Locking Your Memory, Revisited
Secure external hard drives can help to minimize your risk
Some time ago, I took you on a tour of a few USB drives that allow you to secure the drive’s contents, whether by locking the interface, encrypting the contents, or both. That analysis still holds, and you will find that some of those devices, such as IronKey, have continued to evolve. However, by their nature, these drives usually had limited storage capacity, at least in comparison to available external hard drives.
Today, I’d like to address this issue, and we’ll examine some of the secure external hard drives available. Yes, there are both file and disk encryption utilities that you can use to secure an external (or internal) hard drive’s contents. Some of these applications are even quite adept at hiding the fact that there ARE any encrypted files on the drive. However, the fact that the encryption programs are actually running on a host PC potentially makes them subject to penetration if the host system has been infected with some type of malware by allowing capture of the application password. To minimize this risk, the preferred solution is to use a hard drive where the actual encryption/decryption takes place within the drive itself.
MiniStation Metro HD PXTU2
Proceeding alphabetically by vendor, our first offering is the MiniStation Metro HD PXTU2 drive from Buffalo Technology (USA). Available in what looks to be a well-engineered plastic case with an integrated wrap around USB flat cable, it is available in Blue Onyx, Pearl White and Ruby Red, with storage capacities of 320 GB (List: $99.99) and 500 GB (List: $119.99). This drive supports full disk Federal Information Processing Standard (FIPS) approved Advanced Encryption Standard (AES) 256-bit hardware encryption using the Initio chipset and can be configured to prompt for an access password or to use MS Windows authentication.
MiniStation Metro |
Because you must first be logged into Windows to access the password utility, this device is not bootable, nor can you use it with other operating systems if you enable a password, as the password utility currently only runs under MS Windows. However, if you do not enable the password feature, you can freely access the drive from other systems supporting USB, such as the current MacIntosh OS and Linux. Note that this does not actually turn the encryption off, but effectively sets the password to Null, so that you do not have to enter one, as the actual drive in the unit is always encrypted. This means that if anyone were to extract the SATA drive from the unit, they would still not be able to access the drives contents. They could reformat it and reuse the drive, but they would not be able to read its encrypted contents.
MiniStation Metro |
The drive does include a number of useful utilities to enhance the performance of your overall system. Among these are TurboPC for Windows to boost transfer speeds up to two times that of standard USB 2.0; Buffalo’s Backup Utility for backing up one or more Windows computers to the drive, as well as providing compatibility with the MacIntosh Time Machine backup utility: Another included utility is ECO Manager to help your PC and MiniStation Metro use available power most efficiently.
ToughTech Secure mini-Q
CRU-DataPort features their ToughTech Secure mini-Q under their WiebeTech brand. Packaged in a sturdy aluminum case, it is available in 250 GB (List: $250/5400 RPM), 320 GB (List: $287/7200 RPM), and 500 GB (List: $280/5400 RPM; $329/7200 RPM) capacities. You can purchase the bare enclosure (List: $189) for those instances where you wish to use an existing drive, just remember this drive will be wiped when the encryption initializes.
ToughTech Secure mini-Q rear |
It comes with three physical security keys. To access the drive, one of these keys needs to be inserted into what appears to be a four circuit FireWire port to enable its AES 128-bit hardware encryption, which is provided by an Enova Technologies Application Specific Integrated Circuit (ASIC) chip. However, once the drive is mounted, you can remove the key and the drive will remain accessible until it is dismounted or power is interrupted.
For your own security, CRU-DataPort sells a key duplicator to enable you to make additional key copies. If you loose all of your keys, they cannot create new ones for you as they do not maintain records of your drive’s keys. To help discourage the drive from walking off, the case also includes a Kensington-style lock port.
ToughTech
ToughTech Secure mini-Q side |
ToughTech Secure mini-Q rear The ToughTech drive is distinguished by the variety of connection interfaces that it supports. In addition to the commonly supported USB 2.0, it also supports the IEEE 1394a and the faster IEEE 1394b interfaces, as well as the even faster eSATA interface. There are actually two IEEE 1394b interfaces on this unit, allowing you to daisy chain multiple drives together. Because the USB and eSATA interfaces share a common port, which results in it not being able to use a standard USB cable for both communication and power, the drive includes a special USB cable to allow you to pull the power off from the USB port and feed it into the drives external power connection.
The drive can be powered directly though an IEEE 1394b communication cable, if a powered port is available. It can be purchased pre-formatted as either NTFS (MS Windows) or HFS+ (Mac) and, on systems that support it, you can directly boot from the ToughTech mini, whether running in FireWire, USB or eSATA mode. In addition, the ToughTech drive comes bundled with ProSoft’s Data Backup application.
ROCBIT FXKT |
ROCBIT FXKT and Commander 2UE
Rocstor and their Rocsecure division appear to carry the largest line of internally encrypted hard drives. For examination in this column they provided one of their ROCBIT FXKT bootable USB drives and one of their Commander 2UE bootable mobile hard drives. The ROCBIT FXKT is stated to contain an enhanced shock-resistant mechanism consisting of an anti-shock chamber and a shock absorbent plastic casing populated with a 250 GB, 320 GB, or 500 GB SATA drive and is available in 5,400 or 7200 rpm versions. No suggested list prices were released, but standard prices appear to range from around $226 to $400, depending on the drive capacity and RPM.
The FXKT drives come with two security keys, one of which must be inserted to mount the drive. The drives encryption functions are provided by an Enova Technologies X-Wall ASIC chip that implements the NIST’s AES 256 bit encryption standard in its ECB mode. If does not come with port for connecting an external power supply, but does come with a special USB Y-cable to allow it to pull power from a powered USB interface or hub.
Rocstor Commander 2ue |
The Commander 2UE is a more ruggedized encrypted drive that sports an eSATA interface in addition to the slower USB interface. Enhancing the FXKT’s shock-resistant mounting, the Commander 2UEs is housed in a sleek black anodized aluminum case, reflective of the care put into its design. Unlike the plastic stick on feet found on some drives, the Commander 2UE has two forged swells across the back of the case with rubber inserts, simultaneously keeping it from sliding around and boosting its heat dissipation by enhancing the air circulation around it. It is available in a variety of storage capacities, currently including 250GB, 320GB and 500GB, with 750GB and 1TB capacities to be available in 2nd and 3rd quarter of 2010).
As with the FXKT, the drive’s encryption functions are provided by an Enova Technologies X-Wall ASIC chip that implements the NIST’s even more secure AES 256 bit encryption standard in CBC Mode. As the eSATA interface standard does not include a provision for supplying power, this unit includes the same USB Y-cable as the FXKT to supply power over the USB interface. Like the FXKT, you must have one of the two included security keys inserted when connecting the unit to your computer. The only additional caveat is that, when using the eSATA interface, it must be connected to the computer before the USB cable, else the system will use the USB interface for its data connection.
Rocstor Rocsafe MX |
Both of these drives are bootable and come with a protective carrying case and include all required cables. In addition, you can download a variety of free back-up tools from the Rocstor Web site. These include FBackup, AceBackup, EZ Back-it-up, and Ice Mirror. For the truly paranoid, or perhaps that’s the more realistic, you might want to investigate Rocstor’s Rocsafe MX Mobile external drive that requires both a FIPS level-2 Smartcard and the manual entry of a PIN via its integrated key pad (avoiding the risk of capture by malware) to activate its communication interface and encryption engine for true two factor authentication!
Rocstor Rocbit |
With the proliferation of state and federal data security and privacy laws, such as HIPAA1, securing your data is no longer an option, but a necessity for many organizations, whether public or private. It seems like there is a new announcement every month about a laptop containing confidential information that has walked off from the Veterans Administration, Homeland Security, or the bank down the street. I think it is safe to say that is definitely a club you don’t want to join. Considering how many laptops are left behind while traveling or are stolen at airport security checkpoints, the only way to prevent this from eventually happening to you is to make sure that your data is securely encrypted (and without leaving the security key or password considerately sitting in your laptop case). Whether you select one of the above drives or one from another vendor will likely depend on your exact needs, including the criticality of the data and how reliable the people using them are to following your defined protocols.
1. Health Information Privacy. U.S. Department of Health & Human Services (2010). www.hhs.gov/ocr/privacy
Related Resources
Buffalo Technology (USA) www.BuffaloTech.com
CRU DataPort www.CRU-DataPort.com
Enova Technologies www.enovatech.net
Initio www.initio.com
Rocstor www.rocstor.com
WiebeTech www.WiebeTech.com
YouSendIt www.YouSendIt.com
John Joyce is the LIMS manager for Virginia’s State Division of Consolidated Laboratory Services. He may be contacted at [email protected].