How to Encrypt a USB Drive... for Free


In this modern world, where data protection has never been more important, it pays to take those extra steps to keep your data secure.  This is particularly relevant when talking about removable devices, such as USB storage.  Just think how easy it is to misplace a memory stick, particularly with these portable devices getting smaller and smaller.  Do you really want all your files sitting there waiting for whoever finds them to have a good old browse?

That’s where encryption comes in.  There are two types of encryption: hardware and software.  Put simply, hardware encryption is carried out by the device itself.  For this to work, and as the name suggests, the hardware must contain its own circuitry to carry out the encryption.  Generally these devices are easier to set up.  The downside is they’re usually more expensive.

Which brings us to the other type, known as software encryption.  Again, the clue is in the name.  With these devices, software is used to encrypt your files.  As this doesn’t require any special hardware to function, this option is usually much cheaper (or even free, if you already own the storage device).  The downside here is that you often require administrative rights on your computer to use this type of encryption – not a problem if it’s your home PC (as the main account usually has these privileges), but this can be a major stumbling block if you’re trying to use a software encrypted device on a corporate network where user accounts may be locked down.

For this reason, especially if you’re setting out to buy an encrypted storage device, you need to be aware of what you’re buying and be sure to purchase a suitable device.  Take an encrypted USB memory stick, for instance.  This is available to buy in both hardware and software encrypted versions.  Price is often a good indicator of what you’re getting (unfortunately, the best products are usually the most expensive), but you should also check the spec sheet.

Why am I talking about price? Isn’t this article called Securely Encrypt a USB Drive for Free? All we’ve discussed so far is related to buying one. You’re absolutely right, and while purchasing an encrypted storage device is usually the easiest option, with a little effort on our part, we can definitely create something to rival even the best products on the market as far as security is concerned.  This is great news if you already have a USB hard drive, as it won’t even cost you a penny!

Getting Started

Note, while I’m using a USB hard drive for the purpose of this tutorial, everything covered in this guide will work just as well on a USB memory stick.

So let’s turn our external storage device into our very own super secure digital fortress.  To do this, we’re going to use some free and open source software called VeraCrypt.  Open a web browser and head over to the following website.

https://veracrypt.fr

Click on the Downloads tab, and get the “Windows – Portable version”.  Make a note of where you saved the file, we’ll need it shortly.  With that done, you can close your browser.

Let’s do a little preparatory work on our USB hard drive

Plug it into your computer now, if it’s not already.  If it’s a USB 3 drive, make sure you plug it into the correct socket so as to get the fastest transfer speed – you can tell if it’s USB 3 by the blue-coloured plastic inside the connector, as shown on the right.  Connect this to a blue-coloured socket on your computer.

Next, click on the Start Menu and type “management” (without the quotes).  When Computer Management appears, click on it.  In the left column of the window that opens, select Disk Management.  If you look through the devices your computer has found, you should see your USB hard drive in the list.  If you look at the screenshot below, you’ll see that mine is listed as Disk1 and is 931.51 GB in size.

I know this is my USB hard drive as it’s a 1 TB (Terabyte) model, and the only other disk listed is the (C:) drive of my computer.

Some tech stuff

In case you’re interested, 1 TB equals 1000 GB (gigabytes), so why does my drive only show up as 931.51 GB?  To put it simply, it’s all to do with the mathematics involved in calculating the capacity.  Basically, computers use base 2 numbers, people use base 10, which is why most hard drives show slightly less space being available than you might have been expecting – it’s not the manufacturer trying to rip you off, honest!

On your marks… get set… GO!

Okay, back to the job in hand.  Let’s get our hard drive ready.  Warning. This procedure will completely wipe your drive.  If there’s any data on it, back it up first.  Now let’s begin.  Right-click on your USB partition (the box with the diagonally striped lines) and select “delete volume…”  It will ask if you want to continue, click “Yes”.

When the partition changes to “Unallocated”, right-click on it again.  This time, select “New Simple Volume…”  Then click “Next”.  On the Specify Volume Size window, click “Next” again.  Leave “Assign the following drive letter:” selected.  You can change the drive letter itself, if you wish (I’m leaving it as E) and click “Next”.

“Format this volume with the following settings:” should be selected in the next window.  Make sure the “File System:” is set to NTFS and that “Allocation unit size:” is Default.  You can call the “Volume Label:” what you like (I’m going with USB).  Now make sure “Perform a quick format” is checked and “Enable file and folder compression” is NOT checked.  Then click “Next”.  Finally, click “Finish”.

Your USB hard drive will say that it is “Formatting”.  When it’s finished, it should read “Healthy”.  You can now close the window.  More than likely File Explorer automatically opened to the new formatted USB directory.  If it didn’t, open File Explorer now.

Like most things computer-related, there are lots of ways to set things up.  Here, we’re going to do it in a way that will allow you to take your new encrypted USB hard drive with you and use it on any computer you wish (barring the caveats I mentioned at the beginning of this article pertaining to the limitations of software encryption).  To do this, we’ll copy all the necessary files onto the USB drive itself.

Let’s start with the VeraCrypt executable file we downloaded earlier.  Copy and paste this onto your USB hard drive, and then double-click on it.  VeraCrypt’s Setup Wizard should launch.

Select your language and click “OK”, then accept the terms of the licence and click “Next” again.

On the following screen, click “Extract” and then click “Finish”.

You’ll notice that there is now a VeraCrypt folder (as well as the VeraCrypt Portable file) on the root of your USB drive (the root is simply the topmost directory on a hard drive, from where you can navigate down into all of the files and folders contained within it).

Next, delete the VeraCrypt Portable file, as it’s no longer needed.

Double-click the VeraCrypt folder.

Then double-click the VeraCrypt application, as shown below.

Click “Yes” to allow UAC (User Account Control) and the VeraCrypt window will open.

Encrypt the volume

It’s time to create our encrypted volume.  This is simply a file that will hold all of our data securely.  Even though it is just a single file, you can think of it like a virtual hard disk.  Later, we’ll mount this so that we can use it just like any other drive.

But first we need to create it.  So, to get started, click on “Create Volume”.  This will open the VeraCrypt Volume Creation Wizard.  Here we’ll select “Create an encrypted file container”, if it’s not already, and click “Next” to proceed.

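You now have the option to create a Hidden VeraCrypt volume for extra security.  A hidden volume is meant for situations where you could be forced to reveal your password, which isn’t what we’re guarding against here.  As we’re going to be using strong encryption, we don’t really need to do this, so click “Next” to continue with the selected “Standard VeraCrypt volume”.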

On the Volume Location screen (shown above), click “Select File”.  We’re going to save our encrypted file on the root of our USB hard disk, so navigate up one level to the root directory; “USB (E:)”, in my case.  Now give your encrypted file a name.  I’ve called mine “FortKnox” – feel free to do the same, though you can use any name you like – and click “Save”.

Click “Next” to carry on through the wizard. Next up, we come to Encryption Options. AES (or Advanced Encryption Standard) is a good secure option, so we can leave it on the default. Again, SHA-512 is a nice strong Hash Algorithm, so we can leave that on the default as well.

Tech Terms Turned into Plain English

SHA stands for Secure Hash Algorithm, and is a cryptographic hash function. Sounds complicated, doesn’t it? Fret not, it’s basically just a way of taking data, and then, using a mathematical algorithm, jumbling it all up into seemingly random-looking gibberish. Most importantly, this is a one-way process. In other words, it’s extremely difficult to reverse the procedure, which is good for us as it means the encryption is hard to crack.

Onwards we go

Click “Next” to go with the encryption defaults.  Now we set the size of our volume.  Obviously it can’t be larger than the physical size of the hard drive itself.  Since my 1 TB hard drive has 930.05 GB of free space, I set my encrypted volume to 900 GB.  So set yours to a suitable size and click “Next”.

Okay, this next step is an important one.  We’re going to set the Volume Password.  You could opt to use a keyfile, but this adds an additional layer of complexity; and you have to be very careful not to lose this file, or you’ll also lose access to your encrypted data.  For our purposes, we’re going to use a password only – so make sure it’s a good one!

Note. Your data will only be as safe as your password.  For this reason, 20 characters or more is recommended, as is the use of upper and lowercase letters, and special characters, such as @=^*+, etc.

Tone’s Tip. Trying to come up with a good, strong password?  Think of the lyrics to your favourite song.  Now take the first letter from each word and jot it down.  Write some as lowercase, some as capitals, and others convert to symbols.  “@” could be used in place of “a”, for example.

Take a moment to come up with your super secure unhackable password – no pressure! – and then type it in.  You’ll also need to type it again to confirm.

Important. Make a note of your password and keep it somewhere safe (like in an actual physical safe).  Without your password, all of your precious data will be inaccessible.

Don’t tick any of the options on the Volume Password screen and click “Next”.

Next we have the Large Files screen.  The key question is, will you be using individual files larger than 4GB?  I suggest clicking “Yes” for this one, as you never know how big your files might become in future – media files, especially HD videos seem to get ever larger – then click “Next”.

Now we come to the Volume Format part of the setup wizard.  Since we’re working on a Windows computer, set the “Filesystem” to “NTFS” and leave “Cluster” set to “Default”.  You may be tempted to tick the “Dynamic” option, as this creates the encrypted volume more quickly by growing it as you add more data.  I would advise against this, as it will result in the encrypted drive being slower (you only have to do this once, so best to take longer now and benefit from a faster encrypted hard drive).

Okay, the fun part! Wiggle your mouse around to create a series of random movements that the software will use as a source of randomness when generating the encryption keys.

Tone’s tip. Short random movements are more effective than large ones.

When the line has turned green, click the “Format” button and the program will set to work.  The bigger your USB hard drive, the longer this will take.  A coffee break is always a good idea 🙂

Once it’s finished, you will be notified that “The VeraCrypt volume has been successfully created”.  Click “OK” and on the Volume Created screen, click “Exit”.  Finally, “Exit” out of VeraCrypt.

Let’s make life a little easier

To make things a bit easier, let’s create a shortcut to launch VeraCrypt each time we use it.  To do this, open File Explorer, if it’s not already, and navigate to your USB hard drive and the VeraCrypt folder.

Right-click on the VeraCrypt application and click “Create shortcut”.  Find the “VeraCrypt – Shortcut” and cut and paste it into the root of your USB hard drive.

Okay, now that we’ve created our encrypted USB hard drive, how do we use it?

Right, down to business.  Open File Explorer, locate your USB hard drive and double-click the “VeraCrypt – Shortcut” link that we just created.  Click “Yes” to open the software.

First we need to pick a drive letter to assign to our new encrypted volume.  I’ve gone with S (for Super Secure!)

Now click “Select File” and browse to the encrypted file you saved on your USB hard drive (in my case, FortKnox).  Select it and click “Open”.

Lastly, we need to mount our encrypted file so that we can access it.  This will allow us to open and save to it as though it were a standard drive.  To do this, click the “Mount” button.

You will be asked to enter your password.  NB. Don’t check any of the boxes.  Just enter your password and click “OK”.

VeraCrypt will mount your USB hard disk’s encrypted volume.  Let’s go check it out.  Open File Explorer and go to “This PC”.  You’ll see that you now have a Local Disk (S:) – if you used the same drive letter as me.

Use this as you would any other directory on your computer; the difference being, anything you put in this folder is encrypted and secure.

What about once I’ve finished working.  How do I remove my encrypted hard drive?

You’re right to ask.  It’s important that you NEVER just unplug the USB cable as you may corrupt the data on your disk.  So here’s the procedure to safely remove your encrypted drive.

If VeraCrypt is still open, you can simply click the “Dismount” button to unmount it.  The program can now be closed and the USB drive unplugged.  If you’ve closed VeraCrypt before dismounting your encrypted volume, you need to reopen the program and click “Dismount All”.  You can now close VeraCrypt and safely unplug your USB hard drive.

Tone’s Tip. After you’ve mounted your encrypted volume, I suggest minimizing the VeraCrypt window so that it’s out of the way.  Then maximize it to dismount your encrypted volume before closing the program.

Important. Do not try to access your data directly through the physical USB drive letter (E: in my case).  You should only access it after first mounting the encrypted volume in the VeraCrypt software and then using the drive letter you have assigned (S: on my computer).  If you put data directly on the USB hard drive without mounting it first, it will NOT be encrypted.

Let’s make things even easier (optional)

This last step is optional, but it definitely makes things a LOT easier (you don’t have to go through any of that manual mounting process), but it does require creating a couple of batch files to simplify things.

The technical bit

A batch file is just a small file containing a little bit of code that tells the computer how to do something.  Think of it like talking to the computer in its own language.  Don’t worry, we only need to briefly converse and you can just copy what I do.

Let’s create some batch files

We’re going to create the following two files: “Open.bat” and “Close.bat”.

As the names suggest, we’ll use these batch files to open and close our encrypted volume.  So let’s get to it.  Open Notepad (this is a handy little text editor built into Microsoft Windows).  To open it, go to the Start Menu, and select “All apps”.  You’ll find “Notepad” buried under “Windows Accessories”.

Inside Notepad, type the following line.

"\VeraCrypt\VeraCrypt.exe" /v FortKnox /l s /a /e /b /q

Tone’s Tip. Rather than typing, why not copy and paste the above text to avoid any typos.  Ctrl + C and Ctrl + V are the keyboard shortcuts for Copy and Paste respectively.

Substitute “FortKnox” for the name of your encrypted file, and change the “s” to the drive letter you want to use.  Keep everything else as is.  Now save the file as “Open.bat” (without the quotes) to the root of your USB hard drive, as shown below.  Ensure that the “Save as type:” is set to “All Files”, before clicking “Save” – this is important as we don’t want to save it as a text file, which is Notepad’s default file type.

That’s the first one done.  Now let’s create the second batch file.  Again open Notepad, and this time type the following line (don’t forget, you can copy and paste).

"\Veracrypt\Veracrypt.exe" /q /d s

Again, save this file to the root of your USB hard drive, but this time call it “Close.bat” (without the quotes), as in the screenshot below.  As with Open.bat, ensure that the “Save as type:” is set to “All Files” before clicking “Save”.
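
An added example, not part of the original article: a longer Close.bat that checks the encrypted drive letter has really gone before telling you it is safe to unplug.  It assumes the folder layout used in this guide and the drive letter S; the LETTER and VC variable names are my own.

```bat
@echo off
rem Added example (not the article's original Close.bat): dismount, then
rem confirm the drive letter is really gone before saying it is safe to unplug.
setlocal

rem Assumptions: same layout as the article (VeraCrypt folder on the USB root)
rem and the encrypted volume mounted as S:. Change LETTER to match yours.
set "LETTER=S"
rem %~dp0 expands to the folder this script is in, e.g. E:\ (trailing backslash included),
rem so the script does not depend on the current working directory.
set "VC=%~dp0VeraCrypt\VeraCrypt.exe"

if not exist "%VC%" (
    echo Cannot find "%VC%".
    goto :fail
)
if not exist %LETTER%:\ (
    echo %LETTER%: is not mounted, nothing to dismount.
    goto :done
)

rem /d = dismount the given drive letter, /q = exit when finished.
rem /s (silent) and /f (force) are deliberately not used.
start "" /wait "%VC%" /q /d %LETTER%

rem Poll for up to 10 seconds in case the dismount completes slightly later.
set /a TRIES=0
:poll
if not exist %LETTER%:\ goto :done
set /a TRIES+=1
if %TRIES% geq 10 goto :stillmounted
timeout /t 1 /nobreak >nul
goto :poll

:stillmounted
echo %LETTER%: is STILL MOUNTED. Close any files or programs using it and run this again.
goto :fail

:done
echo %LETTER%: is dismounted. You can now safely remove the USB drive.
pause
exit /b 0

:fail
echo Do NOT unplug the drive yet.
pause
exit /b 1
```

The pause at the end keeps the window open after a double-click so the result can be read before it closes.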

A Spot of Spring Cleaning

We now have our two batch files: one for opening our encrypted volume (Open.bat), and another for closing it when we’re done (Close.bat).  We could quite easily leave things there, but let’s just do a quick bit of housekeeping.

We don’t need to see the “VeraCrypt” folder, “FortKnox” encrypted file, and “VeraCrypt – Shortcut” anymore (in fact, it’s probably best that we don’t, so we can’t accidentally delete them), so let’s hide them.  First select them all.

Tone’s Tip. Hold down the “Ctrl” key on your keyboard while single-clicking each one to select them.

Now right-click one of them (it doesn’t matter which).  On the menu that appears, select “Properties”.  In the window that opens (shown below), tick “Hidden” and click “OK”.

It will ask you to Confirm Attribute Changes.  Leave this on the selected “Apply changes to the selected items, subfolders and files”, and click “OK”.

You should be looking at the root of your USB hard drive in File Explorer and only seeing “Open” and “Close” (everything else is now hidden).

And that’s it.  To open your encrypted USB hard drive, you simply double-click “Open”. Click “Yes” to allow UAC, and you’ll be asked to enter your password.  After you do this and click “OK” your encrypted volume will mount and you can start to use it.

Once you’ve finished, just come back to your USB hard drive root directory and double-click “Close”.  Click “Yes” to allow UAC, and you can then safely unplug your USB hard drive.

If you’ve made it this far, congratulations.  You now have a super secure USB drive that you can take with you wherever you go, secure in the knowledge that everything on it is strongly encrypted.  So, should the worst happen, no unwanted snoopers will be spying on your data.

Now go encrypt every external USB hard drive and memory stick you own!  Don’t forget, you’ll have to transfer any data off them first, as carrying out this procedure will completely wipe the device.  You can always copy your stuff back on to them afterwards and have it safe and secure.

Happy Encrypting!