How to Securely Encrypt a USB Flash Drive
If you carry sensitive information around on a USB drive, you should consider using encryption to secure the data in case of loss or theft. I’ve already talked about how to encrypt your hard drive using BitLocker for Windows or FileVault for Mac, both built-in operating system features.
For USB drives, there are a couple of ways you can go about using encryption on the drives: using BitLocker on Windows, buying a hardware encrypted USB drive from a third-party or using third-party encryption software.
In this article, I’m going to talk about all three methods and how you can implement them. Before we get into the details, it should be noted that no encryption solution is perfect and guaranteed. Unfortunately, all the solutions mentioned below have run into issues over the years.
Security holes and vulnerabilities have been found in BitLocker and in third-party encryption software, and a lot of hardware encrypted USB drives can be hacked. So is there any point to using encryption? Yes, definitely. Hacking and exploiting vulnerabilities is extremely hard and requires a lot of technical skill.
Secondly, security is always being improved and updates are made to software, firmware, etc. to keep data secure. Whatever method you choose, make sure to always keep everything updated.
Method 1 – BitLocker on Windows
BitLocker will encrypt your USB drive and then require a password to be entered whenever it is connected to a PC. To get started using BitLocker, go ahead and connect your USB drive to your computer. Right-click on the drive and click on Turn on BitLocker.
Next, you’ll have the option to pick how you want to unlock the drive. You can choose to use a password, use a smart card or use both. For most personal users, the password option will be the best choice.
Next, you’ll need to choose how you want to save the recovery key in case the password is forgotten.
You can save it to your Microsoft Account, save to a file or print the recovery key. If you save it to your Microsoft Account, you’ll have a much easier time recovering your data later on since it’ll be stored on Microsoft servers. However, the downside is that if law enforcement ever wants your data, Microsoft will have to pony up your recovery key if served a warrant.
If you save it to a file, make sure that file is stored somewhere secure. If someone can easily find the recovery key, then they can access all of your data. You can save to a file or print the key and then store that in a bank lockbox or something very secure.
Next, you need to choose how much of the drive you want to encrypt. If it’s brand new, just encrypt the used space and it’ll encrypt the new data when you add it. If there is already something on it, then just encrypt the whole drive.
Depending on which version of Windows you are using, you may not see this screen. On Windows 10, you’ll be asked to choose between the new encryption mode or the compatible mode. Windows 10 has better and stronger encryption, which will not be compatible with earlier versions of Windows. If you want more security, go with the new mode, but if you need to connect the drive to older versions of Windows, go with compatible mode.
After this, it will begin to encrypt the drive. The time will depend on how big your drive is and how much data needs to be encrypted.
Now if you go to another Windows 10 machine and plug in the drive, you’ll see a little message appear in the notification area. In earlier versions of Windows, just go to Explorer.
You’ll also see the drive icon has a lock on it when you view the drives in Explorer.
Finally, when you double-click on the drive to access it, you will be prompted to enter the password. If you click More Options, you’ll also see the option for using the recovery key.
If you want to turn off BitLocker at a later point, just right-click on the drive and choose Manage BitLocker. Then click on Turn off BitLocker in the list of links.
You can also change the password, back up the recovery key again, add smart card verification and turn auto-lock on or off. Overall, it’s a simple and secure way to encrypt a flash drive that doesn’t require any third-party tools.
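The same Method 1 procedure can be scripted with the BitLocker PowerShell cmdlets built into Windows. This is an added example, not part of the original article; the drive letter E: and the recovery file path are assumptions, and it has to be run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Drive letter and file path are assumptions.
param(
    [string]$MountPoint   = 'E:',                        # assumed letter of the USB drive
    [string]$RecoveryFile = 'C:\Keys\usb-recovery.txt',  # assumed path on a different disk
    [switch]$Compatible,                                 # drive must work on older Windows
    [switch]$FullDrive                                   # drive already holds data
)
$ErrorActionPreference = 'Stop'

# Refuse to touch anything that is not removable media.
$vol = Get-Volume -DriveLetter ($MountPoint[0])
if ($vol.DriveType -ne 'Removable') { throw "$MountPoint is not a removable drive." }

# A recovery key stored on the drive it unlocks protects nothing.
if ($RecoveryFile -like "$MountPoint*") { throw 'Keep the recovery key off the USB drive.' }
New-Item -ItemType Directory -Force -Path (Split-Path $RecoveryFile) | Out-Null

# "New encryption mode" in the wizard is XTS-AES; "compatible mode" is AES-CBC.
$method = if ($Compatible) { 'Aes128' } else { 'XtsAes128' }

$options = @{
    MountPoint        = $MountPoint
    EncryptionMethod  = $method
    PasswordProtector = $true
    Password          = Read-Host -AsSecureString 'Unlock password'
    UsedSpaceOnly     = (-not $FullDrive)   # used space only suits a brand new drive
}
Enable-BitLocker @options | Out-Null

# Recovery password: same role as the "save to a file" option in the wizard.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword |
    Set-Content -Path $RecoveryFile

# Confirm the result instead of trusting the lock icon in Explorer.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Wait until VolumeStatus reports FullyEncrypted before removing the drive, then move the recovery file to offline storage as the article advises.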
Method 2 – VeraCrypt
There is a lot of third-party data encryption software out there that claims to be safe and secure, but no audit has been done to ensure this so-called quality. When it comes to encryption, you need to be sure the code is being audited by teams of security professionals.
The only program I would recommend at this time would be VeraCrypt, which is based on the previously popular TrueCrypt. You can still download TrueCrypt 7.1a, which is the only recommended version to download, but it’s no longer being worked on. The code has been audited and thankfully no major security vulnerabilities have been found.
However, it does have some issues and therefore shouldn’t really be used anymore. VeraCrypt basically took TrueCrypt and fixed most of the issues that were found in the audit. To get started, download VeraCrypt and then install it on your system.
When you run the program, you’ll get a window with a bunch of drive letters and a few buttons. We want to start off by creating a new volume, so click on the Create Volume button.
The volume creation wizard will pop up and you’ll have a couple of options. You can choose to Create an encrypted file container or you can choose to Encrypt a non-system partition/drive. The first option will create a virtual encrypted disk stored in a single file. The second option will encrypt your entire USB flash drive. With the first option, you can have some data stored in the encrypted volume and the rest of the drive can contain unencrypted data.
Since I only store sensitive information on one USB drive, I always go with the option to encrypt the entire drive.
On the next screen, you have to choose between creating a Standard VeraCrypt volume or a Hidden VeraCrypt volume. Make sure to click on the link to understand the difference in detail. Basically, if you want something super secure, go with the hidden volume because it creates a second encrypted volume inside the first encrypted volume. You should store the real sensitive data in the second encrypted volume and some fake data in the first encrypted volume.
In this way, if someone forces you to give up your password, they will only see the contents of the first volume, not the second one. There is no extra complexity when accessing the hidden volume; you just have to enter a different password when you mount the drive, so I would suggest going with the hidden volume for extra security.
If you choose the hidden volume option, make sure to pick Normal mode on the next screen so that VeraCrypt creates the normal volume and hidden volume for you. Next, you have to choose the location of the volume.
Click on the Select Device button and then look for your removable device. Note that you can choose a partition or the entire device. You might run into some issues here because trying to select Removable Disk 1 gave me an error message stating that encrypted volumes can only be created on devices that don’t contain partitions.
Since my USB stick only had one partition, I ended up just choosing the /Device/Harddisk/Partition1 E: and it worked fine. If you chose to create a hidden volume, the next screen will set the options for the outer volume.
Here you have to choose the encryption algorithm and the hash algorithm. If you have no idea what anything means, just leave it at the default and click Next. The next screen will set the size of the outer volume, which will be the same size as the partition. At this point, you have to enter an outer volume password.
Note that the passwords for the outer volume and hidden volume have to be very different, so think of some good, long and strong passwords. On the next screen, you have to choose whether you want to support large files or not. They recommend no, so only choose yes if you really need to store files larger than 4GB on the drive.
Next, you have to format the outer volume and I would recommend not changing any of the settings here. The FAT filesystem is better for VeraCrypt. Click the Format button and it will delete everything on the drive and then start the creation process for the outer volume.
This will take some time because this format actually writes random data over the entire drive as opposed to the quick format that normally occurs in Windows. Once complete, you’ll be asked to go ahead and copy data to the outer volume. This is supposed to be your fake sensitive data.
After you copy the data over, you’ll now start the process for the hidden volume. Here you have to choose the type of encryption again, which I would leave alone unless you know what all that means. Click Next and you now have the ability to choose the size of the hidden volume. If you’re sure you’re not going to add anything else to the outer volume, you can just max the hidden volume out.
However, you can make the size of the hidden volume smaller too if you like. That will give you more room in the outer volume.
Next, you have to give your hidden volume a password and then click Format on the next screen to create the hidden volume. Finally, you’ll get a message telling you how to access the hidden volume.
Note that the only way to access the drive now is by using VeraCrypt. If you try to click on the drive letter in Windows, you’ll just get an error message saying the drive cannot be recognized and needs to be formatted. Don’t do that unless you want to lose all your encrypted data!
Instead, open VeraCrypt and first choose a drive letter from the list at the top. Then click on Select Device and choose the removable disk partition from the list. Lastly, click the Mount button. Here you will be asked to enter the password. If you enter the outer volume password, that volume will be mounted to the new drive letter. If you enter the hidden volume password, then that volume will be loaded.
Pretty cool right!? Now you have a super secure software encrypted USB flash drive that will be impossible for anyone to access.
Method 3 – Hardware Encrypted USB Flash Drives
Your third option is to buy a hardware encrypted USB flash drive. Never buy a software encrypted flash drive because it is probably using some proprietary encryption algorithm created by the company and has a much higher chance of being hacked into.
Even though method 1 and 2 are great, they are still software encryption solutions, which are not as ideal as a hardware based solution. Hardware encryption allows for faster access to the data on the drive, prevents pre-boot attacks and stores the encryption keys on a chip, removing the need for externally stored recovery keys.
When you buy a hardware encrypted device, make sure it is using AES-256 bit or is FIPS-compliant. My main recommendation in terms of trustworthy companies is IronKey.
They’ve been in the business for a very long time and have some really high security products for consumers all the way to enterprises. If you really need some secure flash drives and don’t want to do it yourself, then this is the best choice. It’s not cheap, but at least you can feel good that your data is stored securely.
You’ll see a whole bunch of cheap options on sites like Amazon, but if you read the reviews, you’ll always find people who were “shocked” when something happened and they were able to access the data without typing in their password or something similar.
Hopefully, this in-depth article gives you a good idea of how you can encrypt data on a flash drive and access it securely. If you have any questions, feel free to comment. Enjoy!