USB flash drives are great for transporting files and documents. On the other hand, their small size and ease of mobility also have disadvantages. Thumb drives are incredibly easy to forget in the USB port and they’re small enough to fall out of—or be taken from—your pocket or bag unnoticed.
Because theft or human error is so common, your best defense is to encrypt your USB flash drive. This protects your files and documents in case someone else gets their hands on it. With the help of free, open-source software called TrueCrypt, you can easily protect the data stored on your flash drive so that if it is lost or stolen, nobody will be able to get to your sensitive files.
IMPORTANT: Before You Begin
The procedures in this guide will erase the information on the drive. If you have any data already on the drive that you care about, get it copied somewhere safe or it will be erased. Make sure that you’ve backed up everything that might already be on the USB drive you’re using.
You will need Administrative privileges to perform these tasks.
What you’ll need
- A USB thumb drive or external hard drive
- A computer
- TrueCrypt – This is FREE, and you can get it at http://www.truecrypt.org/downloads
USB drives do fail, so be sure to keep a backup of the new contents of your drive. You should also encrypt this backup.
Step by Step Guide
Written by the SpiceWorks Community and found to be one of the most efficient ways to encrypt your USB drives.
Open the TrueCrypt setup file you downloaded
Mark the checkbox next to “I accept the license terms” and choose “Next”
With Extract selected, choose Next
If you’re using a personal computer on which you’ll access the drive often, you can choose the Install option.
In this guide, we’re choosing to Extract the files because that way no desktop or Start menu shortcuts are created, so anyone else using your PC won’t know you have TrueCrypt on it unless you put it somewhere obvious.
Note that once you’ve extracted the files, you can move them around to wherever you want. I suggest hiding them somewhere you don’t think people will look. When you are ready to use the software in the future just find that TrueCrypt application and open it.
Hit OK on the prompt that comes up, and then Extract
When the process has completed, hit OK on the next prompt, then Finish
You’ll see a window come up showing you the files that were extracted
Open the TrueCrypt application
In the software
Click “Create Volume”
Choose “Encrypt a non-system partition/drive” and then “Next”
This step can vary depending on how paranoid you’d want to be.
If you choose the first “Create an encrypted file container” option, you could store the encrypted drive in a file. This is typically used when you’d want to include the TrueCrypt software on the same USB drive.
This guide was created with paranoid users in mind, so we’ll be using the second option. Note that with this, you’ll have to install or set up TrueCrypt on any computer you’d be using.
The reason we’re using the second option is so that at first glance the USB drive will be completely inaccessible and not appear to have anything.
If we did have TrueCrypt readily available on it, anyone who found the drive would know exactly what we used to create it, and could see the encrypted file. So let’s make it as hard as we can for any malicious people that want your information.
Leave the “Volume Type” as it is, and choose “Next”
Ensure that your USB drive is plugged in. Choose “Select Device”
Select a Partition or Device
On the next screen, you will see several items. You will want to choose the line under Removable Disk.
Note that if you have several devices plugged in, you may have more than one item under a Removable Disk heading. You should recognize the Label field as the name of the device that you usually see when you plug in the drive you’re about to encrypt.
Choose that, then OK.
You will come back to the “Volume Location” screen you were at in Step 8. Choose “Next”
Volume Creation Mode
Choose “Create encrypted volume and format it”, then “Next”. Keep in mind that the first option will erase all data on the drive, so back it up first or you will lose everything!
If you want to proceed while keeping existing data already on the drive, choose Encrypt partition in place and then Next. If you do this, you should still make a backup first. However, for our purposes it’s best to just use the first option.
Depending on the option you chose, you might receive a warning message asking if you’ve already made a backup of your data. This is just a precaution in case the encryption process is halted. Choose Yes to proceed.
The next screen asks about which Encryption Algorithm you’d like to use. Choose “AES-Twofish-Serpent” from the dropdown menu, as it has one of the highest levels of encryption. If you want to brag to your friends about how secure your stuff is, you can choose to read more information about this selection. Either way, trust me when I say that “pretty darn secure and hard to get at” is a good summary.
Hit Next, then Next again at the Volume Size screen
The Volume Password screen is important. You will be creating two-factor authentication. The first is a password. Read the note on this screen, and be sure to create a password that is secure. However, don’t make it so complex that you’d forget it. The second is what’s called a ‘keyfile.’ This is a file that you will need in addition to the password to be able to unlock your information.
*NOTE* – You must have both the correct password and the correct keyfile in order to access anything on this drive. This makes it so that even if someone obtains either of these independently, they cannot access the data on the drive without both. That also means that if you lose one, you lose everything on this drive! If that happens, your only option is to erase all of it and start over.
As such, be sure to keep each in a separate place. I suggest emailing the keyfile to yourself so that you’ll have access to it wherever you are, but DO NOT also email the password to yourself. If anyone were to access your email they’d have both, and we don’t want that! Also, it’s a good idea to make the password different than your email password.
Alternatively, you could store the keyfile on a separate thumb drive or a folder on your computer. Also keep in mind that the keyfile option is just an added precaution, so you may choose to skip those steps if you prefer to only use a password. However, since we’re going to all this trouble anyway, and for maximum protection, it’s recommended to use both.
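Why losing either factor locks you out, as an added example that is not part of the original guide and not TrueCrypt’s own code: this simplified Python model derives one key from a password and a keyfile together. The PBKDF2 construction, the iteration count and all sample values are assumptions made for the illustration; TrueCrypt’s real keyfile processing differs.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # demo value chosen for this example


def derive_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key that depends on BOTH the password and the keyfile."""
    # Hash the keyfile so that every byte of it influences the key.
    keyfile_digest = hashlib.sha512(keyfile).digest()
    # Length-prefix the password so the two inputs cannot run together.
    pw = password.encode("utf-8")
    secret = len(pw).to_bytes(4, "big") + pw + keyfile_digest
    return hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=32)


def make_verifier(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Tag stored with the volume: proves a key is right without storing the key."""
    key = derive_key(password, keyfile, salt)
    return hmac.new(key, b"volume-header-check", hashlib.sha256).digest()


def can_unlock(password: str, keyfile: bytes, salt: bytes, verifier: bytes) -> bool:
    """Constant-time comparison of the candidate tag against the stored one."""
    return hmac.compare_digest(make_verifier(password, keyfile, salt), verifier)


# Constructed sample values (not real secrets).
SALT = bytes(range(16))
PASSWORD = "correct horse battery staple"
KEYFILE = hashlib.sha512(b"constructed keyfile contents").digest()  # 64 bytes
VERIFIER = make_verifier(PASSWORD, KEYFILE, SALT)


def demo() -> dict:
    damaged = bytes([KEYFILE[0] ^ 0x01]) + KEYFILE[1:]  # a single flipped bit
    return {
        "password + keyfile": can_unlock(PASSWORD, KEYFILE, SALT, VERIFIER),
        "password only": can_unlock(PASSWORD, b"", SALT, VERIFIER),
        "keyfile only": can_unlock("", KEYFILE, SALT, VERIFIER),
        "keyfile with one bit changed": can_unlock(PASSWORD, damaged, SALT, VERIFIER),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} -> {'unlocks' if ok else 'locked out'}")
```

The last case is the one to remember when you store the keyfile: a copy that has been edited or corrupted is as useless as a missing one.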
Input your password, then confirm it. Then check the box next to Use keyfiles and hit the Keyfiles… button
Generate a Keyfile
Click on “Generate Random Keyfile” in the lower right corner.
This part’s a little fun, and if there are people around you they might start looking at you funny while you seem to be seizing.
On this screen, you’ll be asked to randomly move your mouse around inside of the Current Pool Content area. I try to just be as crazy as I can with this, partly for security but mostly for fun.
You’ll see the values inside change as you move. Do this for about 30 seconds to 1 minute; the longer you do it, the more randomness goes into the keyfile. Then hit Generate and Save Keyfile…
The purpose of this step is to make the keyfile’s contents unpredictable, so that anyone trying to guess or recreate your keyfile would have a really hard time doing it.
Save your Keyfile
You’ll be asked to name and save your keyfile. I suggest using an inconspicuous name like ‘temp’ or something innocent. If you name it ‘keyfile’ then it will be obvious to anyone looking for it to see what it is, so don’t do that. Make note of the current file location, or find a new place to save it, then type the file’s name. If you’ll be keeping the file on this PC, you should hide it, so don’t put it on your desktop or anywhere easy to find.
I placed mine at C:\Windows\System32 as there are several other files there, and it’s a naturally good hiding place.
Next, choose Save, then hit OK and Close on the Keyfile Generator window.
Add your Keyfile
On the Keyfiles screen, choose Add Files… and then browse to your hidden keyfile. Select it, and hit Open
Note that at this Keyfiles screen you have the ability to generate multiple keyfiles. This would mean you’d need every single keyfile to unlock your info. If you choose to do so, proceed with steps 14-16 until you’re satisfied, and hit OK. I don’t think it’s really that necessary, but again it depends on how paranoid you are.
Now hit Next at the Volume Password screen. If you have a short password, you may see a prompt; just hit Yes.
How large are your files?
At the next screen you will be asked if you intend to store files larger than 4 GB. If you do, hit Yes. If not, hit No.
If you are just using the drive to store documents and personal information, you can probably just hit No. If you’re using it for larger things hit Yes.
Choose NTFS from the Filesystem dropdown.
If this is a new drive, I suggest checking the Quick Format option to speed things along. Only do this if you haven’t had sensitive data on the drive before. If you don’t use the Quick Format option, the format process will take a few hours.
You’ll again be required to move your mouse randomly in the Random Pool area. Just as you did before, do this for 30 seconds to 1 minute, then hit Format.
You’ll be prompted to confirm that you understand your data will be erased. Hit Yes only after you’re sure you don’t have anything on the drive that hasn’t been backed up.
When the process has completed, hit OK on any confirmation prompts.
You will be taken back to the original screens you started at, and can now hit Cancel to exit these screens.
If you chose Encrypt Partition in Place in Step 11, do this. Otherwise, skip to Step 20
The Wipe Mode method should be left at None, its default value. Just hit Next.
At this screen, you’ll be asked to start the encryption process. Note that the larger the drive is, the longer this process will take. While the software is encrypting the drive, you will be unable to access any information on it, and you may notice that the TrueCrypt screens might be inaccessible. It’s important that you do not cancel the operation, reboot, or take any other action that could halt this process. You should also know that if there isn’t much free space or if there’s a problem with the drive, the encryption process could halt with an error. I recommend moving all data to your PC first, if you haven’t already, so that the USB drive is empty. After the volume is encrypted, you can copy the data back.
Choose Encrypt. You’ll be prompted with a warning. Read it, then confirm with Yes. You’ll see an estimated time of completion. If you notice that your PC is too slow for you to work, you can pause the process until you have time for it to proceed.
Accessing your newly encrypted data
*NOTE* – From this point forward, you will only be able to access the information on this drive using the TrueCrypt software, your password, and your custom keyfile.
If you attempt to access the drive without the software, you might be prompted to format it, or told that the information is inaccessible. This prevents anyone from accessing your information without the appropriate authentication or methods. It’s important that you only ever choose Cancel at those prompts. If you follow the Windows format prompts, your information will be erased! Don’t worry though, as you’ll be asked again to confirm that action before it happens.
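Why Windows offers to format the drive, as an added example that is not part of the original guide: the first sector of an encrypted device carries no file system marker and looks like random bytes, so the operating system finds nothing it recognizes. Both sample sectors are constructed, with SHA-256 output standing in for ciphertext.

```python
import hashlib
import math
from collections import Counter

# (offset, magic bytes, name) of boot-sector markers for common Windows file systems.
SIGNATURES = [
    (3, b"NTFS    ", "NTFS"),
    (3, b"EXFAT   ", "exFAT"),
    (82, b"FAT32   ", "FAT32"),
    (54, b"FAT16   ", "FAT16"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def inspect_first_sector(sector: bytes) -> dict:
    """Report the file system marker (if any) and how random the sector looks."""
    filesystem = next((name for offset, magic, name in SIGNATURES
                       if sector[offset:offset + len(magic)] == magic), None)
    return {"filesystem": filesystem,
            "entropy": round(shannon_entropy(sector), 2)}


def sample_ntfs_sector() -> bytes:
    """Constructed 512-byte sector carrying only the NTFS markers."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"      # jump instruction
    sector[3:11] = b"NTFS    "         # OEM ID that identifies NTFS
    sector[510:512] = b"\x55\xaa"      # boot sector signature
    return bytes(sector)


def sample_encrypted_sector() -> bytes:
    """Constructed stand-in for ciphertext: 512 deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(16))


if __name__ == "__main__":
    print("NTFS drive:     ", inspect_first_sector(sample_ntfs_sector()))
    print("encrypted drive:", inspect_first_sector(sample_encrypted_sector()))
```

To check a real drive you would pass in the first 512 bytes read from the raw device, which needs administrator rights.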
If you chose the first option in step 6, you can ignore the rest of these steps. If you followed this guide, read on.
Step Twenty One
Mounting your Encrypted Drive
Choose Auto-Mount Devices. A password prompt will come up.
Input your Password and click Keyfiles…
Step Twenty Two
Add your Keyfile
Just as you did in Step 16, choose Add Files then browse to your keyfile and hit Open, then OK.
After choosing OK on the password window, you’ll come back to the main TrueCrypt window.
You’ll notice that your device now shows up in the main list and is assigned to the highest drive letter that was available.
Step Twenty Three
Browse to your Encrypted Drive
Open My Computer or Windows Explorer (Windows Button + E or you can use the icon on your desktop)
You’ll notice that the encrypted drive now shows up as if it is a hard drive, and as a removable storage disk.
The drive letter (in this example, G: ) matches the drive letter as shown in the TrueCrypt list. If you try to access the other drive you’ll come to an error message.
If you aren’t sure which drive to open, it’s the one that lets you. If you try one and get an error, use the other.
Step Twenty Four
Use the encrypted drive!
You’re now free to save any files to this encrypted drive just as you would a normal USB drive.
So do everything you need to do, and proceed to the next step.
Step Twenty Five
Don’t forget to Dismount the drive when you’re done!
When you are done working, be sure to go back to the TrueCrypt window and select Dismount All.
If you don’t do this, the drive will remain accessible to any person at your PC. The whole purpose of encryption is to secure your data, so this step is absolutely critical.
UPDATE: I’ve been asked about whether or not the drive will dismount if you remove the USB drive without interaction in TrueCrypt. The answer is YES, if you yank the USB out of the machine, it will automatically dismount any mounted drives. As with any USB drive, I’d suggest using the proper ejection methods to prevent corruption. You could use the built-in ‘disconnect device’ utility on your OS, and after doing so you’ll see a prompt stating that the TrueCrypt drive has been dismounted.
Step Twenty Six
Now that the drive has been encrypted, you can take it with you wherever you go.
You’re the only one that knows what encryption protocols you used and the methods for accessing your stuff. If you lose the drive and some random person picks it up, they won’t be able to do anything with it unless they format the drive, erasing everything in the process.
And beyond that, if someone steals it, they can’t use it unless they know your password and they have access to your custom keyfile. The only other method is for them to try and decrypt the files. This is extremely difficult, time-consuming, and a pain for them to do, especially if you used a really good password.