if you carry sensitive stuff on a flash drive and it’s not encrypted, you’re one lost USB away from someone reading everything on it. that’s not paranoia, that’s just how it works.
VeraCrypt is free, open source, and one of the most widely trusted tools for this. it’s been around since TrueCrypt died in 2014. works on Linux, Windows, BSD, macOS.
what makes it actually good:
- audited - QuarksLab audited it in 2016, and Fraunhofer/BSI examined parts of it in 2020. issues found were fixed publicly. that’s how it should work
- strong defaults - AES encryption, high key-derivation iteration counts that vary by config; newer versions support Argon2id, which makes brute force significantly harder
- hidden volumes - you can have a decoy volume and a hidden one inside the same container, each unlocked with a different password. hand over the decoy password under pressure, real data stays hidden
- cross-platform - your encrypted drive works on any OS that runs VeraCrypt
for a flash drive specifically you create an encrypted container or encrypt the whole partition. mount it, use it like a normal drive, unmount it when done. data at rest is completely unreadable without your password.
your password and the security of the system you unlock it on are the main weak points.
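to put numbers on the iteration-count and password points above, here's an added example (not VeraCrypt's own code) that times one password guess under PBKDF2-HMAC-SHA512 and estimates how long a search would take. it uses VeraCrypt's documented PIM formula for containers and non-system volumes; the 64-byte output length, the 1000x attacker speedup and the sample password shapes are assumptions made up for illustration.

```python
import hashlib
import math
import os
import time

DEFAULT_PIM = 485  # documented default for non-system volumes


def iterations_for_pim(pim: int) -> int:
    # VeraCrypt's documented formula for file containers / non-system volumes.
    return 15000 + pim * 1000


def derive_header_key(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA512 is one of the KDF choices VeraCrypt offers.
    # dklen=64 is an assumption for this sketch, not the real header layout.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=64)


def seconds_per_guess(iterations: int) -> float:
    # Time one derivation on this machine; every guess costs an attacker this.
    salt = os.urandom(64)  # random 64-byte salt
    start = time.perf_counter()
    derive_header_key("constructed-sample-password", salt, iterations)
    return time.perf_counter() - start


def years_to_search(entropy_bits: float, guesses_per_second: float) -> float:
    # Average case: the password is found after half the keyspace.
    seconds = (2 ** entropy_bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    iters = iterations_for_pim(DEFAULT_PIM)
    cost = seconds_per_guess(iters)
    rate = 1000 / cost  # assumption: attacker hardware is 1000x this machine
    print(f"{iters} iterations: {cost:.2f}s per guess here")
    samples = [  # constructed password shapes, not real passwords
        ("8 random lowercase letters", 8 * math.log2(26)),
        ("4 random diceware words", 4 * math.log2(7776)),
        ("6 random diceware words", 6 * math.log2(7776)),
    ]
    for label, bits in samples:
        print(f"{label}: {bits:.1f} bits, "
              f"~{years_to_search(bits, rate):.3g} years")
```

the KDF multiplies the cost of every guess by a fixed factor, but each extra bit of password entropy doubles the search, so a weak password stays weak no matter how high the iteration count is.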