If you store sensitive information on a USB drive, you should consider using encryption to protect your data in the event of loss or theft. I’ve already talked about how to encrypt your hard drive using BitLocker for Windows or FileVault for Mac, which are built-in features of the operating system.
For USB drives, there are several ways to use disk encryption: use BitLocker on Windows, buy a hardware-encrypted USB drive from a third-party manufacturer, or use third-party encryption software.
In this article, I will go over all three methods and how you can implement them. Before we dive into the details, it should be noted that no encryption solution is perfect or guaranteed. Unfortunately, all of the solutions mentioned below have had problems over the years.
Security holes and vulnerabilities have been identified in BitLocker and in third-party encryption software, and many hardware-encrypted USB drives can be compromised. So does it make sense to use encryption? Definitely yes. First, hacking and exploiting these vulnerabilities is extremely difficult and requires a lot of technical skill.
Secondly, security is constantly improving, and updates to software, firmware, etc. are released to keep the data safe. Whichever method you choose, always keep everything updated.
Method 1 – BitLocker on Windows
BitLocker will encrypt your USB drive and then ask you for your password each time you connect it to a PC. To start using BitLocker, connect your USB drive to your computer. Right-click the drive and select Turn on BitLocker.
You will then have the option to choose how you want to unlock the drive. You can use a password, smart card, or both. For most personal users, the password option will be the best choice.
Then you will need to choose how you want to save your recovery key in case you forget your password.
You can save it to your Microsoft account, save it to a file, or print the recovery key. If you save it to your Microsoft account, it will be much easier for you to recover your data later, as it will be stored on Microsoft servers. However, the downside is that if law enforcement ever wants to retrieve your data, Microsoft will have to hand over your recovery key if a warrant is issued.
If you are saving it to a file, make sure the file is stored in a safe place. If someone can easily find the recovery key, they will have access to all of your data. You can save it to a file or print the key and then keep it in a bank vault or somewhere else very secure.
Next, you need to choose which part of the disk you want to encrypt. If it’s new, just encrypt the used space and it will encrypt the new data when you add it. If it already has something on it, just encrypt the entire drive.
This screen may not appear depending on which version of Windows you are using. On Windows 10, you will be prompted to choose between the new encryption mode or the compatible mode. Windows 10 has better and stronger encryption that is incompatible with earlier versions of Windows. If you want more security, select the new mode, but if you need to connect the drive to older versions of Windows, select the compatible mode.
After that, disk encryption will start. The time will depend on the size of your disk and the amount of data that needs to be encrypted.
Now, if you go to another Windows 10 PC and connect the drive, you will see a small message in the notification area. In earlier versions of Windows, just open File Explorer.
You will also see that the drive icon is locked when you browse drives in Explorer.
Finally, when you double-click the drive to access it, you will be prompted for a password. If you click Advanced Options, you will also see an option to use the recovery key.
If you want to disable BitLocker later, just right-click the drive and select Manage BitLocker. Then click Turn off BitLocker in the list of links.
You can also change your password, back up your recovery key again, add smart card verification, and turn auto-lock on or off. All in all, this is an easy and secure way to encrypt a USB flash drive without requiring any third-party tools.
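The same wizard steps can be scripted with the BitLocker PowerShell cmdlets, which also lets you check what was actually applied. This is an added example, not part of the original article; the drive letter E: and the recovery-file path are assumptions, and it must be run from an elevated PowerShell session.

```powershell
# Added example. Assumptions: the USB drive is mounted as E: and the recovery
# password is written to a location you control (both values are placeholders).
param(
    [string]$MountPoint   = 'E:',
    [string]$RecoveryFile = 'D:\offline-backup\usb-recovery-key.txt',
    [switch]$DriveIsNew,       # new, empty drive: encrypt used space only
    [switch]$CompatibleMode    # drive must also open on older Windows versions
)

# The wizard's "new encryption mode" is XTS-AES; "compatible mode" is AES-CBC.
$method = if ($CompatibleMode) { 'Aes128' } else { 'XtsAes128' }

# Prompt for the unlock password so it is never echoed or stored in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $MountPoint"

$enableArgs = @{
    MountPoint        = $MountPoint
    EncryptionMethod  = $method
    PasswordProtector = $true
    Password          = $password
}
if ($DriveIsNew) { $enableArgs.UsedSpaceOnly = $true }
Enable-BitLocker @enableArgs | Out-Null

# Add a recovery password as the fallback for a forgotten password and save it.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$volume   = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery.RecoveryPassword | Set-Content -Path $RecoveryFile

# Report the resulting state: cipher, progress, and which protectors exist.
$volume | Select-Object MountPoint, VolumeStatus, EncryptionMethod,
    EncryptionPercentage, ProtectionStatus,
    @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Move the recovery file off the PC once it is written; anyone who can read it can unlock the drive.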
Method 2 – VeraCrypt
There are many third-party encryption programs out there that claim to be safe and secure, but they have not been audited to ensure this so-called quality. When it comes to encryption, you need to make sure the code is validated by teams of security professionals.
The only program I would recommend at the moment is VeraCrypt, which is based on the previously popular TrueCrypt. You can still download TrueCrypt 7.1a, the only version we recommend for download, but work is no longer being done on it. The code has been audited and, fortunately, no major vulnerabilities have been found.
However, it has some problems, so it shouldn’t be used anymore. VeraCrypt basically took TrueCrypt and fixed most of the issues found during the audit. First download VeraCrypt and then install it on your system.
When you run the program, you will see a window with a bunch of drive letters and a few buttons. We want to start by creating a new volume, so click the Create Volume button.
The Volume Creation Wizard will open and you will have several options. You can create an encrypted file container or encrypt a non-system partition / disk. The first option will create a virtual encrypted disk stored in a single file. The second option will encrypt your entire USB stick. In the first option, you can store some data in an encrypted volume, and the rest of the disk can contain unencrypted data.
Since I only store sensitive information on one USB drive, I always use the whole drive encryption option.
On the next screen, you have to choose between creating a standard VeraCrypt volume or a hidden VeraCrypt volume. Be sure to follow the link to understand the difference in detail. Basically, if you need something super secure, use a hidden volume because it creates a second encrypted volume inside the first encrypted volume. You should store real sensitive data in the second encrypted volume and some fake data in the first encrypted volume.
This way, if someone forces you to give up your password, they will only see the contents of the first volume, not the second. There is no additional complication when accessing a hidden volume; you just need to enter a different password when mounting the drive, so I would suggest using a hidden volume for added security.
If you select the Hidden Volume option, be sure to select Normal Mode on the next screen to have VeraCrypt create a normal volume and a hidden volume for you. Next, you need to choose the location of the volume.
Click the Select Device button and locate the removable device. Note that you can select a partition or an entire device. You may run into some problems here because when I tried to select removable drive 1, I got an error saying that encrypted volumes can only be created on devices that do not contain partitions.
Since there was only one partition on my USB stick, I just selected / Device / Harddisk / Partition1 E: and it worked fine. If you chose to create a hidden volume, the next screen will set the parameters for the outer volume.
Here you have to choose an encryption algorithm and a hashing algorithm. If you don’t understand what something means, just leave the default and click Next. The next screen will set the size of the outer volume to be the same size as the partition. At this point, you must enter the password for the outer volume.
Note that the passwords for the outer volume and the hidden volume must be very different, so consider some good, long and strong passwords. On the next screen, you have to choose whether you want to support large files or not. They recommend no, so only select yes if you really need to store files larger than 4 GB on disk.
Then you need to format the outer volume, and I would recommend not changing any settings here. The FAT file system is better for VeraCrypt. Click the “Format” button and all the data on the disk will be deleted, and then the process of creating the outer volume will begin.
It will take a while because this format actually writes random data across the entire disk, as opposed to the quick format that usually happens in Windows. When finished, you will be prompted to copy data to the outer volume. This is supposed to be your fake confidential data.
After you copy the data, you will start the process for the hidden volume. Here you need to select the type of encryption again, which I would leave alone if you don’t know what this all means. Click Next and you now have the option to select the size of the hidden volume. If you are sure you are not going to add anything to the outer volume, you can simply set the hidden volume to the maximum size.
However, you can reduce the size of the hidden volume if you wish. This will give you more space in the outer volume.
Then you have to enter the password for the hidden volume and then click “Format” on the next screen to create the hidden volume. Finally, you will receive a message on how to access the hidden volume.
Please note that the only way to access the disk right now is using VeraCrypt. If you try to click the drive letter in Windows, you simply get an error message that says the drive cannot be recognized and needs to be formatted. Don’t do this if you don’t want to lose all of your encrypted data!
Instead, open VeraCrypt and first select a drive letter from the list at the top. Then click “Select device” and select the partition of the removable disk from the list. Finally, click the Mount button. Here you will be prompted for a password. If you enter the password for the outer volume, that volume will be mounted to the new drive letter. If you enter the password for the hidden volume, that volume will be mounted instead.
Pretty cool, right? You now have an ultra-secure, software-encrypted USB drive that no one else can access.
Method 3 – Encrypted USB flash drives
The third option is to buy a hardware-encrypted USB drive. Never buy a software-encrypted flash drive because it probably uses some kind of proprietary encryption algorithm created by the company and has a much higher chance of being compromised.
While Methods 1 and 2 are good, they are still software encryption solutions that are not as good as hardware-based solutions. Hardware encryption provides faster access to data on disk, prevents pre-boot attacks, and stores encryption keys on the chip, eliminating the need for external recovery keys.
When purchasing a hardware-encrypted device, make sure it uses AES-256 or is FIPS compliant. My main recommendation from the point of view of reliable companies is IronKey.
They have been in the business for a very long time and offer truly high-security products for consumers and businesses. If you really want secure flash drives and don’t want to do it yourself, then this is the best choice. It’s not cheap, but at least you can rest assured that your data is stored securely.
You will see many cheap options on sites like Amazon, but if you read the reviews, you will always find people who were “shocked” when something happened and they could access the data without entering their password or something similar.
Hopefully this detailed article will give you a good idea of how you can encrypt data on a flash drive and access it securely. If you have any questions, do not hesitate to comment. Enjoy!