USB storage devices

What is a USB?

A USB flash drive, also known as a thumb or jump drive, is an external storage device which can be plugged into a computer’s USB port to store and retrieve files. These drives are a popular option for storing and transporting files as they are readily available, inexpensive, and portable. They are removable, rewritable, and have a storage capacity ranging from 8GB to 2TB.

Considerations when choosing to use USB devices

The small size and portability that make USB devices popular with users also make them easy to misplace and attractive to cyber attackers. These devices could be loaded with malware designed to infect the machine and/or the network. This type of attack, or the loss of a device containing sensitive data, can lead to loss of productivity and a costly data breach. It could also result in damage to the University of Waterloo’s reputation.

Alternatives to using USB storage devices

Before storing sensitive data on a USB device consider alternative options for file sharing, collaboration and back-ups, such as:

  1. Sendit – secure file transfer service

    • Recommended for large files that contain information classified as Restricted

    • Log in at sendit.uwaterloo.ca using your WatIAM credentials and refer to the IST knowledge base article, Sendit, for detailed instructions

  2. Cloud computing

    • SharePoint - collaboration environment

      • Share/create files with cross-functional groups on campus

      • Configured as an intranet and requires a nexus login to access

    • Microsoft 365 – cloud storage and a collaboration environment

      • 5TB available to store files in one place via OneDrive

      • Share/Create files internally and externally and retrieve them from any device

    • Microsoft Teams – Secure chat application for communication

      • Collaborate in real-time with users across campus by creating a team

      • Share/Create files among Team members

Please see the Guidelines for secure data exchange to determine the security classification of the information and to ensure the transmission method chosen is appropriate. For support for any of these options, submit a request using the Jira Service Desk Portal.

Using a USB device securely

Although portable USB drives have inherent security risks, there may be times when a USB drive is the most practical option. Follow these tips to use a USB securely:

  1. Do not plug an unknown USB device into your computer. A found USB should be submitted to IT support.

  2. Disable “autorun” features on removable media.

  3. Scan the USB using an anti-virus software before opening the device.

  4. Encrypt the device. Encryption is a great way to prevent data breaches, security incidents and sensitive data falling into the wrong hands. When retrieving the encrypted files from the device, ensure that the machine used to open files is also encrypted to maintain the security integrity. 

Recommended options

Windows – BitLocker To Go

BitLocker To Go uses Advanced Encryption Standard (XTS-AES-128) with key lengths of 256 bits. It is not compatible outside its respective OS. The following instructions are only for currently supported versions of Windows: 10 and 11.

  1. Plug the USB drive into the correct port on a Windows device.

  2. Search for ‘Manage BitLocker’ from the Windows search menu and open.

  3. Under Removable data drives – BitLocker to Go, select the drive to be encrypted.

  4. Select Turn on BitLocker.

  5. Create a strong password that will meet BitLocker To Go’s requirements and IST’s Password Standards.

  6. Enter the secure password a second time and click Next.

  7. Save or print the recovery key to a secure location. If the password is forgotten, the USB drive contents can be recovered using the recovery key. The key can be saved by printing it as a PDF and can be saved to a location other than the USB device. This location should also be encrypted.

    • Select Print the recovery key

    • Select Microsoft Print to PDF

    • Save the PDF in a secure location or print the document and file securely

  8. Click Next

  9. Select how much of the drive to encrypt initially.

    • Please note that BitLocker automatically encrypts new data as it is added.

    • For a new drive, select “Encrypt used disk space only”

    • For a previously used drive, select “Encrypt entire drive”.

  10. Click Next to start the encryption process.

  11. Click Close. The drive is now encrypted.
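
The same steps can be scripted with the BitLocker PowerShell cmdlets. This is an added example, not IST's own tooling; it assumes an elevated PowerShell session on Windows 10 or 11, and the parameter names `DriveLetter`, `RecoveryKeyFile` and `PreviouslyUsed` are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the GUI steps above. Parameter names are illustrative.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
    [Parameter(Mandatory)][string]$RecoveryKeyFile,  # e.g. a file on an encrypted internal disk
    [switch]$PreviouslyUsed                          # step 9: encrypt the entire drive
)
$ErrorActionPreference = 'Stop'
$mount = "${DriveLetter}:"

# Steps 1 and 3: only operate on removable media, never on an internal disk.
$vol = Get-Volume -DriveLetter $DriveLetter
if ($vol.DriveType -ne 'Removable') { throw "$mount is $($vol.DriveType), not removable." }

# Step 7: the recovery key must be stored somewhere other than the drive it unlocks.
if ($RecoveryKeyFile -notmatch '^[A-Za-z]:\\') { throw 'Give a drive-qualified absolute path.' }
if ($RecoveryKeyFile.Substring(0, 2) -ieq $mount) {
    throw 'The recovery key file must not be saved on the drive being encrypted.'
}

# Steps 5-6: prompt twice without echoing, compare, then discard the plain-text copies.
$pw  = Read-Host -AsSecureString 'New BitLocker To Go password'
$pw2 = Read-Host -AsSecureString 'Confirm password'
$a = [System.Net.NetworkCredential]::new('', $pw).Password
$b = [System.Net.NetworkCredential]::new('', $pw2).Password
$match = $a -ceq $b
Remove-Variable a, b
if (-not $match) { throw 'Passwords do not match.' }

# Steps 4, 9 and 10: turn on BitLocker with a password protector.
$enable = @{ MountPoint = $mount; PasswordProtector = $true; Password = $pw }
if (-not $PreviouslyUsed) { $enable.UsedSpaceOnly = $true }   # new drive: used space only
Enable-BitLocker @enable | Out-Null

# Step 7: add the 48-digit recovery password and write it to the chosen file.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$blv = Get-BitLockerVolume -MountPoint $mount
$rec = $blv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Drive $mount  ID $($rec.KeyProtectorId)  Recovery key $($rec.RecoveryPassword)" |
    Set-Content -Path $RecoveryKeyFile

# Step 11: report what was applied; encryption continues in the background.
$blv | Select-Object MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage
```

Keep the drive plugged in until `EncryptionPercentage` reaches 100; re-run `Get-BitLockerVolume` to check progress.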

Unlocking the Encrypted USB

  1. Plug the USB drive into the correct port on a Windows device.

  2. Search for ‘Manage BitLocker’ from the Windows search menu and open.

  3. Under Removable data drives – BitLocker to Go, select the drive to be opened and click the Unlock drive option.

  4. Enter the password and confirm.

  5. If the password is forgotten, click More options and enter the 48-digit recovery key.

Manage BitLocker To Go Encryption

  1. Plug the USB drive into the correct port on a Windows device.

  2. Search for ‘Manage BitLocker’ from the Windows search menu and open.

  3. Under Removable data drives – BitLocker to Go, select the drive to be managed.

  4. From this menu you can:

    1. Back up the recovery key: obtain the recovery key for the drive encryption.

    2. Change password: revise the password.

    3. Remove password: remove the password protection (not recommended).

    4. Add smart card: add a smart card instead of a password.

    5. Turn on auto unlock: USB drive opens automatically (not recommended).

    6. Turn off BitLocker: decrypts the USB drive.
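
The settings this menu exposes can also be checked from an elevated PowerShell session. The following added example (not IST's own code; the function name `Test-RemovableDriveProtection` is illustrative) reports every attached removable drive that is unencrypted or has one of the "not recommended" options above in effect.

```powershell
#Requires -RunAsAdministrator
# Added example: audit attached removable drives against the guidance in this article.
function Test-RemovableDriveProtection {
    $drives = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $drives) {
        $mount    = "$($vol.DriveLetter):"
        $blv      = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $findings = @()

        if (-not $blv) {
            $findings += 'BitLocker status could not be read'
        }
        elseif ($blv.LockStatus -eq 'Locked') {
            # Encrypted and not yet unlocked: unlock it to inspect the remaining settings.
            $findings += 'Locked (unlock the drive to audit its settings)'
        }
        elseif ($blv.VolumeStatus -eq 'FullyDecrypted') {
            $findings += 'Not encrypted'
        }
        else {
            $types = @($blv.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            if ($blv.ProtectionStatus -ne 'On') {
                $findings += "Protection is $($blv.ProtectionStatus), status $($blv.VolumeStatus)"
            }
            # "Remove password" is not recommended unless a smart card replaces it.
            if ('Password' -notin $types -and 'PublicKey' -notin $types) {
                $findings += 'No password or smart card protector'
            }
            # "Turn on auto unlock" is not recommended.
            if ($blv.AutoUnlockEnabled) {
                $findings += 'Auto-unlock is enabled on this computer'
            }
            # Without a recovery password a forgotten password means lost data.
            if ('RecoveryPassword' -notin $types) {
                $findings += 'No recovery key protector'
            }
        }

        [pscustomobject]@{
            Drive    = $mount
            Label    = $vol.FileSystemLabel
            Status   = if ($findings) { 'Review' } else { 'OK' }
            Findings = $findings -join '; '
        }
    }
}

Test-RemovableDriveProtection | Format-Table -AutoSize -Wrap
```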

macOS – APFS

APFS uses the Advanced Encryption Standard (XTS-AES-128) encryption with key lengths of 256 bits. It is not compatible outside its respective OS. Flash drives with the FAT file system must be formatted; therefore, everything on the flash drive should be deleted before starting the process. The following instructions are only for currently supported versions of macOS: 10.15 Catalina, 11.x Big Sur, and 12.x Monterey.

To format the USB drive before encrypting

  1. Plug the USB drive into the correct port on the Mac device.

  2. Open the Disk Utility app from the Applications/Utilities menu.

  3. From the toolbar click the View button and select Show All Devices if it is not already ticked.

  4. From the sidebar click on the top-level name of the USB drive and select Erase.

  5. Name the USB drive.  

  6. Select GUID Partition Map from the Scheme dropdown menu to see the encryption option in the Format dropdown.

  7. Select APFS (Encrypted).

  8. Click the Erase button.

  9. The USB drive will now be ready for encryption.

To encrypt the USB drive with APFS

  1. Plug the USB drive into the correct port on the Mac device.

  2. Select the drive from the desktop, right-click, and select Encrypt.

  3. Create a strong password that will meet APFS’ requirements and IST’s Password Standards. Enter the secure password a second time. This password cannot be recovered or reset.

  4. Enter a password hint and click Choose.

  5. Click Encrypt disk. The drive is now encrypted.

Unlocking the encrypted USB drive

  1. Plug the USB drive into the correct port on the Mac device.

  2. Launch Finder and right-click the encrypted USB drive.

  3. Select the Decrypt option.

  4. Enter the password and confirm.

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
