Friday, June 18, 2010

How to encrypt a USB flash drive

Summary: Recommendations for protecting sensitive data on a USB drive.
I recently lost my primary USB flash drive (the key chain broke), so I had to go over the exercise of setting up a new one using my favorite drive encryption software: TrueCrypt. I don't do this very often, and every time it takes me some time to recall the correct procedure and reconstruct my basic USB flash drive setup, so I thought I'd outline these step here. Hope it will help someone else.
  1. Download and run TrueCrypt on your computer
    TrueCrypt can run in (semi-)portable mode, so you have an option of either installing it on your computer or simply downloading and executing the program.

  2. Create encrypted container on the USB drive
    This container is just a file with space allocated for the encrypted volume. TrueCrypt will use this file as a virtual drive (volume) that you can map as a regular drive letter. Follow these steps:
    • In the main TrueCrypt application window, click the Create Volume button:
    • In the TrueCrypt Volume Creation Wizard, select the Create an encrypted file container option, and click Next:
    • In the Volume Type dialog box, select the Standard TrueCrypt volume option:
    • In the Volume Location dialog box, use the Select File button and navigate to the drive mapped to your USB drive; then enter the name of the file you want to create (you can give any name and extension to this file):
    • In the Encryption Options dialog box, select AES for encryption algorithm and SHA-512 for hash algorithm (if you wish, you can use another combination of options):
    • In the Volume Size dialog box, specify the size of file that you will allocate for the encrypted volume. Make sure that you leave some space for regular (unencrypted) storage. You will need this space to store the TrueCrypt binaries and possibly other files (more on these later). If you are not sure how much space you need to allocate, just use ~75% for encrypted storage, i.e. for a 4 GB USB drive, use 3 GB for encrypted storage (75% of 4 GB = 3 GB):
    • In the Volume Password dialog box, enter the password that you will use to access the encrypted volume (make sure you can remember this password):
    • In the Volume Format dialog box, select the file system type (I prefer NTFS, but you can use another), and click Format:
    • Confirm the operation and wait until TrueCrypt creates and formats the encrypted container (file). When done, click the Exit button to close TrueCrypt Volume Creation Wizard.

  3. Install TrueCrypt software on the USB drive
    If you expect to use your encrypted drive on a system where TrueCrypt is not installed, you need to keep the necessary TrueCrypt files along with your encrypted container. Do the following:
    • Switch back to the main TrueCrypt application window and select the Tools-Traveler Disk Setup... menu option.
    • In the Traveler Disk Setup dialog box, specify the root location of the USB drive and uncheck the Include TrueCrypt Volume Creation Wizard option (since you have already created one). Select the Auto-mount TrueCrypt volume option and specify the encrypted container file you created in the previous step. You can adjust these and other options to your liking:

    • Click the Create button and once the operation completes, close the Traveler Disk Setup dialog box.
    • You can close the main TrueCrypt program window.
At this point your USB drive will have an encrypted container that you can mount as a drive, as well as all necessary TrueCrypt components (for use on systems where TrueCrypt is not installed).

Here are additional changes that improve my experience with TrueCrypt and your USB drive:
  • Autorun.inf file
    The default autorun.inf file created by TrueCrypt is fine, but I normally make a couple of changes. E.g. I like all TrueCrypt's Windows shell context menu items to be grouped together, so I rename them. Here is the contents of my autorun.inf file (if you decide to use it, make sure that you reference the correct location of the TrueCrypt.exe file, as well as the container file):

    autorun.inf
    [autorun]
    label=Cruser2GB
    icon=TrueCrypt\TrueCrypt.exe
    action=TrueCrypt: Auto-mount volume
    open=TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "volume.tc"
    
    shell\start=TrueCrypt: Run from USB
    shell\start\command=TrueCrypt\TrueCrypt.exe
    
    shell\dismount=TrueCrypt: Dismount all volumes
    shell\dismount\command=TrueCrypt\TrueCrypt.exe /q /d
    
    shell\mount=TrueCrypt: Mount volume
    shell\mount\command=TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "volume.tc"
  • Helper batch scripts
    The autorun.inf file works great on older versions of Windows, but unfortunately Windows 7 (and I expect later versions) only recognizes the label and icon settings. So, if you plug the USB drive into a USB port on a system running Windows 7, it will neither auto-mount the drive, nor will it show the TrueCrypt's shell context menu options. To make it easier to mount and unmount the volumes, I use the following batch scripts (I put them in the root folder of the USB drive):

    mount.bat
    @echo off
    start %~dp0\TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "volume.tc"
    Notes: The start command hides the command-line window (without it, you will need to close the window manually). When using this script, make sure that it references the correct location of the TrueCrypt.exe file and your volume container.

    unmount.bat
    @echo off
    %~dp0\TrueCrypt\TrueCrypt.exe /q /d
  • Auto-runner
    As an alternative to the batch scripts I mentioned above, you may want to try the AutoRunner.exe program attached to the Windows 7 - Autorun on USB drives post on SevenForums. When you launch this program, it will auto-mount the TrueCrypt volume and create the shell context menus defined in the autorun.inf file on Windows 7. The main problem with this program is that once launched, it will continue running until you kill it in the TaskManager (there seems to be no other interactive way to close the program). And you will need to kill it when you need to remove the USB drive. If you want to use this program, copy the executable to the root folder of the USB drive.

  • Safely remove drive helper
    The built-in Windows' Safely Remove Hardware feature has been and still is (even in Windows 7) one of the most user-unfriendly interfaces. As an alternative, you can try Uwe Sieber's Remove Drive program. When you run this program from a USB drive, it will keep trying to safely remove the drive until it succeeds or you cancel it. The program will give you a chance to close all open files and perform other cleanup that you may need to do before unplugging the drive. Note: Even though you launch the program from the USB drive, it will actually clone itself in a temporary folder and run from there (sweet! I wish AutoRunner.exe were as smart). Assuming that you extract the Remove Drive files in RemoveDrive folder under the root of your USB drive, you can use the following batch script to launch it with appropriate command-line parameters (place this batch file in the root folder of the USB drive):

    saferemove.bat
    @echo off
    if defined ProgramFiles(x86) (
    %~dp0\RemoveDrive\x64\RemoveDrive.exe %~d0 -L -i -b
    ) else (
    %~dp0\RemoveDrive\Win32\RemoveDrive.exe %~d0 -L -i -b
    )
As the very last thing, I add a readme.txt file to the root folder with my phone number in case I lose it next time. I don't actually count that a person who finds it will return the drive to me, but you never know: there are some good people out there.

5 comments:

  1. So many steps!I know truecrypt is the most popular encryption software, but it is not good to encrypt portable storage media. As for encrypting portable storage media like USB drive, I'd prefer easy-to-use and portable USB encryption software, just like this usb drive encryption software I got from giveaway.com

    ReplyDelete
  2. There may be better (commercial) alternatives for USB drive encryption (I haven't tried them, though), but to claim that TrueCrypt is not good for protecting portable storage media, you would need to explain why. There are more steps than may have been needed (many could've simply used reasonable defaults), but it's a one time thing which takes about a minute or so (plus time to format the container).

    ReplyDelete
  3. Great blog.....followed your instructions and everything went flawlessly. I lost my flash drive with sensitive info and now will never own a flash drive without encryption. In addition, the price was right for TrueCrypt software....free! Thanks again!

    ReplyDelete
  4. Thanks for the feedback, Donald.

    ReplyDelete
  5. I think truecrypt is better Option for that .There may be other ways .
    but really i liked ur post . Thanks !

    usb flash drives

    ReplyDelete