Let's face, if anyone steal your USB stick, external hard drive or even
your laptop what will prevent from accessing your data? Have you
encrypted them? They would have access to all your financial data,
photos, your private communications, ...
There are legimitate secrets and your should protect them.
What will I teach you?
I will explain how to create your own private USB stick. You and you
alone will be able to read the data. The data on the USB stick will be
encrypted with a password of your choosing and only that password will
permit decryption. The downside is that you need a piece of software
that handles the encryption.
To illustrate what happens to the data I invite you to take a look at
the following images from Wikipedia's article on 'Block cipher mode of
(a technical term you don't have to understand to use encryption).
When an USB stick is not encrypted, to data looks like on the left: easy
to read. However encryption actively hides the data on the stick and
makes it look like noise to experts with forensic tools.
I choose Truecrypt for three reasons
- It is open-source and anyone can audit it. This means security
experts can take a look at how the software works and spot bugs,
and/or malicious code.
- It strongly adheres to industry standards such as AES. Truecrypt
doesn't invent their own unreviewed technology but uses technology
that is constantly analysed and reviewed for security.
- It is cross platform. It works on Windows, Mac OS X and Linux
distributions such as Ubuntu. Should you change your computer you
will be able to run Truecrypt and access your encrypted data.
You might ask: If the code is public and the standards it uses as well,
doesn't it make Truecrypt less secure? Actually the security resides in
a secret password you only know. The algorithms should be known because
they need to be trusted. How do you someone did not insert some malware?
How do you there are no easy ways to circumvent the encryption? To do
this there needs to be a way to check the code and the encryption
standards, that is why it is better for them to be open. There are
probably thousands of academics, security researchers, and other IT
geeks world wide who checks the securit of Truecrypt.
Let's encrypt our USB stick
Of course none of this would not make sense if you do not have a spare
USB stick. You can use an already existing USB stick but you will have
to backup all its data to your computer. You also need a conventional
computer with USB ports running Windows, Mac OS X or Linux (such as
Ubuntu) to use Truecrypt. You will need Admin rights on the computer.
Go to the following webpage: http://www.truecrypt.org/downloads
Click on the appropriate download link for your operating system. The
PGP signature is an additional file you can download to verify the
installer has not been tampered with between your computer and the
server. I won't cover it here but I will provide a link for more
information (link on more
Backing data on USB
Because encrypting the data on your USB stick will destroy all the data
on it, you want a backup. Backing up is not hard, you need to simply
make a copy of the files on the USB stick on your computer or anywhere
other storage device that is not your USB stick.
Insert your USB stick into your computer.
Open the drive and copy all of its content on your computer.
Remember where you have put your backed up data.
Encrypting USB stick
Start Truecrypt - Use the start menu on Windows, use Launchpad on Mac OS
X, use the dash on Ubuntu - You should be more or less greated with an
application that looks like this. (How it looks exactly depends on your
Press on button 'Create Volume', a new window will pop up called
'TrueCrypt Volume Creation Wizard'.
Choose 'Create a volume within a partition/drive' and the press on
'Next'. This tells TrueCrypt that you will encrypt your data on a
physical device .
Choose 'Standard TrueCrypt volume' and press 'Next'. (The other option
is quite advanced and requires some experience with TrueCrypt).
You are now greeted with a 'Volume Location' chooser window. Press on
'Select Device'. You will be presented with a list of devices in a new
window. This is the trickiest part as you need to find which devices to
To find which device is your USB stick go find the one that satisfies
the following conditions:
- It should have the correct name - On Mac OS X it may look like
/Volumes/, on Linux /media/, ...
- Look at the sizes of the devices, it should be small (dozen of GB)
and match the size of the USB stick
Select the correct device and click OK. If you can't find your device,
make sure your USB stick is plugged in. You will go back to the previous
screen. Press 'Next', you will be greeted with a Warning, read it
carefully. When you encrypt your device all the data on it will be lost.
Since you have done a backup you should be OK, so press 'Yes'.
Type in your administrator password, and you will be greeted with yet
another Warning. Think hard and if you are sure you want to have an
encrypted device and have a backup like I told you to do, press 'Yes'.
A window will show up giving you a list of option for encryption. AES is
the 'Advanced Encryption Standard', and is an industry standard
encryption algorithm. You don't have to do anything as AES is usually
the fastest and the most well-tested. The Hash Algorithms relates to how
the encryption password will be used. Leave the default. Press 'Next'.
Now you need to choose a good encryption password. Don't bother with
keyfiles because you might lose them. Read the instructions regarding
the password. Additionally here are my recommendations:
- Don't use a password you use somewhere else like your email. For
instance if you use your email provider password, your email
provider will be able to access your data.
- Don't share your password, don't store it in an email. If you have
to write it down, write it down on some paper no one will be able to
access. But I recommend you memorize it. Practice a few times on a
- If you don't like special characters, you can follow the
recommendations from http://correcthorsebatterystaple.net/ and
https://xkcd.com/936/. I prefer to use many random words as it is
easy to write on non conventional keyboards. But you need to use at
least 5 completely random words.
Type your chosen password and press 'Next'. Leave the default options,
i.e. 'I will not store files larger than 4 GB on the volme'. Choosing
otherwise might prevent you from reading your USB stick on other
operating systems than your own (like Mac OS X, Ubuntu, ...). Press
Leave filesystem type 'FAT'. 'FAT' is readable on Mac OS X, Windows and
Linux (like Ubuntu). FAT is unrelated to encryption. First your data is
encrypted then formatted under 'FAT', so choosing a Linux only or Mac OS
X only filesystem serves little purpose and provides no security. The
security lies in the encryption, not OS support. Press 'Next'.
Now for about a minute, press on a few random keys on your keyboard and
move the mouse around but leave focus on the TrueCrypt window. This
protects against some attacks against encryption by creating random data
from your action. Don't do it for too long as it quickly becomes
pointless. Don't enable 'Quick Format' and press 'Format'. Once again
you will be greeted by a Warning, press 'Yes' if you have done a backup.
It is encrypting, so wait for a while. All the bits on the USB sticks
will be encrypted, for this reason it takes time (encrypting everything
even unused data enhances security). Actual usage of the encryption /
decryption will be much faster.
You are done, don't encrypt another drive, just press cancel.
How to access your encrypted USB stick?
To access your data, you need to use Truecrypt to 'mount' the encrypted
drive on your computer. 'Mounting' means creating a link between the
computer operating systems and the encrypted contents on the hard drive.
Run Truecrypt, you get back to the original screen. This time press on
Select the appropriate device.
Press on 'Mount'.
Enter your encryption password and press 'OK', and enter your computer
Tada it is mounted, a new drive should be accessible in your computer.
On Windows you should be able to acces it through 'My Computer', on Mac
OS X through Finder, and on Linux (e.g. Ubuntu) whatever is your file
Copy over the data your have backup. Once you are done with accessing
your encrypted USB stick, your need to unmount first. To do you need to
go back to Truecrypt, select the appropriate slot and press 'Dismount'.
You don't need to select any device through the 'Select Device' button.
For more information
Here are some useful links to get more information about Truecrypt:
- For Windows:
- For Mac OS X:
- For Ubuntu: https://help.ubuntu.com/community/TrueCrypt