How and Why You Should Encrypt Your USB Data by Richard LeCount

If you deposit sensitive data on your USB stick, then you must consider encryption to secure your information in the event of a security breach or physical loss.

There are a couple of different ways to encrypt your device, depending on what operating system your host device is using, be it Windows or a macOS – in this blog we’ll cover the different ways to encrypt your USB on both devices. 

It’s important to note though, that USBs, along with just about any device, are not 100% impenetrable even after encryption. 

That said, hacking and exposing a devices’ weaknesses is not a simple task that can be performed by just anyone. It requires technical skills and knowledge to penetrate the information of an encrypted device.

What is Encryption?

When you encrypt your files, you’re essentially making them unreadable, unless someone can unscramble them. Which is usually only the case when someone is using a certain kind of software or has some idea of what your chosen password is. 

Someone may encrypt files to prevent certain information from being seen. For instance, if you use a USB stick to store financial data, photographs or any other personal documents, that someone could use against you, like trying to steal your identity, then it’s of the utmost importance that you encrypt this data. 

Should I Encrypt My Device?

You know the story: someone with significant power loses a USB device, containing information that could be available for anyone to see if they were to stumble across it. 

Such incidents are often reported in the news, and only last year an unencrypted USB device containing the personal details of up to 900 university students was lost by a leading Irish university. 

No one wants to be in that situation, whether it’s data from a respected institution such as NUI Galway, or even your own personal data. 

That said, most of us are only storing and transporting this kind of information for a reason, so we’re not carrying such sensitive data on a daily basis, which means that encryption isn’t necessary for every situation. 

As we’ve already covered, it’s really only for when you’re carrying documents that could present a considerable personal security threat if the drive were to be misplaced, or your host device, such as a tablet or laptop, has been breached by malware, and the data needs to moved. 

Encrypting Your Device Using BitLocker on Windows

Microsoft’s built-in encryption tool is called BitLocker, which will encrypt the information on your device and request a password of your choosing each time its plug into a PC, so only individuals with knowledge of the password will be able to view your information. 

Note: If the steps below aren’t working on your computer, it means that your current version of Windows doesn’t support BitLocker

Step One – Connect your USB drive to your computer, and then right-click on the image of the USB drive in ‘This PC’ and select ‘Turn on BitLocker’. 

Step Two: Once you’ve clicked this option, you’ll be asked how you’d like to unlock your data. There are three options available to you: password, smart card or both. For most users, the password option will be the best. 

Step Three: The next step is crucial since you’ll be asked to select the method you’d use in order to retrieve the data from your device if you happen to forget your password.

There are three options available to you at this stage:

• Save to your Microsoft account
• Save to a file
• Print the recovery key

Saving your data to your Microsoft account is usually the best option because it will remain securely stored on the Microsoft servers. 

If you choose the second option, Save to a file, then you must ensure your file is saved securely. 

Finally, you could print the recovery key and then store it safely in a secure location. 

Whatever avenue you decide to travel down, it’s absolutely crucial that you keep your recovery key secure, because if anyone were to stumble across it, they’d have the means to access all of your data. 

Step Four: Now, you’ve decided how you’ll recover your device; you’ll need to choose how much of your drive you want to encrypt. If it’s a brand-new flash drive, just encrypt the used space, and it’ll encrypt new data as its added. If you already have data stored on it, then just go ahead and encrypt the whole drive.

Depending on which version of Windows you’re using, you may not see this. You’ll instead see:

This is because Windows 10 runs a stronger and improved version of BitLocker, which isn’t compatible with earlier versions of Windows. If you require upgraded protection, get Windows 10, but if you just want to connect the device to older versions, click Compatible Mode. 

Once you’ve clicked Next, the PC will encrypt your USB, and the time it takes to do so, will depend largely on how much data is stored on the device.

When it does finish encrypting, you’ll see a notification when you plug it into any Windows machine telling you that your device is ‘BitLocker-Protected’. 

If you enter the ‘This PC’ section again, you’ll now see that your drive icon has a gold padlock on it:

Step Five: Now everything is encrypted, double-clicking on the drive icon, will bring up a password prompt. This screen will also allow you to enter your recovery key, should you forget your password:

If you want to unlock your device again, right-click the icon and select Manage BitLocker then Turn off BitLocker. 

Within this menu, you’ll also be able to change your password, get another recovery key, add smart card verification and toggle auto-unlock for specific devices. 

Encrypting Your Device Using VeraCrypt on Windows

Many third-party data encryption options on the market claim to be safe and secure, but in reality, no one has actually audited these options to verify these claims. When it comes to encryption devices, you must use software that has been written and reviewed by security experts.

The only software we could recommend at this time is VeraCrypt, which is the name now given to the previously popular TrueCrypt. The code for this programme has been correctly audited, and no major security concerns have been highlighted. 

Step One: Once you’ve downloaded the programme, you’ll see this:

We want to create a new volume:

Step Two: You’ll now see the ‘VeraCrypt Volume Creation Wizard’, which presents you with a few options:

You can use one of the following options:

• Create an encrypted file container – makes a virtual encrypted disk and stores it in a single file
• Encrypt a non-system partition/drive – will encrypt your entire flash drive
• Encrypt the system partition or entire system drive – encrypts some parts of the drive and leaves the rest unencrypted.

Since we’re carrying delicate data on our USB, we’d always select option two. 

Step Three: On the next screen, you’ll need to choose between creating a ‘Standard VeraCrypt Volume’ or a ‘Hidden VeraCrypt Volume’. 

Essentially the difference between the two is the added security level. Again, we’re carrying sensitive information, so we’ll choose hidden volume because this basically creates another layer of protection, which means you can store decoy data within the first layer and the real data in the second.

This method also means that if someone has your password, they will only gain access to the first layer (volume) of information and not the real data hidden in the second since this will need another password.

If you’ve chosen the hidden volume, ensure that you select normal mode on the next screen, so the software knows to create two layers – one visible and one hidden.

Step Four: Next, we need to choose the location of the volume.

Click on the select device button and then take a look for your device. At this step, you’ll either be able to choose a partition or the entire device. 

If you decided on hidden volume in the earlier stage, the next screen would set your parameters for the ‘outer volume’ or outer layer of security in other words.

Step Five: At this stage, you’ll be asked to select the encryption and hash algorithms. However, if you are unsure on this, it’s best to just leave everything in its default state and move to the next step.

Step Six: The next screen will ask you to verify the size of the outer volume, which will be the same size as the portion of the drive you want to encrypt, then you’ll be asked to create a password:

Be sure to note that the outer volume (decoy layer) and the hidden volume (the real data) must be given very different passwords, so think of some long and varied passwords that you could use for each, or alternatively use a password generator. 

passwordgenerator.net is a good one to use, since you can generate passwords that include symbols, numbers and upper- and lower-case characters with up to 2048 characters, for unbelievable levels of security. 

Step Seven: You’ll now need to select whether or not you’d like to support huge files. It’s generally recommended that you don’t, so only click yes if you are storing data larger than 4GB.

Step Eight: Now, you’ll be asked to format the outer volume, and it’s a good idea to leave everything as it is here since the FAT filesystem is best for VeraCrypt. 

Once you click the format button, it will actually delete everything on the drive and then begin to create the outer volume.

This will take more time than if you were using BitLocker because doing this will enable you to actually write random information across the entire device. When this finished, you’ll be asked to copy data to the outer volume, which is supposed to act as your decoy data. 

Step Nine: Once you’ve copied over miscellaneous data, you’ll need to begin the process for the hidden volume. 

You’ll be once again asked to choose your encryption type, which, once again is best to leave as it is. Then you’ll need to choose the size of the hidden volume. If you’re certain that you won’t be adding to the outer volume, you can just choose the maximum hidden volume value. 

Alternatively, you can keep the hidden volume to a minimum if you don’t need to store large amounts of data, and you need more room for the outer volume. 

Step Ten: Now, you’ll need to give your hidden volume a password and hit Format to the create the hidden volume, once this is complete, you’ll see this message:

Now, this is complete; the only way you’ll be able to gain access to your drive is by using VeraCrypt. If you attempt to click on the drive in Windows, you’ll be given an error message which tells you that your device can’t be recognised and requires formatting, don’t do this or you will lose all of your encrypted data.

Open VeraCrypt and select a drive letter from the list:

Then click select device:

And choose a removable disk partition from the list and hit the Mount button. 

Now you can enter the outer password to mount the outer volume to a new drive letter, or if you type the hidden volume password it will dismiss the outer volume, and your hidden information will load instead.

Since the release of macOS Mojave, it’s relatively easy to encrypt your USB devices. 

However, bear in mind that if you’re using Finder to encrypt a device, you won’t be able to access it on a machine that isn’t running macOS.

Step One: Plug your USB drive into the Mac and open Finder.

Step Two: Right-click on your device in the left sidebar, under locations and click encrypt:

Step Three: You’ll now be prompted to enter your password and hint. Just like other forms of encryption, you’ll need this to access your data, so keep a secure copy somewhere away from the primary device, as you won’t be able to recover or reset this password once you’ve decided what it is.

Step Four: Once this is filled out, click Encrypt Disk. 

The Mac will now encrypt the device, and as with the other options we’ve covered, the time taken to do so will depend largely on what you have stored on the drive. 

Once it’s complete, the only way you’ll be able to access your information is by inserting it into a Mac device and inputting the password. 

Note: If the Encryption option doesn’t appear when you right-click your device, it means the drive isn’t in the right format to use the standard macOS encryption. You’ll need to follow the steps below to encrypt your device.

Encrypting Your Device Using Disk Utility on a Mac 

We we’ve mentioned in the section above, if you can’t use the built-in encrypt option, it means your flash drive hasn’t been formatted using a GUID partition map.

Step 1: To use this encryption method, you’ll first need to remove your drive and encrypt it in Disk Utility. First, make a copy of all your data and move it somewhere safe. Once, you’ve completed this; you can then erase and encrypt the device. 

Step 2: Open up Disk Utility, which can be found in Applications and then Utilities in Finder:

Step Three: From here, select Disk Utility, then view.

Step Four: Now select, Show all Devices, and select the top option of your USB drive from the left-hand sidebar.

Step Five: Click the Erase option in the toolbar:

Step Six: Now rename your USB device and under the Scheme menu, ensure you have GUID Partition Map selection, before you change Format, where you should select Mac OS Extended (Journaled, Encrypted).

Step Seven: You’ll be asked to type in a password and reminder, once again it’s worth remembering that this isn’t changeable so don’t forget it. Once you’ve completed this step, click Erase. 

Step Eight: Once you’ve completed this step, move all of your data that initially removed back onto your device. Once it’s on the drive, it will automatically encrypt with a password.

Conclusion

While we know that encryption is not 100% fool proof, leaving sensitive data exposed is not something we should be doing in this day-and-age. 

In this blog, we’ve covered how to encrypt devices using BitLocker and VeraCrypt on Windows and how to do it on an Apple device too, so you can be sure that whatever device you’re using you can keep your private data safe.

About the Author:

Richard LeCount is a cybersecurity expert and the managing director of usbmakers.com, a company specialising in USBs and power banks.