The Deliverator – Wannabee

So open minded, my thoughts fell out…

Poor Man’s IronKey

Posted by Deliverator on October 22nd, 2008

I recently had a chance to play around with an IronKey for a few hours. IronKey is a USB flash drive with a twist. The IronKey incorporates a hardware encryption chip to keep your data safe from prying eyes. The chips are epoxied in place inside a solid metal casing, making the IronKey extremely rugged, waterproof and tamper resistant. The chip has an internal “wrong password guessed” register which increments each time a wrong password is entered. If the wrong password is entered 10 times in a row, the IronKey erases the flash memory. As an anti-brute-force technique, it sounds very effective, although I can also see scenarios where your data might get permanently wiped accidentally. Supposedly the crypto chip itself incorporates silicon design features which make even advanced microscopic examination techniques impossible. The device is reasonably cross platform (Linux and OS X are both supported), although it must be initialized on a Windows system. On XP and Vista, the UI for unlocking the secured storage on the device comes up automatically, doesn’t require administrator privileges and doesn’t install any drivers. Certain versions of the IronKey come with a pre-installed suite of portable applications such as Portable Firefox, email and backup applications. I view this last as a fairly nominal feature.

The IronKey does have its downsides. It is physically quite a bit larger than most USB flash sticks. It is definitely not something I would want to carry around on my already overcrowded keyring in a pants pocket. IronKey is currently only available in capacities from 2-8 GB, which is far smaller than many flash drives available cheaply at market. Lastly, the price per GB is quite high, with the 8 GB model costing $275 as of this date via Amazon. A 32 GB Corsair USB flash drive currently sells for ~$90 at Amazon, giving you 4 times the storage for 1/3rd the price. With a little effort, that 32 GB Corsair offers almost as much data protection as the IronKey and a whole lot more storage at a fraction of the cost.

The first thing you will need to do is to download and install a copy of TrueCrypt. TrueCrypt is one of only a few products on the market today that can encrypt your whole hard drive, and it is free to use and open source. It is worth checking out for that reason alone.

Once you have TrueCrypt downloaded and installed, format your USB flash drive using NTFS. The default filesystem which many USB drives are formatted with from the factory is FAT, which, while widely recognized by many systems and comparatively free of patent encumbrances, unfortunately has a number of drawbacks which make it inappropriate for our uses. In particular, FAT doesn’t allow for file sizes larger than 4 GB. If you are only going to be using a 4 GB or smaller USB drive, then you might be able to get by with FAT.

Once you have your USB drive formatted, start TrueCrypt and start the Volume Creation Wizard from the Tools menu. Create a “file container” type volume on your memory key. Make sure your container doesn’t take up all the available space on the USB drive. You will probably want to leave some space free for non-private files that you just want to access quickly without having to type in a password. You will also need a fairly nominal amount of free space (30 MB is more than enough) to install a mobile copy of TrueCrypt, which it calls “Traveler Mode.”

Next, click on the Tools menu in TrueCrypt and click Traveler Disk Setup. Create the traveler disk files in the root directory of your USB drive, choose the Automount TrueCrypt Volume option and select the file container you created earlier. Click Create and you should now have a secure USB key which prompts for the password needed to unlock it when you insert it.

Disadvantages of a TrueCrypt USB key compared to an IronKey:

- The traveler disk feature appears to be Windows only, which means that you will need to have TrueCrypt installed to use your secure volume on a Linux or OS X machine.

- For the auto-prompt for password on insertion feature to work, your Windows machine must have auto-play enabled. You can manually launch TrueCrypt from the USB key and select the container file, but this is much less convenient.

- The account with which you are using it must be an administrator level account, unlike the IronKey. This may make it difficult to use a TrueCrypt-protected USB drive on a library terminal or corporate computer, where you often do not have administrative privileges and where autoplay is often disabled by group policy.

- The encrypted volume resides as a container file on the unencrypted portion of the USB key. If someone were to momentarily gain access to your drive without your knowing it, or if it were lost, they could copy off this file and subject it to brute-force password guessing methods. The IronKey in this scenario would self-destruct after a mere 10 bad guesses. In practice, so long as your password is sufficiently long and complicated (uses upper and lowercase characters, numbers and punctuation symbols), the best supercomputers in the world could guess passwords from now to eternity without unlocking your data. Of far greater risk is your plugging an IronKey or TrueCrypt-encrypted drive into a malware-infected machine with a keystroke logger present. This risk is currently equal for both methods, so I declare a tie on this account.
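To put numbers on the last point, the following sketch (an added example, not part of the original post) compares a guesser stopped by a 10-failure wipe with one working offline on a copied container file. The function names, the sample passwords and the guess rate of one billion per second are all assumptions; real offline rates depend on the container's key-derivation cost and on the attacker's hardware.

```python
import math
import string

# Character classes the post recommends mixing in a password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(password):
    """Alphabet implied by the character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def keyspace(password):
    """Candidates a guesser must cover. This is an upper bound that only
    holds when the characters were picked at random, not from words."""
    return max(1, alphabet_size(password) ** len(password))

def lockout_success_probability(password, attempts=10):
    """Chance of a correct guess before a wipe-after-N-failures counter trips."""
    return min(1.0, attempts / keyspace(password))

def offline_years_to_exhaust(password, guesses_per_second):
    """Years needed to try every candidate against a copied container file."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR

def min_length(guesses_per_second, years, alphabet=94):
    """Shortest random password that outlasts `years` of offline guessing."""
    needed = guesses_per_second * years * SECONDS_PER_YEAR
    return math.ceil(math.log(needed) / math.log(alphabet))

if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # assumption: offline guesses per second
    # Constructed sample passwords, for illustration only.
    for pw in ("sunshine", "Tr4vel!Key", "q7#Lm2$vX9@pRz4&"):
        print(f"{pw!r:22} lockout p={lockout_success_probability(pw):.2e} "
              f"offline={offline_years_to_exhaust(pw, ASSUMED_RATE):.2e} years")
    print("min length for 1000 years:", min_length(ASSUMED_RATE, 1000))
```

At the assumed rate, eight lowercase letters fall in minutes offline even though ten guesses against the hardware counter are almost certain to fail, which is why the container-file approach depends entirely on password length.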