Encrypting Flash Drives with TrueCrypt

In my previous article, "Introduction to TrueCrypt," I showed you the basics of encryption, how to install and use TrueCrypt, and how to mount and dismount standalone volumes. In this article, we will examine the basics of encrypting portable USB flash drives. Unlike the previous article, you will create a hidden volume to provide an extra layer of security. If you recall, hidden volumes can be stored inside standalone volumes and inside partitions and entire hard drives.

When using hidden volumes, TrueCrypt actually creates two separate volumes: an outer (decoy) volume and a hidden volume. This allows you to store data in two separate locations. Each volume has its own individual settings, from the file system used to the level of encryption you require.

The outer volume is used to store non-sensitive or non-incriminating files should you ever be required to divulge your password. In other words, if you are ever required to provide your password to authorities (or another authoritative figure), you will provide them with the password to the outer volume.

Since this password will decrypt the outer volume, you can maintain plausible deniability about the existence of the hidden volume. The hidden volume is used to store sensitive files, and is protected by a completely separate password. In fact, TrueCrypt has no way of knowing the hidden volume exists when the outer volume is mounted.

The only downside to using TrueCrypt on a flash drive is that you will need administrative rights on any computer on which you intend to mount your volume. This is not a limitation of TrueCrypt, but rather a security feature of Windows. If you need to use your flash drive on a computer other than your own, you will need administrator privileges on that machine.

Preparing the Flash Drive

To get started, you will need a USB flash drive. In this tutorial, I am using a 4 GB Cruzer Micro already populated with files. Before you continue with this tutorial, you may want to copy all the files stored on your flash drive to your computer. You want to maximize your flash drive’s free space so you can create the largest standalone volume possible. Once you have copied all your files, delete all the files from the flash drive.

If you do not want to delete everything on your flash drive, you have the option to continue the process. You will, however, be limited to the maximum possible size of the volume. You are not required to create a volume as large as your flash drive; you can define a size that suits your needs. The only reason I encourage you to use all the space on the flash drive is to discourage you from unintentionally storing any files on the unencrypted portion.

You may remember that in the previous tutorial, you created a standalone volume. I also said this volume could be stored anywhere: on your desktop, a flash drive, or even the "cloud." In this tutorial, you will be creating another standalone volume, with the addition of a hidden volume. Because a flash drive can be easily misplaced or stolen, you are going to use the highest level of security TrueCrypt offers. TrueCrypt has a built-in tool that is specifically designed for portable hard drives.

After you have finished removing all the necessary files from your flash drive, check the amount of available space, as this will determine your volume’s maximum size. This will also help you decide whether or not you need to remove additional files from the drive, depending on the overall size of an encrypted volume you need. You can find your flash drive’s available space by viewing it in Computer/My Computer. My flash drive has 3.75 GB of available space.

In order to use TrueCrypt, you must first install it. If you have already installed TrueCrypt, you can skip this step. TrueCrypt is available for free at its website: http://www.truecrypt.org/. The TrueCrypt installation is very simple. Follow these steps and you will have it installed and running in no time. 

  1. Download TrueCrypt; double-click "TrueCrypt Setup 6.3a.exe."

  2. If you are warned by Windows’ User Access Control, click the "Yes" button. 

  3. Accept the license agreement.

  4. Choose the "Install" option (I will discuss the "Extract" option in a later article).

  5. Keep the default installation directory and make sure all the check boxes are checked. Click the "Install" button.

  6. Wait for the installer to finish. Click the "OK" button when the installation completes.

  7. When prompted to read TrueCrypt’s Beginner’s Guide, you can select either "Yes" or "No" depending on whether you would like to read the guide now or bookmark it for future reading. This tutorial should, however, serve as a decent starter’s guide. 

  8. Click the "Finish" button.

Once the installation is complete, run TrueCrypt by clicking the icon the installer created on your desktop, or by clicking the icon created in the Start menu.

As I mentioned earlier, TrueCrypt has a built-in tool specifically designed for preparing flash drives. You can access this tool by going to Tools > Traveler Disk Setup… on the main menu.

The Traveler Disk Setup window will now open. The first thing you need to do is specify the location of your flash drive. TrueCrypt will copy all the necessary files to your flash drive so you can use TrueCrypt on a computer that does not have it installed. Only about six files are copied, totaling about 4 MB, so very little space on your flash drive is consumed by TrueCrypt. Click the "Browse…" button to select the root of your flash drive.

Select your flash drive, then click the "OK" button.

Now, let’s discuss some of the options available in the Traveler Disk Setup tool. By default, the "Include TrueCrypt Volume Creating Wizard" option is already checked. This option will copy the necessary files, allowing you to create more TrueCrypt volumes directly from the flash drive. This is completely optional and will not affect the integrity of the volumes already stored on your flash drive.

TrueCrypt also has several mounting options. Unfortunately, due to new security improvements, none of these options work on computers running Windows 7 (Windows 7 has disabled AutoPlay and AutoRun on USB devices). On the bright side, these options will work on Windows Vista and XP.

Since this flash drive will be used to encrypt all its contents, you are going to enable auto-mounting of the TrueCrypt volume. What this means is, right after you connect the flash drive to the computer, TrueCrypt will be automatically launched, allowing you to use your volume with minimal effort. TrueCrypt will prompt you for your password; however, your volume will not be mounted until the password for the volume has been verified by TrueCrypt. Select the "Auto-mount TrueCrypt volume" (specified below) option in the "AutoRun Configuration" (autorun.inf) section, and click the "Browse…" button once the "Mount Settings" section is no longer grayed out.

You will now choose a name and location for your volume. Store your volume in the root of your flash drive for easy access. In this example, I am naming my volume "data.txt." During this step, you need to remember the name and location of your volume because this tool will not create your volume. You will still need to create the actual volume using the Volume Creation Wizard. Click the "Open" button once you have created a name for your volume.

There are still a few more options to configure before we can finish this step: 

  • Mount volume as drive letter: This option will let you select a custom drive letter to mount your volumes on. Keep this set to "First available" in case the drive letter you select is being used by another device.

  • Open Explorer window for mounted volume: When this option is checked, after you have successfully entered your volume’s password, Windows will open your mounted volume in Explorer so you can quickly and easily browse your files.

  • Mount volume as read-only: This option is self-explanatory: you will not be able to create, modify, or delete any information on the volume while it is mounted.

  • Cache password in driver memory: If you recall from my previous article, this option will allow you to remount your volume without using a password after it has been recently dismounted. For security purposes, you never want to leave this option checked, because it would allow someone to mount your volume on the same computer without being required to enter a password.
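The four options above end up as switches on the mount command that the Traveler Disk Setup tool writes into autorun.inf. As an added example (not code from this article or from TrueCrypt), the following Python reads such a file, decodes the mount settings from its open= line, flags the "Cache password in driver memory" setting, and rebuilds the line with the safer choices. The sample autorun.inf is constructed: its [autorun] keys are the standard Windows autorun.inf fields and the switch meanings (/v volume, /l drive letter, /e open Explorer, /m ro read-only, /c y cache password, /q quit) follow TrueCrypt's documented command-line usage, but the exact text the tool writes is an assumption.

```python
import configparser
import shlex

# Constructed sample in the shape the Traveler Disk Setup tool writes for the
# "Auto-mount TrueCrypt volume" choice (assumption: exact text not reproduced).
# This sample was generated with "Cache password in driver memory" checked.
SAMPLE_AUTORUN = """[autorun]
label=TrueCrypt Traveler Disk
icon=TrueCrypt\\TrueCrypt.exe
action=Mount TrueCrypt volume
open=TrueCrypt\\TrueCrypt.exe /q /e /c y /v "data.txt"
"""


def parse_mount_line(autorun_text):
    """Read the open= line and return the mount settings it encodes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(autorun_text)
    # posix=False keeps Windows backslashes and the quoted volume name intact
    argv = shlex.split(cp["autorun"]["open"], posix=False)
    opts = {"volume": None, "letter": None, "explore": False,
            "read_only": False, "cache": False}
    i = 1                                      # argv[0] is TrueCrypt.exe
    while i < len(argv):
        tok = argv[i].lower()
        arg = argv[i + 1] if i + 1 < len(argv) else ""
        if tok == "/v":                        # volume to mount
            opts["volume"] = arg.strip('"')
            i += 2
        elif tok == "/l":                      # fixed drive letter
            opts["letter"] = arg.upper()
            i += 2
        elif tok == "/m":                      # mount option, e.g. ro
            if arg.lower() == "ro":
                opts["read_only"] = True
            i += 2
        elif tok == "/c":                      # password cache y/n
            opts["cache"] = arg.lower() == "y"
            i += 2
        elif tok == "/e":                      # open Explorer after mount
            opts["explore"] = True
            i += 1
        else:                                  # /q and anything unrecognised
            i += 1
    return opts


def audit_mount_line(autorun_text):
    """Findings a reviewer would raise before handing this traveler disk out."""
    opts = parse_mount_line(autorun_text)
    findings = []
    if opts["cache"]:
        findings.append("password cached in driver memory (/c y): the volume "
                        "can be remounted on this computer without a password")
    if opts["letter"]:
        findings.append(f"fixed drive letter {opts['letter']}: the mount fails "
                        "if that letter is already taken by another device")
    if not opts["volume"]:
        findings.append("no volume path given: nothing will be auto-mounted")
    return findings


def build_mount_line(volume, explore=True, read_only=False):
    """Compose a mount line with the article's recommended settings:
    first available drive letter (no /l) and no password caching (no /c y)."""
    parts = ["TrueCrypt\\TrueCrypt.exe", "/q"]
    if explore:
        parts.append("/e")
    if read_only:
        parts += ["/m", "ro"]
    parts += ["/v", f'"{volume}"']
    return " ".join(parts)


def harden(autorun_text):
    """Return the autorun text with its open= line rebuilt safely."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(autorun_text)
    opts = parse_mount_line(autorun_text)
    cp["autorun"]["open"] = build_mount_line(
        opts["volume"], opts["explore"], opts["read_only"])
    lines = ["[autorun]"] + [f"{k}={v}" for k, v in cp["autorun"].items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_mount_line(SAMPLE_AUTORUN):
        print("finding:", finding)
    print(harden(SAMPLE_AUTORUN))
```

Running the block prints one finding for the constructed sample (the cached password) and then the rewritten file, whose open= line no longer carries /c y. The same check can be pointed at the autorun.inf on any traveler disk you have prepared, before it leaves your hands.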

Once you have verified that your settings look similar to those shown below, click the "Create" button.

You should see a message saying the traveler disk was successfully created. It also informs you that TrueCrypt must be run with administrator privileges when run from a flash drive, as discussed earlier. Click the "OK" button to close the window, then click the "Close" button on the Traveler Disk Setup tool.

If you open your flash drive from Computer, you should see two items created by TrueCrypt: a folder called "TrueCrypt" and a file called "autorun.inf."

If you open the "TrueCrypt" folder, you will see four additional files, all of which are required for mounting and dismounting your volumes.

Now that your flash drive is prepared, you are ready to create the volume.

Creating the TrueCrypt Volume

You should now be back at the main TrueCrypt window. The steps presented in this section will be very similar to those in my previous article. If you would like to read more detailed installation steps, or if you want to omit the hidden volume, please read my "Introduction to TrueCrypt" article. Otherwise, click the "Create Volume" button so you can begin creating the volume.

Since you are creating a standalone volume, select the "Create an encrypted file container" option, then click the "Next" button.

Next, you will select the volume type. As discussed earlier, select the "Hidden TrueCrypt volume" option, then click the "Next" button.

Next, you will select the volume creation mode. You have one of two options for creating a hidden volume. The first option, "Normal mode," will enable you to create a normal volume first, and then create a hidden volume within it. The second option, "Direct mode," will let you create a hidden volume inside an already-created volume. In other words, if you already have a standalone volume that you use on a regular basis, you can modify this volume so it can contain a hidden volume. Since you are creating a brand new volume, select "Normal mode," and then click the "Next" button.

In this step, you are going to select the name and location of your volume. This is the same name and location you entered earlier when you prepared your flash drive using the Traveler Disk Setup wizard. To select the volume location, click the "Select File…" button.

Again, make sure you enter the same name that you created when you prepared the flash drive. When I used the Traveler Disk Setup wizard, I named mine "data.txt" and stored it at the root of my flash drive. Click the "Save" button once you have named your file, and then click the "Next" button.

Next, you will set the options for the outer volume. No input is required here, so simply click the "Next" button.

Now you will select the encryption method you wish to apply to the outer volume. The default "AES" encryption algorithm and "RIPEMD-160" hash algorithm are proven and recommended for their robust protection and performance. Once you have made your selections, click the "Next" button.

Next, choose the size for the entire encrypted volume, not just the outer volume as the title implies. As I stated earlier, the outer volume is the decoy volume. The value you enter here will simply be the size reported by Windows when the outer volume is mounted. Even if your hidden volume contains 3 GB worth of data, Windows will still report that space as available. In reality, the outer volume will probably consume about 100-200 MB of space, depending on your needs. The outer volume’s actual size will be determined when you define the size of your hidden volume in a later step. Since you cannot input decimals (.) into the size field, you may need to adjust the "KB, MB, and GB" options to suit your needs. Once you have set the volume’s size, click the "Next" button.

Now you will select the outer volume’s password. This is the password you can divulge should the situation arise. Remember, it is impossible to identify the hidden volume unless the hidden volume’s password is entered. Even though this is the password for the outer volume, you should always use a strong password. Once you have entered your password, click the "Next" button.

Next, you will select the outer volume’s file system. You can use either FAT or NTFS. TrueCrypt recommends you use FAT for the outer volume because NTFS significantly decreases the size of the hidden volume. This is an NTFS limitation, not a limitation of TrueCrypt. You can, however, use NTFS on the hidden volume without any limitations.

This step also generates a random number from your mouse movements based on the hash algorithm you selected earlier. It is important to move your mouse around the window a few times so a truly random number can be generated. You will see the "Random Pool" change whenever you move your mouse.

Once you have selected your desired file system, click the "Format" button. The formatting process can vary depending on the size of your volume and the speed of your flash drive.

After the volume is created and formatted, it will be automatically mounted as drive Z:. You should also notice your thumb drive has very little space available.

TrueCrypt will also ask you to copy some decoy files into the volume. This is a precautionary step that urges you to copy data to the volume to give the impression that this is the only data stored in the volume. You only want to copy about 100 MB or so worth of files because this will limit the maximum size of the hidden volume. The more data you store now, the smaller your hidden volume will be when you get to that step. If you click the "Open Outer Volume" button, TrueCrypt will open the volume in Explorer. When you are finished copying some files into the volume, click the "Next" button.

TrueCrypt will now examine the volume to determine the maximum size of the hidden volume. Once this process is finished, click the "Next" button.

Just as you did with the outer volume earlier, you will now set the encryption options for the hidden volume. Keep the default "AES" encryption algorithm and "RIPEMD-160" hash algorithm as these are very robust encryption methods. Click the "Next" button to continue.

Now you will set the maximum size for the hidden volume. As I mentioned earlier, TrueCrypt will determine the maximum size of the hidden volume based on how much data you initially copied to the outer volume. Since you cannot input decimals (.) into the size box, you may need to adjust the "KB, MB, and GB" options to suit your needs. When selecting a size, enter a size slightly smaller than the maximum size. This will allow the outer (decoy) volume to expand should you ever need to update the existing files or add newer files. Depending on how much space you left available, TrueCrypt may display a warning message informing you of the dangers of not leaving enough expansion space. Once you have entered the size, click the "Next" button.

Now you will select a password for the hidden volume. Just as you did with the outer volume, select a good, strong password. Do not use the same password you used for the outer volume. Once you have selected and entered a new password, click the "Next" button.

Now you will select a file system for the hidden volume. You can choose between FAT and NTFS, depending on your needs. Use NTFS if you know you will be storing files larger than 4 GB, because FAT does not support files that large. Just as you did with the outer volume, be sure to move your mouse around the window so you can generate a truly random number. Since the entire volume has already been created, the formatting process will be very quick. Once you have selected your desired file system, click the "Format" button.

Once the hidden volume is formatted, TrueCrypt will warn you about protecting the hidden volume. TrueCrypt provides you with this warning because the hidden volume is susceptible to damage if the outer volume is not mounted correctly. When the outer, or decoy, volume is mounted, TrueCrypt has no way of knowing the hidden volume exists unless you mount the outer volume a specific way. You will learn how to do this in the next section. Click the "OK" button to close the warning.

Since this is the only volume you are going to create, click the "Exit" button.

You should now see the main TrueCrypt window. In order to see how your flash drive will work in another computer, you are going to run TrueCrypt directly from the flash drive, not the one you installed on your computer. Click the "Exit" button to close TrueCrypt. After you have closed TrueCrypt, remove your flash drive from your computer. You will plug it back in during the next section.

Mounting and Dismounting the Hidden Volume

At this point, you have successfully created a decoy volume and a hidden volume. You are going to mount your hidden volume first since this is the volume you will primarily use. Keep in mind the AutoRun feature is disabled in Windows 7; however, it is enabled in Vista, XP, and older versions of Windows. Just remember you will need to run TrueCrypt manually from the flash drive whenever you use it on Windows 7.

When using a Vista or XP machine, the Windows "AutoPlay" menu will ask you if you want to mount a TrueCrypt volume.

When using Windows 7, you will be presented with a general list of options.

If you are using Windows 7, click the "Open folder to view files" option. You will now be at the root of the flash drive. Open the "TrueCrypt" folder, then double-click "TrueCrypt.exe."

If you are using Vista or XP, you can skip the next two steps.

Mounting a hidden volume is no different from mounting a standard, standalone volume. In fact, you mount it the exact same way you did in the previous tutorial. With the TrueCrypt main window now open, click the "Select File…" button and select your encrypted volume. After you have selected your volume, select the drive letter you would like TrueCrypt to mount your volume under, followed by the "Mount" button. In this example, my volume is called "data.txt," it is stored at the root of the flash drive, and I am mounting it as Q:.

If you are using Vista or XP, you will automatically skip to this step. 

You will now be required to enter the volume’s password. You will notice there are no options to specify this as a "hidden" volume. You are only presented with a password field. TrueCrypt will mount the volume associated with the specified password so there is no need to identify the volume as a hidden or outer volume. All you need to do here is enter the hidden volume’s password, then click the "OK" button.

If you enter the correct password, the volume will be mounted, and you can start creating and storing your files securely. If you look at the "Type" column, you can confirm the hidden volume has been mounted.

The volume will be mounted as a regular hard drive; however, you can have it mounted as a removable drive by clicking the "Mount Options…" button on the password box. You can access your newly mounted volume by opening Computer, or you can simply double-click your mounted volume within the main TrueCrypt window.

Next, save some files to your hidden volume. You do not have to fill the volume to its maximum capacity; rather, fill it just enough so you will be able to distinguish its contents from the contents of the outer volume, which you will mount in the next section.

After you have added the files to your volume, dismount it from the TrueCrypt main window by selecting your mounted volume, then clicking the "Dismount" button. Just as you did in the previous tutorial, there are no special steps required to dismount the hidden volume.

Mounting and Dismounting the Outer Volume

Even though you may seldom mount the outer volume, it is extremely important that you learn how to mount it correctly. If you recall, when the outer volume is mounted, TrueCrypt has no way of knowing the hidden volume exists unless you explicitly tell TrueCrypt it exists. This can cause irrecoverable damage to the hidden volume without any warnings from TrueCrypt.

In order to mount the outer volume, follow the same steps you completed earlier when you mounted the hidden volume. When you are prompted to enter a password, enter the outer volume’s password, then click the "More Options…" button.

In the "Mount Options" window, you are going to tell TrueCrypt that a hidden volume exists. In the "Hidden Volume Protection" section, check the option "Protect hidden volume against damage caused by writing to the outer volume." You will now enter the hidden volume’s password in the password field directly below the check box. Now that TrueCrypt knows the hidden volume exists, you can interact with the outer volume without risking any damage or corruption to the hidden volume. Click the "OK" button after you have entered the hidden volume’s password, then click the "OK" button on the password box to mount the volume.

If the outer volume is mounted successfully and the hidden volume is protected, TrueCrypt will display a warning message. If you try to write more data than is available on the outer volume, TrueCrypt will write-protect the hidden volume. This will cause Windows to report "Delayed Write Failed" errors. This could indicate a faulty flash drive, or it could indicate that a hidden volume exists, which could adversely affect plausible deniability. This is exactly why you left expansion room when you set the size of the hidden volume. Click the "OK" button to close the warning message.
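The sizing steps earlier (the outer volume's reported size, the decoy files you copy, TrueCrypt's scan for the maximum hidden size, and the expansion room you leave) and the protection warning above all follow from one layout: the hidden volume lives in the unused tail of the outer volume's container. The following Python is a toy model written for this article, not TrueCrypt code, that replays the walkthrough twice, once with hidden volume protection and once without, to show why the protected mount matters. Its assumptions are simplifications: space is counted in clusters, the outer file system allocates from the front of the container, the hidden volume sits at the tail, and "protection" means the driver knows the hidden region's boundaries and refuses outer writes that would reach it.

```python
# Toy model of an outer (decoy) volume and a hidden volume sharing one
# container. Written for this article; not TrueCrypt code. Simplifying
# assumptions: cluster-sized units, outer data grows from the front, hidden
# volume occupies the tail, protection = driver knows the hidden boundaries.


class HiddenVolumeProtected(Exception):
    """Raised when a protected outer mount would write into the hidden volume."""


class Container:
    def __init__(self, total_clusters):
        self.total = total_clusters
        self.clusters = [None] * total_clusters  # None = unallocated
        self.hidden_start = None                  # first cluster of hidden volume
        self.protection_triggered = False

    # ---- outer (decoy) volume ----------------------------------------------
    def outer_used(self):
        """Front-of-container span up to the last cluster the outer file system
        allocated; this is what the 'maximum hidden volume size' scan measures."""
        used = [i for i, c in enumerate(self.clusters) if c and c[0] == "outer"]
        return max(used) + 1 if used else 0

    def outer_write(self, name, n, protect_hidden=False):
        """Append n clusters of outer-volume data.

        protect_hidden=True models mounting the outer volume with 'Protect
        hidden volume against damage...' checked and the hidden password given."""
        if self.protection_triggered:
            raise HiddenVolumeProtected("outer volume write-protected until remount")
        start = self.outer_used()
        for c in range(start, start + n):
            if c >= self.total:
                raise IOError("outer volume full")
            if self.hidden_start is not None and c >= self.hidden_start:
                if protect_hidden:
                    # The driver refuses the write; Windows reports a failed write.
                    self.protection_triggered = True
                    raise HiddenVolumeProtected(f"write to cluster {c} blocked")
                # Unprotected mount: the hidden volume is silently overwritten.
            self.clusters[c] = ("outer", name)

    # ---- hidden volume -----------------------------------------------------
    def max_hidden_clusters(self):
        return self.total - self.outer_used()

    def create_hidden(self, n):
        if n > self.max_hidden_clusters():
            raise ValueError("hidden volume would overlap outer data")
        self.hidden_start = self.total - n
        for c in range(self.hidden_start, self.total):
            self.clusters[c] = ("hidden", "data")

    def hidden_intact(self):
        return all(self.clusters[c] == ("hidden", "data")
                   for c in range(self.hidden_start, self.total))


def walkthrough(protect_hidden):
    """Replay the article's steps on a constructed 1000-cluster container.
    Returns (what happened to the oversized write, whether the hidden
    volume survived)."""
    vol = Container(1000)
    vol.outer_write("decoy-files", 100)        # copy decoy files into outer
    assert vol.max_hidden_clusters() == 900    # TrueCrypt's scan result
    vol.create_hidden(850)                     # slightly below max: 50 spare
    vol.outer_write("decoy-update", 40, protect_hidden)   # fits in spare room
    try:
        vol.outer_write("too-much", 30, protect_hidden)   # 10 clusters too far
        outcome = "written"
    except HiddenVolumeProtected:
        outcome = "blocked"
    return outcome, vol.hidden_intact()


if __name__ == "__main__":
    print("protected mount:  ", walkthrough(True))    # ('blocked', True)
    print("unprotected mount:", walkthrough(False))   # ('written', False)
```

The first run refuses the write that would cross into the hidden region, which is the "Delayed Write Failed" situation the warning describes; the second run completes the write and the hidden volume's data is gone with no error at all. The 50 spare clusters are the expansion room recommended when you set the hidden volume's size: the 40-cluster update succeeds in both runs, so leaving that room is what keeps routine use of the decoy from ever triggering the protection.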

You will now see your volume mounted in the TrueCrypt main window. If you examine the "Type" column, you can confirm you have mounted the outer volume.

If you open your mounted volume, you should see all the same files you copied over at the beginning of this tutorial. Keep in mind the outer volume has limited available space, so use it sparingly. From time to time, you may want to open and modify these files so their timestamps are more current, reinforcing the notion that a hidden volume does not exist.

When you are finished working with the outer volume, dismount it from the TrueCrypt main window by selecting your mounted volume, then clicking the "Dismount" button. Even though you were required to mount the outer volume a specific way, no special steps are required to dismount it.

Summary

In this tutorial, you learned how to encrypt your flash drive so your data remains safe should you ever lose possession of it. You also learned how to install TrueCrypt, create a standalone volume containing a hidden volume, apply encryption to both the outer and hidden volumes, and mount and dismount both volumes in Windows.

Always remember to protect your hidden volume when mounting the outer volume. This will protect your hidden volume from any unnecessary damage. While you will probably not mount your outer volume very often, it is important to update the timestamps so your outer volume looks "used" should you ever be required to divulge your password.

In my next article, you will learn how to encrypt partitions and entire hard drives that are directly attached to your computer.

2 thoughts on “Encrypting Flash Drives with TrueCrypt”

  1. It is possible to run TrueCrypt from a USB without actually having admin rights on the PC but it takes a bit of tweaking. You need to run it from a shortcut that elevates the rights of the user and then stores those rights. I found all the info here: http://geekknowhow.com/page_12

  2. While it is technically possible to mount volumes without administrative privileges, the user will still need admin rights to initially load the TrueCrypt drivers. Even the TrueCrypt developers recommend not mounting volumes in this type of situation.

    http://www.truecrypt.org/docs/
