There has been considerable research done, and also various newspaper articles, about people leaving laptops or drives in public locations that contain sensitive data. There are numerous ways to protect data, and one of the easiest and most reliable ways we have found is a program called VeraCrypt. This is a short guide to enable you to produce an encrypted drive to use, store and protect your data at rest.
We recommend you use a clean/new USB drive in the first instance. As an organisational aid, we use a coloured USB stick to indicate a VeraCrypt drive, or use a paint pen/permanent marker to mark it.
You obviously need VeraCrypt for this guide; the latest version is available from https://veracrypt.codeplex.com/
Download and install the software as usual and start it afterwards. You will also need VeraCrypt on all machines you are using with this drive or media.
VeraCrypt runs on all major platforms (Linux, Windows and Mac OS) and does so transparently; we here at SafeNSecure regularly use it between all three platforms.
Start VeraCrypt
The main VeraCrypt window will load and look like the following.
You obviously need to make some decisions before you continue. This guide will encrypt the full USB drive, erasing/destroying all of the existing contents in the process.
Figure 1 – VeraCrypt Main Window
WARNING: Do not encrypt a drive that already has data on it. Copy the data off somewhere first and copy it back on after encrypting.
Click on the Tools menu then select Volume Creation Wizard.
A window will appear asking about the type of volume that you want to create.
Figure 2 – VeraCrypt Volume Creation Wizard
The choices are to create an encrypted container, encrypt a partition / drive or encrypt the system partition (the one running Windows). We are going to create a volume within a non-system device, so check the second option in that screen and click Next.
The next window gives us the choice to create a standard or hidden VeraCrypt volume.
Figure 3 – VeraCrypt Volume Type
Hidden volumes are created in standard volumes and allow a decoy volume to exist with a separate password. If under duress, you can supply the standard password and not the password for the hidden volume. We are creating a standard volume, therefore select it and click Next.
Now we are selecting the device that we want to encrypt, in our case the new USB drive. Click Select Device. This brings up a dialog to select your USB drive; it will appear as drives D: E: F: etc. on Windows, as a Device Mapping on Linux/Ubuntu and as the Name of your USB drive on Macintosh. Then having selected your USB device
Figure 4 – VeraCrypt Volume/Drive location
Select Create encrypted volume and format it; that is the quickest way. Note that it will DESTROY any data on the drive.
Figure 5 – Volume Creation Mode
Click Next; this will take you to the encryption options screen.
Figure 6 – Select Encryption Options
This encryption options screen details the encryption and hash algorithms that can be used. My selection was AES and SHA-512, which should be reasonably secure. You can run benchmarks in that window and get additional information about each algorithm. All algorithms are secure (unless someone proves otherwise, which has not happened yet).
Select your algorithm(s) and Click Next
Figure 7 – Volume Size
This screen shows us the volume size we are using. We are encrypting the entire thumb drive, so simply hit next.
The Volume Password is the most important part of the process. You access your files with it and if you happen to forget it your files are lost forever! So record it somewhere secure and accessible.
Figure 8 – Enter your volume password (complex) > 25 characters
Make sure you use a long password, something that is not a dictionary word and not a combination of them. A password should be at least 25 characters long and be made of upper and lower case characters, numbers and special characters. The maximum number of characters is 64. A keyfile can be created as well, which then works in combination with the password. Store this password somewhere safe (envelope in a safe) should you forget it.
The drive will be formatted in the end. You need to move your mouse randomly around the screen for some time to improve the quality of the encryption keys. Keep doing this until the Format button is active, then click it.
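The password rules above can be checked mechanically before you type the password into the wizard. The following is an added example, not part of the original guide or of VeraCrypt; the function names and the tiny word list are assumptions made for illustration.

```python
import secrets
import string

MIN_LEN, MAX_LEN = 25, 64  # limits stated in this guide
# Constructed mini word list for illustration; use a full dictionary in practice.
WORDS = {"correct", "horse", "battery", "staple", "password", "summer"}

def is_word_combination(text, words=WORDS):
    """True if the letters of text split entirely into dictionary words."""
    s = "".join(c for c in text.lower() if c.isalpha())
    reachable = [True] + [False] * len(s)  # reachable[i]: s[:i] splits into words
    for end in range(1, len(s) + 1):
        reachable[end] = any(reachable[start] and s[start:end] in words
                             for start in range(end))
    return bool(s) and reachable[-1]

def check_password(pw):
    """Return the rules from the guide that pw breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 25 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 64 characters")
    tests = {"upper case": str.isupper, "lower case": str.islower,
             "number": str.isdigit, "special": lambda c: not c.isalnum()}
    for name, test in tests.items():
        if not any(test(c) for c in pw):
            problems.append(f"no {name} character")
    if is_word_combination(pw):
        problems.append("built only from dictionary words")
    return problems

def generate_password(length=32):
    """Random password from the OS CSPRNG that passes check_password."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 25 and 64")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw

if __name__ == "__main__":
    print(check_password("Correct-Horse-Battery-Staple-2024!"))
    print(check_password(generate_password()))
```

The first sample meets the length and character-class rules but is still rejected, because stripping the separators leaves nothing but dictionary words.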
Figure 9 – Formatting the volume
The file system and cluster size can remain as is unless you need them to be different. Use Quick Format if there have not been any files on the USB drive previously. The process is finished after this step. You need to mount the drive now to be able to use it.
Mounting your encrypted USB drive
Select a drive letter that is currently not assigned, then click on Select Device in the main window. Now select the partition or drive that you have encrypted and click on OK.
Figure 10 – Mounting your encrypted drive for use
Now click on Mount, which opens a password box where you have to enter the password that you selected during setup. Click OK afterwards; if the password was correct, the drive should appear as your selected drive on your machine and you can work with it normally from there on. At the conclusion of use do not forget to click Dismount All; this will close the VeraCrypt volume down.
IMPORTANT NOTE: If you place a VeraCrypt encrypted drive in a normal machine, it appears as a drive that needs formatting and the machine asks you to format it. Don't format it, otherwise you have just lost all the data!
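The format prompt appears because a VeraCrypt volume carries no recognisable file system signature; its first sector looks like random bytes. The following added example (not part of the original guide or of VeraCrypt) classifies the first 512 bytes of a drive or image so that a random-looking sector is flagged before anyone formats it. The entropy threshold, function names and sample sectors are assumptions.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks random"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_sector(sector: bytes) -> str:
    """Classify sector 0 of a drive or partition from its first 512 bytes."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    s = sector[:SECTOR]
    if s.count(0) == SECTOR:
        return "blank"
    if s[3:11] == b"NTFS    ":
        return "ntfs"
    if s[3:11] == b"EXFAT   ":
        return "exfat"
    if s[54:57] == b"FAT" or s[82:87] == b"FAT32":
        return "fat"
    if shannon_entropy(s) > ENTROPY_THRESHOLD:
        # No signature and random-looking: consistent with an encrypted volume
        # header, but also with a drive that was wiped with random data.
        return "possibly-encrypted"
    if s[510:512] == b"\x55\xaa":
        return "mbr-or-boot-sector"
    return "unknown"

def read_first_sector(path: str) -> bytes:
    """Read sector 0 from an image file or raw device (path chosen by the caller)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def constructed_samples() -> dict:
    """Constructed test sectors; the 'random' one is a SHA-512 chain, not real data."""
    rnd, block = b"", b"constructed sample"
    while len(rnd) < SECTOR:
        block = hashlib.sha512(block).digest()
        rnd += block
    ntfs = b"\xeb\x52\x90NTFS    " + bytes(499) + b"\x55\xaa"
    return {"random": rnd[:SECTOR], "blank": bytes(SECTOR),
            "ntfs": ntfs, "mbr": bytes(510) + b"\x55\xaa"}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:7s} -> {classify_first_sector(data)}")
```

A "possibly-encrypted" result cannot prove the drive is a VeraCrypt volume; it only says the sector is indistinguishable from random data, which is reason enough to try mounting it before accepting a format prompt.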