Ubuntu – Encrypt USB That Is Compatible With Windows

Unfortunately, there is no easy solution to securing your stuff. Think about your use-case, maybe something other than plain AES is better suited.

• Use a password manager like Keyring for passwords
• Encrypt your home directory (very easy to do with the Ubuntu installer)
• Use GPG if you want to communicate securely via email
• OTR with Pidgin if you want secure instant messaging
• Use Cryptocat for secure chat

If you want very simple platform independent encryption, you can use openssl.

Please note: You can use this to hide birthday-gift-ideas.txt from your roommate, but don't expect it to be secure against a determined attacker!

1. As was pointed out in the comments, this method uses a naive key derivation function, so your password needs to be superlatively good in order for you to have a chance of being secure.
2. Additionally, this method doesn't authenticate the ciphertext, which means an attacker can modify or corrupt the contents without you noticing.
3. For many types of security, encryption is simply not enough (e.g. you can't just use encryption to communicate securely)

If you still want to use openssl:

• Encryption:

  openssl aes-256-cbc -in attack-plan.txt -out message.enc

• Decryption:

  openssl aes-256-cbc -d -in message.enc -out plain-text.txt

You can get openssl to base64-encode the message by using the -a switch on both encryption and decryption. This way, you can paste the ciphertext in an email message, for example. It'll look like this:

stefano:~$ openssl aes-256-cbc -in attack-plan.txt -a
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
U2FsdGVkX192dXI7yHGs/4Ed+xEC3ejXFINKO6Hufnc=

Note that you have a choice of ciphers and modes of operation. For normal use, I recommend aes 256 in CBC mode. These are the ciphers modes you have available (only counting AES):

aes-128-cbc ← this is okay
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc ← this is recommended
aes-256-ecb

See also:

• http://en.wikipedia.org/wiki/Symmetric-key_algorithm
• http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Please note:

OpenSSL will ask you for a password. This is not an encryption key, it is not limited to 32 bytes! If you're going to transfer files with someone else, your shared secret should be very strong. You can use this site to get a sense of how good your password is:

• https://www.grc.com/haystack.htm (this doesn't take into account any dictionary attacks!)
• http://howsecureismypassword.net (this at least check for common passwords)

Warning: I have checked that these sites don't send your password to the server, but that can change at any time. Use these sites with dev tools / inspector and check if they send anything before typing in your strong password.

• TrueCrypt can create mountable encrypted disk images

You can access TrueCrypt volumes on all three major OS. This is a disk encryption tool rather than a file encryption tool, so the choice of file system inside the disk image is important if you want to be able to mount the file system inside - chose a file system that works on all platforms you intend to use. FAT32 is probably the safest choice.

Note that in order to install the TrueCrypt driver on Windows, you will need to be an Administrator user, or gain the cooperation of one, for every workstation you wish to access a TrueCrypt volume on. In addition, any process with access to the mounted file system will be able to read your files in the clear, so you must trust all systems on which you mount your encrypted volume.

• GnuPG can create individual encrypted files

If you can't use TrueCrypt, or don't like it's caveats, then you can encrypt individual files with GnuPG. Gpg4win provides easy to use Windows tools for GnuPG. While GnuPG will encrypt files at the simple "password" level, you may wish to read up a little on Public Key Cryptography.