Encrypt your memory sticks (HMG)

Yet another security breach for the Home Secretary to wrestle with. This time PA Consulting managed to lose a memory stick containing some rather sensitive information. According to the BBC, “The memory stick contained un-encrypted details about 10,000 prolific offenders as well as names, dates of births and some release date of all 84,000 prisoners in England and Wales – and 33,000 records from the police national computer.”

It’s quite unbelievable that the information was not encrypted before placing it on the stick. Or that the stick didn’t have some built-in encryption itself.

“It can’t be rocket science,” thought I. And, in about two minutes, I’d Googled an answer. It’s possible to encrypt these drives easily and at zero cost, apart from some time, using an open source program from TrueCrypt.

So, for anyone uneasy about securing the information that leaves their organisation on memory sticks, here’s how to protect yours. If it looks too techie, give this blog and your sticks to a techie and he or she will sort you out. A special folder will be created on the stick which, when plugged into a computer, acts exactly like a disk drive. Except, of course, everything in it is encrypted.

Preparing an encrypted drive on your memory stick

1 ) Visit TrueCrypt http://www.truecrypt.org/downloads.php and download the version for your computer type. The instructions that follow are biased towards a Windows PC. (Vista in my case.)

2 ) Run the downloaded program, accept the licence terms and select the ‘Extract’ option. This puts all the TrueCrypt files into a folder.

3 ) Empty the memory stick of its contents – I copied mine to a folder on my computer and then deleted them.

4 ) Copy across TrueCrypt.exe, truecrypt.sys and TrueCrypt Format.exe from the TrueCrypt folder to your memory stick. They may come in handy when you go to another computer.

5 ) Run TrueCrypt.exe from your computer or from your stick and click on Create volume then, in the dialogue that appears, choose the ‘Create a file container’ option. Click Next.

6 ) In the Volume Type dialogue that appears, choose ‘Standard TrueCrypt volume’. Click Next.

7 ) Type the drive letter of your thumb drive followed by : then the name you want to give the folder. I chose f:myfolder. ‘Never save history’ is already checked, so I left it alone. Click Next.

8 ) You’ll be asked to choose your encryption options. Unless you have mugged up on the subject, you may as well accept the defaults. Click Next.

9 ) You’re shown how much space you have and are invited to provide a container size. I was using a 500MB card, so I settled for 400MB, in case I needed to keep some non-encrypted files on the thumb-drive as well. (Such as the TrueCrypt files that I copied just now.) Click Next.

10) Now it’s time to provide the password. Helpful suggestions are provided on screen. Hope you don’t mind if I keep mine a secret! I left ‘Use keyfiles’ and ‘Display password’ unchecked. Click Next.

11) Waggle your mouse over the next box for thirty seconds or so in order to generate an encryption key. Accept the defaults (unless you know what you’re doing) and click Format. Wait until a dialogue box appears to announce that it has finished – it will be a little while after the onscreen counters stop counting.

12) A ‘Volume Created’ dialogue box appears. Click OK then click Exit in the Volume created dialogue.

That’s it. 12 steps that need to be taken only once to protect (part of) a thumb drive. Is this too much to ask of government employees and contractors?

Mounting the encrypted drive

Whenever you want to use the encrypted part of the drive, you need to run TrueCrypt. If it’s not on the target machine, run it from your memory stick.

The first thing you need to do is to assign the encrypted folder to a spare drive letter. TrueCrypt provides a list of spares – take your pick. Z is good, and unlikely to be claimed by the system for anything else.

Use ‘Select file…’ to locate your encrypted folder on the memory stick. Click Open.

Now click Mount.

You will be asked for your password. Provide it and click OK.

You will see that details appear against the appropriate drive letter. You can open it immediately by double clicking on it.

You will not be asked for your password again until you need to remount the drive.

Using the encrypted drive

Now just use it as a normal drive – you can open files and drag and drop them just as you would on any other drive.

When you’re done, choose the dismount option from TrueCrypt. You should then perform the ‘Eject’ operation if available (right-click the device in the ‘Computer’ or ‘My Computer’ list), or use the ‘Safely Remove Hardware’ function (built into Windows, accessible via the taskbar notification area). Otherwise you could lose some data.

If you have a power cut or the memory stick is removed any other way, the content of the encrypted folder always remains encrypted.
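Because step 9 deliberately leaves part of the stick unencrypted, it is worth checking before the stick leaves the building that nothing sensitive has been saved outside the container. The script below is an added example, not part of the original post or of TrueCrypt: it walks a stick, lists every file that is neither the container nor one of the three TrueCrypt files from step 4, and checks that the container looks like random data. The function names, the container name "myfolder" and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Files the post copies to the stick in step 4; allowed outside the container.
TRUECRYPT_FILES = {"truecrypt.exe", "truecrypt.sys", "truecrypt format.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, lower for documents."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def audit_stick(root: str, container_name: str, sample: int = 1 << 20,
                min_entropy: float = 7.9) -> dict:
    """Report files left outside the container and whether the container looks encrypted."""
    report = {"unprotected": [], "container_found": False, "container_random": False}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            if rel.lower() == container_name.lower():
                report["container_found"] = True
                with open(path, "rb") as fh:
                    report["container_random"] = shannon_entropy(fh.read(sample)) >= min_entropy
            elif name.lower() not in TRUECRYPT_FILES:
                report["unprotected"].append(rel)
    report["unprotected"].sort()
    return report


def demo() -> dict:
    """Build a constructed stick layout in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as stick:
        with open(os.path.join(stick, "myfolder"), "wb") as fh:
            fh.write(os.urandom(1 << 16))          # stands in for the encrypted container
        with open(os.path.join(stick, "TrueCrypt.exe"), "wb") as fh:
            fh.write(b"MZ")                        # placeholder for the portable binary
        with open(os.path.join(stick, "offenders.csv"), "w") as fh:
            fh.write("name,dob\n" * 100)           # constructed plaintext left outside
        return audit_stick(stick, "myfolder")


if __name__ == "__main__":
    print(demo())
```

The entropy test is a heuristic: compressed files also score high, so a pass shows only that the container is not obviously plaintext. Run the audit with the volume dismounted, pointing root at the stick's own drive letter rather than the mounted one.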

A user guide is provided as part of the download. It will give you all sorts of additional clever tricks and advice. But what I’ve outlined here is safe. It works.

Perhaps someone should tip off PA Consulting and the Home Office about this blog…
