What are your thoughts on USB storage drives that have keypad encryption?

Nice just look at the most worn buttons

Ironkey has been more careful than some other vendors but the concept still seems dubious to me, if you are trying to stop serious attackers. You want the decryption key to be completely separated from the storage.

Do encryption in software. History taught us hard lessons about this.

I had one of the SanDisk flash drives that had some launcher thing on it and I had a password for some reason on it.

In high school, a classmate tried to guess it, 3 times and I lost everything on it forever, since it stupidly locked forever after 3 tries.

I had software projects from back then that I can never get back.. including a web browser. I could have had the next Firefox..

If you're out there, Liz: I'll never forgive that.

Hardware signing devices have lots of utility because they keep the key from ever being on the machine (which is more likely to be compomised). Think ledger or trezor for your Bitcoin. Hardware encryption devices are just really expensive and black-box ways to avoid Veracrypt.

If your encryption algorithm is secure, you have no use for automatic lock-out. If it's not, automatic lockout won't do much against an attacker with physical access to the device. Unless they are dumb enough to trigger the lockout AND the internal memory wipes itself sufficiently well AND/OR the attacker doesn't have the resources to reverse engineer the device.

The IronKey has been cracked

Yeah i dont see how this would be better then a run of the mill thumb drive (that doesnt scream im worth stealing) and just creating a cryptomator vault on it.

Obligatory XKCD

They occupy a strange niche full of contradictions.

Entering the code on the device itself should increase security as opposed to entering it on a compromised computer.

But plugging it into a compromised computer means the data is compromised anyway.

Their security is way harder to audit than a software solution like PGP. The actual "encryption" varies from actual decent setups to "entering the code connects the data pins with no actual encryption on the storage chip"

Not having to instal/use software to use them means they are suitable for non-technical users which in turn means more support calls for "I forgot the pin, it wiped itself, can you restore my data"

They are kind of useful to check the "data is transported on encrypted media" box for compliance reasons without having to manage something bigger.

These are handy if you have to move sensitive information but I've experienced more than one event at work where irreplaceable files were lost due to user error on these type of drives.

I couldn't tell you about the lifespan of these devices either, something tells me the keys won't last more than a few years if it's being used regularly.

Looks find to me, depending on your use case, everything would have a use case

Many people mention airport red flags and checks, for me I never had any issues with the airport stuff, except one time in China when I had a full case of wires, really 10kg of wires, and they just asked me me to open and show, np

I wouldn't trust any part of its hardware and software to store anything worth encrypting on it

I don't trust hardware implementations of encryption in the same way I don't trust hardware raid arrays.

The ones that went through FIPS 140-2 Type 3 or above validation are legit. We used Apricorn for CUI data…examples: https://www.archives.gov/cui/registry/category-list

Too expensive. Use software encryption instead

Useful for what? Hiding stuff from family-member or coworkers? Yeah sure. Why not.

Hiding stuff from professionals that really want your data? Probably not very helpful.

Also what about backup? One controller-malfunction and your stuff goes poof. I just assume the data is somehow important or else you wouldn't care about such a device 😊

First time I've seen something like that, but my initial thought was: wow, that's a lot of parts that can break and things that can go wrong (compared to only encrypting the data itself before storage).

Same problems as any firmware based encryption (encrypting SSDs, etc.). Firmware is quickly outdated and the triangle price - speed - security usually neglects the security part.

like everyone else has said hardware level encryption doesn’t seem like the most sound option.

Personally i’ve just encrypted sensitive files with picocrypt, only just started looking into better encryption techniques though so there’s probably better alternatives.

As long as the security software it uses is solid I think it's a decent idea.

Good until you spill a Cuppasoup on it's chinesium keyboard.

Stopping low effort attempts to get data it seems good, as an addition too software encryption it seems great. Of course hardware can range from child toys, gimmicks, to serious hardened hardware, so results WILL vary.

They are interesting. But they are a huge red flag and scream examine me if it's in your luggage and your crossing a boarder.

I'm somewhat dubious about a hardware system not having long term undiscovered flaws. Be sure to use software based data protection on top of the hardware solution.

Overkill and overpriced. If you're on Windows, bitlocker is enough. If you're on Linux, LUKS is enough.

I've used Apricorn drives at previous jobs. They're cool and very much fit for purpose, but I'd have a hard time justifying the significant price premium when software is nearly as good, free, and works with any drive.

What is your use case for this?

• Confidential files in a public setting? Don't fucking bring confidential files to a public setting. But if you must, a big bulky laptop with (good) FDE is a lot more sequre than a flash drive someone can pickpocket.
• Border crossing? Guess what? You paint a MASSIVE red flag on your back and get to learn that you don't actually have all that many rights in the time between stepping on foreign soil and being admitted by customs. Congrats, you gave them the wrong code three times and it got wiped. They are going to break your face and put you in a black site.
• Hiding sensitive/highly illegal content in the event of a police investigation: Yeah... if you are at the point where there is a warrant (or black van) out for your arrest than it really doesn't matter if they can see whatever you were looking at last night.

At my old job we required these for "thumb drives" and all they ever did was make reformatting machines pure hell.

I have one as a 'last resort' option. It's got backups of BitWarden, Aegis and Standard Notes and is only connected to my machine during backups.

I have a USB drive with a keypad on it, it stores my FIPS Compliant SSH-key for IL-5 government systems. I unlock it to add my key into my ssh-agent, and don't use it for anything else. Though it is an 8gig USB stick, so I could in theory run some kind of security/pen testing flavor of linux plus a VPN Client to connect to said systems.

I have this device and use it to store my keepassxc and onlykey backups, and it's useful to me because I've stopped using passwords (I only need to remember the pins for these devices which can unlock my keepass dbs that have everything else).

It seems secure enough for my use case, especially since the files I store in it are themselves encrypted (the onlykey backup still requires a pin), but I still want them to be difficult to access.

I've had to rely on it before but only because I didn't prepare a backup onlykey ahead of time- ideally it should be one of many recovery methods. But so far it's worked great for me.

I'll store my weird shit on an unsecured hard drive stashed in the woods. Like those that came before me, and those before me.

Seems like it's a good starting point.

I wonder if you can encrypt the files prior to storing them on the key, which would then encrypt them a second time with a different method. Would the compromise the data in any meaningful way? Or would it mean that you had to decrypt the key and then decrypt the data a second time?

Couldn't the data be cloned and cracked off device without having to worry about the pin code?

I see one use-case, If you're going w/ sth illegal as hell to a place where you might get arrested and searched for just being there i.e a protest, nuking your (illegal) data might save your ass.

I use them in my job and I find them better than the software only solution and I like them when I have to use them for sensitive file transfers.

Something else to break down.

It's very hard to actually secure something someone has physical access to and that can be disassembled.

One thing I can tell you, it's that you can't use them as bootable drives to install an OS from. And if you try to pass the USB connection from an ESXi host to a VM on it, it won't work.

Aside from that, they're really annoying to work with.