How Does an Encrypted USB Flash Drive Work?
By Ken Burnside
Flash drives have become a standard in removable media because they're small, easily swapped between systems, and can be read and rewritten. Their portability and small size also make them easier to lose, even if they're attached to a key chain or another object. Having your flash drive encrypted means that if the drive is lost or stolen, your personal data isn't easily recovered.
Hardware-encrypted flash drives come with a small chip that handles the encryption and are configured with two logical volumes: a small, hidden one and a larger one where your data goes. This is similar to the hidden recovery partitions on laptop drives. When the drive is plugged in for the very first time -- after being removed from its packaging -- you'll be prompted to enter a password. Once the password is created, the larger partition is encrypted and the password will be required each time the drive is inserted. After the password is entered, the drive behaves like any other flash drive.
It's also possible to encrypt a thumb drive using encryption software like TrueCrypt. You can duplicate the functionality of hardware-encrypted drives by putting the decryption binaries on the thumb drive and then converting the rest of the drive into an encrypted partition, encrypting specific folders, or encrypting the volume in such a way that it can be read only by a computer that has TrueCrypt installed. You can also make a hidden encrypted partition for added security.
Because of the processor-intensive nature of encryption algorithms, writing data to or reading data from an encrypted flash drive is slower than with an unencrypted drive. As USB 3.0 becomes more widespread and USB 3.0 encrypted drives hit the market, this performance hit will become less noticeable, but it's still there.
Encryption Algorithm and Certification
As of early 2013, the encryption algorithm used by both TrueCrypt and hardware-encrypted flash drives is the Advanced Encryption Standard with a 256-bit key (AES-256). Alternatives to TrueCrypt include DiskCryptor, dm-crypt and BitLocker. All of these solutions use AES-256 to meet Federal Information Processing Standard 140-2 Level 2. Level 1 requires that the encryption algorithm be 256-bit or better. Level 2 requires a way to reveal tampering with the device; for hardware-encrypted drives, this means showing evidence if the encryption chip has been physically removed. Level 3 requires further protection for the encryption mechanism, and Level 4 requires that removal of the encryption mechanism render the encrypted data unreadable.
Additional Management Features
Security doesn't stop with hardware encryption. Many hardware-encrypted flash drives have tools that enable an administrator to remotely track login attempts, force password changes, and set a minimum password strength. They can even ensure that the data partition stays hidden unless the drive is connected to an approved server over an approved connection.
Ken Burnside has been writing freelance since 1990, contributing to publications as diverse as "Pyramid" and "Training & Simulations Journal." A Microsoft MVP in Excel, he holds a Bachelor of Arts in English from the University of Alaska. He won the Origins Award for Attack Vector: Tactical, a board game about space combat.