Flash file security
How to secure flash drives for transport.
Working at home has become a way of life for many of us, and even with COVID-19 seemingly coming to an end, many people will continue to do so. For many workers, however, there are logistical challenges with getting digital files to and from the office. Sometimes project files may simply be too big to relay back and forth over the internet, or there may not be the infrastructure available in your business to allow you to work on files remotely.
That’s where, for many people, the flash drive comes in. They load files onto a flash drive for transport between home and work. Needless to say, that’s somewhat fraught from a security perspective – a lost or stolen flash drive doesn’t just mean lost work, it can mean a massive breach in business security.
The ideal solution, of course, is to stop using flash drives and for the IT manager to set up a proper remote access/remote control system for business applications and files. If that’s not going to happen any time soon, however, there are some ways to better make sure that you flash drive files are secure.
Hardware encrypted drives
The first solution is the hardwareencrypted flash drive. These are special (and notably more expensive) flash drives that have a special chip in them that handles encryption and decryption. Examples include the Kingston Ironkey and DT Vault lines ( www. kingston.com), the DatAshur line of products ( istorage-uk.com) and Apricorn’s Aegis line of products ( apricorn.com).
There are, broadly speaking, two forms that these encrypted drives come in: those with and those without keypads.
Those without keypads use a software agent to activate the internal drive encryption/ decryption tools. Typically, when you plug them in, you’ll see a small partition created that just has the software to unlock the drive. You open that drive letter, and run the app, which then prompts you to enter the password. A correct password will then unlock a different partition/drive letter on which you can store all your data.
These flash drives are, generally speaking, very secure, though you do need to check which operating systems are supported before you buy since you do need to run an app to unlock the drive (the Ironkey, for example, supports Windows, Mac and Linux). They are also slightly vulnerable to keyloggers and can potentially be brute forced if you use a weak password.
If you can overcome the sticker shock, however, an even more secure type of hardwareencrypted flash drive is available. These drives, such as Aegis Secure Key 3.0 and DatAshur PRO have physical keypads with PIN entry to unlock the drive. Using them is very simple: you plug them in, press the unlock key and then enter the pin number for the drive, hopefully without snapping the USB key or breaking the USB port by pressing down on the buttons too hard. A drive letter should then appear on your PC.
These have the virtue that
they’re invulnerable to keyloggers and cannot be brute forced (well technically they can, but not by software – the thief will need a lot of patience to break a six or seven digit code). They’re also platform agnostic, since they don’t require a software agent to unlock.
Software encryption
If you don’t want to fork out for a hardware encrypted drive, however, there are a variety of software solutions available. One of the simplest is BitLocker To Go, which is built into Pro, Enterprise and Education versions of Windows 10, but is unaccountably missing from the Home edition.
If you have a version of Windows at home that supports it, just plug your USB drive in and type bitlocker in the search bar to bring up the BitLocker control panel. Then follow the Wizard to encrypt the drive with a password and create a recovery key. The drive can be accessed on any other Windows PC that also supports BitLocker just by plugging it and clicking on it in File Explorer, which will bring up the BitLocker password entry box.
For the majority who don’t have a supported version of Windows, however, we recommend VeraCrypt ( www.veracrypt.fr), a free and open source tool that provides very powerful encryption. To use it, VeraCrypt will typically need to be installed on every PC that intends to access the contents of the drive. To encrypt a drive you:
1 Plug in the flash drive.
2 Run VeraCrypt.
3 Go to Tools->Volume Creation Wizard.
4 Choose to encrypt a nonsystem partition/drive and create a standard drive.
5 Find the drive and partition you want to encrypt (ie. the partition on the flash drive; if there is no partition on there it can create a new one by selecting the drive instead of the partition).
6 Choose to encrypt the files that are already there or delete them. 7 Leave the default encryption options in place.
8 Give it a password.
9 Enable large files.
10 Let the encryption begin!
Once you’ve done that, in order to access the contents of the drive on any computer, you’ll have to start the VeraCrypt app on the computer. Then you click on a drive letter to assign it and finally on Auto-Mount Devices, which will detect the encrypted drive and mount it as the selected drive letter. You do need to keep VeraCrypt running for as long as you want to access the drive.
If you don’t mind a little extra setup, we’d also recommend creating multiple partitions on the flash drive: one small unencrypted partition and one larger encrypted partition. You can do this using Disk Management in Windows (type disk management in the Search bar to find it). On the small partition you can copy the portable version of VeraCrypt (downloadable from the VeraCrypt website), then run VeraCrypt to encrypt the larger one.
That way, you don’t have to have VeraCrypt pre-installed on every PC. You can just plug the USB drive and the PC will detect and mount the small unencrypted partition automatically. Then run the portable version of VeraCrypt from it to mount the encrypted partition. That way, the drive works just like one of the hardware encrypted models above, without having to pay the extra premium.
That’s not strictly necessary, however, and a fully encrypted volume will work if you don’t mind have VeraCrypt pre-installed everywhere. Either way, you’ll have a USB drive that is safe from potential thieves and hackers, and safe to carry to and from work.