Tutorial - A Poor Man's Secure USB

USB flash thumbdrives are efficient, large-capacity, fast and very resilient, so everyone uses them to transport files, and very often to transport corporate documents. But USB thumbdrives are also very easy to lose or steal. Naturally, there are secure USB thumbdrives, but their price may not get approved by management, especially if the company purchases a large number of thumbdrives.
So, in order to maintain a high level of security without increasing your budget, here are two tutorials on how to create a secure USB.

I. Security For Usage

If the user will use the thumbdrive to transport documents and will use them at unknown locations and computers, you should create an encrypted virtual volume in a file on the thumbdrive.

Here is an excellent tutorial on how to create this encrypted volume, but with the following modifications:

  1. Prior to creating the encrypted volume, format the USB thumbdrive to clear all previous content.
  2. The file size of the virtual volume should fill the ENTIRE FREE SPACE of the USB thumbdrive - this way a lazy user cannot copy something into the unencrypted space, since there is no unencrypted space.
  3. The tutorial gives instructions on how to create an autorun file. That step is no longer needed, since the TrueCrypt wizard will create this autorun file for you.
  4. Set the TrueCrypt files Truecrypt.exe, truecrypt.sys and truecrypt-x64.sys as read-only, to prevent accidental deletion of those files. Naturally, you cannot make the actual volume file read-only, since you need to write to it.
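
A provisioning check for modifications 2 and 4 above, as an added example that is not part of the original tutorial. The container name `volume.tc`, the `autorun.inf` name, the 1 MiB slack allowance and matching the TrueCrypt files by name in any folder on the drive are assumptions of this sketch.

```python
import os
import shutil
import stat
import sys

# File names from modification 4 of the tutorial.
TRUECRYPT_FILES = ("Truecrypt.exe", "truecrypt.sys", "truecrypt-x64.sys")
# Assumptions for this example: container name, autorun name, slack limit.
VOLUME_FILE = "volume.tc"
AUTORUN_FILE = "autorun.inf"
MAX_FREE_BYTES = 1024 * 1024  # tolerate up to 1 MiB of filesystem slack


def audit_drive(root, free_bytes=None):
    """Return a list of findings for the drive mounted at root ([] = pass)."""
    findings = []
    if free_bytes is None:
        free_bytes = shutil.disk_usage(root).free
    # Modification 2: the volume file must leave no usable unencrypted space.
    if free_bytes > MAX_FREE_BYTES:
        findings.append(f"unencrypted free space: {free_bytes} bytes")

    allowed = {n.lower() for n in TRUECRYPT_FILES + (VOLUME_FILE, AUTORUN_FILE)}
    by_name = {}  # lower-case file name -> full path (FAT/NTFS ignore case)
    strays = []   # anything else is stored outside the encrypted volume
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in allowed:
                by_name[name.lower()] = full
            else:
                strays.append(os.path.relpath(full, root))

    if VOLUME_FILE.lower() not in by_name:
        findings.append(f"missing volume file: {VOLUME_FILE}")
    # Modification 4: the TrueCrypt program files must be read-only.
    for name in TRUECRYPT_FILES:
        path = by_name.get(name.lower())
        if path is None:
            findings.append(f"missing TrueCrypt file: {name}")
        elif os.stat(path).st_mode & stat.S_IWRITE:
            findings.append(f"not read-only: {name}")
    for rel in sorted(strays):
        findings.append(f"file outside the encrypted volume: {rel}")
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    for finding in audit_drive(sys.argv[1]):
        print(finding)
```

Run it with the drive root as the only argument (for example the drive letter the thumbdrive is mounted on); no output means the drive passed every check.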

II. Security For Transport

A much higher level of security can be attained if the USB thumbdrive is used only to transport files between known computers (for instance, the office PC and the home PC of an employee).

For such a home worker, the process of creating the USB thumbdrive is almost the same as under I. Security For Usage, with the following difference:

  • When creating a volume password, check the Use keyfiles option, and then choose Generate Random Keyfile and save the file under an arbitrary name.

After completion of the format, the administrator should place the keyfile on both the office PC and the home PC of the user of the USB thumbdrive. To do this, the administrator should use a different medium (a CD-ROM or another thumbdrive).

With this process, in order to decrypt the encrypted volume, the user needs two things: the password and the keyfile. So even if the USB thumbdrive is stolen and the password is known, nothing can be done without the keyfile.

Naturally, this is not foolproof. The security of the home computer must also be taken into consideration, and these computers are usually not too secure. Once the files are decrypted on the home computer, they can fall prey to trojans or spyware that got into that computer via the internet. So a very prudent measure is to pair this implementation with a corporate license of antivirus/antispyware and firewall software on the employee's home PC.


These processes improve the security of files stored on a USB thumbdrive, but since the software is designed as single-user, each encrypted volume has a single decryption password, so only one person should use it.
