Creating a secure USB drive

Creating a secure USB drive

This guide will show how to create a secure environment on a USB flash drive for portable data and applications. If you follow this guide you don't need to worry if you lose it (assuming you have a backup!) as your personal data is encrypted. It can also slightly increase performance of some portable applications.

To do this we will use several free programs...

  • TrueCrypt for creating one or more encrypted drives.
  • PStart to use as a menu of programs and data.
  • USB Disk Ejector to ensure it's always ejected properly when done.
  • A helper application I have created to make the whole thing easier to use.

 

Note: Using TrueCrypt from a USB drive requires either that you have administrator rights on the PC, or TrueCrypt has been previously installed on that PC. This may prevent you from using it in libraries, internet cafés and some workplaces.

 

First prepare the USB drive

I recommend you start with a completely empty drive (we'll call this the host drive). This will allow the encrypted drive(s) to be created without fragmentation. Generally the host drive will be formatted as FAT32, however this will limit your encrypted drives to 4Gb maximum. If you want a single encrypted drive larger than 4Gb, the host drive will have to be formatted as NTFS.

Create the folder structure on the host drive, with folders called "Data" and "Programs". Actually you can call these folders whatever you like, but these names will be assumed from here on. You may also wish to have other folders for unimportant stuff you don't want encrypted, or want to share with others who use your drive (eg. "Unsecured" in the screenshot below).

Virus protection (optional but recommended)

Many viruses are spread by USB drives using the autorun functionality of Windows. Download and install Panda USB Vaccine and use it to vaccinate your USB drive, which permanently disables autorun on the drive. This is all it does, it's not a full virus protection package.

  

Install TrueCrypt and create your encrypted drive

Download the latest version of TrueCrypt and run the setup program. Choose the “Extract” option and extract to the Programs folder on your host drive.

Now run TrueCrypt.exe that was just extracted, and go to Settings > Preferences. Enable "Mount volumes as removable media" and disable the TrueCrypt background task. It is not needed for portable use.

Next, create an encrypted file container on the USB drive in the "Data" folder by clicking the "Create Volume" button.

Create it in your Data folder, and call it whatever you like, with a .tc extension (eg. F:\Data\Portable.tc).

Use the default encryption options, they are the fastest and most secure. Decide how big you want the encrypted volume; generally you would make it fill up most of the USB drive, leaving a small amount of space for your non-encrypted files. If the host drive is FAT32 format, the maximum TrueCrypt volume size is 4095Mb (not 4096Mb, as the TrueCrypt header takes a small amount of space).  In this example I'm using a 1Gb drive so 800Mb will do.

In the next two screens, you must specify the password to open the volume and the format to use, then click the Format button. After some time your encrypted volume will be ready; how long it takes depends on the size and speed of your flash drive. For more help with creating TrueCrypt volumes, see the tutorial here.

Once created, you can mount your encrypted volume using the TrueCrypt GUI interface. Select an available drive, select your .tc file, and click the Mount button. Enter your password when prompted, and leave TrueCrypt open for now.

 

Install PStart Menu on the encrypted drive

Download the latest version of PStart and run the setup program. Choose portable setup and select your new encrypted drive (not the host drive).

There are many options for configuring PStart, you can experiment with these yourself. For example you can change the colour of the tray icon, and add a tooltip to display when hovering over it. for now at least you should disable "Show panel on startup", so only the tray icon is shown when it starts.

Note that you could also use the PortableApps Platform as your menu, but personally I prefer PStart.

Files and Portable Applications

I suggest creating at least a "Documents" folder and a "Portable Apps" folder on your encrypted drive, but that's up to you. Then you can start copying stuff onto it. You can download whatever portable applications you like and install each in it’s own sub-folder. Some suggested links are…

https://portableapps.com/

https://www.portablefreeware.com/all.php

https://en.wikipedia.org/wiki/List_of_portable_applications

 

Create shortcuts in PStart menu

Once you have something on your drive, you can create shortcuts to them. To do this, either drag and drop to, or right click on, the PStart window.For this example, I have installed OpenOffice portable and a couple of documents.

These are now shown when you click the PStart icon in the system tray.

For now you can Exit PStart and go back to TrueCrypt, Dismount your drive and Exit.

 

Install USB Disk Ejector on the host drive

Download the latest version of USB Disk Ejector and unzip the program to your host drive (eg. F:\Programs\USBDiskEjector). There is no installer. The screenshot shows IZArc being used to extract it, but you can use whatever program you have to handle Zip files.

 

Install USB.exe helper program

I have created this program to tie it all together and make it easier to use. Basically it just automates the steps.

  1. Mounts the TrueCrypt volume after you enter your password
  2. Optionally, runs a program (eg. to sync folders)
  3. Runs the menu program on the mounted volume, and waits until it exits (eg. PStart menu)
  4. Checks that no programs have been left running from the mounted volume (to prevent data loss/crashes)
  5. Optionally, runs a program (eg. to sync folders again)
  6. Dismounts the TrueCrypt volume
  7. Ejects the USB drive

Download USB.exe (225,7 kB) and save it in the root folder of your host drive, then run it. On the first run, default settings are created and you need to edit them to match your folders and programs used. If you have followed this guide exactly no changes should be needed, except your preferred drive letter. The optional backup commands can be added later. On most computers, this file will open in Notepad.

How to use it...

Simply plug your USB drive into any computer, find it in Windows explorer, and run USB.exe. Enter your password when prompted, and wait for the menu icon to appear in the system tray.

When finished, exit the menu. If any programs are left running on the drive, you will see a warning message. Close the program and retry, or cancel (restart the menu).

Wait for the drive to be dismounted and ejected; a message will be shown when it's safe to remove the drive. Do not unplug the drive without doing this first, as it may lead to data loss or corruption.

Backup, backup, backup!

As with all computer data, it is important to have a backup of your USB drive. There are many ways to do this and it's beyond the scope of this guide. One way is to use my MultiBackup program to backup the entire drive to your hard disk. You can also use it to synchronize folders with your own PC on mounting and/or dismounting the drive. To do this you can enter commands in the USB.ini file.

 

That's it for now... If I think of anything else I'll add it!

Tags:

| | | |