Getting to grips with thumb drive encryption

Join us in welcoming Matt Trinca, the newest addition to TR’s roster of bloggers.

I recently found myself in the market for a new thumb drive. In the process of doing exhaustive research for the purchase, I discovered a plethora of options, particularly with regard to security. I was both impressed and a little intimidated by some of the security features offered—I half-expected some of these drives to come with a cyanide capsule in case of capture.

My last name being neither Bauer nor Bourne, someone accessing the contents of my flash drive is not my worst fear. My worst fear involves rabid sharks with lungs that allow them to breathe on land. But enough about my crippling phobias. I think it’s fair to say we all have sensitive data we’d rather not share with the world at large: Outlook PST files, financial information, blog posts for our Billy Joel fan page, etc. After giving the matter a little more thought, I came to the conclusion that I didn’t really need a new thumb drive. What I needed was a way to secure some of the data on my existing thumb drives. That seemed easily doable with some third-party software.

I briefly considered using BitLocker, the encryption tool built directly into Windows 7 Ultimate. However, a look at its limitations convinced me otherwise. BitLocker allows versions of Windows from XP on up to read encrypted data, but write privileges are restricted to Windows 7 Enterprise or Ultimate—something pretty rare amongst my circle of friends. Furthermore, BitLocker seems to be an all-or-nothing deal—you encrypt either the entire drive or none of it.

I ultimately decided on TrueCrypt, a free, open-source disk encryption tool compatible with any version of Windows from XP onward, as well as Mac OS X and Linux. TrueCrypt encrypts file names, contents, and metadata on the fly using a wide variety of encryption algorithms. If you are willing to devote some time to the subject, both the program and the TrueCrypt website provide details about each encryption method. In short, though, anything locked down with TrueCrypt is a tightly closed book. I think it’s fair to say that the FBI would agree, having failed to crack open TrueCrypt-encrypted hard drives seized as part of a criminal investigation over a year ago.

Being new to the program, I chose all the default installation options—it felt a little early to start customizing. My life experience so far is certainly vivid proof of the saying, “A little knowledge can be a dangerous thing,” and I assumed this was doubly true when it came to matters of encryption. The installation process was straightforward and uneventful. Once it finished, I returned to the website to get a general sense of the program and check out the FAQ.

I discovered one major caveat while reading through the TrueCrypt tutorial: when run in portable mode (i.e. off the USB drive itself), the software requires administrator privileges. That can certainly pose a problem at most workplaces or Internet cafés. However, if you’re spending your time at work or at the Internet café poring over plans to overthrow the government, intently scrutinizing bank safe blueprints, or merely looking at, ahem, “modeling” photos, I would suggest reevaluating both your work ethic and desire to remain discreet. For my own personal use, this limitation wasn’t a deal-breaker—I was just looking to maintain some semblance of privacy in the event my thumb drive was lost or stolen.

While reading the comprehensive FAQ, I saw I had two choices: either encrypt the entire USB drive (and everything on it) or create an encrypted file container. The second option appealed to me, since I often carry around files to share with friends and colleagues. The idea of being able to loan the drive on a temporary basis while still maintaining a private sphere of files seemed ideal.

It was time to get to work. I launched TrueCrypt and chose “Create Volume” from the main window, at which point the program walked me through creating the container file.

TrueCrypt presented a number of security options along the way, and I generally rolled with the suggested defaults, for simplicity’s sake. As you can see from the screenshot below, the program offers a basic level of detail on the methods selected, as well as links that provide even more information.

After accepting the default encryption settings, I was given the chance to determine the size of the container file, as well as the password required to open it. With that done (and I should note that my password was strongly frowned upon by TrueCrypt for being shorter than 20 characters), I was greeted with the following screen:

This screen encourages the user to move his mouse as randomly as possible to “increase the cryptographic strength of the encryption keys.” I followed the directions in the interest of security, all the while unnerved by how much such random, meaningless mouse movements closely resembled a typical day at the office for me.
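As an added illustration (not TrueCrypt's own code or its real entropy-pool algorithm), here is a simplified Python model of why the mouse-wiggling step matters: each mouse sample is folded into a hash pool, and a crude entropy estimate on the sample deltas shows that a regular, predictable movement contributes nothing while jittery movement does. The sample data, function names and the estimator are constructed for this example.

```python
import hashlib
import math
import random
from collections import Counter

KEY_BITS = 256  # the key size the pool is meant to feed (assumed for this example)

def mix_samples(samples, pool=b""):
    """Fold (x, y, timestamp) mouse samples into a hash-chained pool.
    Simplified model: TrueCrypt's actual pool mixing is different."""
    for x, y, t in samples:
        pool = hashlib.sha256(pool + f"{x},{y},{t}".encode()).digest()
    return pool  # 32 bytes of pool state

def shannon_bits(symbols):
    """Shannon entropy (bits per symbol) of an observed symbol sequence."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def entropy_per_sample(samples):
    """Estimate entropy carried by each sample from position/timing deltas.
    Crude and optimistic for short sequences; real estimators use min-entropy."""
    deltas = [(x2 - x1, y2 - y1, t2 - t1)
              for (x1, y1, t1), (x2, y2, t2) in zip(samples, samples[1:])]
    return shannon_bits(deltas)

def enough_for_key(samples, key_bits=KEY_BITS):
    """True if the estimated total entropy covers key_bits."""
    return entropy_per_sample(samples) * (len(samples) - 1) >= key_bits

# Constructed input 1: a perfectly regular straight-line drag (no entropy).
STRAIGHT = [(i, 0, 10 * i) for i in range(200)]

# Constructed input 2: seeded jitter standing in for a human moving "randomly".
def jittery_samples(n=200, seed=7):
    rng = random.Random(seed)
    x = y = t = 0
    out = []
    for _ in range(n):
        x += rng.randint(-5, 5)
        y += rng.randint(-5, 5)
        t += rng.randint(8, 20)
        out.append((x, y, t))
    return out

if __name__ == "__main__":
    for name, s in (("straight", STRAIGHT), ("jittery", jittery_samples())):
        print(name, round(entropy_per_sample(s), 2), "bits/sample",
              "enough" if enough_for_key(s) else "NOT enough", mix_samples(s).hex()[:16])
```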

Following that, I clicked Format. After a few short minutes, TrueCrypt announced that the container had been created. I could now rest easy knowing there was someplace safe to store my Buffy fan fiction blueprints for building a perpetual motion device.

In order to make TrueCrypt accessible anywhere I have appropriate admin rights, I copied the entire TrueCrypt folder from my Program Files directory onto the root of my thumb drive. I then removed the thumb drive from my computer and plugged it back in to experience the unlocking process from the beginning.

With the drive back in, Windows gave me a set of typical AutoPlay options. I chose “Open folder to view files” and was soon viewing the TrueCrypt folder and a generic-looking file titled admin (my container file). To unlock that file, I simply launched the TrueCrypt executable on the drive, chose “Select File” from the main program window, navigated to the admin file, clicked “Mount,” and entered the password when prompted.

At this point, Windows mounted my container file with a separate drive letter, giving me full read and write access. The encryption and decryption of files inside the container was completely transparent to me, and the bit-shuffling process didn’t seem to affect the time it took to create, save, copy, or edit files. The USB 2.0 interface was presumably the real bottleneck—even on low-end processors, TrueCrypt encrypts and decrypts data more than quickly enough to saturate that interface.

There’s probably a lot about this setup that could be improved and tweaked over time. For now, though, it’s a definite improvement over a complete lack of encryption. This approach is also quite economical, since it allows you to add robust encryption to an existing thumb drive with software that’s available free of charge.

Comments closed
    • Dirge
    • 9 years ago

    The deal breaker when running TrueCrypt on a portable drive is the requirement of administrator privileges. Things become a lot less mobile when you can’t access your data where you want, when you want.

    I will wait until things become a little more portable and tweaked over time.

    • wira020
    • 9 years ago

    I hope they’ll have a feature to wipe the protected file after a certain amount of tries to unlock… or do they have it already? Last time I tried using it, I was totally lost.. so I gave up and uninstalled it.. for now, Kaka Folder Protector is good enough for me… it’s free and small (portable too, just 1 exe).. very simple and it hides the content…

    • Majiir Paktu
    • 9 years ago

    TrueCrypt is blindingly fast, and in some cases it apparently

    • Rakhmaninov3
    • 9 years ago

    Welcome to TR! Great post — educational and entertaining at the same time. Maybe I’ll dl TrueCrypt and give it a shot since it appears to be so easy.

    • FuturePastNow
    • 9 years ago

    BitLocker is not as restrictive as you seem to think. Although you do need Ultimate or Enterprise to create/initialize a BL drive, once the drive is created, you can open it and write to it from any Windows 7 edition.

    /and the free trial edition of Enterprise works for creating them

    • Kurkotain
    • 9 years ago

    a man has to protect his

    • Ditiris
    • 9 years ago

    “We use TrueCrypt at my workplace, and I’d have to say it’s a piece of garbage, not only is it buggy but we’ve had it cracked on multiple occasions even through just a network. There has got to be better encryption software out there >.<”

    I use TrueCrypt daily.

    I find your comments ignorant at best, since saying TrueCrypt has been “cracked” is tantamount to saying AES, Serpent, and Twofish have all been “cracked,” which they have not. These are all publicly accessible ciphers which have withstood close scrutiny by the best minds in cryptanalysis. AES would not be approved by the NSA for encryption of top secret data had it been cracked.

    Now, as to other exploits, specifically side-channel attacks and the various exploits used against TrueCrypt specifically, those are not the fault of the software or the cipher, but the user. The weakest link is generally the evolved ape banging on the keys in front of the keyboard. Installing a keylogger is exponentially more easy than all of the known exploits.

    I also disagree with the software being buggy. The only problem I’ve ever had (and continue to have) is the encryption of very large volumes (>1TB) in Windows, which I am perfectly comfortable blaming on Windows.

    TrueCrypt and GPG are both fine products.

      • nightprowler
      • 9 years ago

      “I also disagree with the software being buggy. The only problem I’ve ever had (and continue to have) is the encryption of very large volumes (> 1TB) in Windows, which I am perfectly comfortable blaming on Windows.” What problem do you have with encrypting large volumes?

    • derFunkenstein
    • 9 years ago

    Great first post, looking forward to more.

    • indeego
    • 9 years ago

    “That can certainly pose a problem at most workplaces or Internet cafés.” Considering both of those are somewhat likely to have keyloggers, this would be a very unwise place to run anything requiring a password entry.

      • tay
      • 9 years ago

      You could always encrypt with a file. Anyway, there is not much to protect your data if you use it on an already compromised system.

      • Convert
      • 9 years ago

      Keyloggers at work?

        • indeego
        • 9 years ago

        Yep, they exist on the software and hardware side, even in corps.

          • Convert
          • 9 years ago

          All things considered in this situation, work would be one of the safest places, provided the IT staff were worth their paychecks. I mean heck, I am less likely to get my work PC infected than my home one with something (note: I have not infected my home PC for as long as I can remember). Even if there were loggers, it is more likely the people using them would not even know what to do with the encryption key, they would be after CC numbers, website login info or corporate data.

            • indeego
            • 9 years ago

            Have you ever worked IT in a corp? It is sometimes/always requested that IT place keyloggers on machines, log all traffic/sites visited, etc. Some corps do it by default. I’m saying encryption is fairly useless if you don’t consider the environment it’s used in. There’s no guarantee that the logs get nabbed somehow later on.

            Considering Google and 100+ other companies were breached in January, I don’t think the salt of IT really matters; assume any machine you don’t control is compromised and you are better off.

            And lest you think I’m paranoid, why are YOU encrypting in the first place?

    • sweatshopking
    • 9 years ago

    who’s this matt guy, and how come he has a blog? everyone knows i’m the best poster, as well as scott’s BFF. where’s my blog post?! I have a piece done up on how to get wireless cameras for your neighbors bedroom, it would be great on a tech blog like this!

      • wira020
      • 9 years ago

      Dude, USB encryption is way cooler than your idea.. This article has complicated stuff like AES, FIPS and stuff.. Try harder ;P

    • StuG
    • 9 years ago

    We use TrueCrypt at my workplace, and I’d have to say it’s a piece of garbage, not only is it buggy but we’ve had it cracked on multiple occasions even through just a network. There has got to be better encryption software out there >.<

      • Asbestos
      • 9 years ago

      I’ve been using it for years and never had any bugs. Care to elaborate? And the encryption wasn’t cracked. You must have been using it wrong.

      • Convert
      • 9 years ago

      I don’t personally use it so I can’t comment on reliability but it hasn’t been “cracked” to my knowledge.

      I know of a couple different techniques that can get the key, such as a bootkit that acts as a keylogger or simply retrieving the contents of your RAM and searching for the key. The former only works on full volume encryption during boot though.

        • Fighterpilot
        • 9 years ago

        The key wouldn’t be available for retrieval from RAM if the OS page file is set to delete on shutdown.

          • Convert
          • 9 years ago

          Interestingly enough, it’s actually possible to make a copy of what’s in memory even if the module is pulled from the system and put in another one; it’s very time sensitive as the charge dissipates, but it’s still possible.

      • Spotpuff
      • 9 years ago

      Any details on cracking TC? Cause I’m sure I am not the only interested party.

      • indeego
      • 9 years ago

      “cracked on multiple occasions even through just a network.” Disk encryption isn’t present at all at the network/share level.

    • YellaChicken
    • 9 years ago

    Welcome Matt (Welcome Matt! Muhahahahaa, never heard that one before have ya?)

    Sorry, crap joke, welcome to TR. 🙂

    I’ve always figured I should encrypt my thumb drives and just never bothered looking into it, cheers for the info on TrueCrypt and I may well join the ranks of its users after reading this.
