this post was submitted on 29 Aug 2024
67 points (98.6% liked)

Privacy

31951 readers
403 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Not sure is this is the best place to post this question, but wondering what is the best way to encrypt a usb drive?

Want to be able to carry an encrypted flash drive with me but also be able to unlock it, if possible, on various OSes. Preferably with some kind of portable software. Something similar to the method that comes with the Kingston Data Traveler USB drives.

Edit: Seems like Veracrypt and Cryptomator are the best options to check out. Thank everyone!

top 29 comments
sorted by: hot top controversial new old
[–] [email protected] 50 points 2 months ago (4 children)

Veracrypt. Make a file on your disk.

Don't want a storage file?

Make 2 partitions, put veracrypt portable exe on the first normal storage partition. (fat32 is likely ideal here) Second partition formatted with veracrypt.

[–] [email protected] 11 points 2 months ago* (last edited 2 months ago) (2 children)

This, except consider exFAT. It's more modern than FAT32 but also widely compatible.

https://www.howtogeek.com/235596/whats-the-difference-between-fat32-exfat-and-ntfs/

[–] [email protected] 7 points 2 months ago (1 children)

I would not just default to exfat because it is "newer," it does have compatibility issues on non-windows systems. The implementations differ wildly.

[–] [email protected] 2 points 2 months ago

Back when I used Windows, it worked fine for me out of the box between Win7 and both Ubuntu-based and Arch-based Linux distros 🤷

[–] [email protected] 1 points 2 months ago

I have had major issues with exFAT across a variety of platforms. But I also work with a bunch of niche gear. But my point is simply that being widely compatible isn’t the same as being fully compatible. And OP was asking for the best way to reach the widest compatibility. That calls for FAT32, even if it has issues with things like file size.

[–] [email protected] 6 points 2 months ago

+1 for veracrypt. Very convenient.

[–] [email protected] 3 points 2 months ago

I make 1 single partition for the entire drive and encrypt it with veracrypt. Veracrypt has portable executables for windows and if I lose the flash drive in the worst case people will think it's a corrupted disk (unrecognized partition) and reformat them probably.

[–] [email protected] 1 points 2 months ago (1 children)

This was my immediate thought as well. Portable launchers for the various OS’es on a tiny (just large enough to store the launchers) FAT32 partition, then a large FAT32 partition (the majority of the drive) encrypted by VeraCrypt. As long as it can read FAT32 and run VeraCrypt, it’ll be compatible. And that covers Windows, Linux, Raspberry Pi, and Mac ecosystems. It’s not as simple as just plugging it in and getting a password prompt, but it’s going to be the most compatible while still allowing for (nearly) the entire drive to be encrypted.

[–] [email protected] 1 points 2 months ago
[–] [email protected] 10 points 2 months ago (1 children)

Cryptomator might be a good option. They have clients for Windows, macOS, and Linux. It’s designed around encrypting your cloud storage but nothing should stop you from using it on a USB drive.

[–] [email protected] 6 points 2 months ago

That what I use, the key itself is formatted using ExFAT for compatibility with all major OSes, and using Cryptomator to encrypt the files.

[–] [email protected] 6 points 2 months ago* (last edited 2 months ago)

Yup Veracrypt is great even has a portable version that can be kept on the drive (might still need admin privileges though) so you won't have to install it on the system iirc . Would also go with cryptomator if you plan on using it with mobile systems but it has a one time payment for mobile.

[–] [email protected] 4 points 2 months ago (2 children)

Probably far from the best option; but you could use 7zip? Put a 7zip portable exe & linux binary on the usb, put the regular contents in an encrypted .zip file, anyone with the password can decrypt. I assume there are much more secure options though.

[–] [email protected] 3 points 2 months ago (1 children)

Encrypted ZIPs are very trivial to break. I can break it with a simple python script.

For instance, Microsoft does that for all encrypted ZIPs

https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

ZIP isn't a good way to encrypt, but what Microsoft is doing is simply reading the email, and decrypting zips with the password found in the email body.

All encryptions schemes can be trivially broken if you have the key. It's not even breaking, it's just normal decryption.

[–] [email protected] 1 points 2 months ago (1 children)

No, zip encryption is very weak. Thus is because million of combinations can be tried very quickly

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

While that's true, but there's no indication of Microsoft brute forcing with million of combinations.

The article you link says Microsoft is only trying a few obvious passwords: the filename, and words found in the plaintext message.

Proper encryption isn't just about using a strong algorithm. It's also about proper key management, ie not sending the password in the clear via the same channel as the encrypted files.

[–] [email protected] 1 points 2 months ago

Well no ZIP is not secure. There is a plethora of software that can brute force it.

Do not trust zip encryption. It is not secure and it will likely never be secure. It is like storing your passwords on a spreadsheet

[–] [email protected] 3 points 2 months ago

7zip encryption is solid, but the problem with this is that you don't Mount 7zip, so you have to extract it. Once you extract encrypted files into a drive thats not encrypted, they may as well never have been encrypted in the first place.

Its better to use a tool that creates an encrypted filesystem that you can mount and read-write directly without copying the files onto another disk

[–] [email protected] 4 points 2 months ago

I've used Veracrypt when I've needed something portable with windows and linux. Been a few years so might be better options now.

[–] [email protected] 1 points 2 months ago (1 children)

The best option is going to be a USB drive that has an external key entry feature. Kingston IronKey has these and its as simple as enter a key and plug in. I use them at work and it works on all the major OSes. They're not cheap though so if you want or are looking for a free solution then something like VeraCrypt portable and an encrypted container will be your next best option.

[–] [email protected] 0 points 2 months ago (1 children)
[–] [email protected] 6 points 2 months ago* (last edited 2 months ago) (1 children)

How about you tell me why instead of just saying "TeRribLe AdViSe."

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

Because historically when FDE is done in hardware there's been massive compromises. FDE is better done in software. Its more secure.

But, sure, there's no shortage of companies trying to sell you shitty hardware thats "100% secure" (which is a major red flag)

[–] [email protected] 1 points 2 months ago (1 children)

Nothing is 100% fool proof. Hardware or software encryption both have their issues. Case in point, Truecrypt (on which VeraCrypt is based) had a few issues that ultimately led to its demise. Hardware devices (I saw mention of one SSD maker) a few or years ago would store keys on the device that could be read off. So you're going to have to give me a source for "FDE is better done in software. It's more secure" beyond "just trust me bro."

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

Lol wut. What was the issue with TrueCrypt? I don't think we ever found out. The anon dev just bailed and hilariously told people to use bitlocker. Personally I think they were just trying to be funny. Fortunately veracrypt took over development.

[–] [email protected] 1 points 2 months ago

I'm not sure what the original issues were either but I do remember the message on the TrueCrypt site that said something like "warning, do not use. Contains unfixed security issues." The only thing that might explain that is this line from Wikipedia: "TrueCrypt includes two vulnerabilities in the driver that TrueCrypt installs on Windows systems allowing an attacker arbitrary code execution and privilege escalation via DLL hijacking" Personally I believe the guy just didn't want to maintain the thing anymore and abandoned it with no notice. Either way. Good thing VeraCrypt took over and fixed all those issues.

[–] [email protected] 1 points 2 months ago
[–] [email protected] 0 points 2 months ago

Get a Kingston IronKey. I have personally used the D500S. This is an off the shelf solution so it is a bit pricy. But it does look like they have lower versions in the same product line. Maybe you will find something that fits your budget.