(other than creating a hidden operating system), you can provide, for example, one of the following
explanations:
• If there are more than two partitions on a system drive and you want to encrypt only two of
  them (the system partition and the one behind it) and to leave the other partitions
  unencrypted (for example, to achieve the best possible performance when reading and
  writing data, which is not sensitive, to such unencrypted partitions), the only way to do that is
  to encrypt both partitions separately (note that, with a single encryption key, VeraCrypt could
  encrypt the entire system drive and all partitions on it, but it cannot encrypt only two of
  them — only one or all of the partitions can be encrypted with a single key). As a result,
  there will be two adjacent VeraCrypt partitions on the system drive (the first will be a system
  partition, the second will be a non-system one), each encrypted with a different key (which is
  also the case when you create a hidden operating system, and therefore it can be explained
  this way).

• If you do not know any good reason why there should be more than one partition on a
  system drive at all:

  It is generally recommended to separate non-system files (documents) from system files.
  One of the easiest and most reliable ways to do that is to create two partitions on the
  system drive; one for the operating system and the other for documents (non-system files).
  The reasons why this practice is recommended include:

    o If the filesystem on one of the partitions is damaged, files on the partition may get
      corrupted or lost, whereas files on the other partition are not affected.
    o It is easier to reinstall the system without losing your documents (reinstallation of an
      operating system involves formatting the system partition, after which all files stored
      on it are lost). If the system is damaged, full reinstallation is often the only option.

• A cascade encryption algorithm (e.g. AES-Twofish-Serpent) can be many times slower than
  a non-cascade one (e.g. AES). However, a cascade encryption algorithm may be more
  secure than a non-cascade one (for example, the probability that three distinct encryption
  algorithms will be broken, e.g. due to advances in cryptanalysis, is significantly lower than
  the probability that only one of them will be broken). Therefore, if you encrypt the outer
  volume with a cascade encryption algorithm and the decoy system with a non-cascade
  encryption algorithm, you can answer that you wanted the best performance (and adequate
  security) for the system partition, and the highest possible security (but worse performance)
  for the non-system partition (i.e. the outer volume), where you store the most sensitive data,
  which you do not need to access very often (unlike the operating system, which you use
  very often, and therefore you need it to have the best possible performance). On the system
  partition, you store data that is less sensitive (but which you need to access very often)
  than data you store on the non-system partition (i.e. on the outer volume).

• Provided that you encrypt the outer volume with a cascade encryption algorithm (e.g.
  AES-Twofish-Serpent) and the decoy system with a non-cascade encryption algorithm (e.g.
  AES), you can also answer that you wanted to prevent the problems about which VeraCrypt
  warns when the user attempts to choose a cascade encryption algorithm for system
  encryption (see below for a list of the problems). Therefore, to prevent those problems, you
  decided to encrypt the system partition with a non-cascade encryption algorithm. However,
  you still wanted to use a cascade encryption algorithm (because it is more secure than a
  non-cascade encryption algorithm) for the most sensitive data, so you decided to create a
  second partition, which those problems do not affect (because it is non-system) and to
  encrypt it with a cascade encryption algorithm. On the system partition, you store data that
  is less sensitive than data you store on the non-system partition (i.e. on the outer volume).