by Paul Mah

How to Secure USB Drives and Other Portable Storage Devices

May 28, 20138 mins
Computers and PeripheralsData and Information SecurityEncryption

For all their convenience, misplaced or stolen storage devices often result in the loss of confidential data. To protect against embarrassing, costly and damaging data breaches, take these steps to protect your employees' portable storage devices.

As individuals and organizations digitize more data, they become more susceptible to major data breaches. Though convenient, inexpensive USB flash memory sticks and other portable storage devices certainly don’t help the cause, beacuse workers use them transport databases and other confidential information. On top of the real danger of misused data, major data breaches also cause damaging negative publicity.

It may seem inherently complex, but securing portable storage devices is within reach for small businesses. Here’s what organizations can do to secure their data.

Above All, Encrypt Your Data

Before discussing common methods of securing portable storage devices, it’s worth highlighting an often-underappreciated advantage of encrypting data on portable storage devices. Specifically, properly encrypted data offers a safety net against potentially embarrassing or damaging data surfacing from storage devices that were discarded or sold off.

Many businesses don’t realize how easily deleted files can be retrieved with off-the-shelf recovery software from mechanical storage devices such as hard disk drives (HDD) or USB drives. Reconstituting previously encrypted data, on the other hand, is far more involved, as it that requires the original credentials or even a copy of the decryption key.

Feature: 20 Security and Privacy Apps for Androids and iPhones

An encrypted storage device with a decryption key that’s been erased, or one with a good authentication passphrase, offers a good safeguard against malicious data recovery. A thoroughly wiped or physically destroyed storage device remains the most secure defense against data leakage, though.

Windows 7 and 8: BitLocker To Go

For Windows users, BitLocker To Go is the easiest way to encrypt an entire USB portable storage device. This capability, which first appeared with Windows 7, is initialized to at the disk-volume level of a removable storage drive. The drive’s unencrypted content is password-protected, and data is automatically encrypted as it’s copied over. For convenience, it’s possible to enable auto-unlock, which lets a PC to store decrypted data from specific storage drives.

Though BitLocker To Go volumes can be accessed by any versions of Windows 7 and later, you need Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Pro or Windows 8 Enterprise to initialize BitLocker To Go on storage drives. For Windows XP or Vista platforms, you can install a BitLocker To Go Reader application onto the target storage device during initialization; this app, available as a download, gives users password-protected, read-only access to encrypted data. Note that the reader app only work on storage devices formatted with the exFAT, FAT16 or FAT32 file systems.

Commentary: Enterprise Version of Windows 8 Focuses on Security

Businesses already using the Domain system can set up a policy to enforce mandatory BitLocker protection before data can be copied onto removable drives, for example. Additional controls can cover password complexity or mandate the use of a smart card. Overall, BitLocker To Go is a robust encryption solution that offers a seamless experience for Windows-only organizations.

Windows XP and Vista: Encrypting File System

The Encrypting File System (EFS) is another way to encrypt data on removable disk drive. Though it’s been recently superseded by BitLocker on the hard disk drive and BitLocker To Go for portable storage devices, EFS has been around longer and works on older versions of Windows, including as XP Professional and Vista Business, Enterprise and Ultimate. Enabling EFS is as simple as choosing the “Encrypt contents to secure data” option under the General properties of a folder or file.

On the flip side, EFS has several obscure quirks can be tricky to understand for nontechnical users. The EFS certificate, for one, must first be exported to another computer before it can be accessed. Moreover, files copied into an EFS folder are automatically encrypted, but those that are moved are not. Moving or copying EFS files to a non-NTFS file system removes the encryption, though performing a system backup preserves it.

Mac: 256-bit AES Encryption

On the Mac, you can create a password-protected, encrypted disk image with up to 256-bit AES encryption on Mac OS 10.5 or later. (For older Mac OS versions, 128-bit encryption is available.) The resulting .dmg file can be mounted into the Finder for file access and will automatically expand as data is added. Most importantly, a disk image file behaves as a regular file and can be copied onto a portable storage device.

There’s one major disadvantage of file-level encryption, though: Employees who are lazy or in a hurry can easily skip this step.

Different Encryption Options With Third-Party Software

For a variety of reasons, your business may prefer third-party encryption software to platform-specific solutions. If that’s the case, you have a few options.

  • The open source TrueCrypt, supported on Windows, Mac OS X and Linux platforms, can create encrypted disk images that mount as real disks. TrueCrypt will also encrypt entire partitions or storage devices.
  • GNU Privacy Guard (GnuPG) is another popular tool. It supports Mac OS X, Linux, FreeBSD, NetBSD and Windows, though not the 64-bit version of Windows.
  • Businesses looking for simpler file encryption offerings often turn to strong AES encryption built into free file archival utilities such as the free 7-Zip and the commercial WinRAR.

Tips: Securing Data on All Devices

Self-Encrypting Hardware: Many Options, But Buyer Beware

Recognizing that software encryption offerings aren’t always convenient, security vendors are beginning to offer storage devices that don’t require software.

The LOK-IT Secure Flash Drive, for example, uses a number pad for authentication—the storage drive initializes and appear on the host computer as a normal drive only after a user keys in the correct passcode. Data is transparently decrypted and encrypted in real time as data is read or copied to it; unplugging the drive relocks it automatically. Other examples include the Aegis PadLock and the StarTech encrypted hard drive enclosure, which use LED lights and an OLED display, respectively, to signal their status.

As you will expect, hardware with built-in self-encryption costs more than standard non-encrypting hardware. That said, the software-free design does allow you to use self-encrypting hardware without taking a specific OS into account. Moreover, these devices stymie brute-force attacks by deleting the on-board decryption key after a predetermined number of errors, rendering the remaining data as nothing more than gibberish.

Businesses should know that not all self-encrypting hardware implementations are created equal. Some hardware encryption devices have been found to implement unreliable “pseudo encryption” or perform flawed password checking. There’s often no easy way to separate fake products from the real McCoy, unfortunately, though it’s safe to say that buying hardware at an overnight flea market or from a seller of unknown reputation on eBay is unlikely to be a wise choice.

Mixing Encryption Hardware and Software May Be Best Medicine

Finally, numerous business-centric products use a mixture of proprietary encryption hardware and custom software. One, the Defender series of encrypted flash drives from Kanguru Solutions, is designed for use in both small businesses and enterprises.

As with the self-encrypting hardware mentioned above, data stored on Defender USB flash drives is automatically encrypted with 256-bit AES encryption. Instead of relying on a keypad, though, the Kanguru Defender uses a software client loaded on an unencrypted (and read-only) portion of the drive to request the user password. This is passed to the USB drive for on-device password matching, making it impossible to bypass the authentication process.

Interop News: PayPal Says It’s Time to Ditch Passwords and PINs

The software client serves a dual role, too, synchronizing with a backend server for the latest device policies such as password expiration, maximum number of password attempts and minimum password complexity. Policies that provide access to the Defender USB flash drive in the absence of Internet connectivity can also be configured.

Encryption Strategy Not Always Ready to Wear

Device encryption, like all password-protected technology, comes with the unavoidable risk of users forgetting their passwords. In some cases, proper recovery-key management or a password-management tool can mitigate this. Along these lines, makes sure the encrypted data is never the sole copy of the information and that a secure back up is available elsewhere.

There’s no doubt that the technology to secure portable storage devices already exists, though ease of use and cost can vary widely. BitLocker To Go is easy to implement, but it isn’t suitable for mixed operating system environments. Self-encryption hardware may be more convenient and versatile, but it often comes at a steep per-device premium. Ultimately, businesses must explore the options carefully to determine the best solution for their needs, but the key is to not leave portable storage devices unprotected.

Paul Mah is a freelance writer and blogger who lives in Singapore. Paul has worked a number of years in various capacities within the IT industry. Paul also enjoys tinkering with tech gadgets, smartphones and networking devices. You can reach Paul at and follow him on Twitter at @paulmah.

Follow everything from on Twitter @CIOonline, Facebook, Google + and LinkedIn.