When you (or the operating system) defragment the file system in which a file-hosted VeraCrypt container is stored, a copy of the VeraCrypt container (or of its fragment) may remain in the free space on the host volume (in the defragmented file system).
This may have various security implications. For example, if you change the volume password/keyfile(s) afterwards, and an adversary finds the old copy or fragment (the old header) of the VeraCrypt volume, he might use it to mount the volume using an old compromised
password (and/or using compromised keyfiles that were necessary to mount the volume before the volume header was re-encrypted). To prevent this and other possible security issues (such as those mentioned in the section
Volume Clones), do one of the following:
- Use a partition/device-hosted VeraCrypt volume instead of file-hosted.
- Securely erase free space on the host volume (in the defragmented file system) after defragmenting. On Windows, this can be done using the Microsoft free utility
SDelete (https://technet.microsoft.com/en-us/sysinternals/bb897443.aspx). On Linux, the
shred utility from GNU coreutils package can be used for this purpose.
- Do not defragment file systems in which you store VeraCrypt volumes.