialog for encrypted container file

If you set any keyfiles during volume creation, check the box marked "Use keyfiles," then select the Keyfiles button to specify these. Press OK when you're done.

Once the volume is mounted, you can navigate to it in your file explorer, where it will appear as an external/virtual drive. Copy your private files or folders to this location.

You can use the Volume Tools button to configure your VeraCrypt container, such as by changing the password or adding/removing keyfiles.

Step 8. Back Up Your Volume Header

Once you've finished moving your chosen files and folders to the mounted VeraCrypt virtual drive, you need to back up the volume header.

Creating this backup is critical: if the VeraCrypt volume header becomes corrupted and you do not have a backup, the encrypted data may be permanently unrecoverable.

To get started, select the Volume Tools button, then select Backup Volume Header. You'll now be asked to re-enter the volume password and specify any keyfiles (if applicable).

Once you've done this, choose OK and "The volume does not contain a hidden volume." Next, select Yes, then specify a filename and location for the header backup. Make sure this is a safe place — and not a cloud-sync folder.

VeraCrypt prompt to create a volume header backup file

VeraCrypt will now ask you to move your mouse to collect randomness again. Do this for as long as possible, then click Continue to save the volume header backup.

Return to the VeraCrypt main window, then select Unmount to unmount your files securely.
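
Steps 5 and 8 both warn against keeping keyfiles or the header backup in the cloud-sync folder. The script below is an added example, not part of the original article, that checks this after resolving symlinks; the paths in its usage line are assumptions.

```shell
#!/bin/sh
# Added example: confirm that keyfiles and the header backup are not stored
# under the cloud-sync directory. All paths in the usage line are assumptions.

# is_inside SYNC_DIR PATH -> 0 if PATH, with symlinks resolved, is SYNC_DIR or
# lies below it. Paths that cannot be resolved count as inside (fail closed).
is_inside() {
    ii_root=$(readlink -f -- "$1") && ii_path=$(readlink -f -- "$2") || return 0
    # The trailing slash stops ~/Dropbox from matching ~/Dropbox-old
    case "$ii_path/" in "$ii_root"/*) return 0 ;; esac
    return 1
}

# audit_secrets SYNC_DIR FILE... -> one verdict per file; returns 1 if any
# file is missing or would be uploaded alongside the container
audit_secrets() {
    as_sync=$1
    shift
    [ -d "$as_sync" ] || { echo "sync dir not found: $as_sync" >&2; return 2; }
    as_bad=0
    for as_f in "$@"; do
        if [ ! -e "$as_f" ]; then
            echo "MISSING  $as_f"
            as_bad=1
        elif is_inside "$as_sync" "$as_f"; then
            echo "SYNCED   $as_f"
            as_bad=1
        else
            echo "OK       $as_f"
        fi
    done
    return "$as_bad"
}

# Usage (hypothetical paths):
#   sh audit.sh ~/Dropbox ~/keys/a.key /media/usb/myfiles-header.bak
[ "$#" -lt 2 ] || audit_secrets "$@"
```

A `SYNCED` verdict means the file resolves to a location inside the sync directory, including when it is reached through a symlink stored elsewhere.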

Take Control of Your Cloud Data

By encrypting your files before they ever reach the cloud, you retain control over your data regardless of how your cloud provider secures its platform. VeraCrypt makes this process straightforward, allowing you to protect sensitive information without changing how you work with cloud storage day-to-day.

Once your encrypted container is properly configured and backed up, your files remain accessible only to you — even if the underlying cloud service is compromised.

Nate Drake

Nate Drake has been an ECT News Network columnist since 2024. He specializes in Linux and open-source technologies, cybersecurity, and retro gaming. His writing is featured in various tech publications, including Linux Format, Maximum PC, Android Police, and TechRadar. Connect with Nate on LinkedIn.
