USB flash drive security and encryption


Despite the growing use of services such as OneDrive and Google Drive, a USB flash drive is still the preferred choice for many people who need ultra-portable data storage without carrying around their device or a large USB disk drive. USB flash drives are efficient, easy-to-use, portable data storage devices that fit into your pocket or onto a keyring.

Although they are convenient, there is the obvious risk of loss, theft or misplaced data exchange. It’s important to understand the risks of USB flash drives but also the steps we can take to safeguard our data. While a USB portable device is compact and easy to carry, it’s also easy to lose or have stolen for those same reasons.

There’s a great solution to that problem. Encryption.

Should we encrypt our flash drives?

Quite simply: if you plan to use a flash drive for anything personal, or for information you would not like to share with others, you must use encryption.

Encryption will guard your personal data on the drive, in case it falls into the wrong hands through loss or theft, but there are other reasons for encryption, too. Unencrypted flash drives can leave you vulnerable to malware and other device security threats. Every time you plug your drive into a new PC, there is a chance that any malware or virus activity can automatically infect your drive and destroy your hard work.

So, what is encryption? Does it mean we need a password for every file, or decryption software on every device?

Encryption of USB drives means only those with an encryption key file or password will be able to access the data on your encrypted flash drive.

Even if your USB drive falls into unscrupulous hands, you are safe in the knowledge that any third parties will not be able to access or understand the format of the data on the drive, and therefore the drive is useless to them. In all likelihood the thief would move to format the drive and use it as their own.

How does encryption work with our files?

Your flash drive carries a filesystem of its own. A filesystem manages the drive by cataloguing each file, the location of the data on the drive, the format of the data and the names and folders for easy access. It also dictates what type of data can be stored in files.

For the purposes of this article, we will look at Microsoft Windows encryption only. Although there are specific file services for Apple devices (APFS) and flash drives, we focus here on Microsoft-based technologies.

Different filesystem types will impact your encryption options in different ways. Here are the differences.

For MS Windows (Windows Server and Windows 7 and above), the following file systems are supported.

Ultimately encrypting your drive makes the contents invisible and/or unreadable to the finder.

NT File System [NTFS]

NTFS is the corporate industry standard for MS Windows-based filesystems, especially internal drives (C: [System] Drive and Data drives for example). It enables granular permissions to be set on files, including using Active Directory group membership, built-in recovery and file versioning (when enabled) and lots of other features. It has not changed much in the last decade as it is recognised as the most modern file system that Windows uses by default for its system drive and non-removable drives. NTFS is the ideal filesystem for internal drives, especially server drives.

File Allocation Table [FAT32]

FAT32 is a much older, less efficient file system than NTFS which has been around since Windows XP. It is, however, more compatible with lots of other operating systems and non-Windows appliances and can be used to support an external drive. FAT32 has a 4GB limit per volume.


Extended File Allocation Table [exFAT]

exFAT is an upgraded replacement for the FAT32 filesystem and is an even more widely supported, cross-platform filesystem. It is today supported by more devices and operating systems since it is compatible with both Windows and macOS. exFAT is a great choice for USB flash drives since it is a lightweight, more modern version of FAT32. Like FAT32, however, it does not support the additional features of NTFS. Similar to NTFS, exFAT gives you more storage than FAT32’s 4GB limit.

How to encrypt a flash drive with Windows

MS Windows uses built-in encryption software known as BitLocker drive encryption, which is included with Windows Vista, including Pro, Ultimate, Enterprise, and Windows 10. Whilst BitLocker can easily encrypt your operating system drive and fixed data drives on your computer, ‘BitLocker To Go’ is able to encrypt an external USB flash drive or traditional external hard drives.

Important Decision: Select a filesystem

Once you have decided whether you need the portability and inter-device compatibility of exFAT, or the additional features and file permissions of NTFS, you should be clear about which filesystem you want to use: NTFS, exFAT or FAT32.

With the drive showing in MS Windows Explorer, right-click it and choose ‘Format’. You can leave the default sizing and other options, but you may want to give the volume a name. Our advice: for anything portable or potentially visible to an attacker, use non-identifiable names.

Drive naming help: Rather than putting in your full name on the drive, or your address, use a pseudonym which you will remember. You should have such a name available for all internet activities, forums, public sites, and registrations where you would rather not pass on your full name to everyone who sees your email address.

Encrypt the drive

To encrypt your flash or external drive, select the drive again within Windows File Explorer, find the ‘Manage’ tab, select BitLocker, and turn BitLocker on.

Set password

You can then choose how you want to unlock the drive: with a smart card, a password, or both. When you choose to set a password, make sure it’s one that you will remember without it being easily guessable.

Password help: For password selection, many people will reuse a simple word they will remember, which is then adjusted with misspelling and by replacing letters with numbers, followed by 3 or more memorable digits and finally a non-alphanumeric character or two. This will ensure that the password is unguessable and extremely hard to crack.

An example of this might be your first pet. Let’s say the pet’s name was Sooty and you acquired the pet in 1990. Nobody will really know this information, especially if you then amend the S in Sooty to be a 5 and the oo in Sooty to be 00 before adding 1990 and an extra character, e.g. & or $. You should remember this password relatively easily and can always change the numbers within to be other years of importance.

Save recovery key

After you’ve set a good password, you will want to save the recovery key, in case you forget your password. After the key is created you should store it somewhere completely different to your drive: embedded within a document and stored on another computer, or in secure recoverable cloud storage with 2 factor authentication enabled.

That’s it! Your drive is now encrypted and the contents are only available to the person who knows the password.
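
The same three steps (encrypt the drive, set a password, save the recovery key) can also be carried out from an elevated PowerShell session with the BitLocker cmdlets that ship with Windows. This is an added example, not part of the original article; the drive letter `E:` and the folder `C:\Users\Public\Recovery` are assumed placeholders to adjust.

```powershell
# Added example (not from the original article). Run as Administrator.
# Assumptions: E: is the flash drive; $RecoveryDir is on a different disk.
param(
    [string]$MountPoint  = 'E:',
    [string]$RecoveryDir = 'C:\Users\Public\Recovery'
)

$volume = Get-Volume -DriveLetter $MountPoint.TrimEnd(':') -ErrorAction Stop

# Refuse to touch anything that is not a removable drive.
if ($volume.DriveType -ne 'Removable') {
    throw "$MountPoint is a $($volume.DriveType) drive, not a removable one."
}
# The recovery key must not be stored on the drive it unlocks.
if ((Split-Path -Qualifier $RecoveryDir) -eq $MountPoint) {
    throw 'Choose a recovery folder on a different drive.'
}

# "Set password": prompt without echoing the password or leaving it in history.
$password = Read-Host -AsSecureString -Prompt "Password for $MountPoint"

# "Encrypt the drive": add a password protector and start encryption.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
    -UsedSpaceOnly -ErrorAction Stop | Out-Null

# "Save recovery key": add a recovery password and write it somewhere else.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
    -WarningAction SilentlyContinue | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1

New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$file = Join-Path $RecoveryDir "bitlocker-$($recovery.KeyProtectorId.Trim('{}')).txt"
@("Key protector ID:  $($recovery.KeyProtectorId)",
  "Recovery password: $($recovery.RecoveryPassword)") | Set-Content -Path $file

# Confirm the result: encryption progress and the protectors now on the volume.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The recovery file is written in plain text, so move it to the other computer or the cloud storage described above and delete the local copy.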