Do you want to encrypt USB sticks?
… and prevent unauthorised persons from accessing them.
Here is your guide to encrypting USB sticks (with an extra tip)
Let’s start!
2 encryptions for more privacy
There are two types of encryption:
Symmetric encryption
With symmetric encryption, you use the same key for decryption and encryption.
The encryption mixes and swaps the 0s and 1s of the source file (diffusion and permutation). Each key causes a different mix so that the attacker cannot read the plaintext from the “bit salad”.
Asymmetric encryption
Asymmetric encryption enables two parties to communicate without using the same key for decryption and encryption.
Asymmetric encryption uses a public key for encryption and a private key for decryption. The sender encrypts a message with the recipient’s public key. No attacker can derive the plaintext from the ciphertext using the same key. Only the recipient with his private secret key can decrypt the message.
Which is the most secure encryption?
Both types of encryption are secure if a modern algorithm is used. The Advanced Encryption Standard (AES) is suitable for symmetric encryption. RSA is a secure asymmetric algorithm. We encrypt USB sticks with AES because we know the password and use the USB stick ourselves. We take the USB stick with us when travelling and can ensure that the data is protected if it is lost.
Certification of USB flash drives – the standards
Some major hardware manufacturers offer USB sticks that are particularly secure. They claim that the data is more secure on their devices.
To this end, the manufacturers specify standards that are intended to make a USB stick secure.
Level 1 according to FIPS 140-2
Security level 1 – The USB sticks do not have to fulfil any security requirements. The devices are as secure as a personal computer (no protection). The manufacturer does not have to provide any physical protection. The only protection is the facility, e.g. the locked room / safe in which the memory stick is located.
Level 2 according to FIPS 140-2
Security level 2 specifies a tamper-proof casing and encryption for the device. The physical casing must be broken so that an attacker can gain access to the stored data.
Level 3 according to FIPS 140-2
Security level 3 goes one step further. If a criminal attempts to open the device, the device should overwrite itself with 000.
In Hollywood films, an actor always has to cut the right cable when defusing a bomb. Instead of exploding, the contents of the device are extinguished (same effect).
Steffen Lippke
The hardware itself should check whether the hardware has changed (trusted path).
Level 4 according to FIPS 140-2
The highest level – Level 4 – can automatically recognise whether someone is trying to open the chip and automatically deletes all plaintext keys if the criminal attempts to do so. These memories are difficult to obtain on the market.
Manufacturers can produce the secure USB sticks by wrapping “erasure” wires directly around the casing of the memory. When the wires are cut, the memory erases itself (self-destruction).
Twice as secure – 256-bit AES encryption
AES encryption is an absolute must for every device. Since 1990, no researcher has been able to demonstrate a better attack on AES than brute force (wild testing with billions of passwords).
Tight – IEC 60529 IPX8 compliant
Many USB sticks offer and advertise further certifications. These devices should be protected against water and dust. They should be able to withstand splash water and shallow immersion depths.
This certification does not make the USB more secure from a cryptographic point of view – but the chance of the owner destroying the data unintentionally is lower. If a car gets lost or your hammer slips, this certification is of little use.
Steffen Lippke
Fingerprint – biometrics use
Some (usually very expensive) sticks offer security via your fingerprint. A sensor is built into the device for this purpose. The connected computer can only access the files if authentication via the integrated scanner is successful. Bear in mind that not all sensors can withstand flagship attacks: Silicone fingers, cut fingers or a warm bag of water.
Top tip for very important data
Remember that a simple USB should not be a tomb for very important data.
Steffen Lippke
If you want a secure USB, buy two and make an exact copy. The memory cells (flash) can lose their charge (0 or 1) due to the environment (magnetic fields) or ageing (discharge). You should check the devices every few months to see if one of the USB sticks has “died”.
More in the Backup Guide
USB for Crypto / Bitcoin Wallet
Cryptocurrencies are on the rise. The decentralised management of the currency is based on a public key infrastructure. This means that you, as the owner of crypto, must keep a private key. This is a long sequence of 0s and 1s.
You can store the key on a secure USB stick and encrypt it with a “memorable” password.
You should not entrust your key to anyone – not even the best-known brokers. A USB ledger often uses a set of English real words as the key, which must be written down in a sequence.
Do I need hardware or software encryption?
In principle, software encryption is sufficient from a cryptographic point of view.
AES has not been cracked since 1990. On the other hand, an attacker could extract the file and try to bruteforce it with a botnet. That’s not a nice idea. That’s why hardware encryption exists.
Encryption takes place between the controller and the memory. The signals are decrypted in real time. The process drains performance and consumes power if complex algorithms are used.
Bitlocker step-by-step guide
Secure USB sticks or not. A cryptographer does not necessarily need these devices. Encryption such as AES is secure.
The only thing you need to keep secret is your password. Hardware encryption is nice, but software encryption is similarly secure.
The Bitlocker function is available for Windows Pro.
- 0. Connect your USB stick and create a backup of the data on the USB.
- 1. Go to the Control Panel
- 2. Search for the Bitlocker option at the top right
- 3. Go to Bitlocker To Go
Software encryption with 7zip
The archiving programme 7zip is mainly known for its strong compression of images and documents. you can also encrypt 7Z files with AES.
Use the 7z format to ensure that the attacker does not even see the file names (without content). The software is open source and has therefore been reviewed by many.
1. Download 7zip for Windows
2. Install the programme
3. Right-clickon a folder and search for 7zip
4. Select “Add” in the submenu in “Archive”
5. Select AES-256 from a strong password or passphrase
6. You can compress and encrypt at the same time if you want to shrink your data.
Leave a Reply