As I’ve mentioned in the BitLocker and FileVault posts on the topic, encrypting external media is important. Flash drives are notoriously easy to lose (I’ve lost a few) and the information on them can be potentially devastating. There is one major advantage to using VeraCrypt instead of BitLocker or FileVault: it is cross-platform compatible. You can access the content of your external media from Mac, Windows, and Linux machines instead of being restricted to one operating system. Today’s post will cover VeraCrypt external media encryption in detail. This post was mostly conducted on a Windows 10 machine; specifics vary slightly for different operating systems. If you experience problems, please consult the VeraCrypt User’s Guide by clicking “Help” and selecting “User’s Guide”.
VeraCrypt External Media Encryption
First, plug in your external media, whether external hard drive, USB flash drive, SD card, or other. If you do not have VeraCrypt, download and install it. Open the VeraCrypt interface and click “Create Volume”.
The next screen allows you to choose what you wish to create. Since we are encrypting a drive, select “Encrypt a non-system partition/drive”. The next screen will ask you to choose the volume type, standard or hidden. Choose “Standard VeraCrypt volume” (hidden volumes will be discussed later).
The next screen will allow you to select the device. It is important that you know the drive letter and size of the drive you are encrypting. Otherwise you risk encrypting the wrong one. Find the device you wish to encrypt and select the partition you wish to encrypt. For most external media there will only be a single partition (see bottom left image in the series below). Click “OK” and the next screen will confirm the device. Click “Next”.
The next option you will be given is to “Create an encrypted volume and format it” or “Encrypt partition in place”. If you encrypt the partition in place, any data on the device will be preserved. On Windows machines you can only encrypt the volume in place if it utilizes NTFS storage. This rules out most flash drives which use FAT architecture. If the volume you are encrypting contains files you wish to preserve, you should do the following:
- Create a VeraCrypt volume on your desktop (this will be covered later in the week),
- Copy all files to the desktop volume, and
- Proceed with encrypting and formatting the partition.
- When you have finished, mount both the external media and the encrypted external media, and copy the files back over.
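An added example, not part of the original post: because the format step destroys the originals, this check confirms that the copy in the desktop volume is complete and byte-identical before you proceed, and it can be run again after copying the files back. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                # Read in 1 MiB chunks so large files do not fill memory.
                for chunk in iter(lambda: handle.read(1024 * 1024), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def compare(source, copy):
    """Return files missing from the copy, altered in it, or only in it."""
    src, dst = manifest(source), manifest(copy)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),
    }


def safe_to_format(source, copy):
    """True only when every source file exists unchanged in the copy."""
    report = compare(source, copy)
    return not report["missing"] and not report["changed"]


def demo():
    """Constructed sample: a 'flash drive' folder and an incomplete backup."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, backup = Path(tmp, "drive"), Path(tmp, "backup")
        (drive / "docs").mkdir(parents=True)
        backup.mkdir()
        (drive / "docs" / "notes.txt").write_bytes(b"sample notes")
        (drive / "vault.bin").write_bytes(b"sample vault data")
        (backup / "vault.bin").write_bytes(b"sample vault dat")  # truncated copy
        before = compare(drive, backup)
        # Complete the backup, then check again.
        (backup / "docs").mkdir()
        (backup / "docs" / "notes.txt").write_bytes(b"sample notes")
        (backup / "vault.bin").write_bytes(b"sample vault data")
        return before, safe_to_format(drive, backup)
```

Call `safe_to_format()` with the drive's path and the mounted desktop volume's path; only continue to the format when it returns `True`.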
If you do not have files that you wish to preserve on the new drive, select the first option: “Create an encrypted volume and format it”. After clicking “Next” you will be asked to choose your encryption options. I recommend sticking with the tried and true combination of AES and SHA-512. You will not be able to make any changes to the Volume Size. This will automatically be assigned based on the size of the media you are encrypting.
Finally, assign the volume a password. VeraCrypt does not allow you to paste passwords, either here in the Volume Creation Wizard, or later when mounting the volume. As a result, this password should be one that you can manually enter. I recommend using a diceware password.
You will now be asked if you intend to store “large files” within the volume. This means files larger than 4 GB. It is very rare to encounter a file this large, so for most people the answer will be “No”. If you do intend to store large files, choose “Yes”. VeraCrypt will have to set the volume up with a different file system to support this. On the next screen create some random data for the crypto by moving your mouse around as randomly as possible. Do this at least until the green progress bar is completely full.
If there are files stored on the drive, VeraCrypt will give you two stern warnings before you proceed with a format (see bottom two images). If you are OK with overwriting these files, proceed.
The VeraCrypt external media encryption process has begun. A green progress bar will give you the percentage complete and an estimate of the time remaining. When the encryption process is complete, VeraCrypt will display a prompt letting you know. When you click “OK”, another prompt will appear indicating you cannot mount the volume to the same drive letter it already occupies (see the section below on Using VeraCrypt External Media Encryption). You are now finished with the Volume Creation Wizard and can click “Exit”.
Using VeraCrypt External Media Encryption
You will doubtlessly notice that when you insert the now-encrypted flash drive into computers, they will report being unable to read it. Both Windows and Mac computers will offer to format the drive for you (see image below). DO NOT choose the format option; this will erase the contents of the drive.
Windows: choose a drive letter to assign to the mounted volume. Do so by clicking on a drive letter in the upper part of the interface. Note that this must be an unoccupied drive letter – you cannot mount to a drive letter that is already in use. Click “Auto-Mount Devices”. The password prompt will appear. Enter your password. VeraCrypt will begin decrypting the volume. This may take 60 seconds or more. When the volume is mounted it will appear beside the drive letter you selected in the first step. You can now double-click this drive letter to open the volume. Alternatively you can open an Explorer window and navigate to the volume. It will show up as a hard drive. You can now copy or save files directly to this location.
Mac OS X: If you are using a Mac, choose a drive letter by clicking on one in the upper part of the interface. Click “Select Device”. You will be prompted to enter your administrator password. A drive list will appear. Select the appropriate partition (see center image in series below). You will now be prompted for your password.
Before you can remove the drive it is very important to dismount the VeraCrypt volume. This is important both for security reasons and because files can be damaged or corrupted if you remove the volume without properly dismounting. To do so, close any documents that are running from the device. In the VeraCrypt interface select the device and click “Dismount”. Once the encrypted volume is dismounted you may remove the media from your computer.
Encrypting your external media is at least as important as encrypting its host computer. VeraCrypt external media encryption gives you good security and flexibility. I will cover many more features of this program in coming days, so stay with me!