Users have been hauling unsecured data around on portable hard or flash drives for years now, but there is no need to live that dangerously any more. A wide range of drives now offer integrated encryption (or some other form of onboard security) as an optional extra, and it could only be a matter of time before all portable drives come with it built in as standard.
Security in mainstream products started with USB flash drives but has spread to every section of the storage market, including fixed drives found inside laptops and PCs as well as the portable flash, hard disk drive and solid-state drive (SSD) options found in portable products.
The point about buying integrated encryption is that it avoids the problem of adding it after the fact using software. Will each PC need to use this software to access the data? Does software encryption tie down the PC when copying data? For the average user, these uncertainties are inhibiting.
This is a quick roundup of a representative sample of some of the best security-oriented/encryption portable drives available today. It is not exhaustive but it does give an idea of the different ways drives can now be secured, and what it sometimes costs to get that extra layer of guaranteed security that some businesses require.
We review here iStorage's diskGenie, the IronKey S200, Freecom's Hard Drive Secure, Stonewood's Eclypt Freedom, and Systematic Development's LOK-IT flash drive.
What is going on when a drive is ‘unlocked’ will depend on the design. Most use a standard encryption design in which the supplied key or PIN allows a user to open the drive, from where each file read from or saved to that volume is decrypted or encrypted on the fly after going through a dedicated software driver.
A second variant – used by the iStorage diskGenie and LOK-IT – is to keep the whole process on the drive itself. Because these designs use built-in keypads they require no software to be loaded on the PC itself, which means they will work on any OS that supports USB without the need for OS-based drivers. The encryption key never leaves the drive.
Either way, incidentally, drive makers build encryption co-processors into drives to speed bulk file encryption/decryption but it is still safe to assume that encryption drives are slower than conventional drives.
A third but rarer type simply secures the drive using some form of token without the need for full-disk encryption at all – see the Freecom Hard Drive Secure reviewed here. Freecom doesn’t go into detail as to how it works but as far as we can tell this type of design is basically a locking/unlocking mechanism that uses RFID and a small, encrypted access partition. Once the drive is open, files are accessible in unencrypted form. When the drive is closed it simply can’t be accessed by the operating system without accessing the encrypted root partition; the underlying data is not encrypted.
The advantage is simplicity (and therefore cost) and speed. No encryption = no encryption overhead. The disadvantage is that the drive could be removed and, with the right sort of expertise, accessed. We should emphasise that this explanation is inferred from the little Freecom has revealed.
A final type we didn't look at is the external drive with two-factor token authentication, using PIN access and a smartcard. A good example of this would be iStorage's DiskCrypt Mobile. Accessing this type of drive means having the PIN (something known) and a physical object (the smartcard), which boosts security but also adds possible inconvenience.
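The difference between a token-locked drive and a fully encrypted one shows up on the bare medium. The following added example (not from the original article or any vendor) assesses a raw disk image for encryption at rest using chunk entropy and cleartext filesystem markers; the 7.5 bits/byte threshold, the function names and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math

CHUNK = 4096         # bytes per sample, large enough for a stable estimate
HIGH_ENTROPY = 7.5   # bits per byte; assumed cut-off (ciphertext sits near 8.0)

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts if c)

def plaintext_markers(image: bytes) -> list:
    """Cleartext structures that a fully encrypted medium should not expose."""
    checks = [(510, b"\x55\xaa", "boot signature 55AA"),
              (3, b"NTFS", "NTFS boot sector"),
              (82, b"FAT32", "FAT32 boot sector")]
    return [name for off, magic, name in checks if image[off:off + len(magic)] == magic]

def assess(image: bytes) -> dict:
    """Summarise whether a raw image looks encrypted at rest."""
    chunks = [image[i:i + CHUNK] for i in range(0, len(image) - CHUNK + 1, CHUNK)]
    used = [c for c in chunks if any(c)]   # skip never-written, all-zero space
    high = sum(1 for c in used if entropy(c) >= HIGH_ENTROPY)
    ratio = high / len(used) if used else 0.0
    markers = plaintext_markers(image)
    return {"high_entropy_ratio": ratio, "markers": markers,
            "looks_encrypted": ratio > 0.99 and not markers}

def constructed_lock_only_image() -> bytes:
    """Constructed sample: FAT32-style boot sector followed by readable file data."""
    boot = bytearray(512)
    boot[0:11] = b"\xeb\x58\x90MSDOS5.0"
    boot[82:90] = b"FAT32   "
    boot[510:512] = b"\x55\xaa"
    data = b"Quarterly payroll export, confidential\n" * 900
    return (bytes(boot) + data)[:CHUNK * 8]

def constructed_encrypted_image() -> bytes:
    """Constructed sample: hash output standing in for AES ciphertext."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1024))

if __name__ == "__main__":
    for name, img in [("lock-only", constructed_lock_only_image()),
                      ("encrypted", constructed_encrypted_image())]:
        print(name, assess(img))
```

The check only means something on an image read from the disk outside its enclosure; read through an unlocked encrypting enclosure, any drive presents plaintext.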
Now to the drives...
iStorage – diskGenie
Available in 128-bit or 256-bit AES encryption versions, the pull of the diskGenie is its admirable simplicity. There are no drivers to load, simply an ATM-like PIN key interface built into the black, rubberised, shock-absorbing shell of the drive itself. The interface has 12 physical keys and one status light which changes colour according to the drive mode, locked (red), unlocked (green) and admin (blue).
There is nothing more to say about it externally other than to note that the built-in USB cable that wraps around the side of the unit is slightly on the short side. An extension cable is provided for such situations, which doubles to provide power if your USB port can’t supply the necessary power.
The first setup task is to set a new PIN, which involves entering admin mode and entering the new PIN. Once the PIN has been confirmed a second time, that PIN is needed to access the contents of the drive from there on. User PINs can be from 6 to 16 digits, and in admin mode up to 10 can be set per drive (plus the admin) which means that it can be used securely across a number of users.
The diskGenie comes in a variety of capacities and with cheaper 128-bit or more expensive 256-bit AES encryption; the 500GB with 128-bit encryption costs around £115 (approx $180) while the same capacity with 256-bit AES costs around £160 inc. VAT. Consumers are highly unlikely to need anything beyond the 128-bit version given that the lesser security it provides is largely theoretical.
An SSD version is also available but this cuts capacity while increasing cost. You really have to want the speed to pay for this.
Bottom line: PIN idea is clever and works without drivers. Modestly priced.
IronKey S200 USB flash drive
The IronKey is a mature 256-bit AES encrypted flash drive design that comes in three versions, Basic, Personal and Enterprise. There is also a fourth version that is handed out by a number of online banks for secure browser access to accounts.
All versions feature the same basic tamper-proof and waterproof steel case which gives the S200 the look of an extremely hard-wearing drive that happens to be FIPS 140-2 Level 3 certified if that matters. To minimise the possibility of malware-infected files getting on to the drive, it comes with a basic McAfee antivirus utility for checking the PC into which the drive is being plugged before files are moved.
Plugging the S200 in launches a control panel screen that offers a range of features. On the Personal and Enterprise versions, the drive comes with a version of the Firefox browser which can be used to launch secure (i.e. encrypted and using secure DNS) sessions, plus an identity management app for securely storing passwords and web logins. The encrypted contents of a drive can be backed up and restored from this interface too, as they can to an online web portal that can also be used to reset the drive’s passphrase.
The Enterprise version is basically the same drive with longer-life flash memory (more write cycles) and a layer of policy enforcement and activity tracking. Lost units can be remotely reset.
Be warned: with all versions, exceed a defined number of consecutive incorrect password attempts and the drive permanently self-destructs. This is not merely data destruction – the drive itself becomes useless.
Users needing a rugged drive for securing valuable files up to 16GB in capacity will probably be prepared to pay the premium for this excellent piece of kit. Consumers worried about online banking fraud might also want to give the secure browser a look. Expensive but highly recommended.
Bottom line: Incredibly rugged and good for online banking too.
Freecom Hard Drive Secure
As we noted in our August 2009 review of the Hard Drive Secure, the security design uses an unusual token approach, which involves ‘unlocking’ the drive by holding a credit card-sized encrypted RFID card near the front of the drive. Accessing the drive is impossible without this card.
As far as we can tell (and Freecom avoids explaining how the system works), the drive has only a small encrypted partition accessed by the card, access to which unlocks access to the data partition. The advantages are that no on-the-fly encryption is needed and there is no passphrase to remember and change from time to time; the disadvantage is that anyone with the card has access to its contents. The card is key.
Lose the card and you can get more from Freecom at some expense, but there is a backup ‘master’ card just in case.
A quirk of the review model we looked at was the slowness with which it recognised the RFID card on some occasions, though against this it has to be factored in that encrypted drives require a password login splash screen.
The Freecom is also a 3.5 inch unit – this is not really a mobile drive – that comes in capacities of up to 2TB which at around £190 (approx $300) makes it rather expensive.
Bottom line: More of a desktop drive but easy to share among users (just hand over the card, temporarily)
Stonewood Eclypt Freedom
The metal-clad Eclypt Freedom is the high-end drive for corporate users who cannot or won’t compromise on achieving that small but sometimes extra level of encryption security. It is not intended as a consumer drive.
Before describing the drive, it is fair to point out that this extra security comes at a price. A 320GB drive will set you back around £280 inc. VAT (approx $430), at least double that of the iStorage diskGenie which also features 256-bit AES encryption. That is, however, not much more than the 16GB IronKey, which is smaller in size but markedly smaller in capacity too.
For some types of user, however, the extra features and robust construction on offer will be worth it or indeed necessary for compliance purposes. The drive is tamper-proof, for a start, and allows admins to set password parameters for up to 128 accounts per drive, necessary when sharing among groups of users.
The model looked at was the Freedom; even more specialist features come with the three other drives in the Eclypt Freedom series, the Baseline, the Baseline Plus, and the Enhanced, which add CESG certifications necessary for very specialised uses. The Eclypt mounts without the need for drivers, which means it will work across platforms.
As with the diskGenie, a solid state disk (SSD) version of the Eclypt is also available but this cuts capacity while hiking cost.
As an aside, the UK-based company that makes this drive is currently in the process of being bought by ViaSat of the
Bottom line: No expense spared design but only for pros
Systematic Development - LOK-IT flash drive
Encryption has crept on to a wide range of USB sticks, but they tend to involve loading some kind of key-entry interface from the drive itself. Nothing wrong with that, but a new drive from US company Systematic Development takes the concept of simplicity a stage further by including a keypad on the drive itself.
The LOK-IT drive comes in two forms, a secure ‘consumer version’ with five number keys, and a more expensive hardcore version with ten keys which is also designed to resist physical tampering. We reviewed the simpler five-digit version.
The drive is set up by putting the drive into key setting mode and entering a chosen PIN of between seven and fifteen digits from 10 numbers printed two for each of the five keys. The status is indicated by red (locked), green (unlocked) and blue (docked) LEDs. The USB connector slips back inside a retractable hood for protection.
As with the diskGenie, the advantage of using PIN entry is that it requires no software (so will run on any OS that supports USB) and involves carrying a number sequence around in your head. A security aid is that PINs cannot feature consecutive or repeated numbers, so 1234567 is out.
In case of forgotten PINs, a master PIN can be set by admins, and the drive protects itself from guessing numbers by resetting itself after 10 incorrect attempts. And the battery to power the LEDs? The makers say that this recharges when it is plugged into the PC.
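To weigh the PIN rule against the 10-attempt reset described above, this added example (not from the original article or the vendor) counts how many PINs survive the rule and what ten guesses are worth. It assumes the rule means no two adjacent digits may be equal or differ by exactly one; the review does not specify the exact check, and the function names are illustrative.

```python
MIN_LEN, MAX_LEN = 7, 15   # PIN length range stated in the review
MAX_ATTEMPTS = 10          # wrong guesses before the drive resets itself

def is_allowed(pin: str) -> bool:
    """Assumed rule: no adjacent pair of digits is equal or differs by exactly one."""
    if not (pin.isascii() and pin.isdigit() and MIN_LEN <= len(pin) <= MAX_LEN):
        return False
    return all(abs(int(a) - int(b)) >= 2 for a, b in zip(pin, pin[1:]))

def count_allowed(length: int) -> int:
    """Count allowed PINs of one length by dynamic programming over the last digit."""
    ends = [1] * 10   # ends[d] = number of allowed sequences ending in digit d
    for _ in range(length - 1):
        ends = [sum(n for d, n in enumerate(ends) if abs(d - e) >= 2)
                for e in range(10)]
    return sum(ends)

def guess_probability(length: int) -> float:
    """Chance that MAX_ATTEMPTS distinct, rule-aware guesses hit a uniformly chosen PIN."""
    return MAX_ATTEMPTS / count_allowed(length)

if __name__ == "__main__":
    for length in (MIN_LEN, MAX_LEN):
        allowed = count_allowed(length)
        print(f"{length} digits: {allowed} of {10 ** length} PINs allowed "
              f"({allowed / 10 ** length:.1%}); "
              f"{MAX_ATTEMPTS} guesses succeed with p={guess_probability(length):.2e}")
```

Under this reading the rule removes most of the nominal seven-digit space, so the reset after 10 attempts carries more of the protection than the PIN length alone suggests.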
The five-key LOK-IT can be fiddly. Setting up a seven digit PIN with such tiny numbers is hard enough but doing it when there are two numbers per key requires careful pressing for anyone with adult fingers. We found turning the drive by 180 degrees to access PINs on one side or other of the keypad the easiest way to avoid mistyping. If this is an issue we’d recommend either the more manageable 10-digit model or just using a conventional plug-in and password flash drive.
That said, anyone who wants a cross-platform drive (assuming you format it in a compatible way) and no software complexity will find this fairly cost-effective.
Bottom line: PIN access on a flash drive. Five-digit version is fiddly to use.
The first rule of encrypted drives is to buy only the capacity of drive needed. Encryption adds cost to storage and buying a smaller one is a way to claw some of that expense back if the full capacity is not really needed. Most consumers will be trying hard to exceed 1GB of sensitive files.
A second issue is form factor. If consumers only have up to 1GB of really important data, a flash drive is more than adequate. Hard drives are for people for whom every file is sensitive, whether personal or not. Do you want strangers watching your digital holiday clips? Probably not so get an external hard drive.
Is the drive bootable? This isn't a big deal for everyone and many aren't because the security interferes. Higher-end drives tend to come with the feature, however. The drive should be checked before purchase.
Finally, there is the arrival of USB 3.0. None of the encrypted models we looked at yet supported the higher-speed standard, although its encroachment is only a matter of time. USB 3.0 is a good thing but users still need an equivalent interface on their PC to make use of it. With laptops, we reckon it’s not worth it for the modest speed boost possible using the ExpressCard 1.0 interface found on most laptops. Some drives feature eSATA, which is faster than USB 2.0 by some margin.
You still pay for the security of encryption but the days of drives without it might be drawing to a close.