Portable encryption systems – keeping your USB / flash drive data safe

USB-based flash drives are part and parcel of everyone’s life these days. Not only are they dirt cheap, they provide substantial storage, making them extremely handy tools for carrying around large amounts of data, including personal and official information of a sensitive nature.

What’s worrisome is that the data on an average flash drive is grossly insecure and can prove to be a tremendous source of data leakage, both for an individual and for an organization’s network, if the drive falls into the wrong hands.

Because of their tiny size these devices are prone to being lost or misplaced, or worse yet, are easy targets for thieves. Both TechRepublic and PCWorld provide lengthy discussions on the kind of damage such a loss may cause to an organization.

The good news is that there are numerous commercial and free / opensource solutions (both software and hardware based) for securing your flash drive data. This article attempts to provide brief overviews of the most well-known ones, with an emphasis on those which are free and readily available to everyone. In each case, portability is the key criterion, as that’s what USB drives are for.

Hardware

To begin with, hardware-based data protection systems (for flash drives) aren’t all that prevalent yet, with not many viable (read: inexpensive) options for the mass consumer market. For the most part, these devices are targeted towards the SMB (Small and Medium Business) and Enterprise market.

Although dubbed “hardware-based encryption” these flash drives employ a dual layer of software and hardware to secure your files.

These drives come with two partitions – a normal partition for publicly viewable data and an encrypted one for all your sensitive information, with the ability to set the size of this partition (as a percentage of the total flash drive capacity) at will. All data flowing in and out of the latter is encrypted / decrypted on-the-fly using AES-256 by an encoder chip (hardware) built into the flash drive. To access this special partition one needs to provide a password. This authentication mechanism is where the software part comes into play. The whole process is transparent to the end user and doesn’t cause any noticeable loss in data transmission speeds.

Note that the authentication software (in most cases) is Windows compatible only! Hence, on other platforms (Mac, Linux etc.) your encrypted partition cannot be accessed.

Did you know…

even if you ever lose your USB stick it will take someone with a very powerful computer at least 100 years to decrypt the data using brute force?

The drives also sport automated self-destruct systems that securely wipe the data on the encrypted partition after a certain number of attempted break-ins. This effectively counteracts any brute-force cracking attempts, although you can then give up all hope of recovering your data. But then again – “Better safe than sorry”.

Some of the vendors offering hardware encryption based USB Flash drives are:

Among these, the drives from Kingston, SanDisk and Verbatim have been awarded the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST), which validates the USB drives for use with sensitive government data. Recently, a potential security hole was discovered in the drives from all three vendors – but that was primarily due to poor coding of the software counterpart. The actual encryption system still stands strong. Besides, patches have already been rolled out by all three vendors rectifying this problem.

If you’re the paranoid kind and / or are strong on security, these are the drives for you. But be prepared to shell out a thick wad in the order of $100 – $500 depending on the make and capacity of the drive.

Software

The pure software encryption systems have a couple of distinct advantages over their hardware counterparts:

  • They can transform any given USB disk into a secure storage location
  • Most such systems allow you to set a preferred cipher (encryption routine). Besides the default AES, Blowfish, Twofish, DES, Triple-DES etc. are also offered.
  • And finally, they come much, much cheaper than the hardware variants. The price range starts from “free” and goes up to $50.

As far as modus operandi goes, both hardware-based and software-based systems are virtually alike – except that, for the latter, the functionality of the hardware encoding chip is taken up by an additional layer of software. The same software that handles authentication is also responsible for encoding / decoding of the encrypted partition and a portable copy of the same is usually placed on the USB drive in order to avoid re-installation issues when working on a different PC.

Another added advantage is that one can create multiple encrypted partitions on the same USB drive. These so-called encrypted partitions aren’t “real” partitions, per se. Rather, they are encrypted files that serve as containers for your data and are mounted as separate partitions by the software on demand. Hence, it is possible to create as many of these partitions as you wish – each dedicated to a different kind of content (or as you see fit) – the only limitations being the total capacity of the flash drive and the availability of drive letters (on Windows). As with the hardware version, data can be read from / written to these partitions on the fly.

Well-known commercial tools for this task are:

  • Encrypt-Stick – Employs Polymorphic Encryption. $40/license.
  • WinEncrypt CryptArchiver – Can choose between AES and Blowfish. $18 to $50/license depending on edition. A free edition – which limits volumes to 25MB – is also available.
  • I-Secure Key – Pricing and features are not clear from their website, but a fully functional trial version is available for download. This isn’t an encryption software per se and utilizes TrueCrypt behind the scenes to create and maintain the encrypted volumes.
  • Master Voyager – Apart from creating encrypted volumes on USB drives, this tool is also capable of creating encrypted CDs and DVDs. $70/license.
  • Discryptor – A pretty robust application with a strong set of features (and a lot of excess baggage like Parental Control, Employee Monitoring etc.). Licenses can range from $85–$2500 depending on edition. A free but limited Basic edition is also available.

And finally, onto the free and opensource ones.

  • TrueCrypt – Perhaps the best that there can be in this category in terms of features (and pricing). This utility offers support for unlimited encrypted volumes (as long as there are drive letters to mount them on) and can encrypt entire existing partitions. The recent versions support something called Hidden Volumes, where your actual data resides alongside a fake counterpart stuffed with junk data to provide you with “plausible deniability” – in case you are forced to give up your volume password to an adversary. Supported algorithms: AES, Twofish and Serpent. Probably the only one to work on both Windows & Linux. Here is an excellent tutorial on using TrueCrypt. Advanced users will benefit from this tool.
  • Rohos Mini Drive – Easy to use portable application targeted at newbies. It creates hidden, encrypted volumes and can run on a guest computer without Administrative rights using File Virtualization technology. Caps the storage volumes at 2GB. Has a virtual keyboard for protection from keyloggers. If it’s your first venture into the world of encryption, I recommend this utility.
  • SafeHouse Explorer – Another great utility with a similar set of features to Rohos. This tool presents you with an ever-familiar Windows Explorer-like interface which you can use to drag & drop files and folders into the “private storage vaults”. Sports a graphical password strength meter to help you choose a good master password. A cool feature is the creation of self-executing click-and-run encrypted volumes. Recommended for basic users.
  • USB Safeguard – A free, lightweight and portable utility that works in drag & drop mode. Also features a safe-surfing mode that one can use while browsing from an internet cafe. Also a good recommendation for basic users.
  • FreeOTFE – A no-frills yet powerful and portable opensource utility that supports numerous hash algorithms (including SHA-512, RIPEMD-320, Tiger) and encryption algorithms (including AES, Twofish and Serpent) in several modes (CBC, LRW and XTS) – providing a much greater level of flexibility than a number of other (including commercial!) OTFE (on-the-fly encryption) systems. Has support for Linux volumes (Cryptoloop “losetup”, dm-crypt and LUKS). Works on PCs without Administrator rights and has a PDA version too. Intended audience: both basic and advanced users.

Before I end, I’d like to mention one other way to encrypt data in a similar fashion without the aid of any third-party software. This method utilizes the native data encryption mechanism of NTFS (EFS) and works only on Windows-based computers. Online Tech Tips has a step-by-step tutorial on this. Be advised that this method limits your read / write access to the encrypted partition to the originating computer only, unless you are ready to export and carry around your EFS certificates.

Safe computing 🙂

How about a personalised Firefox 3 Download Day Certificate?

Hopefully, by now you’ve grabbed your copy of Firefox 3 and consequently played an active role in helping our favourite browser set a new Guinness World Record. Here’s an added perk for being such an avid follower of Firefox – a personalised Firefox 3 Download Day Certificate stating your role in helping Firefox achieve the world record. I got mine just now and here’s what it looks like…

Firefox 3 Download Day Certificate

Getting the certificate is as easy as filling in this form (with just your name) and grabbing the generated PDF file.

Incidentally, I managed to grab my copy of Firefox 3 only today morning – almost 12 hours after the official release. Last night it was literally impossible to access any of the Firefox download sites due to the initial download rush.

Installation went smoothly and all my earlier settings & bookmarks were preserved – though a couple of extensions failed to work (Fasterfox, FEBE and TabMixPlus). None that I will sorely miss, (for the time being) except  for FEBE.  On the good side, FF3 DOES take a shorter time to fire-up. How about you? How was your initial experience with FF3?

Free 18-week Online AJAX Course

For those who want to make some serious headway into the insanely booming technology called AJAX, here’s a golden opportunity. Boston-based Sang Shin, who’s a technology architect, consultant, and evangelist at SUN Microsystems, offers a free 18-week online course on AJAX.

The course commences on 18th of February, 2007 and covers some hot new topics such as the opensource JavaScript toolkit named Dojo, the NO-JavaScript AJAX Framework called ZK, DynaFaces – the thin application layer that renders AJAX capabilities to JSF, and Phobos – the lightweight, scripting-friendly, web application environment running on the Java platform.

This is the second session of the course on offer. Earlier it was offered as a ten-week course, but it’s been extended by eight more weeks to cover all the new & important aspects of this rapidly expanding technology. Literally anyone can sign up for it by simply sending a blank mail to ajaxworkshop-subscribe@yahoogroups.com. There are no eligibility criteria as such. However, it is assumed that you’ve got some prior programming experience with the common web programming/scripting languages such as JavaScript / PHP as well as core Java itself. The course will continue on a weekly basis till June 11th, 2007.

One word of advice – don’t take this course lightly. The course is really content-rich and if you’re sincerely interested in learning AJAX, you can really reap the benefits. Though the course allows you to progress at your own learning pace, you’re supposed to submit homework at the end of each week, with a maximum grace period of two weeks after the course ends.

Upon successful completion of the course, you’re entitled to an online certificate signed by Sang Shin. Though the certification isn’t affiliated with any college, educational institution or company, it recognises you as someone who clearly stands out from the crowd and lists you on the graduates website.

If you’re interested, you can find further information on the course here.