Securing a USB Thumb Drive

Padlock and Chain

The more I learn about information security, the more paranoid I get. It is so, SO easy to get hacked, you guys. One point of security concern I’ve been thinking about recently is the USB thumb drive. We often carry around all kinds of sensitive information and files on these oh-so-losable, bite-size bits of technology. Recently I thought to myself, ‘My Kali Linux LiveUSB is encrypted; why not all of my thumb drives (or at least a few important ones)?’

It turns out creating a portable, cross-OS encrypted thumb drive is not quite as easy as just setting a password and clicking a button, but it’s not hard either. I’m going to be using VeraCrypt since it is Open Source and works on all platforms. If you’re on Linux and don’t need compatibility with other OS’s, you can also do all of this from the command line, but for now I’m sticking with this easy-to-use GUI. I had a hard time gathering the instructions for all the different methods in one place, so I made this post to gather it together.

There are two small catches to using VeraCrypt. First, you must have administrator access on any  machine opening the encrypted volume. That’s not a problem for me since I only want these files opened on a secure system (and so should you). The second catch is that the VeraCrypt program is required not just for creating the encrypted volumes, but for opening them as well. Fortunately we can install a portable copy of the program on the drive itself rather than having to install it on every system we want to use to access the USB.

There are a two ways to do this:

  1. Use the “Extract” installation method to simply put a copy of VeraCrypt.exe onto an unencrypted portion of the drive.
  2. Use the Traveler Disk Setup Tool.

I’m going to use the latter because it gives us a few more options and advantages.

There are two basic methods for creating VeraCrypt Volumes. I will call them the container method and the partition method. The container method is easier if you don’t want to mess about with multiple partitions and you do want the ability to store unencrypted files on the same device/partition. This is probably fine for most cases. But I need these drives to be cross-platform, which means they need to be formatted as FAT32. As you may know, FAT32 has a filesize limit of 4GB, and since the container itself is a file, our encrypted partition will be limited to 4GB. This may or may not be an issue for you, but I wanted my encrypted volume to be bigger, so I ended up going with the second method, which involves creating multiple partitions on the thumb drive and encrypting at least one in its entirety. I will walk through both methods.

But first we need to prepare our USB drive.

Prepare USB Drive

As always, back up any data you are worried about losing. It’s possible to encrypt with data in place, but the thumb drive will be erased during formatting in these examples.

For the container method, or if you don’t wish to include a portable version of VeraCrypt (if, for example, you will only be using your drives with machines that have VeraCrypt installed), simply format the whole drive as FAT32 as you normally would.

If you wish to use the whole partition method but you still want to include portable VeraCrypt, then you need to use something like gparted or Windows Disk Management to create at least two partitions. In this example I’m using an 8GB drive, so I’m going to create one 6GB partition which I will encrypt and leave the rest as an unencrypted volume which will hold the autorun script, the VeraCrypt portable program, and any other unencrypted files I feel like storing on the drive. There are lots of good tutorials on this process so I won’t cover it here. Just make sure they are both formatted as FAT32.

Install VeraCrypt

  1. Download VeraCrypt.
  2. Install on your system. I am using Windows 10 for this but, as mentioned, there are versions for Linux and Mac as well. However, it seems the Traveler Disk Setup Tool may not be available on non-Windows versions, so if you don’t have access to Windows, you may have to use the direct Extract method in place of it to install the portable version. But for now just install a system version regardless of your OS.

 

 

Create the Encrypted Volume

Container Method:

  1. Click Create Volume to open the volume creation wizard. It’s a pretty straightforward process and the defaults should generally be fine, but I’ll touch on the relevant options.
  2. Select Create an encrypted file container. This allows the partition to continue to store unencrypted files on the same volume.VeraCrypt-volume-container-creation-1
  3. Select Standard VeraCrypt Volume. Hidden Volumes are discussed below, but they must reside inside another VaraCrypt volume, so regardless, this must be done first.
  4. Select your USB drive location and choose a name for your container file. Do not chose an existing file; this is a new VeraCrypt Volume (.hc) file that VeraCrypt will create. In this example I’ve used the name foo.
    VeraCrypt-volume-container-creation-2
  5. The default Encryption Options should be fine.
  6. Specify how large you want the encrypted volume to be. If you have an NTFS filesystem, you can make the container size dynamic, but this is less secure and performance takes a hit. If you want it to eventually include a hidden volume within, take that into account as well. If your system is FAT/FAT32, you are limited to a maximum container size of 4 GB.  If you want a larger volume, follow the method below instead or else format the drive to NTFS or exFAT.
  7. Make sure you create a secure password. Use a long passphrase with multiple words and special characters, but make sure you will remember it. For ultimate security, memorization is the way to go, but if you absolutely need to write it down, store it in a physical, locked safe or in a secure password manager, nowhere else.
    VeraCrypt-volume-creation-5
  8. Now move the mouse about within the window as much as possible in order to generate randomness. The longer you do this, the more secure it will be, and there is a handy meter at the bottom to help with this.
  9. Click Format and wait for VeraCrypt to finish.

Whole Partition Method:

The process is the same as creating the encrypted volume above, but with the following differences:

  1. Partition the thumb drive as necessary, described in USB Prep.
  2. Select Create Volume
  3. Instead of selecting Create an Encrypted File Container as the first step, select Encrypt a non-system partition/drive.
    VeraCrypt-volume-creation-1
  4. Select Standard VeraCrypt Volume
  5. Chose your USB drive location. If you have multiple partitions, chose the one you want to serve as your encrypted volume.
  6. Assuming you have no existing files on the partition you wish to protect, select Create encrypted volume and format it. You can chose the other option to encrypt existing files, but it will be slower. I just formatted my drive so there’s nothing to save.
    VeraCrypt-volume-creation-3
  7. The rest of the defaults should be fine. Select Yes for Large Files if necessary, but otherwise leave at default No. Follow the same steps to set up a secure password and Format the volume as described in the container method above.

VeraCrypt Traveler Disk Setup

Follow these steps to include a portable copy of VeraCrypt on the unencrypted portion of the drive so you don’t need to install it on the system in order to open the encrypted volume.

  1. Open VeraCrypt.
  2. Tools > Traveler Disk Setup…
  3. Select your USB drive and options. If your drive has multiple partitions, be sure to select the unencrypted partition.
    Screenshot of Traveler Disk Setup options
    VeraCrypt Traveler Disk Setup

    To save disk space, don’t include the VeraCrypt Volume Creation Wizard unless you really need to create volumes on the go. You can set the drive to autorun when plugged in, although a system’s security settings may block it from doing so. If you’re using the container method, you can set autorun to automatically mount it here. Otherwise select Do nothing or Start VeraCrypt as desired.

  4. Click Create.

Open an Encrypted Volume

Once you’ve finished with any of these methods, the drive should automatically open VeraCrypt when plugged in. If not you can just navigate to VeraCrypt.exe on the unencrypted partition and open it.

  1. Click Select File…
  2. Click Auto-Mount Devices
  3. This will take a minute.
  4. When finished, the volume will appear as a Local Disk and can be used normally.

Creating a Hidden Volume

A hidden volume is a secret volume within another encrypted volume (whether container or partition). For the extra paranoid, this can prevent someone from seeing all your files in case you are coerced/forced into revealing your password. The parent volume will open, but the encrypted gibberish looks just like the free space of the parent volume, since the file system of the parent volume is not modified in any way.

The hidden volume’s password should be very different from the parent volume’s password. When mounting the drive, whichever password you enter, either the parent volume password or the hidden volume password, will determine which volume actually gets mounted. The only way to know a hidden volume is present is to enter the correct password.*

You should be sure to have at least some sensitive-looking files within the parent volume but outside of the hidden volume in order to throw off any intruders.

Within the Create Volume wizard, select the Create a hidden VeraCrypt volume option. The wizard should walk you through it just fine.

*The Internet says this isn’t foolproof, but close enough.

Close an Encrypted Volume

Make sure you both dismount the volume within VeraCrypt (Dismount all) and right-click > Eject the device before removing. Otherwise data loss may occur.

Photo credit: Dori (dori@merr.info)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s