
What are your thoughts on USB storage drives that have keypad encryption?

It seems like the benefits are having the device lock/wipe itself after a set amount of attempts in case of a brute force attack and not having to run software to decrypt the drive on the device you plug it into.

I included a picture of the IronKey Keypad 200 but that's just because it's the first result that came up when I was looking for an example. There seem to be a few other manufacturers and models out there and they probably have different features.

I am curious what you think of them. Do you think they are useful? Do you find it more of a novelty?


It was an ExplainingComputers video titled Very Useful Small Computing Things that made me think of them.

AnnaFrankfurter ,

Obligatory XKCD

fruitycoder ,

For stopping low-effort attempts to get data it seems good; as an addition to software encryption it seems great. Of course hardware can range from child toys, gimmicks, to serious hardened hardware, so results WILL vary.

alphafalcon ,

They occupy a strange niche full of contradictions.

Entering the code on the device itself should increase security as opposed to entering it on a compromised computer.

But plugging it into a compromised computer means the data is compromised anyway.

Their security is way harder to audit than a software solution like PGP.
The actual "encryption" varies from actual decent setups to "entering the code connects the data pins with no actual encryption on the storage chip".

Not having to install/use software to use them means they are suitable for non-technical users, which in turn means more support calls for "I forgot the pin, it wiped itself, can you restore my data".

They are kind of useful to check the "data is transported on encrypted media" box for compliance reasons without having to manage something bigger.

morgin ,

Like everyone else has said, hardware-level encryption doesn’t seem like the most sound option.

Personally I’ve just encrypted sensitive files with Picocrypt. I only just started looking into better encryption techniques though, so there are probably better alternatives.

MonkderZweite ,

Same problems as any firmware based encryption (encrypting SSDs, etc.). Firmware is quickly outdated and the triangle price - speed - security usually neglects the security part.

Imprint9816 ,

Yeah, I don't see how this would be better than a run-of-the-mill thumb drive (that doesn't scream "I'm worth stealing") and just creating a Cryptomator vault on it.

fidodo ,

Is that solution portable for any device and OS you might plug it into?

Pantherina ,

No, it's not, I think; at least Android's restricted af model doesn't allow that.

Same with VeraCrypt.

fidodo ,

I view portability to be the main benefit of a hardware solution. I agree that software options will allow for better security, but imo a less secure hardware option is better than nothing if portability is a requirement.

Imprint9816 ,

It's available on Linux, Mac and Windows, so I'd say it's pretty portable. You could even keep unencrypted installers on the same thumb drive in case internet access is an issue.

fidodo ,

Available or built in? Because there are a lot of jobs and use cases where you need to transfer to systems you don't have full control over.

Imprint9816 ,

At that point you should probably use a cloud based solution anyway. Any decently secured system wouldn't let you plug in a random usb drive anyway.

I had assumed the use case was more for travel, not for trying to access sensitive data on systems that you have limited access to.

inclementimmigrant ,

I use them in my job and I find them better than the software only solution and I like them when I have to use them for sensitive file transfers.

Churbleyimyam ,

Good until you spill a Cuppasoup on its chinesium keyboard.

HowMany ,

Something else to break down.

csm10495 ,

I had one of the SanDisk flash drives that had some launcher thing on it and I had a password for some reason on it.

In high school, a classmate tried to guess it, 3 times and I lost everything on it forever, since it stupidly locked forever after 3 tries.

I had software projects from back then that I can never get back.. including a web browser. I could have had the next Firefox..

If you're out there, Liz: I'll never forgive that.

THE_MASTERMIND ,

Was it going to be open source?

csm10495 ,

I didn't know what that was yet.. but probably.

TonyTonyChopper ,

Liz taught you to make backups of data you value

HelixDab2 ,

Seems like it's a good starting point.

I wonder if you can encrypt the files prior to storing them on the key, which would then encrypt them a second time with a different method. Would that compromise the data in any meaningful way? Or would it mean that you had to decrypt the key and then decrypt the data a second time?

CorrodedCranium OP ,

I believe you would have to decrypt them a second time. For example if you wanted to be real secure you could have the USB device, an encrypted folder that holds important documents and files you want to back up, and inside of that could be a password database that requires a Yubikey or similar device.

I believe what you are talking about is kind of like using a combination of cascading algorithms like AES->Twofish->Serpent.

I could be wrong though. If I am I hope someone can correct me.

HelixDab2 ,

So if that's correct, then a single company breaking the IronKey isn't, by itself, that big of a deal unless and until the knowledge becomes fairly widely available.

CorrodedCranium OP ,

I think it's a factor to consider but it depends on your threat model. A few people have linked an article about a Bitcoin wallet that was on one of these drives that was cracked. I imagine replicating the process would be difficult but with a big enough group going after you who knows?

The extra layers of security always help though.

HelixDab2 ,

I think that if your threat model is the NSA, then them having physical control over the drive--and probably you in a black site--is probably going to be the end of the road for you.

hanke ,
Toribor ,

Like most things, it's important to remember what threats you're trying to protect yourself against.

Are you trying to protect yourself against dropping a USB in a parking lot and someone picking it up? Or are you trying to protect yourself from a nation state?

potatopotato ,

Just my opinion, but I don't really like the common belief of separating nation-state and non-nation-state actors. We're getting to the point where nation states are making up a large portion of the really damaging attacks, and it's frequently one's own government or a government they're in conflict with, which means there are very kinetic consequences for failure even if you're a nobody. It's not just someone stealing some money anymore.

Pantherina ,

Only buy stuff with upgradeable firmware.

Count042 ,

I don't trust hardware implementations of encryption in the same way I don't trust hardware RAID arrays.

YeetPics ,

These are handy if you have to move sensitive information, but I've experienced more than one event at work where irreplaceable files were lost due to user error on these types of drives.

I couldn't tell you about the lifespan of these devices either, something tells me the keys won't last more than a few years if it's being used regularly.

kevincox ,

If your only copy of critical data is on a portable storage device you are doing so many things wrong.

YeetPics , (edited )

Agreed.

Have to stay within HIPAA; sadly that means tech-illiterate C-suite dipshits make decisions on hardware.

INHALE_VEGETABLES ,

I'll store my weird shit on an unsecured hard drive stashed in the woods. Like those that came before me, and those before me.

THE_MASTERMIND ,

You meant "and those before them", right?

INHALE_VEGETABLES ,

You heard what I said. You heard it just like those before me.

Churbleyimyam ,

Store it in your boss's garden.
