Hak5 Forums
RickD

looking for easy way to protect data of standard usb stick on my key chain

RickD   

Hello all,

I'm looking for an easy way to password protect the data of the USB stick that is on my key chain (should work on at least any Windows machine without special software on it). Doesn't have to be NSA-grade protection, just not easy to use if I lose it and somebody finds it.

Until now I used a U3 stick with a built-in partition loader and password option, but that one has become too small, and the new one doesn't have any kind of built-in protection.

And rebuilding the new stick as a u3 seems to be hard if not impossible.

I still find it strange that these days regular USB sticks don't come with some kind of hardware PIN code option.

And most encrypted container software options are either not free or need to be installed on the host computer.

There are probably some good methods to do this out there, but so far I've not been able to locate them.

Any help on this is appreciated!

Regards,

Rick

Link to post
digip   

There is a tool similar to TrueCrypt, can't remember the name, but you can create a hidden encrypted partition on the drive on NTFS for Windows or EXT3/4 on Linux. You would then mount with the encrypting program and it will prompt for a password to show the contents of the files. You'd need to install the encrypting program on the hosts, but some are portable and can just be copied to the drive, or to be stealthy, put it on a separate thumb drive.

Edited by digip

Link to post
6 hours ago, digip said:

There is a tool similar to TrueCrypt, can't remember the name, but you can create a hidden encrypted partition on the drive on NTFS for Windows or EXT3/4 on Linux. You would then mount with the encrypting program and it will prompt for a password to show the contents of the files. You'd need to install the encrypting program on the hosts, but some are portable and can just be copied to the drive, or to be stealthy, put it on a separate thumb drive.

I was just talking to someone about having 2 USBs in a RAID 0. You can only access the data on a USB if you plug both in a specific position/port (or just have both of them in..).

But yeah, encrypting a USB like that is the way to go. You can create an AES encryption script with PowerShell or C or even VB as well.

Edited by Dave-ee Jones

Link to post
digip   
19 minutes ago, Dave-ee Jones said:

I was just talking to someone about having 2 USBs in a RAID 0. You can only access the data on a USB if you plug both in a specific position/port (or just have both of them in..).

But yeah, encrypting a USB like that is the way to go. You can create an AES encryption script with PowerShell or C or even VB as well.

Not sure you can RAID removable media, but that would be interesting to see how it worked. I don't see how it protects the data though. Partial file recovery still would expose some data with forensic tools. You'd want an encrypted file or container to really be effective, so RAID with encryption maybe, just not RAID by itself.

Link to post
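An added example, not part of the thread, illustrating the objection above that striping alone does not hide data: a constructed plaintext image is split RAID 0 style across two sticks and one stick is scanned for printable strings. The chunk size, record layout and function names are assumptions made for the illustration.

```python
import re

CHUNK = 4096  # stripe unit in bytes (assumption; real arrays often use 64 KiB or more)

def stripe(data: bytes, members: int = 2, chunk: int = CHUNK) -> list:
    """Split data RAID 0 style: chunk number i goes to member i % members."""
    out = [bytearray() for _ in range(members)]
    for i in range(0, len(data), chunk):
        out[(i // chunk) % members] += data[i:i + chunk]
    return [bytes(m) for m in out]

def unstripe(parts: list, chunk: int = CHUNK) -> bytes:
    """Reassemble the original byte order; needs every member."""
    out, offsets, m = bytearray(), [0] * len(parts), 0
    while any(offsets[i] < len(parts[i]) for i in range(len(parts))):
        out += parts[m][offsets[m]:offsets[m] + chunk]
        offsets[m] += chunk
        m = (m + 1) % len(parts)
    return bytes(out)

def printable_runs(blob: bytes, min_len: int = 12) -> list:
    """Like the `strings` tool: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]

def build_image(records: int = 32, size: int = 512) -> bytes:
    """Constructed sample volume: fixed-size plaintext records, zero padded."""
    img = bytearray()
    for i in range(records):
        text = f"rec{i:04d} user=user{i:04d} pin={(i * 7919) % 10000:04d}".encode()
        img += text.ljust(size, b"\x00")
    return bytes(img)

def recovered_from_one_member(member: bytes) -> list:
    """Records readable from a single stick, with no array and no second stick."""
    return [s for s in printable_runs(member) if s.startswith("rec")]

if __name__ == "__main__":
    image = build_image()
    sticks = stripe(image)
    found = recovered_from_one_member(sticks[0])
    print(f"stick 0 alone exposes {len(found)} of 32 records, e.g. {found[0]}")
    print("exact image needs both sticks:", unstripe(sticks) == image)
```

Anything smaller than one stripe unit sits whole on a single stick, which is why the split needs encryption underneath it to protect a lost drive.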

Well, depending on the array type, there would be very little chance of getting data from the array. It would be corrupt if all USBs weren't present (pretty much stuffed if a USB dies).

But yeah, it wouldn't be as effective as encryption but if we're talking about forensics it's not like it's impenetrable either.

I think it's possible to put USBs in a RAID (just found this video), but trouble would be if a USB died or if the computer didn't have enough USB ports (or one was dead). Not cool.

This one makes a Mirrored Drive (RAID 1): https://www.techwalla.com/articles/how-to-use-usb-keys-as-raid-drives

I think you can get RAID USB Hubs as well (hardware RAID).

 

Edited by Dave-ee Jones

Link to post
digip   
29 minutes ago, Dave-ee Jones said:

Well, depending on the array type, there would be very little chance of getting data from the array. It would be corrupt if all USBs weren't present (pretty much stuffed if a USB dies).

But yeah, it wouldn't be as effective as encryption but if we're talking about forensics it's not like it's impenetrable either.

I think it's possible to put USBs in a RAID (just found this video), but trouble would be if a USB died or if the computer didn't have enough USB ports (or one was dead). Not cool.

This one makes a Mirrored Drive (RAID 1): https://www.techwalla.com/articles/how-to-use-usb-keys-as-raid-drives

I think you can get RAID USB Hubs as well (hardware RAID).

 

Interesting. Great find.

If it were USB 3.0, then I'd say probably advantageous even as a spare RAID setup, but I would think even USB in RAID (if it can be done, which it looks like Mac can, but I'm on Windows and would have to try to find out) would still be slower than, say, a SATA RAID, even with conventional HDDs. Read and write on regular USB is generally pretty slow unless on 3.0. Still, if this is merely for splitting the file so it required a pair of USB sticks to be used at the same time to protect the data, then it would be useful merely for the storing of an encrypted file that can't be read without the second drive, so might be worth a try.

This all being more or less conceptual, but maybe not as practical for everyday use purposes if you want just one drive to carry around with you. You'd have to make sure you never lost the other drive(s) or format them, or all your shit is gone if just one of them is gone.

I'm going to have to get a couple of cheap USB drives now and see about setting them up as RAID on Windows. Linux can probably do it if a Mac can, so will have to test this. Curious how well it will work on Windows regardless of the encryption aspect; just want to see the RAID setup on a flash drive in action. I've got both USB 2.0 and 3.0 ports on my machine, so will need to also invest in a 3.0 hub to give this a try. With the right setup, this could also make a nice storage array that can be easily moved between machines.

Link to post
17 minutes ago, digip said:

Interesting. Great find.

If it were USB 3.0, then I'd say probably advantageous even as a spare RAID setup, but I would think even USB in RAID (if it can be done, which it looks like Mac can, but I'm on Windows and would have to try to find out) would still be slower than, say, a SATA RAID, even with conventional HDDs. Read and write on regular USB is generally pretty slow unless on 3.0. Still, if this is merely for splitting the file so it required a pair of USB sticks to be used at the same time to protect the data, then it would be useful merely for the storing of an encrypted file that can't be read without the second drive, so might be worth a try.

This all being more or less conceptual, but maybe not as practical for everyday use purposes if you want just one drive to carry around with you. You'd have to make sure you never lost the other drive(s) or format them, or all your shit is gone if just one of them is gone.

I'm going to have to get a couple of cheap USB drives now and see about setting them up as RAID on Windows. Linux can probably do it if a Mac can, so will have to test this. Curious how well it will work on Windows regardless of the encryption aspect; just want to see the RAID setup on a flash drive in action. I've got both USB 2.0 and 3.0 ports on my machine, so will need to also invest in a 3.0 hub to give this a try. With the right setup, this could also make a nice storage array that can be easily moved between machines.

Yeah, USB 2.0 RAID would be very painful. I was just thinking it adds an extra layer of security, so if you had something really important you can keep one USB and give the other to someone you trust (sounds like you're carrying around the 2 keys for a nuke, haha).

But yea, it would be a pretty mobile RAID setup, carrying from one machine to the next. No real practical use for a daily-carry USB RAID array, but it's an interesting project.

Then you could take it a step further and do some hot-swapping in RAID 5/6, or having a backup drive just in case the others fail. I think that would be the hardest thing (unless you could find some software to do it for you, but then it would have to support USBs - unless you change the headers of the USB to unremovable and spoof them being HDDs).

Link to post
haze1434   

I use VeraCrypt for both USB sticks and my hard drive.

256 AES, free software. It's very good.

*edit* This may be the one digip is remembering; it allows hidden drives to be created also.

Edited by haze1434
  • Like 1

Link to post
digip   
9 hours ago, haze1434 said:

I use VeraCrypt for both USB sticks and my hard drive.

256 AES, free software. It's very good.

*edit* This may be the one digip is remembering; it allows hidden drives to be created also.

Yes, I think that is the same one, similar to TrueCrypt, only still being developed. TrueCrypt has a security flaw and I think they stopped updating it a few years ago.

Link to post

I'm pretty sure TrueCrypt ended in 2014. They still have some info on their website. If I remember right, they stopped development due to lack of support on Windows because of BitLocker. I have used VeraCrypt before; seems to be pretty good. It is very similar to TrueCrypt if you have ever used it before.

Link to post

I still use TrueCrypt on a flash drive. It still works plenty good enough for this purpose. Will it keep the NSA out? Probably not. Will it keep out 99% of the rest of the people who would find it if you lost it? Sure.

Also @digip I've RAIDed a bunch of USB floppy drives on a Mac once. It worked, wasn't really useful though.

Link to post

I use BitLocker on my USB drive that I have on my key chain. I don't have anything sensitive on it.

You can also unencrypt BitLocker in Linux using dislocker (on GitHub).

Link to post
RickD   
On 11-9-2017 at 1:54 PM, haze1434 said:

I use VeraCrypt for both USB sticks and my hard drive.

256 AES, free software. It's very good.

*edit* This may be the one digip is remembering; it allows hidden drives to be created also.

Is it possible to use VeraCrypt from the USB stick only (without it being present on the host, only a container with the data and a VeraCrypt executable to unlock it on the stick)?

Link to post
5 hours ago, brianzimm said:

I use BitLocker on my USB drive that I have on my key chain. I don't have anything sensitive on it.

You can also unencrypt BitLocker in Linux using dislocker (on GitHub).

Good to know. Thanks!

Link to post
digip   
19 hours ago, RickD said:

Is it possible to use VeraCrypt from the USB stick only (without it being present on the host, only a container with the data and a VeraCrypt executable to unlock it on the stick)?

If it's like TrueCrypt, you still need the TrueCrypt app to open the encrypted files, but this goes for any container, including a RAR or 7Z file with encrypted files and password protection. ZIP files do not encrypt the files by default but can password protect, but you'll see the file names in plain text if you open a ZIP in a text editor. You can, in most things, put the Vera/TrueCrypt app on the thumb drive as well, but this gives away that there might be a hidden encrypted file on the drive without having to dig deeper into the drive to look for it. Putting the encrypted files on one drive and carrying a portable version of the app on another would make more sense, but no OS will natively open TrueCrypt/VeraCrypt files. If you need to be able to open it on any system then basic ZIP with password protection is about the best you're going to have out of the box. The rest of the solutions would require installing something or having the portable version on the same drive or second flash drive.

Link to post
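An added example, not part of the thread, for the point above that a password-protected ZIP still shows its file names: it builds a constructed archive whose entries use the legacy ZipCrypto password mode, then lists what is readable with no password. The file names, contents, password and function names are made up for the illustration.

```python
import io, struct, zipfile, zlib

def zipcrypto(data: bytes, password: bytes) -> bytes:
    """Legacy PKWARE ZIP encryption, the classic 'password protect' mode."""
    k = [0x12345678, 0x23456789, 0x34567890]
    crc1 = lambda c, b: zlib.crc32(bytes([b]), c ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(b: int) -> None:
        k[0] = crc1(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = crc1(k[2], k[1] >> 24)
    for b in password:
        update(b)
    out = bytearray()
    for p in data:
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def encrypted_zip(files: dict, password: bytes) -> bytes:
    """Constructed sample: stored (uncompressed) entries, each ZipCrypto-encrypted."""
    body, central = bytearray(), bytearray()
    for name, data in files.items():
        crc, fn = zlib.crc32(data), name.encode()
        # 12-byte encryption header: fixed filler here (real tools use random
        # bytes), ending in the CRC's top byte as the password check value.
        enc = zipcrypto(bytes(11) + bytes([crc >> 24]) + data, password)
        # version, flags (bit 0 = encrypted), method 0, time, date, CRC, sizes, lengths
        common = struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0x21, crc,
                             len(enc), len(data), len(fn), 0)
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + common
                    + struct.pack("<HHHII", 0, 0, 0, 0, len(body)) + fn)
        body += b"PK\x03\x04" + common + fn + enc
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(files), len(files),
                                       len(central), len(body), 0)
    return bytes(body + central + eocd)

def exposure(raw: bytes) -> list:
    """What a finder learns with no password: (name, size, encrypted flag)."""
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        return [(i.filename, i.file_size, bool(i.flag_bits & 1)) for i in z.infolist()]

SAMPLE = {"payslip_2017-08.txt": b"net pay: 1234.56\n",   # constructed contents
          "door_codes.txt": b"garage: 0000\n"}

if __name__ == "__main__":
    raw = encrypted_zip(SAMPLE, b"example-password")
    print(exposure(raw))
    print("file name readable in raw bytes:", b"door_codes.txt" in raw)
    print("contents readable in raw bytes: ", b"garage" in raw)
```

The names and sizes come from the archive's directory records, which this password mode leaves unencrypted; only the entry data is protected.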

Yeah, what put me off of VeraCrypt is it still uses its own "format", so you need a VeraCrypt client to read the contents of the USB (once you get the password) correct. Or at least, that's how I read it. It's a "VeraCrypt" file.

Link to post

Same as TrueCrypt. The biggest problem is you need admin rights on the machine you're opening the file on. I suppose you could use the Bash Bunny and make a LUKS container on the USB partition. Would be kind of a pain in the ass though. See, there's what you need. One of the newer solid state based USB drives, a small USB hub, and a Raspberry Pi. Set up the Pi to power off USB and NDIS. dm-crypt the SSD and have it shared over the local USB network. That way it's OS agnostic. 3D print a nice enclosure for it.

Link to post
