How To Encrypt An USB Drive With VeraCrypt (Compatible With Windows, macOS and Linux)

VeraCrypt

VeraCrypt is a free and open source disk encryption utility that can create a virtual encrypted disk within a file or encrypt a partition. In Windows, it can also encrypt the entire storage device with pre-boot authentication.

The application was forked from the TrueCrypt project, and since then it got security improvements along with optimized implementations of cryptographic hash functions and ciphers which boost performance on modern CPUs.

This article explains how to encrypt a USB drive with VeraCrypt with step-by-step screenshots, including what partition type to choose if you want it to be compatible with multiple operating systems (Linux, Windows, macOS), as well as how to mount / access the encrypted USB drive.

It should be noted that you can create an encrypted USB flash drive on Linux, Windows and macOS using VeraCrypt in a similar way, but the VeraCrypt user interface may look slightly different. You may also encounter different options depending on the operating system you're using (for example the filesystem types), but the important steps should be the same. VeraCrypt 1.23 for Linux was used in the screenshots below (in Ubuntu 18.10).

VeraCrypt installation


You can download the VeraCrypt setup binary or source from this page.

On Linux, you can download packages for some Linux distributions, like DEB for Debian (including Raspberry Pi OS) / Ubuntu and Linux distributions based on these, and RPM for CentOS and openSUSE. Or you can download a generic binary that runs on any Linux distribution.

To install this generic Linux installer, download the VeraCrypt setup.tar.bz2 archive and extract it in your home folder. Then enter the extracted VeraCrypt folder using a terminal, make the script ending in setup-gui-x64 (for Linux 64bit) executable, then run it:

cd veracrypt*setup
chmod +x veracrypt*setup-gui-x64
./veracrypt*setup-gui-x64

Ubuntu / Linux Mint / Pop!_OS users may also use a third-party PPA to install VeraCrypt, like this one. But using a PPA for an encryption tool like VeraCrypt is not exactly a good idea. Nevertheless, I'll add Ubuntu and Linux Mint PPA installation instructions below:

sudo add-apt-repository ppa:unit193/encryption
sudo apt-get update
sudo apt install veracrypt

Encryption-related articles you might find interesting:


How to encrypt an USB drive with VeraCrypt


1. Select a slot in VeraCrypt (from the list in the middle of the application), then click Select Device and click on your USB device:


From the Select a Partition or Device dialog that pops up, select your USB stick:


2. Click the Create Volume button and in the window that pops up, select Create a volume within a partition/drive, and then click Next:


This option formats and encrypts the partition so any data on the USB will be lost! If you prefer to create a virtual encrypted disk within a file (which can be placed on the USB drive along with unencrypted files), choose the Create an encrypted file container option instead. This article is about creating an encrypted USB drive though.

On the next screen select Standard VeraCrypt volume and click Next:


You may also use a hidden volume here, but this how-to assumes you're going to use a standard volume. A hidden volume is useful in case you are forced to reveal the password of an encrypted volume and you can't refuse this - in such cases a VeraCrypt volume is created within another VeraCrypt volume, and it should be impossible to prove whether there is a hidden volume within it or not. More information here.

3. On the next screen you'll need to enter the volume location. Click on Select Device and select the USB device (the screen is similar to the one used to select the USB stick in step 1):


After you've selected the USB device, click Next in the VeraCrypt Volume Creation Wizard window.

Make sure you've selected the USB drive that you want to encrypt and not some other device. The device will be formatted and the data on it will be lost! Read the warning displayed by VeraCrypt carefully, then click Yes:

VeraCrypt will prompt you to enter your user or administrator password - enter it and click OK:


A warning that formatting the device will destroy all data on it is now displayed. Click Yes to continue.

4. On the next screen you'll see the VeraCrypt encryption options:


If you're unsure on what to choose here, leave the Encryption Algorithm and Hash Algorithm to their default values (AES / SHA-512) and click Next.

5. VeraCrypt will now ask you to enter a volume password:


Choose a strong password as this will be used to encrypt/decrypt the volume. You can also use a keyfile, which is combined with the password for better protection of the encrypted volume. Make sure you don't forget the password or lose the keyfile because without them it will be impossible to mount the volume.

6. The next VeraCrypt Volume Creation Wizard screen asks if you plan on storing files larger than 4 GB on the volume or not:


This determines the type of filesystem that will be displayed as an option on the next screen. For example, if you select the I will store files larger than 4 GB on the volume option, the next screen won't display the FAT filesystem option because it doesn't support files larger than 4 GB.

7. Now you will need to choose the filesystem type:


If you want your encrypted USB stick to be compatible with Linux, Windows and macOS, choose between exFAT, FAT and NTFS.

I'd like to make some notes here. FAT doesn't support files larger than 4 GB, so keep this in mind. NTFS is supported on both macOS and Linux (and Windows obviously) but its read/write support can be poor on these two operating systems. As for exFAT, it's well supported on Windows, macOS and Linux, but it may require installing some packages on some older Linux systems (for example, on older Ubuntu versions you'll need to install exfat-fuse and exfat-utils). My recommendation is to go with the exFAT filesystem.

For full compatibility between operating systems (but without support for files larger than 4 GB), even older Linux distributions (without having to install anything else) go with a FAT filesystem type.

In case you plan on using the USB stick on Linux machines only, you can choose the Ext4 filesystem type.

8. In the next step, choose if you want to mount the volumes on other platforms and click Next:


After clicking Next, a warning is displayed if you selected that you plan to mount it on other platforms and you choose any filesystem type other than FAT. Click OK since we've already covered this part in the previous step, and so you know what this is about.

9. The next screen is titled Volume Format and here, you need to move your mouse randomly within the VeraCrypt window, to generate a pool of entropy which increases the cryptographic strength of the encryption keys.

Once the Randomness Collected From Mouse Movements bar is filled, you can click the Format button, then click Yes when prompted:


VeraCrypt will now begin creating the volume, displaying the percentage done, speed and time left. Once it's done, click Exit.

How to access the VeraCrypt-encrypted USB drive


When you want to access an VeraCrypt-encrypted USB drive, launch VeraCrypt, select a"slot" (from the list in the middle of the application; this is called "drive" in Windows), then click Select Device, and select your USB device just like in step 1 from the encryption instructions above.

Next, click the Mount button and enter the password you set in step 5:


You may also be prompted to enter your user or administrator password in order to mount the volume.

You should now see the USB drive mounted in your file manager. In recent Nautilus (default Gnome file manager) versions you may need to click on Other Locations to access the mounted VeraCrypt-encrypted USB drive:


You can also double click the mounted entry in VeraCrypt to launch your default file manager with the location of mounted volume, or enable the VeraCrypt option (Settings -> Preferences -> System Integration) to automatically open a file browser window when a volume is successfully mounted.