Portable encryption systems – keeping your USB / flash drive data safe

USB-based flash drives are part and parcel of everyone’s life these days. Not only are they dirt cheap, they provide substantial storage, making them extremely handy tools for carrying around large amounts of data, including personal and official information of a sensitive nature.

What’s worrisome is that the data on an average flash drive is grossly insecure and can prove to be a tremendous source of data leakage, both personal and from an organization’s network, if the drive falls into the wrong hands.

Because of their tiny size these devices are prone to being lost or misplaced, or worse yet, are easy targets for thieves. Both TechRepublic and PCWorld provide lengthy discussions of the kind of damage such a loss can cause an organization.

The good news is that there are numerous commercial and free / open-source solutions (both software- and hardware-based) for securing your flash drive data. This article provides brief overviews of the most well-known ones, with an emphasis on those that are free and readily available to everyone. In each case, portability is the key criterion, as that’s what USB drives are for.

Hardware

To begin with, hardware-based data protection systems for flash drives aren’t all that prevalent yet, with not many viable (read: inexpensive) options for the mass consumer market. For the most part, these devices are targeted at the SMB (Small and Medium Business) and Enterprise market.

Although dubbed “hardware-based encryption”, these flash drives employ a dual layer of hardware and software to secure your files.

These drives come with two partitions: a normal partition for publicly viewable data and an encrypted one for all your sensitive information, with the ability to set the size of the latter (as a percentage of the total capacity) at will. All data flowing in and out of the encrypted partition is encrypted / decrypted on the fly with AES-256 by an encryption chip built into the drive. To access this partition you must provide a password, and this authentication step is where the software part comes into play. The whole process is transparent to the end user and causes no noticeable loss in transfer speed.

Note that the authentication software is, in most cases, Windows-only. On other platforms (Mac, Linux etc.) the encrypted partition therefore cannot be unlocked at all.

Did you know…

that brute-forcing a 256-bit AES key is computationally infeasible for any computer, now or in the foreseeable future? Losing the stick does not expose the data through the cipher; the realistic attack is guessing the password that unlocks the key, which is why the retry limit described next, and the strength of your password, are what actually protect you.

The drives also sport an automated self-destruct mechanism that securely wipes the encrypted partition after a set number of failed unlock attempts. Because the counter is enforced inside the drive, it effectively defeats brute-force guessing of the password, although you can also give up all hope of recovering your data if you forget your own password. But then again: “Better safe than sorry”.

Some of the vendors offering hardware-encrypted USB flash drives are:

Among these, the drives from Kingston, SanDisk and Verbatim have been validated to FIPS 140-2 Level 2 under the NIST-run Cryptographic Module Validation Program, which qualifies them for use with sensitive US government data. Recently, a security hole was discovered in drives from all three vendors, but it lay in the host-side unlock software, not in the AES encryption itself, which still stands strong. It is a useful reminder that a FIPS validation covers the cryptographic module, not necessarily the authentication software wrapped around it, so check what the certificate actually covers. Patches have already been rolled out by all three vendors rectifying this problem.

If you’re the paranoid kind and / or strong on security, these are the drives for you. But be prepared to shell out a thick wad, in the order of $100 to $500 depending on the make and capacity of the drive.

Software

Pure software encryption systems have a couple of distinct advantages over their hardware counterparts:

  • They can turn any USB disk into secure storage.
  • Most let you choose the cipher. Besides the default AES, Blowfish, Twofish, DES, Triple-DES etc. are also offered. Stick with AES (or Twofish / Serpent where available): single DES has a 56-bit key and has long been brute-forceable, so it should never be picked.
  • And finally, they come much, much cheaper than the hardware variants: the price range starts at “free” and goes up to about $50.

As far as modus operandi goes, hardware- and software-based systems are virtually alike, except that for the latter the job of the encryption chip is taken over by an additional layer of software. The same software that handles authentication is also responsible for encrypting / decrypting the partition, and a portable copy of it is usually placed on the USB drive itself to avoid re-installation when working on a different PC. Bear in mind that this means the encryption runs on whichever host you plug into: a host with a keylogger or other malware can capture your password or read the decrypted data, and no amount of encryption on the stick prevents that.

Another advantage is that you can create multiple encrypted partitions on the same USB drive. These so-called partitions aren’t real partitions; they are encrypted files that serve as containers for your data and are mounted as separate volumes by the software on demand. Hence you can create as many as you wish, each dedicated to a different kind of content, the only limits being the capacity of the flash drive and the supply of drive letters (on Windows). As with the hardware version, data is read from and written to these volumes on the fly. The flip side is that a container is just a file: anyone who copies it can try as many password guesses as they like offline, with no retry counter to stop them, so the password has to be strong.
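The following is an added example in Python, not code from this article or from any of the products it names, modelling what actually protects a password-unlocked container: a random 256-bit data key that the password merely wraps, a cheap check value so wrong passwords can be rejected, a retry counter that destroys the wrapped key (the hardware drives’ self-destruct), and, for contrast, the offline guessing an attacker can do against a copied software container. The cipher is a stand-in (an HMAC-SHA256 counter-mode keystream) for the AES that real tools use, chosen so the block runs with the standard library alone; the iteration count, retry limit, sample passphrase, word list and file content are all constructed for the example.

```python
# Added example (not from the article or any product it names): a toy model of a
# password-unlocked encrypted container, to show what really protects the data.
# Real tools use AES in XTS/CBC mode inside a driver or a chip; to stay
# standard-library-only this uses an HMAC-SHA256 counter-mode keystream instead,
# which is fine for illustration but not something to ship.
import hashlib
import hmac
import os
import secrets
import struct
from typing import Optional

ITERATIONS = 100_000   # PBKDF2 work factor, chosen for the example
MAX_TRIES = 10         # hypothetical self-destruct threshold, as on the hardware drives


def kdf(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key-wrapping key (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)


def check_value(wrap_key: bytes) -> bytes:
    """Cheap proof that a password is right, without touching the data key."""
    return hmac.new(wrap_key, b"container-check", "sha256").digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher: block i = HMAC(key, nonce || i); XOR is self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def create_container(password: str, plaintext: bytes) -> dict:
    """The data key is 256 random bits; the password only wraps it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    data_key = secrets.token_bytes(32)
    wrap_key = kdf(password, salt)
    header = {"salt": salt, "nonce": nonce,
              "wrapped_key": keystream_xor(wrap_key, nonce, data_key),
              "check": check_value(wrap_key)}
    return {"header": header, "body": keystream_xor(data_key, nonce, plaintext),
            "tries_left": MAX_TRIES}


def unlock(container: dict, password: str) -> Optional[bytes]:
    """Models a drive's authentication: wrong guesses count down, and at zero the
    wrapped key is destroyed, so the data is gone for attacker and owner alike."""
    header = container["header"]
    if header is None:
        raise RuntimeError("container has self-destructed")
    wrap_key = kdf(password, header["salt"])
    if not hmac.compare_digest(check_value(wrap_key), header["check"]):
        container["tries_left"] -= 1
        if container["tries_left"] == 0:
            container["header"] = None        # the "self-destruct"
        return None
    data_key = keystream_xor(wrap_key, header["nonce"], header["wrapped_key"])
    return keystream_xor(data_key, header["nonce"], container["body"])


def offline_bruteforce(header: dict, wordlist) -> Optional[str]:
    """What an attacker holding a *software* container file can do: there is no
    retry counter, so only the KDF cost and the password's entropy slow them."""
    for candidate in wordlist:
        if hmac.compare_digest(check_value(kdf(candidate, header["salt"])), header["check"]):
            return candidate
    return None


SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a search space of the given size in bits at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample: a short document and a passphrase nobody should reuse.
    box = create_container("correct horse", b"salary-review-2010.xlsx")
    assert unlock(box, "correct horse") == b"salary-review-2010.xlsx"
    header_copy = dict(box["header"])   # what a thief copies off a software container
    for _ in range(MAX_TRIES):          # what a thief gets from a hardware drive
        unlock(box, "letmein")
    print("drive wiped:", box["header"] is None)
    print("offline guess:", offline_bruteforce(header_copy, ["123456", "password", "correct horse"]))
    print("AES-256 key at 1e12 guesses/s: %.1e years" % brute_force_years(256, 1e12))
    print("8 lowercase letters at 1e12 guesses/s: %.1e years" % brute_force_years(8 * 4.7, 1e12))
```

The two closing figures are the whole argument in numbers: exhausting the 256-bit key space takes on the order of 1e57 years, while an 8-letter lowercase password (about 37.6 bits) falls in a fraction of a second once the retry counter is out of the picture, and only the KDF’s per-guess cost stands between the attacker and the copied container.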

Well-known commercial tools for this task are:

  • Encrypt-Stick – Employs what the vendor calls “Polymorphic Encryption” (a marketing term rather than a standard named cipher). $40/license.
  • WinEncrypt CryptArchiver – Lets you choose between AES and Blowfish. $18 to $50/license depending on edition. A free edition, which limits volumes to 25MB, is also available.
  • I-Secure Key – Pricing and features are not clear from the vendor’s website, but a fully functional trial version is available for download. This isn’t encryption software per se; it uses TrueCrypt behind the scenes to create and maintain the encrypted volumes.
  • Master Voyager – Apart from creating encrypted volumes on USB drives, this tool can also create encrypted CDs and DVDs. $70/license.
  • Discryptor – A fairly robust application with a strong feature set (and a lot of excess baggage such as Parental Control, Employee Monitoring etc.). Licenses range from $85 to $2500 depending on edition. A free but limited Basic edition is also available.

And finally, on to the free and open-source ones.

  • TrueCrypt – Perhaps the best in this category in terms of features (and price). It supports an unlimited number of encrypted volumes (as long as there are drive letters to mount them on) and can encrypt entire existing partitions. Recent versions support Hidden Volumes: a second, hidden volume lives in the free space of an outer volume, and because that free space is filled with random data it cannot be told apart from unused space. If you are forced to hand over a password to an adversary, you reveal the outer volume’s password, which opens only the decoy files you placed there, giving you “plausible deniability”. Supported ciphers: AES, Twofish and Serpent (and cascades of them). It works on Windows, Mac OS X and Linux. Here is an excellent tutorial on using TrueCrypt. Advanced users will benefit from this tool.
  • Rohos Mini Drive – Easy-to-use portable application aimed at newbies. It creates hidden, encrypted volumes and can run on a guest computer without administrative rights using file virtualization. The free edition caps volumes at 2GB. Has a virtual keyboard for protection against keyloggers (this only helps against malware that hooks the keyboard; anything that captures the screen or reads the mounted volume is not stopped). If it’s your first venture into the world of encryption, I recommend this utility.
  • SafeHouse Explorer – Another great utility with a similar feature set to Rohos. It presents a familiar Windows Explorer-like interface into which you drag and drop files and folders to place them in “private storage vaults”. Sports a graphical password strength meter to help you choose a good master password. A cool feature is the creation of self-executing click-and-run encrypted volumes. Recommended for basic users.
  • USB Safeguard – A free, lightweight and portable utility that works in drag-and-drop mode. Also features a safe-surfing mode for use when browsing from an internet cafe. Another good recommendation for basic users.
  • FreeOTFE – A no-frills yet powerful and portable open-source utility that supports numerous hashes (including SHA-512, RIPEMD-320, Tiger) and ciphers (including AES, Twofish and Serpent) in several modes (CBC, LRW and XTS), providing far more flexibility than many other (including commercial!) OTFE (on-the-fly encryption) systems; of those modes, XTS is the one designed for disk encryption and the one to prefer. It can open Linux volumes (Cryptoloop “losetup”, dm-crypt and LUKS). Works on PCs without Administrator rights (via its FreeOTFE Explorer variant) and has a PDA version too. Intended audience: both basic and advanced users.

Before I end, I’d like to mention one other way to encrypt data in a similar fashion without any third-party software. It uses the native encryption mechanism of NTFS, EFS (Encrypting File System), and works only on Windows computers and only on a drive formatted as NTFS (not the FAT32 most flash drives ship with). Online Tech Tips has a step-by-step tutorial on this. Be advised that the files are tied to the EFS certificate of the user who encrypted them, so you can only read and write them on the originating computer unless you export that certificate together with its private key and carry it around; and whoever gets hold of that exported certificate file can decrypt your data just as you can, so protect it like a password.

Safe computing 🙂