user@s3-3:~/s3-3/tools/how-to-encrypt-a-usb-drive $ cat index.md
S3-3 Tech Guides & Tools
~/tools/how-to-encrypt-a-usb-drive
Privacy · Jun 2026

How to Encrypt a USB Drive on Windows and Mac

8 min read · S3-3 Tech

A USB flash drive is one of the easiest ways to lose sensitive data. Drop it in a parking lot, forget it in a library computer, or have a bag stolen — and whoever picks it up has unobstructed access to every file on it. Encryption changes that. An encrypted drive shows the finder nothing useful without the password. The files are still there, but they are scrambled in a way that requires your specific key to unscramble. Both Windows and macOS include encryption tools for removable drives, and they cost nothing to use.

Method 1: BitLocker To Go (Windows)

BitLocker To Go is Windows' built-in encryption for removable drives. It uses AES-256 encryption and is available on Windows 10 and 11 Pro, Enterprise, and Education editions. Home edition users can read BitLocker-encrypted drives but cannot encrypt new ones using BitLocker — see the VeraCrypt section below for the Home alternative.

Encrypting the Drive

  1. Insert the USB drive and wait for it to appear in File Explorer.
  2. Right-click the drive in File Explorer and select "Turn on BitLocker." If this option does not appear, your Windows edition does not support BitLocker encryption (it may be Windows Home).
  3. Choose "Use a password to unlock the drive" and enter a password. Make it strong — a passphrase of three or four unrelated words works well. Avoid using the same password you use for other accounts.
  4. Choose where to save your recovery key. Options include your Microsoft account (convenient but requires internet access), a file (save it somewhere other than the drive you are encrypting), or printing it. The recovery key is your fallback if you forget the password — do not skip this step.
  5. Choose the encryption mode. "Compatible mode" is the right choice for a removable drive you intend to use on different computers. "New encryption mode" is better suited for fixed internal drives.
  6. Click "Start Encrypting." Encryption takes minutes to hours depending on the drive's capacity and speed. You can continue using the drive during this process, but removing it mid-encryption risks corruption.

Using an Encrypted Drive

After encryption, every time you insert the drive on a Windows computer, an AutoPlay prompt or File Explorer notification asks for the password. Enter it to unlock the drive for the current session. The drive re-locks automatically when ejected or when the computer sleeps, depending on settings. On Windows, you can set the drive to remember the password on trusted computers via the unlock dialog — avoid doing this on shared or public computers.

BitLocker on Windows Home: Windows Home can read BitLocker-encrypted drives that were encrypted on a Pro machine, but cannot start new BitLocker encryption. If you are on Home and need to encrypt a drive from scratch, VeraCrypt (covered below) is the free alternative that works on all Windows editions.

Method 2: Encrypted APFS or HFS+ (Mac)

On Mac, the simplest way to encrypt a USB drive is through Disk Utility, which reformats the drive with encryption built in. This requires erasing the drive, so back up any existing content first.

Encrypting the Drive via Disk Utility

  1. Open Disk Utility (Applications → Utilities → Disk Utility, or search with Spotlight).
  2. Select the USB drive in the left sidebar. Make sure you select the drive itself (the physical device), not a volume on the drive.
  3. Click "Erase" in the toolbar.
  4. Give the volume a name.
  5. For Format, choose "APFS (Encrypted)" for modern Macs, or "Mac OS Extended (Journaled, Encrypted)" for older macOS compatibility.
  6. Click "Erase," then enter and confirm the encryption password when prompted. Also add a hint that will help you remember the password but would not give it away to someone else.

The drive is reformatted and encrypted in seconds. Going forward, macOS asks for the password whenever you insert the drive. You can opt to save it in your keychain on trusted personal Macs — on any other Mac, the password prompt appears every time.

Quick Encrypt via Finder (Existing Drives)

If the drive is already formatted as Mac OS Extended (not APFS), you can encrypt it without erasing from Finder: right-click the drive in the Finder sidebar and select "Encrypt [drive name]." Enter a password and hint. macOS encrypts the drive in the background while you continue using it. This method does not work for APFS volumes — for those, the Disk Utility erase-and-reformat path is required.

Method 3: VeraCrypt (Free, Cross-Platform)

VeraCrypt is a free, open-source encryption tool that works on Windows (including Home), macOS, and Linux. It can encrypt an entire USB drive or create an encrypted container — a large file that acts like a drive — on an unencrypted drive. The cross-platform support makes it useful if you move files between operating systems regularly.

Using VeraCrypt for a Full USB Encryption

  1. Download VeraCrypt from veracrypt.fr and install it on the computer you will use for encryption.
  2. Insert the USB drive. Back up its contents — encryption erases the drive.
  3. Open VeraCrypt and click "Create Volume."
  4. Select "Encrypt a non-system partition/drive" and click Next.
  5. Select "Standard VeraCrypt volume" and click Next.
  6. Click "Select Device" and choose your USB drive from the list. Be careful to select the correct device — encrypting the wrong drive is destructive.
  7. Choose "Create encrypted volume and format it."
  8. On the Encryption Options screen, the defaults (AES, SHA-512) are fine and very secure.
  9. Set a strong password. VeraCrypt requires at least 20 characters for maximum security, though shorter passwords are accepted.
  10. Move your mouse randomly in the VeraCrypt window for 30 seconds or more to generate entropy for the encryption keys, then click Format.

Accessing a VeraCrypt Drive on Another Computer

To access the drive on another computer, VeraCrypt must be installed there too. This is the main limitation compared to BitLocker or Mac native encryption, both of which are accessible to any Windows or Mac user without additional software. If your drive will only be used on your own machines where you can install VeraCrypt, this is not a problem. If you need to hand the drive to someone who cannot install software — on a corporate computer, for example — VeraCrypt's portable mode lets you carry the VeraCrypt executable on the drive itself, though running it may require administrator rights.

Choosing the Right Method

  • Windows Pro/Enterprise user, drive stays on Windows machines: BitLocker To Go. Built in, zero setup beyond the initial encryption, no extra software needed on any Windows computer.
  • Windows Home user: VeraCrypt. Free, full-strength AES encryption, no edition restrictions.
  • Mac user, drive stays on Macs: Finder or Disk Utility encryption. Integrated into the OS, no extra software, keychain integration for personal Macs.
  • Cross-platform (Windows + Mac + Linux): VeraCrypt. The only option with native support across all three.

One Thing to Do Before You Start

Write down the recovery key or password somewhere secure and offline — a physical notebook kept somewhere safe, for example. Encrypted drive recovery without the password or recovery key is effectively impossible. No service can decrypt it for you; that resistance to recovery is the entire point of encryption. Losing the password means losing the data permanently.