Securing a Thumb Drive with TrueCrypt

Thumb drives (aka flash drives) are extremely useful storage devices; they’re portable and easy to use, and with growing capacity used by more people every day. However they are more easily lost or stolen. Most thumbdrives offer no prevention against exposing the data within to unauthorized access.

Using Truecrypt 7 you can encrypt an entire thumbdrive (or create an encrypted container within for more novice users). The software works on Windows, Linux and Mac OS X. For this article we’ll look at using an entire thumb drive as an encrypted device, so that without decoding it’ll simply look like an empty or corrupted drive when plugged in by an unauthorized persons. The best thing about TrueCrypt is that it’s free and powerful, so effective in fact that FBI Technicians have been unable to crack a Truecrypt 5.1 volume used by an alleged suspect since 2008.

Preparing the Thumb Drive

It goes without saying that if you already have information on your drive, that you’ll want to back up it’s content as this procedure will erase all the existing data.

First thing we need to do is remove any existing partitions on the device, since I’m a Mac user I’ll illustrate this with Disk Utility. For windows users you can use these instructions to remove any partition on the device. I’m assuming most linux users know how to do this with their own preferred utility such as gpartd.

In Disk Utility select the device on the left, then the partition tab, select “1 Partition” with a format of “Free Space”, then click Apply.

Once you have done this, the device will be completely empty and be ready to be used completely by TrueCrypt.

Encrypting the Thumb Drive

First we’ll want to install and launch the TrueCrypt software on your system, and click the Create Volume button. You’ll be prompted with this screen, from here select that you would like to create a volume within a drive or partition.

You’ll then be asked to select your device, you may be prompted for your system password at this point. From the list select your now-empty device from the list.

From here select the Volume Type. For this article we’ll use a standard volume. The hidden type is useful if you wish to have an extra layer of protection. The hidden volume will only open with the use of an alternate password, this gives you a level of plausible deniability in case for legal or extortion reasons you’re forced to give up the password to the device, in which case you can simply provide the password for the normal volume.

Then you can select your encryption options. AES is the default and typically the fastest, especially with processors that now have hardware acceleration for the AES algorithm. You can click the benchmark button to see how fast your current system can encrypt/decrypt the various algorithm methods. With a very strong password the AES method is usually just fine. I usually stick with the RIPEMD-160 hash algorithm, but you can choose to use one of the larger 512bit options. If you went with the Hidden Volume option above, you’ll have the chance later to select a different method for the hidden volume.

Now select a password, I recommend a strong password, something over 20 digits, and uses a mix of letters, numbers, and symbols. The longer the password, and the more variety of passwords you use the harder it will be for even brute force method to crack. For example a 6 letter password using letters could theoretically be cracked in 5 minutes by an old Pentium 100mhz computer, mixing upper and lower case characters would increase that time to 5 hours on the same machine.

Now days a typical quad core desktop could crack the above scenario using brute force in as little as 3 minutes, but an 8 character password using both upper and lower case letters, plus numbers and symbols would likely take a 100 years to crack. So adding some variety to your password such as symbols and using something longer than 8 characters goes quite a long way to prevent a simple brute force attack from succeeding. For more information on possible scenarios and how long they may take to crack refer to this link, for the most part most multi-core computers now days fall under “Class E”.

A keyfile option will give you an extra level of password protection, but keep in mind if you lose or change the keyfile on your computer, the encrypted volume may become unrecoverable. It’s also impractical if you wish to use the thumbdrive from a number of different computers.

If you wish to use the thumbdrive with multiple operating systems, FAT format will be your best bet. If you choose to use the Mac OS Extended option, you’ll be asked later if you wish to use the drive on other operating systems as well as if you wish to store files larger than 4GB.

If you had previously sensitive information on your device, do not choose the Quick Format option. Otherwise when someone attempts to use recovery software they may be able to see the data left behind prior to the encrypting.

On the volume format window you will be asked to move the mouse randomly within the window for a while. This will help seed the hashing algorithm for stronger cryptographic strength. Once you’ve sufficiently moved the mouse about you can click the format button. Depending on the speed of your device this can take a few minutes.

And now your volume has been created:

If you remove, then reinsert your thumb drive you may be prompted with a message like below, you can saftely ignore this message and proceed back to the TrueCrypt application.

Within TrueCrypt you can select a device and mount it, again selecting the seemingly-empty device and then provide it with your password.

Once mounted it’ll appear on your computer as just another volume. Encryption and Decryption occurs in the memory, so even if your computer were to suddenly shut off, or the device were to be pulled from the computer, the data on the device is still encrypted. On OS X you normally want to eject the volume from finder before dismounting it from TrueCrypt.


The most obvious down-side is that you will need to have TrueCrypt installed onto any system you wish to use the thumbdrive on. However if you choose to do a container volume, you could simply use the thumbdrive as a regular device and store your important stuff as a file container on your thumbdrive. The encrypted device would no longer simply be plug-n-use, you would have to open truecrypt, select your device and provide a password in order to mount it. But on the plus side, to anyone who may steal your drive it’ll just look like a corrupted/empty device to them.

The other impact is speed, encrypted data takes longer to read than normal data straight off the device. However even on my 3 year old macbook, and a couple old thumbdrives I have not noticed much of a difference accessing and using files than when unencrypted.

I’ve tried this on an 8GB PNY Micro Attache Slide (one of my favorites, very cheap, tiny, and has a high read speed) and 16GB Sandisk Cruzer as well as a 16GB PNY Attache Mini (from the above screenshots) without a problem. The write speeds are usually much slower than the read speeds on the above devices. My Micro Attache has very slow write speeds, but a very nice read speed so I tend to use that a lot.

Comments are closed.