Securing a USB Drive

The problem: You want to transport information. A USB drive is a convenient solution, but comes with risks. There is always the risk that the drive could be misplaced or stolen. You need some way to encrypt the data so that your loss is limited to the drive, and the data on the drive does not fall into unscrupulous hands.


Dedicated secure drive and a strong password. By using a secure USB drive (and a strong password), the information on a lost or stolen secure USB drive is not disclosed. Avoid the older implementations; see Update Your Secure USB Drive.

  • SanDisk
  • Verbatim
  • Kingston
  • TAC Drive
  • IronKey
  • Imation secure USB drives
  • Kingston DataTraveler 4000-M, a managed version of their secure USB drive has been announced.  “Full device-state management for tight policy enforcement and lockdown of stolen/lost drives – without bricking; customization for easy asset tagging; and, full audit and backup/recovery for forensic analysis and compliance – including adherence to all data-at-rest regulations.”
  • Victorinox Secure Pro USB drive has been discontinued by the manufacturer. Return these devices for a refund.

Passthrough encryption device and strong password used with generic USB storage device.

  • The Enigma module is an inline USB encryption solution designed to provide real-time full disk encryption for any USB mass storage class (MSC) drive.

Dedicated secure drive with integrated keypad. A benefit of USB drives is their platform independence. If the USB drive requires a driver and a device with a keyboard, then you can’t plug it into your TV or Blu-Ray player. There are other dedicated secure drives with integrated keypads to enable the device to transport files to any device which accepts a USB drive.

Dedicated secure drive with integrated biometrics.

  • Apricorn Aegis Bio 3.0 USB 3.0 external drive safeguards data with secure fingerprint access and military grade 256-bit AES-XTS hardware encryption.

Ordinary USB drive with encryption software and strong password.

  • Ordinary USB drive and Bitlocker encryption.
  • Ordinary USB drive and TrueCrypt encryption. A copy of TrueCrypt Portable on the USB drive means you won’t need to install TrueCrypt on the host device to read the encrypted portion of the USB drive. (While use of TrueCrypt has been discouraged, it will still defeat almost any thief. See “Open Crypto Audit Project TrueCrypt Security Assessment” [pdf].)
  • Ordinary USB drive and Rohos Mini Drive or USB Safeguard. Both can reside upon the USB drive. Both offer a free version which encrypts up to 2 GB.
  • How to Create a Secure USB Drive in Ubuntu with Linux Unified Key Setup


  • Password strength. Easily guessed passwords turn encryption into an ineffective control. How do you enforce a strong password policy?
  • Remote wipe. The goal of an encryption implementation is to make cracking take longer than is practical. (Easily guessed passwords make cracking practical.) After a small number of failed attempts, the device should wipe itself.
  • Key management. Can keys for these encrypted devices be managed centrally? If they cannot, is the information on these devices managed in another fashion?
  • Maintenance. If these devices must be updated, what approaches are available?
  • Inventory. How will these devices be tracked? What are the costs of not tracking them?
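The two controls the password-strength and remote-wipe points describe, a slow key derivation so every guess is expensive and a self-wipe after a short run of failures, as an added toy model in Python (not code from the article or from any vendor's firmware; the iteration count, attempt budget, and the SHA-256 stream cipher standing in for AES-XTS are assumptions):

```python
import hashlib
import os
import secrets

# Toy model of a self-wiping secure USB drive. A random data key (DEK) is
# wrapped with a key derived from the passphrase by PBKDF2, so each guess
# costs a full KDF run; after MAX_ATTEMPTS failures the wrapped DEK is
# destroyed and the ciphertext becomes unrecoverable.
PBKDF2_ITERATIONS = 100_000  # assumed; real devices bind the KDF to hardware
MAX_ATTEMPTS = 10            # assumed attempt budget before self-wipe


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class SimulatedSecureDrive:
    def __init__(self, passphrase: str, plaintext: bytes):
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)                    # data encryption key
        self.dek_check = hashlib.sha256(b"check" + dek).digest()[:8]
        self.wrapped_dek = _keystream_xor(self._kek(passphrase), dek)
        self.ciphertext = _keystream_xor(dek, plaintext)
        self.failed_attempts = 0
        self.wiped = False

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    def unlock(self, passphrase: str):
        """Return the plaintext on success; None on a wrong passphrase or
        once the drive has wiped itself."""
        if self.wiped:
            return None
        dek = _keystream_xor(self._kek(passphrase), self.wrapped_dek)
        if hashlib.sha256(b"check" + dek).digest()[:8] != self.dek_check:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.wrapped_dek = bytes(32)  # key material gone for good
                self.wiped = True
            return None
        self.failed_attempts = 0              # success resets the counter
        return _keystream_xor(dek, self.ciphertext)
```

A correct passphrase resets the counter, so a legitimate user who mistypes a few times is not punished, while a sustained guessing run against a weak passphrase hits the wipe long before a dictionary is exhausted.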

When reviewing these challenges, remember the risk from lost, unencrypted data. You may choose to accept a less-than-perfect management solution to limit the risk of information disclosure.
