Encrypting a USB flash drive is one of the simplest things you can do to protect sensitive files. If the drive is lost or stolen, encryption ensures the data is unreadable. The two main options on Windows — BitLocker To Go and VeraCrypt — each have distinct strengths.
BitLocker To Go: Built-In and Convenient
BitLocker To Go is Microsoft’s tool for encrypting removable drives. It’s built into Windows Pro, Enterprise, and Education editions.
Setting Up BitLocker To Go
- Insert your USB drive
- Open File Explorer, right-click the drive, select Turn on BitLocker
- Choose Use a password to unlock the drive and enter a strong password
- Save the recovery key (print it, save to file, or back it up to your Microsoft account)
- Choose Encrypt entire drive (not just used space — this protects deleted files too)
- Select Compatible mode if you need the drive to work on older Windows versions
- Click Start encrypting
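The same wizard steps can be scripted with the BitLocker PowerShell module and then checked, which is useful when preparing several drives. This is an added example, not part of the original guide; the drive letter `E:` and the recovery-file path are assumptions, and it must run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$MountPoint   = 'E:',                              # assumed USB drive letter
    [string]$RecoveryFile = 'C:\Backup\usb-recovery-key.txt'   # assumed path, must not be on the USB
)
$ErrorActionPreference = 'Stop'

# Pre-flight: only touch removable volumes, and make sure the key backup has somewhere to go.
# (Some external disks report as 'Fixed'; this script deliberately refuses them.)
$vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
if ($vol.DriveType -ne 'Removable') { throw "$MountPoint is not a removable drive" }
if ($RecoveryFile -like "$MountPoint*") { throw 'Store the recovery key off the drive it unlocks' }
if (-not (Test-Path (Split-Path $RecoveryFile))) { throw "Missing folder for $RecoveryFile" }

# "Use a password to unlock the drive": prompt so the passphrase never lands in history.
$pw = Read-Host -AsSecureString -Prompt "Passphrase for $MountPoint"

# "Encrypt entire drive": -UsedSpaceOnly is deliberately omitted.
# "Compatible mode": Aes128/Aes256 are the AES-CBC methods older Windows versions can read;
# XtsAes128/XtsAes256 select the newer mode instead.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -PasswordProtector -Password $pw | Out-Null

# "Save the recovery key": add a recovery password and write it to the backup file.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword |
    Format-List | Out-File -FilePath $RecoveryFile

# Wait for conversion to finish, then confirm the end state instead of assuming it.
do {
    Start-Sleep -Seconds 10
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0}: {1}% encrypted" -f $MountPoint, $v.EncryptionPercentage)
} while ($v.VolumeStatus -eq 'EncryptionInProgress')

$types = $v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }
if ($v.VolumeStatus -ne 'FullyEncrypted' -or
    $types -notcontains 'Password' -or $types -notcontains 'RecoveryPassword') {
    throw "$MountPoint is not fully protected: $($v.VolumeStatus), protectors: $($types -join ', ')"
}
Write-Host "$MountPoint encrypted ($($v.EncryptionMethod)); recovery key saved to $RecoveryFile"
```

The recovery file is plain text, so move it to your offline backup once the script reports success.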
BitLocker To Go Strengths
- No extra software — built into Windows
- Transparent operation — once unlocked, the drive works like any other
- Supports smart card authentication in enterprise environments
- Auto-lock on removal — the drive re-locks when unplugged
BitLocker To Go Limitations
- Windows only for write access (a reader for macOS/Linux exists but is read-only and unofficial)
- Requires Windows Pro or higher to create (Home edition can read BitLocker drives but not create them)
- No cross-platform portability
- Closed-source encryption implementation
VeraCrypt: Open-Source and Cross-Platform
VeraCrypt creates an encrypted container file on the USB drive (or encrypts the entire drive). It’s open-source, audited, and runs on Windows, macOS, and Linux.
Setting Up a VeraCrypt Container on USB
- Download VeraCrypt from veracrypt.fr — verify the download with checksums
- Launch VeraCrypt → Create Volume
- Select Create an encrypted file container
- Choose Standard VeraCrypt volume
- Select a location on your USB drive (e.g., E:\vault.vc)
- Choose AES encryption and SHA-512 hash
- Set the container size (leave some free space on the USB for non-encrypted files if needed)
- Enter a strong passphrase
- Move your mouse randomly to generate entropy, then click Format
To access: open VeraCrypt, select the container file, choose a drive letter, click Mount, enter your passphrase.
VeraCrypt Strengths
- Cross-platform — same container works on Windows, macOS, Linux
- Open-source and audited — verifiable security
- Works on any Windows edition (including Home)
- Portable mode — install VeraCrypt on the USB itself for systems without it installed
- Plausible deniability via hidden volumes (advanced use)
VeraCrypt Limitations
- Manual mount/unmount required
- Requires VeraCrypt installed (or portable mode) on the host system
- Container file can be deleted accidentally
- No auto-lock — you must dismount before removing the USB
Head-to-Head Comparison
| Feature | BitLocker To Go | VeraCrypt |
|---|---|---|
| Platform support | Windows only | Windows, macOS, Linux |
| Windows edition | Pro+ (create) / Home (read) | Any |
| Encryption | AES-128 or AES-256 | AES, Serpent, Twofish, cascades |
| Open source | No | Yes |
| Setup complexity | Simple right-click | Moderate (wizard) |
| Daily convenience | High (auto-unlock available) | Moderate (manual mount) |
| Portable use | Windows built-in | Needs VeraCrypt or portable edition |
| Hidden volumes | No | Yes |
Which Should You Choose?
- Windows-only workflow, convenience priority: BitLocker To Go. It’s seamless, built-in, and requires no extra software.
- Cross-platform needs: VeraCrypt. If the USB must work on macOS or Linux, this is your only practical option.
- Windows Home edition: VeraCrypt (or upgrade to Pro for BitLocker).
- Maximum security / open-source requirement: VeraCrypt. Audited code, cascaded ciphers, hidden volumes.
- Enterprise / managed devices: BitLocker To Go with Group Policy management.
For a broader look at USB encryption options, see our dedicated guide on Secure USB Drives. For help verifying your VeraCrypt download, read How to Verify Checksums.
Practical Tips for Either Tool
- Encrypt the entire drive, not just used space — this covers previously deleted files.
- Use a strong passphrase — at least 20 characters or a Diceware phrase.
- Keep a recovery key/passphrase backup in your offline vault.
- Label the drive but don’t write the password on it.
- Always safely eject before removing the USB to prevent corruption.
- Test recovery — verify you can unlock the drive using only your backup password/key.