Why do we need flash drives with hardware encryption?

Hello, Habr! In the comments to one of our materials about flash drives, readers asked an interesting question: "Why do we need a flash drive with hardware encryption when there is TrueCrypt?", and even expressed some concerns: "How can you make sure that the software and hardware of your Kingston drive contain no backdoors?". We answered these questions briefly at the time, but then decided that the topic deserves a thorough analysis. That is what we will do in this post.







AES hardware encryption, like software encryption, has been around for a long time, but how exactly does it protect sensitive data on flash drives? Who certifies these drives, and can those certifications be trusted? And who even needs such "complex" flash drives when free programs like TrueCrypt or BitLocker exist? As you can see, the topic raised in the comments opens up a lot of questions. Let's try to sort them out.



How is hardware encryption different from software encryption?



In flash drives (as well as HDDs and SSDs), hardware data encryption is implemented by a dedicated chip on the device's printed circuit board. It has a built-in random number generator that generates the encryption keys. Data is encrypted automatically and decrypted on the fly once the user enters the password. In this scheme, accessing the data without the password is practically impossible.



With software encryption, the data on the drive is "locked" by external software, which acts as a low-cost alternative to hardware encryption. One disadvantage of such software is the need for regular updates to keep up with ever-improving attack techniques. In addition, the computer's processor (not a separate hardware chip) does the decryption, so in practice the level of protection of the PC determines the level of protection of the drive.



The main feature of drives with hardware encryption is a separate cryptographic processor, whose presence means that the encryption keys never leave the USB drive, unlike software keys, which may be temporarily held in the computer's RAM or on its hard drive. And since software encryption uses the PC's memory to store the number of login attempts, it cannot stop brute-force attacks on the password or key: an attacker can keep resetting the attempt counter until an automated password-cracking program finds the right combination.



By the way, in the comments to the article "Kingston DataTraveler: a new generation of secure flash drives", users also noted that TrueCrypt, for example, has a portable mode of operation. However, this is not a big advantage: in that case the encryption program itself is stored in the flash drive's memory, which makes it more vulnerable to attack.



As a result, the software approach does not provide the same high level of security as hardware AES encryption; it is basic protection. On the other hand, software encryption of important data is still better than no encryption at all. This lets us draw a clear line between the two kinds of cryptography: hardware encryption of flash drives is a necessity mainly for the corporate sector (for example, when employees use drives issued at work), while software encryption is more suited to personal needs.







Kingston, however, splits its drive models (such as the IronKey S1000) into Basic and Enterprise versions. In functionality and protection they are almost identical, but the Enterprise version can be managed with the SafeConsole / IronKey EMS software. With it, the drive works with either cloud or on-premises servers to enforce password protection and access policies remotely. This gives users the ability to recover lost passwords, and administrators the ability to repurpose drives that are no longer in use.



How do Kingston AES Flash drives work?



Kingston uses AES-XTS 256-bit hardware encryption with a full-length key for all of its secure drives. As noted above, these flash drives contain a separate chip for encrypting and decrypting data, which also acts as a constantly active random number generator.



When you connect the device to a USB port for the first time, the initialization setup wizard prompts you to set a master password for accessing the device. Once the drive is activated, the encryption algorithms start working automatically according to the user's settings.



At the same time, for the user the flash drive works exactly as before: they can still read and write files in the device's memory as with an ordinary USB flash drive. The only difference is that when you connect the drive to a new computer, you need to enter the chosen password to gain access to your data.



Why and who needs flash drives with hardware encryption?



For organizations in which sensitive data is part of the business, be they financial, medical, or government institutions, encryption is the most reliable means of protection. In this respect, flash drives with 256-bit AES hardware encryption are a scalable solution that any company can use, from individuals and small businesses to large corporations, as well as military and government organizations. To be a little more specific, encrypted USB drives are needed:



  • To ensure the security of confidential company data
  • To protect customer information
  • To protect companies from loss of profits and customer loyalty


It is worth noting that some secure flash drive manufacturers (including Kingston) provide corporations with customized solutions tailored to the customer's needs and challenges. But the mass-market lines (including DataTraveler flash drives) handle their tasks excellently and are capable of providing enterprise-class security.







1. Ensuring the security of confidential company data



In 2017, a Londoner found a USB drive in a park that contained unprotected information about the security of Heathrow Airport, including the locations of security cameras and detailed information on the protective measures taken when high-ranking officials arrive. The flash drive also contained electronic pass data and access codes for restricted areas of the airport.



Analysts say that the cause of such incidents is the poor cyber literacy of company employees, who can "leak" classified information through their own negligence. Flash drives with hardware encryption partly solve this problem: if such a drive is lost, nobody can access the data on it without that employee's master password. Still, this does not change the fact that employees need to be trained to handle flash drives, even encrypted ones.



2. Protection of customer information



Even more important for any organization is the care of customer data, which must not be put at risk of compromise. By the way, it is precisely this information that is most often transferred between different business units and, as a rule, is confidential: for example, it may contain data on financial transactions, medical histories, and so on.



3. Protection against loss of profits and customer loyalty



Using hardware-encrypted USB devices can help organizations avoid disruption. Companies that violate personal data protection laws can face large fines. The question to ask, therefore, is whether it is worth taking the risk of sharing information without adequate protection.



Even disregarding the financial implications, the time and resources spent on fixing the security failures that occur can be just as significant. In addition, if a data breach has compromised customer data, the company risks its brand loyalty, especially in markets where competitors offer a similar product or service.



Who guarantees the absence of manufacturer "backdoors" in flash drives with hardware encryption?



In the topic we have raised, this question is perhaps one of the main ones. Among the comments to the article about Kingston DataTraveler drives we came across another interesting question: "Have your devices been audited by third-party independent specialists?" Well, it is a legitimate concern: users want to be sure that our USB drives are free of common flaws such as weak encryption or the ability to bypass password entry. In this part of the article, we will describe the certification procedures Kingston drives go through before they can be called truly secure flash drives.



Who guarantees reliability? It might seem that we could simply say, "Kingston made it, so Kingston guarantees it." But such a statement would be wrong, because the manufacturer is an interested party. Therefore, all products are tested by an independent third party. Specifically, Kingston's hardware-encrypted drives (except the DTLPG3) are validated under the Cryptographic Module Validation Program (CMVP) and certified to the Federal Information Processing Standard (FIPS). The drives are also certified against the GLBA, HIPAA, HITECH, PCI and GTSA standards.







1. Cryptographic Module Validation Program



CMVP is a joint program of the National Institute of Standards and Technology (NIST) under the US Department of Commerce and the Canadian Centre for Cyber Security. Its goal is to stimulate demand for validated cryptographic devices and to provide federal agencies and regulated industries (such as financial and medical institutions) with security metrics used when procuring equipment.



Devices are checked for compliance with a set of cryptographic and security requirements by independent cryptographic and security testing laboratories accredited by NVLAP (National Voluntary Laboratory Accreditation Program). In addition, each laboratory report is checked for compliance with Federal Information Processing Standard (FIPS) 140-2 and confirmed by the CMVP.



Modules confirmed to be FIPS 140-2 compliant are recommended for use by US and Canadian federal agencies until September 22, 2026. After that, they will be moved to the archive list, although they can still be used. On September 22, 2020, the acceptance of applications for validation according to the FIPS 140-3 standard ended. Once verified, devices are placed on the active list of validated modules for five years. If a cryptographic device fails verification, its use in US and Canadian government agencies is not recommended.



2. What are the security requirements of FIPS certification?



Extracting data even from an uncertified encrypted drive is difficult and beyond most people's reach, so when choosing a consumer drive for home use, certification is not something to worry about. In the corporate sector the situation is different: when choosing secure USB drives, companies often attach importance to the FIPS certification levels. However, not everyone clearly understands what these levels mean.



The current FIPS 140-2 standard defines four security levels that flash drives can meet. The first level provides a moderate set of security features. The fourth level imposes strict requirements on the device's self-protection. Levels two and three form a gradation between these requirements, a kind of golden mean.



  1. The first security level: (description not preserved in the source text).
  2. The second security level: (description not preserved in the source text).
  3. The third security level: (description not preserved in the source text).
  4. The fourth security level: the highest level, which assumes complete protection of the cryptographic module, ensuring the maximum probability of detecting and resisting any unauthorized access attempt. Flash drives that have received a Level 4 certificate include protections that defeat attacks based on changing the supply voltage or the ambient temperature.


The following Kingston drives are FIPS 140-2 Level 3 certified: DataTraveler DT2000, DataTraveler DT4000G2, IronKey S1000 and IronKey D300. The key feature of these drives is their ability to respond to an intrusion attempt: if the password is entered incorrectly 10 times, the data on the drive is destroyed.
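The wipe-after-10-attempts behaviour above, together with the earlier points that the keys never leave the chip, that the master password is set at first connection, and that a host-side attempt counter can simply be reset, can be modelled in a few dozen lines. The following is an added example, not Kingston firmware and not code from the original post: a data-encryption key (DEK) generated by the module's random number generator, wrapped under a key derived from the master password, an attempt counter kept inside the module where the host cannot touch it, and a crypto-erase (zeroising the wrapped DEK) on the tenth consecutive wrong password, after which not even the correct password recovers the data. AES-GCM for wrapping, the PBKDF2 iteration count of 20000 and the error texts are assumptions made for this model, not vendor values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	maxAttempts = 10    // the article's figure for the Level 3 drives
	kdfRounds   = 20000 // assumed stretching cost, not a vendor value
)

var ErrWiped = errors.New("device wiped: data unrecoverable")

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018).
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// randomBytes stands in for the drive's hardware random number generator.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this model is 32 bytes, so this never fires
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal and open are AES-256-GCM with the random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize() // inputs always come from seal, so len(sealed) >= ns
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// device models the secure element: the DEK is created by the on-board RNG and
// kept only in wrapped form; the failure counter lives inside the module.
type device struct {
	salt, wrappedDEK, storage []byte // storage = AES-GCM(DEK, user data)
	failures                  int
}

// initialize is the first-connection setup: generate the DEK, derive the
// key-encryption key (KEK) from the master password and wrap the DEK with it.
func initialize(masterPassword string, data []byte) *device {
	dek, salt := randomBytes(32), randomBytes(16)
	kek := pbkdf2SHA256([]byte(masterPassword), salt, kdfRounds)
	return &device{salt: salt, wrappedDEK: seal(kek, dek), storage: seal(dek, data)}
}

// Unlock is the only interface the host sees: plaintext or an error, never the
// DEK. The tenth consecutive failure zeroises the wrapped DEK (crypto-erase).
func (d *device) Unlock(password string) ([]byte, error) {
	dek, err := open(pbkdf2SHA256([]byte(password), d.salt, kdfRounds), d.wrappedDEK)
	if err == nil {
		d.failures = 0 // a correct password resets the counter
		return open(dek, d.storage)
	}
	if d.failures++; d.failures < maxAttempts {
		return nil, fmt.Errorf("wrong password (%d of %d attempts used)", d.failures, maxAttempts)
	}
	for i := range d.wrappedDEK {
		d.wrappedDEK[i] = 0 // after this, nothing can ever unwrap the DEK
	}
	return nil, ErrWiped
}

func (d *device) Wiped() bool { return d.failures >= maxAttempts }
```

Calling initialize with a master password and some data, then Unlock nine times with a wrong password and once with the right one, returns the data and resets the counter; ten wrong passwords in a row return ErrWiped, and from then on the correct password fails too, because the stored data is only ever ciphertext under a DEK that no longer exists anywhere. The contrast with the software case described earlier is that here the counter and the key live in the same object that the host can only query, not rewrite; the moment that counter is held on the PC, the "reset and retry" loop the article warns about becomes possible again.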



Besides encryption, what else can Kingston flash drives do?



When it comes to complete data security, hardware encryption is joined by built-in antivirus, protection against external influences, synchronization with personal clouds and other features, which we discuss below. At first glance there is no big difference from flash drives with software encryption; the devil is in the details. And here they are.



1. Kingston DataTraveler 2000







Take, for example, the Kingston DataTraveler 2000 USB stick. It is one of the flash drives with hardware encryption, but it is the only one with its own physical keypad on the case. This 11-key keypad makes the DT2000 completely independent of the host system (to use the DataTraveler 2000, you press the Key button, enter your password and press the Key button again). In addition, this flash drive has an IP57 rating for protection against water and dust (surprisingly, Kingston does not state this anywhere, neither on the packaging nor in the specifications on the official website).



The DataTraveler 2000 has a lithium-polymer battery (40 mAh) inside, and Kingston advises customers to plug the drive into a USB port for at least an hour before use so that the battery can charge. By the way, in one of our earlier materials we discussed what happens to a flash drive charged from a power bank: there is no reason to worry, because the drive is not activated in the charger, since no system sends requests to its controller. So no one will steal your data through a wireless intrusion.



2. Kingston DataTraveler Locker+ G3







The Kingston DataTraveler Locker+ G3 model attracts attention with its ability to back up data from the flash drive to Google cloud storage, OneDrive, Amazon Cloud or Dropbox. Data synchronization with these services is also provided.



One question readers ask us is: "How can encrypted data be obtained from a backup?" Very simply. When synchronizing with the cloud, the information is decrypted, and the protection of the backup in the cloud depends on the capabilities of the cloud itself. Therefore, such procedures are performed solely at the user's discretion: without their permission, no data is uploaded to the cloud.



3. Kingston DataTraveler Vault Privacy 3.0







The Kingston DataTraveler Vault Privacy 3.0 devices also come with built-in Drive Security from ESET. It protects the data on the USB drive from viruses, spyware, Trojans, worms and rootkits, so the drive is, one might say, not afraid of being plugged into other people's computers. The antivirus instantly warns the drive's owner about potential threats, if any. The user does not need to install antivirus software or pay for this option: ESET Drive Security is preinstalled on the flash drive with a five-year license.



Kingston DT Vault Privacy 3.0 is designed primarily for IT professionals. Administrators can use it as a standalone storage device or add it to a centralized management solution, which can also be used to configure or remotely reset passwords and to configure device policies. Kingston also added USB 3.0, which makes secure data transfer much faster than over USB 2.0.



Overall, DT Vault Privacy 3.0 is a great option for the corporate sector and for organizations that require maximum protection for their data. It can also be recommended to anyone who uses computers on public networks.



For more information on Kingston products, visit the company's official website.


