Getting to grips with thumb drive encryption

Join us in welcoming Matt Trinca, the newest addition to TR's roster of bloggers.

I recently found myself in the market for a new thumb drive. In the process of doing exhaustive research for the purchase, I discovered a plethora of options, particularly with regard to security. I was both impressed and a little intimidated by some of the security features offered—I half-expected some of these drives to come with a cyanide capsule in case of capture.

My last name being neither Bauer nor Bourne, someone accessing the contents of my flash drive is not my worst fear. My worst fear involves rabid sharks with lungs that allow them to breathe on land. But enough about my crippling phobias. I think it's fair to say we all have sensitive data we'd rather not share with the world at large: Outlook PST files, financial information, blog posts for our Billy Joel fan page, etc. After giving the matter a little more thought, I came to the conclusion that I didn't really need a new thumb drive. What I needed was a way to secure some of the data on my existing thumb drives. That seemed easily doable with some third-party software.

I briefly considered using BitLocker, the encryption tool built directly into Windows 7 Ultimate. However, a look at its limitations convinced me otherwise. BitLocker allows versions of Windows from XP on up to read encrypted data, but write privileges are restricted to Windows 7 Enterprise or Ultimate—something pretty rare amongst my circle of friends. Furthermore, BitLocker seems to be an all-or-nothing deal—you encrypt either the entire drive or none of it.

I ultimately decided on TrueCrypt, a free, open-source disk encryption tool compatible with any version of Windows from XP onward, as well as Mac OS X and Linux. TrueCrypt encrypts file names, contents, and metadata on the fly using a wide variety of encryption algorithms. If you are willing to devote some time to the subject, both the program and the TrueCrypt website provide details about each encryption method. In short, though, anything locked down with TrueCrypt is a tightly closed book. I think it's fair to say that the FBI would agree, having failed to crack open TrueCrypt-encrypted hard drives seized as part of a criminal investigation over a year ago.

Being new to the program, I chose all the default installation options—it felt a little early to start customizing. My life experience so far is certainly vivid proof of the saying, "A little knowledge can be a dangerous thing," and I assumed this was doubly true when it came to matters of encryption. The installation process was straightforward and uneventful. Once it finished, I returned to the website to get a general sense of the program and check out the FAQ.

I discovered one major caveat while reading through the TrueCrypt tutorial: when run in portable mode (i.e. off the USB drive itself), the software requires administrator privileges. That can certainly pose a problem at most workplaces or Internet cafés. However, if you're spending your time at work or at the Internet café poring over plans to overthrow the government, intently scrutinizing bank safe blueprints, or merely looking at, ahem, "modeling" photos, I would suggest reevaluating both your work ethic and desire to remain discreet. For my own personal use, this limitation wasn't a deal-breaker—I was just looking to maintain some semblance of privacy in the event my thumb drive was lost or stolen.

While reading the comprehensive FAQ, I saw I had two choices: either encrypt the entire USB drive (and everything on it) or create an encrypted file container. The second option appealed to me, since I often carry around files to share with friends and colleagues. The idea of being able to loan the drive on a temporary basis while still maintaining a private sphere of files seemed ideal.

It was time to get to work. I launched TrueCrypt and chose "Create Volume" from the main window, at which point the program walked me through creating the container file.

TrueCrypt presented a number of security options along the way, and I generally rolled with the suggested defaults, for simplicity's sake. As you can see from the screenshot below, the program offers a basic level of detail on the methods selected, as well as links that provide even more information.

After accepting the default encryption settings, I was given the chance to determine the size of the container file, as well as the password required to open it. With that done (and I should note that my password was strongly frowned upon by TrueCrypt for being shorter than 20 characters), I was greeted with the following screen:

This screen encourages the user to move his mouse as randomly as possible to "increase the cryptographic strength of the encryption keys." I followed the directions in the interest of security, all the while unnerved by how much such random, meaningless mouse movements closely resembled a typical day at the office for me.

Following that, I clicked Format. After a few short minutes, TrueCrypt announced that the container had been created. I could now rest easy knowing there was someplace safe to store my Buffy fan fiction blueprints for building a perpetual motion device.

In order to make TrueCrypt accessible anywhere I have appropriate admin rights, I copied the entire TrueCrypt folder from my Program Files directory onto the root of my thumb drive. I then removed the thumb drive from my computer and plugged it back in to experience the unlocking process from the beginning.

With the drive back in, Windows gave me a set of typical AutoPlay options. I chose "Open folder to view files" and was soon viewing the TrueCrypt folder and a generic-looking file titled admin (my container file). To unlock that file, I simply launched the TrueCrypt executable on the drive, chose "Select File" from the main program window, navigated to the admin file, clicked "Mount," and entered the password when prompted.

At this point, Windows mounted my container file with a separate drive letter, giving me full read and write access. The encryption and decryption of files inside the container was completely transparent to me, and the bit-shuffling process didn't seem to affect the time it took to create, save, copy, or edit files. The USB 2.0 interface was presumably the real bottleneck—even on low-end processors, TrueCrypt encrypts and decrypts data more than quickly enough to saturate that interface.
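The GUI steps above (Create Volume, accept the default cipher, set a size and password, gather randomness, Format, then Select File and Mount) as an added example that is not part of the original post: the same workflow driven from TrueCrypt's text-mode command line on its Linux build. The flag names are assumed from TrueCrypt's own `--help` output (VeraCrypt, its successor, accepts the same syntax); `TC_BIN`, `TC_DRY_RUN` and the helper functions are this example's own. The password is deliberately not passed as an argument, since it would be visible in process listings and shell history; TrueCrypt prompts for it instead. The mouse-wiggling step of the GUI maps to `--random-source`; leave it out and the text-mode tool asks you to type random characters instead.

```shell
#!/bin/sh
# Added example (not from the original post): TrueCrypt file-container
# workflow from the text-mode CLI. Assumes TrueCrypt 7.x Linux flag names.

TC_BIN="${TC_BIN:-truecrypt}"   # assumption: binary name on PATH

# Run the TrueCrypt binary with the given arguments. With TC_DRY_RUN=1 the
# command line is printed instead of executed, so the flag set can be
# inspected (or unit-tested) on a machine without TrueCrypt installed.
tc_run() {
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then
        printf '%s' "$TC_BIN"; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    command -v "$TC_BIN" >/dev/null 2>&1 || {
        printf '%s: not found on PATH\n' "$TC_BIN" >&2
        return 127
    }
    "$TC_BIN" "$@"
}

# Pre-flight check matching the warning the post describes: TrueCrypt frowns
# on passwords shorter than 20 characters. Returns 0 when the length is fine.
tc_password_ok() {
    [ "${#1}" -ge 20 ]
}

# Create a file container ("admin" in the post) of the given size, e.g. 64M.
# Mirrors the post's choices: a normal (non-hidden) volume, AES, the default
# RIPEMD-160 key-derivation hash, and a FAT filesystem so any Windows version
# can read the mounted volume. No keyfiles, so only the password is prompted.
tc_create() {
    container="$1"; size="$2"
    tc_run --text --create "$container" --volume-type=normal --size="$size" \
        --encryption=AES --hash=RIPEMD-160 --filesystem=FAT -k "" \
        --random-source=/dev/urandom
}

# Mount the container at a directory; this is the "Select File" + "Mount"
# step. --protect-hidden=no skips the hidden-volume prompt.
tc_mount() {
    container="$1"; mountpoint="$2"
    tc_run --text -k "" --protect-hidden=no "$container" "$mountpoint"
}

# Dismount by container path (the GUI's "Dismount" button).
tc_dismount() {
    tc_run --text --dismount "$1"
}

# Show what is currently mounted.
tc_list() {
    tc_run --text --list
}

# Usage (interactive; TrueCrypt prompts for the password):
#   tc_create /media/usb/admin 64M
#   tc_mount  /media/usb/admin /mnt/private
#   tc_list
#   tc_dismount /media/usb/admin
```

Run the functions with `TC_DRY_RUN=1` first to see exactly which flags will be passed before touching a real drive. The mount point must already exist, and mounting needs the same administrator rights the post mentions for portable mode on Windows (root, or a sudo rule for the TrueCrypt binary).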

There's probably a lot about this setup that could be improved and tweaked over time. For now, though, it's a definite improvement over a complete lack of encryption. This approach is also quite economical, since it allows you to add robust encryption to an existing thumb drive with software that's available free of charge.
