Always Encrypt USB Sticks when Traveling with Information

Tuesday, January 30, 2018 by Michael Nuncic

USB sticks have become much smaller, can contain more data, and with USB 3.0, are faster than ever before. But due to their size, USB sticks have a downside: They can be easily lost.

My partner recently went on a business trip to the lovely city of Freiburg, Germany, known for its famous churches and the nearby Black Forest. While having a coffee on the main market square, she found a USB stick lying on the pavement. She gave it to me to check its contents and to look for the owner of the stick.

Using a secured computer, what I found completely shocked me: It was fully loaded with personal and sensitive material: scans of two different identification cards of a man and a woman, a home loan application, bank statements of the two individuals, salary statements, a credit application, a calculation of the expected pension payments, and tax assessments of the last three years. Additionally, there were lots of detailed documents of two different houses in the Freiburg area regarding future construction and renovation costs. And that's not all: The stick also contained a folder with more than a dozen software products along with the necessary serial numbers and keys.

Obviously, the owner of the stick – probably a sales representative of a real estate firm – wanted to carry all the necessary information with them at all times so that it would be available when needed.

However, as you can imagine, criminals can use the information on such a USB stick to steal the owner's identity, transfer money, or sell the personal information to others on the darknet. Even worse, the misuse can lead to a bad credit classification, which in some cases can take years to repair.

Therefore, storing personal information on unsecured USB sticks is a risky business and should be absolutely avoided!

When traveling with a USB stick, you should also encrypt the device. There are many solutions on the market – even free of charge – which can be used. Often, when purchasing a brand new stick, an encryption solution is already supplied by the manufacturer.

In case your USB stick does not come with an encryption tool, there are several products available. Among them are:

  • VeraCrypt. The successor to the well-known (but no longer developed) TrueCrypt, it works on Windows, OS X, and Linux. After downloading and installing the program, click on "Create Volume," select "Encrypt a non-system Partition/Device" and click on "Next." Under "Select Device," select your USB stick, enter a password, and your stick should be safe. However, you should perform this procedure before copying your data onto the stick, as all data on the stick will be deleted. To access the encrypted data, you also need VeraCrypt. Click on the button "Select Device," select the stick, click on "Mount" and enter your password. With "Dismount" you release the stick again.
  • If you own a Windows PC and have installed an "Ultimate," "Pro," or "Enterprise" version, you can also use the built-in tools. The well-known BitLocker encryption tool is included in Windows 7, 8, and 10 (with the exception of the Home version).

To start, right-click on the stick in Windows Explorer. Under "Properties" you will find the tab "General." Click on "Advanced," activate "Encrypt content to protect data" and confirm with "OK." You should be advised to back up the data encryption certificate and the key: if they are lost, you will no longer be able to access the data in the directory. Therefore, please click on "Back up now (recommended)." In the dialog "Security," you can set your password. If it says, "File Encryption is enabled on this computer," click "Start," then "Properties" and "System." Under "Info" you can change the "BitLocker settings" and activate the program. The USB stick is addressed under "Removable Disk - BitLocker To Go." For more information read this article from Tom's Guide.
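BitLocker To Go can also be switched on from an elevated PowerShell prompt using the BitLocker module that ships with the Windows editions listed above. The script below is an added example, not part of the original article: it lists removable volumes with their protection state, encrypts one stick with a password, and writes the recovery password to a file that is not on the stick. The drive letter `E:` and the path `C:\Secure\usb-stick-recovery.txt` are assumptions; adjust both.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the stick is mounted as E: and C:\Secure is a
# folder on a disk that does not travel with the stick.
$mount        = 'E:'
$recoveryFile = 'C:\Secure\usb-stick-recovery.txt'

# 1. Audit: show every removable volume and whether BitLocker protects it.
#    (Some sticks report themselves as 'Fixed' and will not appear here.)
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $v = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):"
        [pscustomobject]@{
            Drive      = $v.MountPoint
            Status     = $v.VolumeStatus      # e.g. FullyDecrypted, FullyEncrypted
            Protection = $v.ProtectionStatus  # On / Off
        }
    } | Format-Table -AutoSize

# 2. The recovery password must never be stored on the stick it unlocks.
if ($recoveryFile.StartsWith($mount, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Recovery file must not be stored on $mount."
}

# 3. Encrypt the stick if it is still in plain text.
if ((Get-BitLockerVolume -MountPoint $mount).VolumeStatus -eq 'FullyDecrypted') {
    $password = Read-Host -AsSecureString -Prompt "Unlock password for $mount"
    # -UsedSpaceOnly is deliberately omitted: on a stick that already held
    # files, deleted data in free space would otherwise stay unencrypted.
    Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $password |
        Out-Null
    # Second protector: a 48-digit recovery password as the emergency backup.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector |
        Out-Null
}

# 4. Save the recovery password away from the stick.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword |
    Format-List | Out-File -FilePath $recoveryFile -Encoding utf8

# 5. Verify: encryption runs in the background until the percentage reaches 100.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Leave the stick plugged in until `EncryptionPercentage` reaches 100, and treat the recovery file like the key itself, since it is stored in plain text.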

These two are just some of the many products available, but they are the most important ones and, being free of charge, will do the job without you having to spend a lot of money.

However, there are quite a few experts who find that software encryption is not secure enough. If you too do not trust this type of encryption, you can opt for a USB key with hardware encryption. These options include a small keyboard that allows you to unlock the stick.

Remember: If you lose your decryption or hardware key, there is no way that you (or even data recovery experts) can recover the files stored on the medium. So make sure of the following:

  • Never lose your decryption key.
  • Always store another copy somewhere else as an emergency backup.
  • Always keep your USB stick and your decryption key in separate and secure places when traveling.
  • In case you have difficulties getting access to the content on the stick, it might have come to the end of its product life. In this case, it's better to destroy it. A big hammer and several hits will do the job. However, make sure that nobody can reassemble the included controller and storage chips again. So totally destroying them is absolutely necessary here.
  • In case you do not want to use the USB stick again with personal information, but for other purposes, make sure that you erase the old files with a proper erasure software solution, like Flash Erase from Blancco, or a similar product. It's only through proper erasure methods that you can be sure that no one will be able to gather your personal information.

P.S. After I found the address of one of the individuals' ID cards in one of the documents provided, I returned the USB stick to this original owner and gave them the same advice as I just did here.