Using a USB flash drive (also called a thumb drive, USB stick, etc.) to transfer data from one computer to another is more secure than any electronic means of transmission… unless your flash drive is lost or stolen. You don’t need us to tell you that small, portable items are easily lost or stolen. If your USB drive contains information you don’t want strangers to see, encryption is one potentially free solution.
You can encrypt individual files or the entire contents of a flash drive, and in this article, we’ll go through the best methods of encrypting a USB, plus how to do it.
What do we mean by encrypting a USB stick?
First things first, encryption is a security tool that works like a secret code. It encodes data by scrambling it during encryption and decodes the data during decryption. The encoded data is gibberish that cannot be read or translated by anyone without a password or key. The common standard for encryption is called AES-256. Weaker and stronger methods of encryption also exist.
Password protection is a simpler solution. Although it is not as secure as encryption which provides two layers of security (data-scrambling and password) while password protection only provides one. Microsoft Office documents, pdfs, other common types of files, and folders can be password-protected.
Whether you choose to password-protect files, encrypt them, or neither, a password manager is an essential tool to have in your security software collection. If you don’t already have a password manager, see our guide to the best products. A password manager eliminates the risk of losing or forgetting a password, except for the fact that you have to remember the password manager’s password.
Encryption has other risks and drawbacks. In most cases, you need to use the same operating system and encryption software on the front end (encryption) and the back end (decryption). Otherwise, you will be locked out of your own files. Many recent versions of the major operating systems have built-in or free downloadable encryption software. The complexities and compatibility issues with the Windows tools make free or commercial third-party encryption software a better option for some people.
Encrypting files vs encrypting USB flash drives
If you have a lot of files you need to secure, encrypting an entire flash drive is clearly the faster and easier option. If you just have a few files and you don’t regularly transport files on flash drives, you can skip using dedicated encryption software. Recent versions of Microsoft Office include a built-in encryption tool. You can also encrypt pdf files in Adobe Acrobat. Any type of files and folders can be encrypted in a 7-Zip archive (see below).
If you regularly work with sensitive or confidential information, you may already be encrypting your files for use on a single computer, or you may wish to do so. If the files you wish to transport or back up on a flash drive are already encrypted, then encrypting an entire flash drive would be an unnecessary redundancy.
A hidden disadvantage to encrypted or password-protected files is that they may be skipped by your back-up software. Whether you back-up locally or to the cloud, these programs commonly ignore files they can’t access. You won’t encounter that problem if you encrypt a flash drive and leave the files on your computer(s) unprotected.
Preparing a USB drive for encryption
Any method of encryption you use can also be used with external hard drives and solid-state drives. Larger flash drives and other types of drives can be partitioned. Partitioning a drive means dividing it into two or more sections. It’s like adding walls to a house: you have two or more rooms, each of which is smaller than the entire house.
Many encryption programs will partition a drive for you. By creating multiple partitions, you can replicate the encryption process for multiple operating systems. That’s a cumbersome process but may be practical if you are regularly transferring files between a computer with Windows 7 and a computer with Windows 11, for example.
You may be tempted to load the installation file for your encryption software onto the flash drive. That will make it easier to install on another computer that doesn’t already have it. The risk is that anyone who finds or steals your drive knows which encryption program you used and can also easily install it on their computer. Granted, that risk is minimized by the fact that they still need your password to access the drive.
If your flash drive has been previously used, especially if it’s been used by another computer, run an on-demand virus scan before encrypting your drive. If you don’t have an antivirus program with this capability, you can right-click on the drive icon and scan it with Malwarebytes or Windows Defender. Malwarebytes is an effective free antimalware program.
Pre-encrypted USB drives
You can also buy USB flash drives with pre-installed encryption. With these drives, you create a password the first time you use it and enter the password for each subsequent use. This is the simplest method, although it lacks flexibility. If you use one of these drives, you don’t need any encryption software on any of the computers you use. These drives have the advantage of working with any operating system.
Basic USB flash drives with pre-installed encryption cost no more than commercial encryption programs do. For instance, a SanDisk 128 GB encrypted drive is only $11 from Amazon.com. It does not have a high level of encryption.
You can buy USB flash drives that use fingerprint recognition instead of a password. Fingerprint recognition is not flawless technology, and seems to work better for some people than others. If you’ve had good luck with it, you might consider one of these drives. If the reader gets scratched or too smudged or fails for any other reason, you are locked out of your drive. Check user reviews of any drive you wish to consider.
A more elegant option, although considerably more expensive, is a pre-encrypted USB flash drive with an integrated keypad. These drives are still small enough to fit in a pocket but are probably too large to put on a keychain. At press time, you can buy a highly rated 8 GB Apricorn drive from Amazon for $72 or a 32 GB INNÔPLUS drive for $54. The INNÔPLUS drive may sound like the better deal, but it is slower (only USB 2.0) and has a slightly lower average user rating.
Flash drives have a finite number of write/erase cycles. While they should last many years, even expensive drives will not last forever.
Do it yourself with encryption software
You may already have encryption software, and it may be sufficient for your needs. Some operating systems and programs made for other purposes include encryption capability. If you already have software that can encrypt a drive, and you aren’t protecting military secrets or equally sensitive information, you don’t need to buy anything
Other than third-party programs, such as a disk-partitioning program that may include encryption capability, you can choose from four options for encrypting a USB flash drive:
- 7-Zip or another compression/decompression utility
- free Microsoft or Apple encryption software
- a dedicated commercial encryption program
- a dedicated free encryption program
Commercial software of any type is not necessarily better than free alternatives, but included technical support is often an advantage with commercial software. The developer’s websites for nearly all free and commercial encryption programs have tutorials for using the programs.
Compression/Decompression software
Most computer users need a compression/decompression program, which means you probably already have one. These programs shrink the size of files so that they will download faster. When you double-click on an archive in a compressed format, it should automatically open your compression program. When you download software or large media files, they are often in compressed archives.
WinZip and WinRAR are probably the most popular commercial compression programs. However, neither program is free, nor are they as bug-free and reliable as 7-Zip. 7-Zip is an excellent free compression/decompression utility. It has no catch, no upselling, and no bait-and-switch to a commercial version. Versions are available for Windows, MacOS, and Linux. It is compatible with all versions of Windows from this century. Versions of WinZip and WinRAR are made for Windows and MacOS.
While you are likely to have used a compression program to open archives, you may not have created an archive. All of these programs can create archives from a single file or folder or any combination of multiple files and folders. They offer the opportunity to encrypt the archive. The major compression programs can all decompress (open) archives in a wide variety of compressed file formats, including the formats created by the competing products. For example, 7-Zip can open .ZIP (WinZip) or .RAR (WinRAR) archives.
Creating an encrypted archive and then copying it to a flash drive is not identical to encrypting the drive itself. However, it accomplishes exactly the same result because you can copy all the files you want to put on the drive into a single archive.
Follow these steps to create an encrypted archive in 7-Zip:
- (optional) Put all the files you want to put on a flash drive into a single folder.
- Select the item or items you want to include in the archive. In the screenshot, five different types of items are randomly selected.
- Right-click on a selected item and choose 7-Zip.
- From the drop-down menu, choose Add to archive.
- Note the default name for the archive in the top box, and change it if you want. The default settings are fine. The bottom right quadrant shows your encryption options. All you need to do here is create a password, but you can also check the box to encrypt file names.
- Open your password manager. Add a new entry and give it the same name being used for the archive (Classic Shell in the illustration). Create a password, and then paste it into the two password fields.
- Click OK. 7-Zip will then create the archive.
- Copy the archive to your flash drive.
Microsoft encryption software
Various versions of Windows offer programs for encryption. BitLocker may be included in your version of Windows. If not, you may be able to download it. However, Microsoft now imposes the same hardware requirements it uses for Windows 11 to be able to use BitLocker. Microsoft says you also need to have a Microsoft account. If you don’t already have one, this is a steep price to pay in loss of privacy for software that isn’t worth it.
BitLocker works on the Professional and Enterprise versions of Windows Vista through Windows 11. Microsoft only lists Windows 10 in its system requirements, but multiple sources say BitLocker will work with older systems.
Follow these steps to encrypt a flash drive with BitLocker:
- Insert your flash drive into an open USB port.
- Open This PC (Windows key + e)
- Right-click on the icon for your flash drive and choose Turn on BitLocker from the dropdown menu (as shown). You may need administrator privileges.
- You will get a window that says “Choose how you want to unlock this drive.” Check the box that says “Use a password to unlock the drive.”
- Open your password manager. Add a new entry and name it “X” flash drive, with X being the brand of the drive, your name, or a description of the included files.
- Create a password, and then paste it into the two password fields.
- Click next. You will be asked how you want to back up your recovery key. You can save it to a file or print it.
- You will be asked whether to encrypt the entire flash drive or just the used portion. Choose one. Click next.
- You will be asked if you want the encrypted drive to be compatible with older versions of Windows. Check that box unless you know you will only be using the drive with the same version.
- Click Start Encrypting. Wait for it.
- Go to the taskbar and click on the circumflex icon. Choose the “safely remove hardware and eject media” icon and eject your flash drive.
You will need your password to access the drive, and BitLocker must be installed on any computer you want to use to do that. However, the latest version of Cryptsetup, the Linux encryption program, is fully compatible with BitLocker. Thus, you can use BitLocker on a Linux-based computer by installing Cryptsetup.
These instructions are for Windows 10 Pro. Some steps might not be identical in other versions of Windows.
All the newer versions of Windows also include a feature called Encrypting File System (EFS). EFS is for encrypting individual files. It cannot encrypt a flash drive. Conversely, BitLocker will not encrypt individual files or folders.
Apple encryption software
Apple’s macOS has built-in encryption software that can encrypt an entire flash drive. Follow these steps to use it:
- Insert your flash drive into an open USB port.
- Open the Finder and find the Disk Utility.
- Find the icon for your flash drive on the list in the sidebar on the left. Right-click on the icon.
- Your drive must be formatted for macOS before encryption. It is, if you’ve already used it with your Mac. If it isn’t, you will need to erase the drive first. Under the Erase tab, choose “Extended (Journaled, Encrypted).”
- Name your drive “X” flash drive, with X being the brand of the drive, your name, or a description of the included files.
- Open your password manager. Create a new entry with the name you just gave the drive.
- Create a password, and then paste it into the two password fields. You are also given the opportunity to enter a hint, which is unnecessary because you used a password manager.
- Click “Encrypt Disk.”
Any files you copy to the drive will be encrypted and password-protected. Your drive will work with other Macs, but not with computers running Windows, Linux, or Chrome OS.
Linux encryption software
Cryptsetup is a free encryption command-line utility for Linux. It is now compatible with Windows BitLocker, and some sources say an extension will also enable it to work with VeraCrypt (see below).
Information about Cryptsetup can be found in the Linux manual and the Linux man page. You can find tutorials for using Cryptsetup to create encrypted drives through the command line here and here.
A much simpler solution is to use Disks (formerly called GNOME Disk Utility) to encrypt your flash drive. To format a flash drive with Disks:
- Open Disks (or GNOME Disks, if you have a different or older version).
- Insert your flash drive into an open USB port. It should appear in the list in the left-hand windowpane.
- Select the drive. You have the option to just format part of the drive, create a new partition and format it, or format the entire drive and encrypt it.
- To format the entire drive (which erases all existing files), click the more options icon (three vertical dots) in the upper right corner. Select “Format Disk.”
- Click Format. Click Format in the next window when asked if you really want to do that. Click next.
- In the next window, name your drive “X” flash drive, with X being the brand of the drive, your name, or a description of the included files.
- In the Type section, choose the compatibility option you want: Linux only, Windows, or all operating systems. Click the “Password protect volume” box. Click next.
- In the final window, enter your password twice and click “Create.”
Free encryption programs
See our article, 7 Best USB Encryption Tools, for reviews of the best free and commercial programs. John Cirelly rates VeraCrypt, a free program, as the best overall, and his endorsement is widely supported by experts elsewhere, as well. VeraCrypt works on Windows, MacOS, and Linux. You can also download a portable version. VeraCrypt is considerably more flexible than BitLocker, but you may find it harder to use.
To use VeraCrypt, download the appropriate version for your operating system. Install the software.
Follow these steps to encrypt a flash drive with VeraCrypt in Windows:
- Insert your flash drive into an open USB port.
- Open VeraCrypt.
- Click Create Volume. Click next.
- You are presented with a window titled VeraCrypt Volume Creation Wizard with three options. Choose the middle option: “Encrypt a non-system partition or drive.” Click next.
- The Windows User Account Control may pop up at this time. Click yes to let it know the software may proceed.
- You are presented with a window titled Volume Type. For a flash drive, choose “Standard VeraCrypt volume.” Click next.
- You are presented with a window titled Volume Location. Click the Select Device button.
- You are presented with a list of your drives. In the example shown, Removable Disk 4 is the flash drive. Be careful to avoid accidentally selecting one of your fixed drives. Choose your flash drive and click OK.
- If your drive has files on it, you are presented with a warning about partitions. You will then need to reformat your drive before proceeding. If your drive is empty, choose “Create encrypted volume and format it” from the next window.
- You are presented with a window titled Encryption Options. Here, you choose the level of security you need. The default settings will be more than sufficient for most users. Click next.
- Click next in the Volume Size Window. You have no options with a flash drive. That brings you to the password window.
- Open your password manager. Add a new entry and name it “X” flash drive, with X being the brand of the drive, your name, or a description of the included files.
- Create a password, and then paste it into the two password fields. Click next.
- Follow the instructions to move your mouse in the Volume Front Window. After the progress bar turns green, click the Format button.
- When formatting is finished, click Exit.
This process is long, and you may find it too complicated. If so, try one of the free alternatives to VeraCrypt that are recommended by Cirelly or other trustworthy sources. Some are:
- SecurStick (Windows, Mac OS X, and Linux)
- DiskCryptor (Windows only)
- Cryptainer Lite (Windows only)
Commercial encryption programs
A slew of commercial encryption programs are available, some for purchase and some by subscription. John Cirelly chose Endpoint Protector by CoSoSys as the top commercial encryption program but says it is better suited for businesses than individual users. The company will not reveal pricing without your name and email address. If you work for a large employer, it may already use encryption software that is supported by its IT department. If not, Cirelly says Endpoint Protector is the best choice for system administrators.
Some of the commercial alternatives that are recommended by other trustworthy sources are:
- Rohos Disk Encryption (Windows only)
- USB Flash Security (Windows only)
- KakaSoft USB Security (Windows only)
- USB Safeguard (Windows, MacOS, and Linux) is software that runs on the flash drive, not the host computer. It costs 19.99€ for an unlimited number of drives (no price is quoted in U.S. dollars).
However, Folder Lock, made by NewSoftwares.net, costs $31.79 from Amazon.com. It has an unimpressive 3.6/5 average rating, cannot be returned, and is only available only to customers located in the United States. The negative reviews are horrifying. Use something else.
In our article, “AxCrypt Review and Alternatives,” Amakiri Welekwe does recommend AxCrypt, a subscription service. AxCrypt costs $3.75 per month, but the company shows it as regularly being $5.00 per month ($60/year). Versions are made for Windows and Mac. The price is steep for an individual user, but you can try it for free for a month.
Many commercial encryption program developers offer full-featured one-month free trials. If you try a program, be careful not to encrypt drives that you won’t be able to reopen unless you continue with the program.