VeraCrypt: 4 ways to encrypt a flash drive in Linux

The information you store on your flash drives is the most vulnerable because you can lose it any day. So, you had better protect the most sensitive data on your flash drive with encryption. In this post, you will learn how to encrypt a flash drive in Linux using four different ways with varying levels of complexity and security.

INTRODUCTION

Although nowadays everything is moving to the cloud and flash drives are not used often, they are still handy sometimes, especially if you are concerned about your privacy. Your online accounts can get hacked, but in the case of a flash drive, someone first needs to get physical access to it. And if your flash drive is encrypted, that person would also have to decrypt it, which is not easy.

It does not matter if your stored data is not too important; you never know what someone else might do with it. In addition, it is very simple to encrypt a flash drive in Linux.

So, in this post, you will see several options to encrypt a flash drive in Linux.

  1. The first option is to create an encrypted file container. This way, you can store both encrypted and regular data.
  2. Another option is to split your flash drive into two parts, so you will have an encrypted partition for your important files and another partition for less important files.
  3. If all your data are very important, encrypt the whole flash drive. However, with this method, you will have to use the encryption passphrase every time you use your flash drive.
  4. Finally, there is a possibility of creating a hidden encrypted volume. It is the best option if you have very sensitive data that requires maximum protection.

As you can see, you have several options; it all depends on you and the level of security you prefer.

For all the encryption options, I will use VeraCrypt. It is the most user-friendly and flexible encryption tool. First of all, it is available for all platforms. So, you will be able to access your encrypted data from Linux, Windows, and Mac OS. Besides flash drives, VeraCrypt can be used to encrypt Linux hard drives too. The program has a fairly simple but powerful graphical interface.

1. Encrypt with a file container

Create an encrypted file container

To encrypt a flash drive in Linux with a file container, it is necessary to create a container. So, you need to click on the Create Volume button.

Create a new Volume

First, you have to select the Create an encrypted file container option in the following screen.

First step: creating an encrypted file container

In this case, we will use the standard VeraCrypt volume option. I will show the Hidden Volume option later in this post.

Choose the Volume Type

Now, you have to select the location and give a name to your encrypted volume. For example, I will name it “EncryptedVolume” and place it on the flash drive. Of course, you can choose the name you want. Then, click on the Next button.

Set the volume location

On the next screen, it is necessary to define the encryption algorithm. The default AES algorithm should be fine.

Encryption Options

Now, you need to decide on the size of the encrypted volume. You will see the maximum available size; it is 14.7 Gb in my case. Choose the size based on the amount of data you intend to store in this encrypted volume. I will create one of 1 Gb size.

Set the volume size

Next, you have to set a password for the volume. Try to make it reasonably long and include letters, numbers and special characters.

For the flash drive encryption, using a key file is not practical. But if you are going to mount your flash drive to 1-2 specific computers only, you can enable the key file to increase the security. I have shown how to use a key file in the post about Linux graphical encrypting program.

Set a Password for the volume

I recommend keeping the FAT file system for the encrypted volume, as it will work across all operating systems even though you encrypt the flash drive in Linux.

Format Options screen where you can choose the volume filesystem

On the next screen, you need to move your mouse randomly until the bar is filled. This is done to generate random numbers for better encryption. When the bar is filled, click on the Format button.

The encryption process

Now, VeraCrypt will create an encrypted volume on your flash drive. It may take a while, depending on the size of the volume you are creating. If all goes well, you should see this screen where it says that the volume has been created correctly.

Volume created successfully

Mount the encrypted file container

Now, I am going to test this encrypted volume. To mount the encrypted volume, go to the main window of the program and click on any free slot. Then select the encrypted file container we have just created and click on the Mount button.

Mount the newly created volume

Now, you need to enter the encryption passphrase. You may also be requested to enter your administrative password.

Entering the passphrase to mount the encrypted volume

Most likely, the encrypted file container will open in a new window automatically. If it does not, you should be able to find it in the Devices section of your file manager.

The encrypted volume is listed among devices

Test the encrypted file container

To test the encrypted volume, place any files there. After you have finished placing the data in this encrypted volume, close it and dismount.

Dismounting the encrypted volume

When the encrypted volume is dismounted, open the USB drive again. The file you placed into the volume should not be accessible on the flash drive. You should only see the encrypted volume file, and even if you try to open it, the system should not recognize it. So, all the data located in this file is securely encrypted, and the only way to access it is to mount it with VeraCrypt.

This was the easiest and the least paranoid way to encrypt a flash drive in Linux. The only problem here is that the encrypted file container will be visible to anyone who mounts your USB drive.

2. Encrypt with an encrypted partition

One way to hide the encrypted part is to split your flash drive into two parts: one will be encrypted and not visible by default, while the other will be a regular partition. To do that, you need to re-partition your flash drive.

Re-partition your flash drive

You can use Disk Utility, Gparted or any other partition program. In this case, I will use Disk Utility. Open it from the main menu.

First, delete your partition.

Deleting the partition

NOTE: This will also remove all the data from your USB drive. So make sure you copied it somewhere else before this step.

Next, you have to create one main partition that will be your regular partition. You will probably want to format it with the FAT file system.

Create the main partition for the USB flash drive

Now, you should see one partition and some free space which we will use for the encrypted partition.

Applied changes on the USB flash drive

Click on the free space and create the second partition.

Creating the second partition on the USB flash drive

The file system does not matter here; it will be re-formatted anyway. Do not assign any name to it. This way it will look less obvious that there is some information in this partition. When this partition is created, you can start encrypting it as described below.

Encrypt one partition

Go back to VeraCrypt and click on the Create Volume button. And instead of the File container option, select the Create a volume within a partition/drive option.

Create an encrypted partition

Keep it as a standard VeraCrypt volume and select the partition you want to encrypt.

Select the partition you want to encrypt

In this screen, you can see that sdb is my USB drive because of its size. And sdb1 and sdb2 are the two partitions we have just created. We need to encrypt the second one. In your case, the device name may be different. For example, it can be sdc2, sdd2, sde2, etc. Just look at the sizes of the available partitions and select the one you need.

Selecting the partition to encrypt
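
Picking the wrong device in this dialog overwrites another disk, so it helps to confirm first which partitions belong to the removable USB drive. The following is an added example, not from the original post: it filters the JSON output of `lsblk -J -b -o NAME,SIZE,RM,TRAN,TYPE`. The embedded sample output is constructed, and the device names, sizes and function names are illustrative assumptions.

```python
import json

# Constructed sample of `lsblk -J -b -o NAME,SIZE,RM,TRAN,TYPE` output.
# Device names and sizes are illustrative, not taken from the article.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "size": 512110190592, "rm": false, "tran": "sata", "type": "disk",
   "children": [
     {"name": "sda1", "size": 536870912, "rm": false, "tran": null, "type": "part"},
     {"name": "sda2", "size": 511572271104, "rm": false, "tran": null, "type": "part"}]},
  {"name": "sdb", "size": 15783165952, "rm": true, "tran": "usb", "type": "disk",
   "children": [
     {"name": "sdb1", "size": 8589934592, "rm": true, "tran": null, "type": "part"},
     {"name": "sdb2", "size": 7192182784, "rm": true, "tran": null, "type": "part"}]}
]}
"""

def _flag(value):
    # Older util-linux prints "1"/"0" strings, newer versions print JSON booleans.
    return value in (True, 1, "1")

def usb_partitions(lsblk_json):
    """Return [(disk, partition_path, size_bytes)] for removable USB disks only."""
    found = []
    for disk in json.loads(lsblk_json)["blockdevices"]:
        if disk.get("type") != "disk" or disk.get("tran") != "usb":
            continue  # internal disks are never offered as candidates
        if not _flag(disk.get("rm")):
            continue
        for part in disk.get("children") or []:
            if part.get("type") == "part":
                found.append((disk["name"], "/dev/" + part["name"], int(part["size"])))
    return found

def pick_partition(lsblk_json, number):
    """Return the path of partition `number` (1-based) on the only USB disk."""
    parts = usb_partitions(lsblk_json)
    disks = {disk for disk, _, _ in parts}
    if len(disks) != 1:
        raise ValueError(f"expected exactly one USB disk, found {len(disks)}")
    if not 1 <= number <= len(parts):
        raise ValueError(f"USB disk has {len(parts)} partition(s), not {number}")
    return parts[number - 1][1]

if __name__ == "__main__":
    for _, path, size in usb_partitions(SAMPLE_LSBLK):
        print(f"{path}\t{size / 2**30:.1f} GiB")
    print("partition to encrypt:", pick_partition(SAMPLE_LSBLK, 2))
```

On a real system, pass the output of the `lsblk` command above instead of the sample; the function refuses to choose when zero or several USB disks are attached.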

The next steps are the same as before. First, select the Encryption algorithm option, set the passphrase, select the FAT filesystem, and move the mouse to get randomness and format the volume.

When the volume has been created, check how the system sees it. In the file manager, if you look at the Devices section, you only see the first FAT partition and the encrypted partition is not shown. Linux, and I believe other systems too, will not show this partition in a file manager because the file system of this partition is not recognized.

There is only one way to see the encrypted partition: you have to mount it with VeraCrypt.
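
The dismounted file container from option 1 and the encrypted partition here go unrecognized for the same reason: a VeraCrypt volume carries no file-system signature and its contents look like random bytes. The check below is an added example, not from the original post; the function names, the signature list and the sample inputs are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Well-known on-disk signatures: (offset, magic, description).
SIGNATURES = [
    (510, b"\x55\xaa", "boot sector (FAT/NTFS/MBR)"),
    (1080, b"\x53\xef", "ext2/3/4 superblock"),
    (0, b"LUKS\xba\xbe", "LUKS header"),
]

def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(data, min_entropy=7.9):
    """Return 'recognized: <what>', 'opaque' (no signature, looks random) or 'plain'."""
    for offset, magic, what in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return "recognized: " + what
    return "opaque" if shannon_entropy(data) >= min_entropy else "plain"

def classify_path(path, length=65536):
    """Classify the first `length` bytes of a file or block device."""
    with open(path, "rb") as handle:
        return classify(handle.read(length))

# --- constructed samples (not real volume data) ---
def sample_random(length=65536):
    # SHA-256 in counter mode as a deterministic stand-in for ciphertext.
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(length // 32))
    return b"".join(blocks)

def sample_fat_boot_sector():
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"      # x86 jump at the start of a FAT boot sector
    sector[3:11] = b"MSDOS5.0"         # OEM name field
    sector[510:512] = b"\x55\xaa"      # boot sector signature
    return bytes(sector) + bytes(65536 - 512)

if __name__ == "__main__":
    print("dismounted container:", classify(sample_random()))
    print("regular FAT partition:", classify(sample_fat_boot_sector()))
    print("text file:", classify(b"meeting notes\n" * 4096))
```

Run `classify_path` on the container file (or, as root, on the partition device) after dismounting. Compressed data without a listed signature also scores as opaque, so the result is a sanity check rather than proof of encryption.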

Mounting the encrypted partition

The mounting process for an encrypted partition is very similar to the mounting of an encrypted volume you have seen above. There are a few differences. When you mount the encrypted partition, you need to click on the Select Device option, not Select File as it was for the encrypted file container.

Select the encrypted partition to mount

After the device is mounted, you should be able to find the encrypted partition in the Devices section of your file manager. You can select it and start placing files into this encrypted partition. When you have finished, do not forget to unmount it.

So, this encryption option is one level more secure than a file container because someone who wants to get access to your data also needs to know about this partition and also needs to know that it is encrypted.

3. Encrypt the whole flash drive

Similarly to the previous method, you can also encrypt the whole flash drive in Linux. The difference from the previous option: you do not split your flash drive into two partitions.

This is the least practical way to encrypt a flash drive in Linux because the only way you can use your flash drive is to mount it with VeraCrypt. So, you will not be able to place any file on it any other way.

4. Encrypt with a Hidden encrypted volume

All three of these options protect your data if you lose your flash drive. However, you may also need to hide the fact that you have some encrypted information on the flash drive. For that, you can use a hidden encrypted volume.

Basically, you create one encrypted volume within another one. You can then disclose the password for the outer volume, which does not have any sensitive data. So, you reveal a password, but you do not disclose the truly encrypted data; you only give access to your falsely encrypted data. The data you are really hiding is still encrypted.

How hidden encryption works

So, let's encrypt a flash drive in Linux with a hidden volume.

Create the falsely encrypted volume

First, create a new volume by clicking on the Create Volume button. After that, select the Create a volume within a partition/drive option and in the Volume type window select the Hidden VeraCrypt volume option.

Choose the volume type

Similar to the encryption procedure described above, select the device you want to encrypt and choose the encryption algorithm.

Now comes the different part. In this case you have to create two passwords.

First, you create a password for the outer volume. This is your so-called falsely encrypted partition. You can use a simple password here because it is not important. This is a password you can reveal.

Create the password for the outer volume

You can read more about the outer volume on the screenshot below.

Description of the outer encryption volume used to hide the real encryption volume in VeraCrypt
First outer volume is created

Create the hidden encrypted volume

The next step will prompt you to create the real encrypted volume where you store the data you want to hide.

First window to create the hidden volume

First, select the encryption algorithm for the hidden partition. Then, you specify the size of the hidden volume.

After that, you have to enter the real passphrase. It is better to make it long and complex.

Set the passphrase for the hidden volume

Next, on the Format options screen, select the filesystem type. Finally, format and create the volume.

Format and create the hidden volume

So, the hidden volume has been created. Let us test it.

Test the hidden volume

First, select a slot and mount the encrypted partition as it was shown above. You will be asked to enter the password. Now, depending on what password you enter, different volumes will be mounted. For example, I enter my longer passphrase. This password will mount the real hidden encrypted partition. On the other hand, if I use my shorter password, the fake encryption volume will be mounted.

Enter the real password for the hidden volume

So, now everything depends only on what passphrase you use to mount an encrypted partition. Just be careful not to reveal the wrong passphrase if you are ever unlucky enough to have to reveal one.

CONCLUSION

Now you know four ways to encrypt a flash drive in Linux, for the case that you lose it or are even forced to reveal a password for an encrypted volume. So, you can sleep well at night and not worry about your data being insecure.

I also have a post about Make a bootable USB drive on any Linux distro.

Average Linux User
I am the founder of the Average Linux User project, which is a hobby I work on at night. During the day I am a scientist who uses computers to analyze genetic data.

Comments


user 12345

How can I avoid saving decrypted data on my hard drive? I use Ubuntu; when I mount the USB stick, it copies the data to the computer's drive or RAM, and I can still access the data without the USB stick plugged into the PC.


