Saturday 3 October 2015

Encrypting Portable Storage

We look at how to protect your data when you take it on the move

Whether it’s in the form of an SD card, USB thumbdrive or external hard drive, portable storage has never been so cheap. But oddly, in a world where everything has passwords – and sometimes extra security verification procedures on top of that – all that most people need to get access to the data on your portable drive is a spare USB port.


It’s fair to say that the documents, photos and backups on a portable drive have great potential to be used for fraudulent purposes if they fall into the wrong hands, so it’s odd that many of us still don’t choose to protect the files with some form of security or encryption. Portable storage, by its nature, has a high likelihood of ending up in the wrong hands. Just ask every politician who’s ever left a briefcase or folder on public transport.

So how do you encrypt your personal storage? Luckily, it’s not that difficult. And to prove that, we’ve put together a step-by-step guide that’ll work for any USB-based storage device.

Types Of Encryption


There are various levels of encryption you should look for, but ideally you should use international standards as a guide to the level of protection you’re receiving. AES with a 256-bit key is a high-security standard that is currently considered safe (and should remain so for the foreseeable future), but anything stronger is acceptable.

Encryption, whether in hardware or software, means that files cannot be read from the storage without the necessary key, even if the platters or memory banks are accessed directly. Anyone trying to access the files would find only unintelligible gibberish.

The most basic type of encryption happens in software. The advantage of doing it this way is that you can use it to turn any standard drive into an encrypted drive. The disadvantage is that the software must be available on every machine from which you want to access the data. If your data is encrypted using a program that only works on Windows, you won’t be able to access the data on a Mac or games console, for example.

Hardware encryption, meanwhile, is performed by the drive itself. This means the drive is compatible with any USB-compatible device, because once the drive is decrypted, it works like any standard USB drive. But it’s also tied to that particular piece of hardware, meaning you can’t apply it more generally to other storage devices. The price of hardware-encrypted drives is much higher due to their increased complexity and a premium on security.

Although some guides assert that encrypted drives are slow, this is not the case, beyond the fact that USB 2.0 models remain slightly more common because encrypted drives sell in smaller volumes. If you get a USB 3.0 drive with hardware encryption, it will be no slower to access than any standard USB 3.0 device. Indeed, it may actually be faster than software-encrypted drives because the decryption is done directly by an AES chip, rather than through a software implementation of the same.

So given that you can’t add hardware encryption to existing hardware, we’re going to concentrate on something you can do: encrypting your portable storage in software.

Encrypting Your Drive


Many guides advise you to use Microsoft’s own BitLocker to protect your files, but this software is only available in certain versions of Windows and only if your system has certain types of hardware installed. Rather than try to account for every configuration, we’re going to suggest a free third-party encryption system that works on every version of Windows, but don’t be discouraged from trying BitLocker if your Windows installation supports it.

There was a time when we would have recommended the free software TrueCrypt, but it was mysteriously discontinued last year. There are plenty of paid-for alternatives, but the best free alternative to TrueCrypt (and BitLocker) is DiskCryptor. It allows you to encrypt any file, drive or external storage device and uses a number of different encryption algorithms including AES, Twofish, Serpent and more. It’s open source and still under active development, and you can download an installer or a portable version from diskcryptor.net/wiki/Downloads, so do that before following these instructions.

Step 1: Run DiskCryptor
Once you’ve installed DiskCryptor and rebooted, you’ll be able to access the software. Remember to run it with administrator privileges, otherwise its functions will be unavailable to you; you should be prompted to do this before you can access the program. The software’s main screen will look something like this, with a list of your installed drives, their capacities, labels and types.

Step 2: Pick The Drive You Want To Encrypt
In this case, we’re going to encrypt the 2GB flash drive (drive H: in the visible list), so click it and hit ‘encrypt’ on the right. You’ll be given the option to select your encryption settings, which means choosing an algorithm (AES, Twofish, Serpent or some combination of all three) and a wipe mode (either none, one of two versions of US DoD 5220.22-M or Gutmann mode).

Unless you have a good reason for selecting another kind, AES encryption should be fine. If you want to keep the contents of the drive intact, select ‘none’ for Wipe Mode, but if you do want to erase the existing contents, any of the other three options will suffice. When you’re happy with your choices, click ‘next’.

Step 3: Choose A Password
The next step involves choosing a password, which you’ll need to enter to decrypt the contents of the drive. If you lose this password, the contents of the drive will become permanently irretrievable, so don’t forget it under any circumstance!

As ever, when you choose a password you should select it using best practices, which means it should be long, memorable and use a combination of numbers, punctuation and cases. A passphrase may suit you better than a string of random letters and numbers, but feel free to use a password generator. In any case, coming up with something secure is very important here, as a weak password renders encryption virtually moot.

The password rating at the bottom of the dialogue box will rate your password for you, highlighting the security features you’ve included and allowing you to manually refine your password. You should also confirm the password in the second dialogue box, and if you wish to read it, tick ‘Show Password’. We recommend you do this so you can be certain you haven’t made any typos. Making the same mistake twice without realising would be disastrous; it would render your data irretrievable unless you could replicate it again!

If you have a keyfile, you can also add it here by ticking the ‘Use Keyfiles’ box and then clicking ‘Keyfiles’, but if you’re a home user, you’ll know if this is desirable for you or not. If you don’t know what it means, you can assume not.
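The password step above rests on two points: the password is the only thing standing between an attacker with the drive and your files, and a typo entered twice is as final as a forgotten password. The following Python example, added here and not part of the article or of DiskCryptor’s own code, makes both concrete: it gives a back-of-the-envelope entropy estimate for a character-mix password versus a word passphrase (the rating box in Step 3 does a similar calculation), and it shows a password being stretched into a 256-bit key with PBKDF2 so that two passwords differing by one character produce unrelated keys. The character-class sizes, the 7,776-word dictionary size and the PBKDF2 parameters are assumptions for illustration; they are not DiskCryptor’s actual key-derivation settings.

```python
import hashlib
import math
import secrets

# Assumed alphabet sizes for the character classes the article mentions
# (lower case, upper case, digits, common punctuation). Illustrative only.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": 33}


def charset_entropy_bits(password: str) -> float:
    """Brute-force entropy of a random-looking password: length * log2(alphabet).

    This is an upper bound: a password built from a dictionary word plus
    substitutions is far weaker than this number suggests.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        alphabet += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        alphabet += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        alphabet += CLASS_SIZES["punct"]
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase of words drawn uniformly from a word list.

    7776 is the size of a Diceware-style list (assumption); the words must be
    picked at random, not chosen by hand, for this figure to hold.
    """
    return word_count * math.log2(dictionary_size)


def rate_password(password: str) -> str:
    """Coarse label in the spirit of the dialogue's password meter."""
    bits = charset_entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256 (stdlib).

    The salt is random per volume and stored alongside the encrypted data;
    the iteration count slows down offline guessing. Both values are
    illustrative and not DiskCryptor's own parameters.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def keys_differ(correct: str, typo: str, salt: bytes) -> bool:
    """True when a one-character typo yields a completely different key.

    This is why confirming the password (and ticking 'Show Password') matters:
    a typo confirmed twice encrypts the drive under a key you cannot reproduce.
    """
    return derive_key(correct, salt) != derive_key(typo, salt)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # a fresh random salt, as a volume header would hold
    for pw in ("P@ssw0rd", "Tr0ub4dor&3"):
        print(f"{pw:14} {charset_entropy_bits(pw):5.1f} bits  {rate_password(pw)}")
    print(f"six random words {passphrase_entropy_bits(6):5.1f} bits")
    print("typo changes key:", keys_differ("correct horse battery", "correct horse batery", salt))
```

The entropy figures are what a meter can measure; they say nothing about whether the password is guessable from a dictionary, which is why the article’s advice to prefer a long, randomly chosen passphrase stands regardless of the meter’s verdict.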

Step 4: Wait For The Wipe & Encryption To Complete
Once you click ‘OK’ on the settings dialogue, DiskCryptor will return to the main application and show a progress bar at the bottom of the screen, which tells you how the wipe and encryption is proceeding. In the ‘status’ column you can see a numerical percentage, while the data at the bottom will show you the number of sectors encrypted (of the total amount), as well as the speed in megabytes per second, the total megabytes completed, the time taken and the estimated time left.

You can pause the process by hitting ‘pause’.

Step 5: Accessing The Encrypted Drive
When the drive has been encrypted, it will automatically be ‘mounted’, meaning you can access the encrypted files. If you unmount the drive, whether by manually doing so or by removing it for use in another system, the contents will be inaccessible unless they’re decrypted.

To access the drive again, you have to run DiskCryptor and mount it, inputting the correct password when prompted. In some cases you’ll be able to choose which drive letter the contents are mounted under (i.e. if they’re not already assigned a drive letter), but this isn’t a common situation for portable drives, which Windows usually gives a drive letter the moment they’re detected.

While the drive is mounted, you can access it through any standard piece of software. The OS will treat the drive as if it’s completely unencrypted up until the point where your system is rebooted or the drive is physically removed.

If you try to access an unmounted, encrypted drive through something like Explorer, Windows (and any other operating system or hardware) will probably detect it as unformatted and may attempt to format the drive. Remember that if you allow the format to take place, the drive’s contents will be wiped.
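The reason Windows offers to format an unmounted encrypted drive is that its first sector no longer carries a recognisable boot record: the whole volume, header included, reads as random-looking bytes. The Python example below, added here and not taken from the article or from DiskCryptor, reads the first few sectors of a volume image and reports whether it looks formatted (FAT/NTFS/exFAT signature present), blank, or signature-free with high entropy, which is what an encrypted volume looks like from the outside. The sample sectors are constructed in the script so it runs offline; the signature offsets are the standard ones from the FAT and NTFS boot-sector layouts, and the 7.5-bit entropy threshold is an assumption. Reading a real device (for example `\\.\PhysicalDrive1` on Windows, which requires administrator rights) is left as a labelled option and is not exercised here.

```python
import math
import random
from typing import Dict, Optional

SECTOR = 512
HEAD_BYTES = SECTOR * 8  # inspect the first 8 sectors (4 KiB)


def shannon_entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for all-zero data, ~8.0 for random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def filesystem_signature(sector0: bytes) -> Optional[str]:
    """Return the filesystem named in a boot sector, or None if no signature is found.

    Offsets: OEM name at 3..11 (NTFS, EXFAT), FAT12/16 type string at 0x36,
    FAT32 type string at 0x52. A missing signature is not proof of encryption.
    """
    oem = sector0[3:11]
    if oem.startswith(b"NTFS"):
        return "NTFS"
    if oem.startswith(b"EXFAT"):
        return "exFAT"
    if sector0[0x52:0x5A].startswith(b"FAT32"):
        return "FAT32"
    if sector0[0x36:0x3E].startswith(b"FAT1"):
        return "FAT12/16"
    return None


def classify_volume(head: bytes, threshold: float = 7.5) -> str:
    """Describe what the first sectors of a volume look like to the OS."""
    sig = filesystem_signature(head[:SECTOR])
    has_boot_sig = head[510:512] == b"\x55\xAA"
    if sig and has_boot_sig:
        return f"formatted ({sig})"
    if sig:
        return f"formatted ({sig}), boot signature missing"
    entropy = shannon_entropy_bits(head)
    if entropy < 1.0:
        return "blank"
    if entropy > threshold:
        return "no filesystem signature, high entropy (encrypted container or random data)"
    return "no filesystem signature, low entropy (unknown or damaged)"


def build_samples() -> Dict[str, bytes]:
    """Constructed sample volume heads: not captured from real drives."""
    fat32 = bytearray(HEAD_BYTES)
    fat32[0:3] = b"\xEB\x58\x90"          # jump instruction
    fat32[3:11] = b"MSWIN4.1"             # OEM name
    fat32[0x52:0x5A] = b"FAT32   "        # filesystem type string
    fat32[510:512] = b"\x55\xAA"          # boot signature

    ntfs = bytearray(HEAD_BYTES)
    ntfs[0:3] = b"\xEB\x52\x90"
    ntfs[3:11] = b"NTFS    "
    ntfs[510:512] = b"\x55\xAA"

    # Stand-in for an encrypted volume: uniformly random bytes from a seeded
    # generator so the result is reproducible.
    rng = random.Random(2015)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(HEAD_BYTES))

    blank = bytes(HEAD_BYTES)
    return {"fat32": bytes(fat32), "ntfs": bytes(ntfs),
            "encrypted_like": encrypted_like, "blank": blank}


def read_volume_head(path: str) -> bytes:
    """Read the first sectors from a file or raw device (e.g. a volume image).

    On Windows a raw device path such as r'\\\\.\\PhysicalDrive1' needs
    administrator rights; this helper is an assumption about how you would
    feed real data in and is not called by the demo below.
    """
    with open(path, "rb") as f:
        return f.read(HEAD_BYTES)


if __name__ == "__main__":
    for name, head in build_samples().items():
        print(f"{name:15} entropy={shannon_entropy_bits(head):4.2f}  -> {classify_volume(head)}")
```

Run on a drive that DiskCryptor has encrypted but not mounted, the expected verdict is the high-entropy, signature-free one; that is the state in which Explorer prompts to format, and declining the prompt is the only safe answer.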

Step 6: Permanently Decrypting A Drive
If you’re ready for the drive to be decrypted permanently, simply mount it using DiskCryptor and then click ‘Decrypt’ on the right (which will only be available if the drive is encrypted). When you put in the right password, the contents will be decrypted in a similar process to the way they were encrypted.

Note that if you don’t want to keep the files that are stored on the drive, you can bypass this process by simply reformatting the drive. This will wipe it clean, but the new file system will be unencrypted and ready for use.

Hardware Encrypted Drives


These perform their encryption in hardware and are therefore an order of magnitude harder to crack than software-encrypted drives. However, at the same time, they’re often considerably more expensive, and the encryption can only be applied to those drives, whereas most software solutions can be employed on virtually any type of storage. Another benefit of hardware encryption and decryption is that it doesn’t require any specific software, so you can use it with any piece of hardware.

And in case you’re not sure what hardware is available, here are a few encrypted storage brands you might want to look out for.

iStorage DataShur
iStorage’s range of encrypted drives has 256-bit AES encryption, a hardware keypad that you can use to unlock them securely, support for multiple users and access privileges (so you can assign a code that’s read-only, for example) and a protective metal case to ensure it resists damage. Its USB 2.0 drives range from 4GB (£40) to 32GB (£100), while the USB 3.0 versions come in capacities from 30GB (£170) to 240GB (£320).

iStorage also produces the ‘DiskAshur’ range, which are encrypted portable hard drives of a similar pedigree.

Kingston DataTraveler Locker+
Made by RAM and memory specialist Kingston, the DataTraveler Locker+ USB 3.0 drives have 256-bit AES encryption and USB cloud functionality, which can keep online backups of your data. Prices range from £11 for the 8GB version to £54 for the 64GB version. Not as advanced as DataShur’s USB sticks, but just as secure.

Lexar JumpDrive M10
Beware of these Lexar JumpDrives: although they might appear to be encrypted in hardware, they aren’t. They actually use EncryptStick Lite software to encrypt and decrypt the contents, which is a more secure option than buying a standard unencrypted USB key, but also not much better than simply using something like DiskCryptor with any other drive. They are cheap (£10 for the 16GB version and £20 for the 32GB version), but that’s because they’re essentially just regular, encryption-free drives.

Can Encryption Be Broken?


In theory, encrypted files are always safe from unauthorised access, and will remain so at least until the era of quantum computing, when the exponential power of quantum processing may render current forms of encryption trivial to break. But at the same time, it’s not impossible that circumstances may arise that render encryption beaten in its own right.

For example, the Heartbleed bug, once it was discovered, made OpenSSL encryption breakable at a single stroke. Some researchers recently cracked 4096-bit encryption by listening to a CPU with a powerful microphone that allowed them to divine the decryption key by recognising the repetition of the noise it made before it accessed encrypted data. Some forms of encryption may even have backdoors built in to ensure that the security services can access the content even if its owners refuse to give them access.

In short, nothing on a computer is definitely, permanently secure. But strong encryption is the closest you can get, and in a world where most people you meet aren’t affiliated with the secret service and don’t have access to high-powered listening devices, you can be relatively sure that your data isn’t going to get stolen. At least, not for now.