How can I encrypt a USB drive?

Encrypt USB sticks with Bitlocker or Veracrypt

Arne Arnold & AV Test

The issue of data protection plays a particularly important role in connection with USB sticks. Security-conscious users protect their data with Bitlocker To Go or use Veracrypt. We show you how it works.

EnlargeDue to the mobile nature of the device, files on USB sticks should be particularly well secured or encrypted.
© Fox17 @ Fotolia.com

Do you save important documents on your USB stick and do you want to prevent this information from falling into the wrong hands at all costs? Or maybe you don't want someone to use your portable mail program? No problem. Because there are several ways under Windows to make access by third parties impossible.

Even better, however, you don't have to spend any money on that extra dose of security. In this article, we will introduce you to various options for protecting the folders and files stored on a USB stick from misuse.

Encrypt individual folders with the Windows on-board tools

You do not need to install any special software to quickly encrypt a folder under Windows. Because that also works with on-board resources. It does not matter whether the folder is on an internal hard drive or a USB stick. The only requirement is that the drive or USB stick is formatted with the NTFS file system - it does not work with FAT / FAT32.

Right-click on the folder in Windows Explorer, select "Properties" in the next step and then click on "Advanced" in the "General" tab. In the next dialog, activate "Encrypt content to protect data" and confirm with "OK". Then, in the “Confirm changes to attributes” dialog, specify whether the encryption should only apply to this folder or also to all subdirectories, and finish the process with “OK”. Windows then encrypts the folder contents.

In the test, encrypting a 1.4 GB folder with around 13,500 files took well over 60 minutes.

EnlargeIf the USB stick is formatted with the NTFS file system, folders and subfolders can be easily encrypted and protected using their properties using a Windows function.

Finally, an operating system message informs you that you should back up the data encryption certificate and the key. As the encrypted files can no longer be accessed if the certificate or key is damaged, you should strictly follow this advice. Click Back Up Now (Recommended) and follow the instructions in the wizard to save the security information. It is advisable to decide on a secure password in the "Security" dialog and then to give the certificate file a meaningful name. For security reasons, you should copy the PFX file saved by default in the “C: \ Users \ username \ Documents” folder and also save it on another drive.

You can tell that individual folders are encrypted by a special icon in Windows Explorer. However, since this icon is only displayed in the "Medium-sized icons", "Large icons" and "Extra large icons" views, we recommend that you configure Windows Explorer so that the names of encrypted folders are displayed in green. In Windows Explorer, click the “View” tab, then select the “Options” menu icon on the far left and click “Change folder and search options”. In the “View” tab, activate the option “Display encrypted or compressed NTFS files in a different color” and also confirm by clicking the “OK” button.

To check whether the protection mechanism works, eject the USB stick and connect it to another Windows device. When you open an encrypted folder, the contents are displayed, but as soon as you try to open a file, Windows informs you that you do not have the required permissions for it.

Tip:USB stick with 2 terabytes of storage capacity

Encrypt USB stick under Windows with Bitlocker To Go

EnlargeWith the Bitlocker Drive Encryption and Bitlocker To Go, the Pro versions of Windows offer excellent functions for encrypting HDDs and USB drives.

Regardless of whether you work with Windows 10 or are still using Windows 8 / 8.1 or 7 on a second computer - if you have opted for the Pro edition of the operating system, you already have two effective encryption options: Bitlocker drive encryption for the Encryption of individual partitions and complete drives as well as Bitlocker To Go for removable media such as USB sticks.

Setting up Bitlocker To Go is easy. Connect the USB stick to the Windows 10 computer, click on “Start” and select “Settings”, then “System”. In the left column select the entry "Info" and click in the main window under "Related Settings" on the hyperlink "BitLocker Settings". Alternatively, you can also type system into the search field, click on "Control Panel" in the list of references and then select "BitLocker Drive Encryption". Under “Removable Storage - BitLocker To Go” click on the entry to expand the list of removable drives and select “Activate BitLocker” next to the USB stick you want.

In the “Method for unlocking the drive” dialog, choose the option “Use password to unlock the drive”. Now enter a strong password that you can easily remember. You must enter this password whenever the removable disk is connected to another Windows computer. After clicking on “Next” you will get to the “How should the recovery key be saved?” Dialog.

USB sticks with built-in security mechanisms

Ready-made security sticks have an advantage over self-made USB sticks: They work with a crypto chip, which contains an important part of the encryption technology. On the one hand, this makes the sticks significantly faster than pure software encryption, and on the other hand, the protected files are, at least in some cases, more difficult to crack. For this plus in speed and security, however, you also pay the higher price for finished sticks. The Kingston Datatraveler 2000 (16 GB for around 120 euros) is interesting because it has an integrated keyboard. This ensures that the password cannot be determined even on PCs on which a keylogger records the keystrokes.

If, on the other hand, you need to protect log-in information, the Phrase-Lock USB stick is ideal. For around 50 euros you can get a particularly well-protected system for password management and simple log-ins on the PC. You save the log-in data for your web services, but also for many other access data, such as logging into your Windows user account, on your smartphone in the Phrase-Lock app. The data is encrypted with a key that is stored on the USB stick. The smartphone connects to the stick via Bluetooth when it is plugged into the PC. The log-in data from the app can be transferred to the open Internet browser on the PC at the touch of a finger. It worked smoothly in the test. We only find the one-time entry of the log-in a bit cumbersome. The app also includes a password generator that automatically generates complex passwords.

Select and save the recovery key

EnlargeTo be on the safe side, you should not only save the recovery key as a file, but also print it out on a piece of paper.

There are three options to choose from when saving the recovery key. If you don't trust Microsoft, you can safely ignore the option "Save to Microsoft account". In this case you choose "Save to file" and then specify the storage folder for the TXT file. It is recommended that you also print out the recovery key. To do this, select the option of the same name. You can store the printout, which contains both the recovery key and recovery instructions, in a safe place. This ensures that you can still access the data stored on the USB stick if you forget your password and lose the recovery file.