USB memory sticks are a great addition to computing. Having the ability to carry hundreds of gigs of data in your pocket is amazing, especially to those of us who remember the days of 360K (yes, K) floppy disks. Almost every computer has a USB port where you can connect your USB stick and copy or access files. You can carry all your documents with you and use them anywhere.
However, carrying your data with you raises significant security and privacy concerns. If you lose your USB stick, anyone can access your files. They would have access to your Word documents, spreadsheets, maybe even your finances or taxes.
To protect the data on your USB stick, you should encrypt it. There are two methods to encrypt data on a USB stick: hardware and software. Hardware encryption uses a special USB stick that includes additional chips to encrypt your data. Software encryption uses a normal USB stick and does the encryption through software on the computer.
There are a few general types of hardware-encrypted USB sticks. All have an encryption chip built into the stick and offer either software that runs on the computer to access the stick or a key pad on the case for entering your password. Look for sticks certified to FIPS 140-2 Level 2 or higher. Level 2 ensures good cryptographic chips and that the stick will show evidence if tampered with. Hardware-encrypted sticks provide improved security at a higher cost. They will cost 10 to 20 times the cost of a normal drive. When choosing a hardware stick that doesn’t have a key pad, make sure it supports the operating systems you use. Most support Windows and Mac, but few support Linux or Android.
Software encryption on a USB stick uses an application run from the computer to create an encrypted partition or container on the USB stick. Software encryption allows you to use lower-cost normal USB sticks and makes it easier to keep your encryption software updated. Windows 10 Pro includes BitLocker, encryption software from Microsoft, that can also encrypt a USB stick. BitLocker does not come with the home version of Windows. Linux has a built-in system for encrypting drives called the LUKS file system. Unfortunately, each of these works only on its own operating system; they are not cross-compatible. When creating an encrypted USB stick for carrying files with you, you need to use software that can run on any operating system and doesn’t have to be installed. Many places that might let you use their computer to access your USB stick won’t allow you to install software.
VeraCrypt is the most popular disk encryption software and it’s free. VeraCrypt is the successor to TrueCrypt and is available on Windows, Mac, and Linux, and there are even Android and iOS (Apple) versions. VeraCrypt supports encrypting a partition or creating a ‘container’. Containers are large VeraCrypt files that become a mounted drive on the computer when you enter the password. They don’t have any characteristics that indicate they are a VeraCrypt file. You can name them anything you want to help hide their true use.
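What "no identifying characteristics" means at the byte level is shown in the added example below, which is not from the original article or the VeraCrypt project: a container has no file signature and reads as uniformly random data, so its file name does not change what a content-based check sees. The samples are constructed stand-ins (random bytes, not real volumes), and the function names, the 7.9 threshold and the 512-byte size heuristic are assumptions of this sketch.

```python
import math
import os
from collections import Counter

# Leading signature bytes of a few common formats (a container has none of these).
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def identify_magic(data: bytes):
    """Return the format name if the data starts with a known signature, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def looks_like_encrypted_container(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic (assumed thresholds): no signature, sector-aligned size, near-random bytes."""
    return (
        len(data) > 0
        and len(data) % 512 == 0
        and identify_magic(data) is None
        and shannon_entropy(data) >= threshold
    )

def constructed_samples() -> dict:
    """Constructed stand-ins, not real files; random bytes model a container's contents."""
    return {
        "grandmas_recipes.pdf": os.urandom(64 * 1024),  # container under a misleading name
        "report.pdf": b"%PDF-1.7\n" + b"Quarterly totals. " * 3000,
        "archive.zip": b"PK\x03\x04" + os.urandom(64 * 1024 - 4),
    }

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:22} magic={identify_magic(data)!s:6} "
              f"entropy={shannon_entropy(data):.3f} "
              f"flagged={looks_like_encrypted_container(data)}")
```

The renamed stand-in is flagged because of its content, while the compressed archive with similar entropy is not, since it carries a recognizable signature.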
VeraCrypt has several advanced features, including a “plausible deniable hidden volume” mode where an encrypted container has two passwords. One password opens your truly secret files and the other password opens a ‘sacrificial’ drive where you would store fake secret files that are OK if they got out. This allows you to show someone it’s just Grandma’s secret recipes you’re hiding. Today we’ll cover the easiest installation: the Standard VeraCrypt volume.
Visit the VeraCrypt web site and download the version for each operating system: Windows, Windows Portable, Mac, and Linux. Copy all the installers to a folder on your new USB stick. Putting the installers on the stick ensures you can install VeraCrypt on any computer you come across. Windows Portable is a version for Windows that does not have to be installed onto the computer. You use this version when borrowing a computer you can’t install software on. Now, install VeraCrypt on your computer by running the proper installer and following the screens. Once it’s installed, run VeraCrypt.
To start the creation of our first volume:
- Click the Create Volume button.
- Then select “Create encrypted file container”.
- On the next screen, select “Standard VeraCrypt volume”.
- Now it’s time to select where we want the container to be stored.
- Click “Select File” and navigate to your new USB stick.
- Enter a file name and click save.
- On the next screen, leave the standard encryption options and click next.
- Now enter the volume size. Leave some room on your new USB stick. Look at the “Free space” information and make the volume 1 or 2 GB smaller. This leaves room for new VeraCrypt installers and any plain files you need to carry.
- Next you enter the volume password. Enter a long phrase twice and click next.
The last step is to start the formatting of the new volume. Move your mouse around the screen to create random information that will feed into the encryption process. Once the indicator turns green, click Format.
After a few minutes, your new encrypted volume has been created.
To mount your new encrypted volume (so you can use it):
- Go to the VeraCrypt home screen, click on a drive letter, then click Select File.
- Select your new file, click Mount, and enter your pass phrase. VeraCrypt will mount your encrypted volume as a drive on your computer.
Use your normal file manager to copy files to your new volume. Once you are finished using your volume, use VeraCrypt to dismount the encrypted volume before you eject the USB stick.
Read more about using VeraCrypt, including the Beginner’s Tutorial, on the VeraCrypt web site.
Now you have an encrypted USB stick you can use almost anywhere.
Chad “Chainsaw” Sawyer is an information security professional who focuses on helping organizations and individuals maintain their privacy and computer data security. He’s the author of the Linux Workstation guide and blogs on privacy issues at Chainsaw’s Privacy. He holds a General Amateur Radio license and is an AmRRON Corps member.