This project has moved. For the latest updates, please go here.

Encrypting a pendrive

Topics: Technical Issues
Dec 15, 2016 at 9:27 AM
Hi I have a USB pend drive which I would like its content to be encrypted. I want to give this pendrive to a friend of mine to store/remove data on it. Having said that I do not want my friend to be able to format the pendrive so I cannot give him the encryption password. Is there a way to manage this using veracrypt?
Dec 20, 2016 at 8:30 AM
Any ideas please?
Dec 20, 2016 at 9:46 AM
No, you can't prevent anyone from formating the pendrive or erasing any files on it (including vc containers), but you can prevent anyone from seeing your files placed inside encrypted veracrypt container (or in a partition). But you can do at least something ;-)

Good solution how to hide encrypted part of usb flash drive (from technicly unaware people) is to create two partitions on the usb drive, set id for the second partition which windows don't understand and encrypt the second part using veracrypt. The trick here is, that most BFUs use windows and windows ignore partitions they don't know (luckily they don't ask to reformat if you have used unknow partition id), so even if someone reformats your flash disk, he actually reformats the first partition only, flash disk still behaves like normal flash disk and your encrypted partition is still accessible. If you have unbranded flash disk (without printed size) and if you choose reasonable first partition size, noone expects second partion there, not even some guy from IT department.

You can't prevent anyone technical aware to repartition your usb drive (and reformat it) though, but anyone can't ever decrypt the content, no matter how technically skilled he is.

To partition my drives I use fdisk under linux. If I need to partition on windows only, I use gdisk, but it is quite hard to create MBR-only disk using gdisk, because it is intended for GPTs, so you have to create GPT partitions first, then convert them to mbr, then zap GPT and then write. Shame there's no plain MBR fdisk which could work under modern windows. Windows diskpart command and disk manager (diskmgmt.msc) always destroy first 512k of every partition they create, so I don't like them. Using gdisk I can create any partition without destroying data and mainly I am able to specify where on the disk my encryption partition data begin, which is what VC cannot do, at least not now. When I dismout, I repartiton to use full flash and no data are destroyed (as long as I don't fill the disk with data). Random data across the disk are quite plausible, because in the past I could have overwritten free space with random data ;-)