Automatic Encryption/Decryption for Your USB Flash Drive

In “How to Create a Hidden, Encrypted Folder on Your USB Flash Drive,” we accomplished what we set out to do using TrueCrypt, but we found some small problems along the way. One was that the container file in which the hidden volume was placed is itself visible. Another was that the file space allocated to the container file is not hidden from the operating system. It’s clear that something is there.

The security model assumed that if the user were ever forced into divulging the password to the container file, the antagonists would never know that the hidden volume was there and would be distracted by the files they find in the outer volume that look sensitive.

At best, it appears that this scheme could succeed most easily if the container file and the hidden volume were very small – certainly not the 2 GB affair we used for an example.

So what if we don’t want to be cloak and dagger about it? What if we want to encrypt the entire card and be blatant about it?

OK. Let’s look at encrypting all of a USB flash drive and then running TrueCrypt from the flash drive itself. We’ll be using an 8 GB PNY Attaché USB flash drive formatted to Vista’s NTFS file system (for large file size support). We’ll even make it auto-run in Windows to start itself.

Note: Running TrueCrypt in “Traveler mode” requires that the user have administrator’s privileges in Windows. If you are running on a machine on which you’re not the administrator, you’ll need to get someone with administrator privileges to install it for you. This is needed because TrueCrypt uses a device driver to provide on-the-fly, transparent encryption and decryption, and normal users are not allowed to install device drivers. For more information about what normal users can and can’t do with TrueCrypt Traveler, please see their documentation and find the section entitled “Using TrueCrypt Without Administrative Privileges.”

Assuming that your privileges are squared away, let’s proceed. If you already have TrueCrypt installed, please scroll down to the next section.

1. First, download the application and run the installer. You’ll immediately be faced with a choice: install it to the computer, or merely extract the files. Since we assume that you are doing this with the PC which you will primarily use the card, select “Install” for the normal mode and “Next” to continue.

2. And then there are more choices. Do you want to install for all users on the PC? (Probably not if associates or other family members use the PC. Probably so if you are the sole operator of the PC.) Do you want to add TrueCrypt to the Start menu and put an icon on the desktop? (Maybe or maybe not, depending on your needs. The basic unit of security is trust, and I trust that I can control access to my computer. I also have enough desktop icons.) Disabling the Windows paging files (virtual memory on the hard drive) is for those paranoid enough to fear black helicopters. Unless you are really, really worried about some of the content of memory ending up being written to the hard drive, which would take forensics to decipher, I suggest avoiding this setting. On the other hand, associating the .tc file extension with TrueCrypt may be something to not do. This from the theory that the PC doesn’t need to tell everybody and sundry who may be watching that any file in any open folder is a TrueCrypt file. (And that’s how paranoid I am.)

3. Click “Install” and it will start creating a system restore point.

4. Soon after the restore point is created, installation will be complete. Click “OK” and click “Finish”.