TruPax Plus
As convenient as TruPax is for creating volumes of just the right size, this comes at the price of extra security.
If you wish you can also add a key file. This means in order to mount your TruPax volume, VeraCrypt would use both your password and a file. This is a form of Two Factor Authentication (something you have and something you know) and hugely reduces the chance that an attacker can access your volume.
VeraCrypt also has a random keyfile generator. Go to Tools > Keyfiles to launch this.
You can use one or a number of files. Remember that the first 64 kilobytes of the file must not change, or the container can’t be opened. This is why images and music files work better. VeraCrypt doesn’t alter the file, so if for instance you choose an MP3 of Aqua’s Doctor Jones as your key file, there’s no way from examining the file itself to know that it’s been used this way.
In VeraCrypt choose Volumes > Change Volume password to get started. Enter your password in the field in the Current section, then again in the New section. Check ‘Use Keyfiles’ then click the ‘Keyfiles’ button to select the actual files. The order in which you select them doesn’t matter at all.
Before clicking ‘OK’ at the top right, move to the dropdown menu marked ‘PKCS-5 PRF’ in the New section, and choose ‘HMAC-Whirlpool’ to use a hash that has been developed entirely independently of our friends in the NSA.