In addition to procedural controls, such as banning the use of USB drives or limiting the types of data that employees may place on them, there are three common approaches to protecting data on USB flash drives: operating system encryption features, software-based encryption, and hardware-based encryption.
Operating system encryption features such as Windows BitLocker, Apple’s FileVault, and Linux LUKS can encrypt USB drives as well as hard drive partitions. The benefit of using these built-in features is that no additional software is required and inexpensive USB drives can be used. This approach might make sense to protect data on USB drives that will only be used on one computer. While it is possible to use the same USB drive on two computers with the same operating system, cross-platform operation is not available.
Software-based encryption is offered by several USB drive vendors and a few third-party developers. In summary, data is encrypted and decrypted at the driver level. These solutions work with commodity USB drives. Some products claim to provide encryption, but in fact the encryption has nothing to do with the drive itself. This approach requires the user to install software and administrative rights are usually required, making it problematic in many corporate environments. Cross-platform functionality is limited.
Software-based encryption provides basic protection if the USB device is lost or stolen. However, malware can steal the encryption keys, prevent data from being encrypted, or otherwise defeat the security controls. Software-based approaches are therefore only suitable for low-risk applications.
USB drives intended for high-security applications include hardware-based encryption on the drive itself. Once unlocked, the drive presents an ordinary partition to the operating system. Encryption and decryption is transparently performed on the device at the sector level. Some of these devices meet standards such as FIPS 140-2.
Three methods are commonly used to unlock USB drives with hardware encryption: a password sent from the operating system, an integrated fingerprint reader, or an integrated keypad. Entering a password on the computer to unlock the drive requires software and makes it possible for malware to capture the password. USB drives with integrated fingerprint readers are available, and may be reliable in an office environment. However, additional management software is required, and override passwords are necessary in the event that biometric authentication fails. The most secure solution is to place a keypad directly on the USB drive itself. This allows the user to authenticate to the device without any software, providing complete cross-platform capabilities.
Several factors are important when choosing a USB drive: the sensitivity of the data, the threat environment, how the device will be used, and budget. In some cases an inexpensive off-the-shelf USB drive with BitLocker makes sense. But after looking at many products, my recommendation for sensitive data is the Apricorn Aegis Secure Key 3.0.
Security products should be easy to use, provide effective security, and operate exactly as advertised. Apricorn sent me a device to test; it clearly met those criteria. The Aegis Secure Key 3.0 FIPS 140 level 3 validated USB 3.0 flash drive is available in 30, 60, 120, and 240 GB capacities. For the cryptographically inclined, it uses 256-bit AES encryption in XTS mode. Keys are generated and stored internally on the epoxy-sealed device. Access is controlled with a 7 to 16 digit PIN.
The Aegis Secure Key 3.0 is designed to operate only in a secure configuration; it can not be used without a PIN. If desired, an administrator can set an admin PIN in addition to a user PIN. In the event that the user forgets his or her PIN, the administrator can use the admin PIN to access the device and allow the user to set a new PIN. The device limits the number of unsuccessful PIN attempts. If exceeded, the device will delete the encryption key and all data.
An interesting feature of the Aegis Secure Key 3.0 is an optional self-destruct (or duress) PIN. Once configured, entering the self-destruct PIN will delete the encryption key and all data, set the self-destruct PIN as the new admin PIN, and unlock the device. In other words, entering the self-destruct PIN and plugging the device into a USB port results in an unlocked device with an unformatted data partition. Data previously stored on the device can not be retrieved.
Overall, the user experience is optimal. Just enter the PIN and plug it in. Ejecting or unplugging the device automatically returns it to a locked state. I tested the Aegis Secure Key 3.0 on Windows, OS X, Linux, and Chrome. It worked flawlessly across all platforms.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…