Protect USB Memory Sticks – Mac Kung Fu, 2nd Edition

Tip 106: Protect USB Memory Sticks

Lots of people use USB memory sticks to transfer data from one computer to another or just to keep their files with them at all times.

OS X lets you format a USB memory stick so that its contents are encrypted. You’ll need to enter a password whenever it’s inserted.

Essentially, this turns any USB stick into an ultra-secure portable file storage device, of the type often sold at a premium. However, there are a number of caveats, as follows:

  • The memory stick must be Mac-formatted, which is to say it must use the GUID Partition Table (GPT) system. Out of the box, most memory sticks are formatted as Windows-compatible FAT32/FAT32X, which your Mac can read and write to but cannot encrypt. Therefore, the first step is usually to reformat a memory stick to GPT format.

  • The memory stick will work only on Macs running OS X Lion or Mountain Lion and not on Macs running earlier versions of OS X or on PCs running Windows or Linux. To those operating systems, the memory stick will appear to be unformatted or corrupted. For a way of creating a cross-platform encrypted archive that you can store on a USB memory stick, see Tip 209, Create Encrypted Archives for All Computers.

Therefore, there are two potential paths from this point: formatting and encrypting the memory stick with GPT format or simply encrypting the disk if it’s already GPT formatted. The following instructions explain all you need to know, although you should note that they apply equally well to any kind of removable storage device, including FireWire, Thunderbolt, and USB external drives.

Converting a Memory Stick to GPT and Encrypting It

The following steps detail how to first format a memory stick in Mac-compatible GPT format and also encrypt it at the same time. Theoretically, these two steps can be done separately, but it makes sense to do them at the same time.

Be aware that files already on the stick will be deleted during the formatting process, so you should temporarily copy them to a safe location and then copy them back once the following procedure is finished.

  1. Start by opening Disk Utility (open Finder, select the Applications list, and then double-click Disk Utility in the Utilities folder), and then insert the USB memory stick you intend to use.

  2. Look for the memory stick’s entry in the list of disks on the left side of the Disk Utility window. It will probably be identified by its size. Select the entry, but make sure you select the disk itself and not the partition(s), which will be listed below and indented slightly.

  3. Click the Erase tab in the Disk Utility window. In the Format drop-down menu, select Mac OS Extended (Journaled, Encrypted). In the Name field, type whatever you want to call the memory stick. This name will appear in Finder’s sidebar whenever you insert the stick in the future.

  4. Click the Erase button. You’ll be prompted to enter a password and verify it by typing it again immediately below. It’s important that you don’t forget this password! If you do, there is absolutely no way of recovering the contents of the memory stick—they’re lost forever. However, you will be able to reformat the memory stick so you can keep using it. Because of the risk, it’s a good idea to type something in the Hint field that might provide a clue to what the password is—the hint will appear in the future should you get stuck when entering the password. For an example, see Figure 17, Encrypting a removable storage device like a USB stick.

  5. When you are done, click the Erase button in the dialog box. Erasing, partitioning, and encrypting will take a minute or two depending on the size of the memory stick. Once you’re done, the new memory stick will be ready for use. You can copy files to it by selecting its entry in the sidebar of Finder. You can also close Disk Utility.


Figure 17. Encrypting a removable storage device like a USB stick

Encrypting a USB Memory Stick Already Formatted for Macs

Encrypting a USB memory stick already Mac-formatted is easy—just right-click the memory stick’s entry on the left of a Finder window under the Devices heading, and select the Encrypt option. This is possible because encryption can be done “on the fly,” which is to say it can be done invisibly and in the background, without destroying the existing contents of the memory stick and while you’re still using the memory stick to save and retrieve files.

You’ll be prompted to enter a password and verify it by typing it again, so do so. You’ll also be prompted to enter a password hint in case you forget your password.

Once you’ve done both, click the Encrypt Disk button, and the encryption process will begin. The memory stick will be unmounted and then mounted again a minute later, after which the background encryption process will begin. You’ll see no progress display, and, in fact, the only way you’ll be aware of it is either to watch the flashing LED light on the USB stick itself, indicating activity, or to right-click the memory stick’s icon and watch until the Encrypting menu option ceases to be grayed out.

Note that you can sleep the computer, reboot, or even shut down while the stick is being encrypted, and the process will pick up automatically where it left off the next time the computer is used. However, you shouldn’t remove the memory stick until encryption has completed, which—in the case of a very large memory stick containing many files—could take several hours.
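The same state can also be read in Terminal. The following is an added example, not taken from the book: it parses the text printed by `diskutil cs list` and reports whether a named volume has finished converting. The field names (Encryption Type, Conversion Status, Fully Secure, Volume Name) are an assumption about that output, and the UUIDs and volume names in the sample are constructed.

```shell
#!/bin/sh
# Added example: report whether an encrypted stick has finished converting,
# from the text `diskutil cs list` prints. Field names are an assumption
# about that output; the sample below is constructed, not captured.
SAMPLE='+-> Logical Volume Family 11111111-AAAA-4AAA-8AAA-111111111111
    Encryption Type:         AES-XTS
    Conversion Status:       Complete
    Fully Secure:            Yes
    |
    +-> Logical Volume 22222222-BBBB-4BBB-8BBB-222222222222
        Disk:               disk1
        Volume Name:        Macintosh HD
+-> Logical Volume Family 33333333-CCCC-4CCC-8CCC-333333333333
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Fully Secure:            No
    |
    +-> Logical Volume 44444444-DDDD-4DDD-8DDD-444444444444
        Disk:               disk3
        Volume Name:        WORKSTICK'

# stick_state NAME: read `diskutil cs list` text on stdin and print
#   secure      conversion complete and fully encrypted, safe to unplug
#   converting  background encryption still running, leave it plugged in
#   plain       volume found but no encryption type is set
#   missing     no CoreStorage volume with that name
stick_state() {
    awk -F': *' -v want="$1" '
        { sub(/^[ |+<>-]*/, "", $1); sub(/[ \t]+$/, "", $2) }
        /Logical Volume Family/   { type = conv = secure = "" }  # new family
        $1 == "Encryption Type"   { type = $2 }
        $1 == "Conversion Status" { conv = $2 }
        $1 == "Fully Secure"      { secure = $2 }
        $1 == "Volume Name" && $2 == want {
            if (type == "" || type == "None") print "plain"
            else if (conv == "Complete" && secure == "Yes") print "secure"
            else print "converting"
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# On a Mac: diskutil cs list | stick_state "WORKSTICK"
printf '%s\n' "$SAMPLE" | stick_state WORKSTICK   # prints: converting
```

Each Logical Volume Family resets the recorded fields, so the internal FileVault disk and the stick are judged separately even when both appear in the same listing.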

Using the Protected Memory Stick

Regardless of how you activated encryption, you can use the encrypted memory stick just like any other. Before physically unplugging it, be sure to eject it by clicking the Eject button next to the disk’s entry within Finder.

When you insert the memory stick, you’ll be prompted for the password. If you check the Remember the Password in My Keychain box at that prompt, you’ll never be prompted for the password again on that computer. However, if the stick is inserted into another Mac, the password prompt will appear. Therefore, you’ll have a USB memory stick that—essentially—works seamlessly on your computer but whose data is inaccessible to anyone else.