Encrypting a USB Drive with TrueCrypt
The small physical size and low cost of USB-based flash disk drives, or USB Drives, often lead to confidential information being exposed through theft and loss. The growing memory capacity of these drives increases the problem, as more data is stored for longer periods of time.
I use my USB Drives frequently, as do many mobile professionals. I categorize my usage into two basic functions:
- Storage – Storing my files for later reference, often with a PC which is not my own.
- Transfer – As a mechanism to copy files from one PC to another.
When evaluating encryption methods I considered how a given encryption product would impact the use of a USB Drive for both functions. For example, since I frequently use my USB Drive with PCs I do not own, I cannot use a product which requires a typical software installation on a PC to use.
I also sometimes lend my USB Drive to others temporarily – typically when transferring files from one PC to another. The encryption product needs to allow a third party to still use my USB Drive without knowing how to use the encryption software.
Another consideration was cost. A low to no-cost solution is usually preferable, not only because it does not require an initial investment, but also because it facilitates easy testing and rapid adoption.
I settled on a product called TrueCrypt which, for now, seems like the tool best suited to my use. Its license provides for free use for both non-commercial and commercial purposes. Version 4.2a for Windows is around 1,388 KB in total size, which includes documentation.
Main Features:
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire hard disk partition or a storage device such as a USB flash drive.
- Encryption is automatic, real-time (on-the-fly) and transparent.
- Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
  - Hidden volume (steganography – more information may be found here).
  - No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
- Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.
- Further information regarding features of the software may be found in the documentation.
I create an encrypted disk volume within my USB Drive, rather than encrypting the entire device. The encrypted volume is used to store all protected data. When the encryption software is not used, the encrypted volume simply appears as a large file which cannot be accessed. Naturally, this file can be deleted; however, the data within the file is protected from unauthorized access.
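What "cannot be distinguished from random data" means for the container file described above can be seen from the examiner's side with a short check, added here as an example that is not from the original post or from TrueCrypt: it flags buffers that carry no known file signature and have near-maximal byte entropy. The sample buffers, the signature list and the 7.9 threshold are constructed assumptions, and a match marks a candidate only, since any random-looking file produces the same result.

```python
import hashlib
import math
from collections import Counter

# Small illustrative signature list (assumption; real tools use far larger ones).
KNOWN_MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png", b"\x1f\x8b": "gzip"}

ENTROPY_THRESHOLD = 7.9  # bits per byte; assumed cut-off for "looks random"


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def known_format(data: bytes):
    """Return the format name if the buffer starts with a known signature."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_encrypted_container(data: bytes) -> bool:
    """True when there is no recognisable header and the bytes look uniformly random."""
    return known_format(data) is None and shannon_entropy(data) >= ENTROPY_THRESHOLD


def pseudo_ciphertext(size: int) -> bytes:
    """Constructed stand-in for encrypted volume contents: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed samples: a headerless random-looking blob, a plain text file,
# and random-looking data behind a gzip signature (high entropy, known format).
SAMPLE_CONTAINER = pseudo_ciphertext(64 * 1024)
SAMPLE_TEXT = b"Quarterly report draft, not for distribution.\n" * 1400
SAMPLE_GZIP = b"\x1f\x8b\x08" + pseudo_ciphertext(64 * 1024)

if __name__ == "__main__":
    for name, buf in [("container", SAMPLE_CONTAINER), ("text", SAMPLE_TEXT), ("gzip", SAMPLE_GZIP)]:
        print(name, round(shannon_entropy(buf), 3), known_format(buf), looks_like_encrypted_container(buf))
```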
I leave unencrypted free space on the USB Drive for use when transferring files from one PC to another. This allows the USB Drive to be used for file transfers without using the encryption software at all.
TrueCrypt can certainly be used in many other ways and for many other purposes. I simply find the USB Drive to be an easy use-case.