Protecting USB Flash Drives

While I was getting interested in Palm security, I started to think about other portable options. A USB Flash drive is a great way to keep data portable, but what if you lose the thing? A USB Flash drive would also need to be secured.

Flash drives are great. At the last trade show I worked at, my flash drive got used by others almost more than by me. We had a lot of people with laptops with varying degrees of access to the internet and their files back home. Naturally these files needed to be moved from this machine to that, along with digital photos, faxes, and other stuff. Fortunately my drive was really just a way for me to get files out of my camera into my computer and I didn’t have any really critical, sensitive, or personal stuff on it. But what if I had? What if I lost it? These things are incredibly handy, but they’re also very risky.

The ultimate solution is the BioStick – a biometric USB Flash Drive. It requires your thumprint to unlock and give you access. It can learn more than one print which is insurance against thumb loss, I guess. I want one. I have no real use for it, but I want it anyway. This thing is uber-cool and For $200 (for a reasonably sized one) it should be.

Assuming you already have a $30 drive that you aren’t going to replace, what are the options? Well some drives come with software already. My Cruzer drive from Sandisk came with CruzerLock, an encryption package, that seems like it would work fairly well. Except for two things: 1) The source is not open to peer review, which is heavily frowned upon by the serious-crypto crowd. With no chance to look at the source, how can you judge the quality of the system, and make sure there’s no back doors installed? What if it’s bad encryption?2) It doesn’t let you treat the thing like a drive. It opens a special window where you can open/access one file at a time. Not real flexible. In general I don’t trust what the drive companies are supplying for free. I know that in their shoes I would be far more worried about reliability (and a low return/problem rate) than quality of encryption. Besides, a separate solution helps provide more options if things go wrong.

The idea solution for this would have the following characteristics:

  • It would be platform independant – you can get to the data on a Mac, PC or Linux box.
  • It would not require special software or access on the host computer.
  • It allows the drive to be used as a drive, with drag and drop ease.
  • It doesn’t take a lot of space – no more than a megabyte.
  • It has strong encryption.

So, does a system meeting these criteria exist? I don’t know, but I have found a few that are close:

TrueCrypt is an open-source encryption system that can be installed on a flash drive. It can create a file that can be mounted to look like a disk drive. The cool part is that you can have both the unencrypted and encrypted drives open at the same time. The not so cool parts are that it requires admin access, a windows computer, and the encrypted drive file is fixed size – you decide how big it will be when you make it, and it can’t be changed. Still, the system is free.

CertainKey Ecto is a browser-based solution that uses Java to encrypt files. I had trouble getting it to work, and my XP SP2 system didn’t like some of the content on the main page. My laptop tels me that my login is invalid. I’ll have to contact the developer and see what they say. Still, it is platform independant, and if I can test it and determine that it will encrypt a whole directory at once it might be the bomb. For $20.

BestCrypt Looks very similar to TrueCrypt in features, as does DriveCrypt, but both cost in the neighborhood of $60. I think at this point I like free better, but it will depend on how reliable TrueCrypt turns out to be. I have downloaded both, but neither have a really obvious analogue to Traveller Disk Setup, althought I haven’t yet read the docs 😉

So far TrueCrypt provides the best functionality for me – I don’t work on Macs or Linux systems, so interoperability isn’t that critical. The admin access requirement may become a problem when my company moves to XP, but that’s a ways off. I do plan to check out Ecto a bit more, but that I cannot get it to work on one of my machines is troubling. With any of these systems, it’s really critical that they work with computers you haven’t had access to before – that’s half the reason for carrying a flash drive.

One thought on “Protecting USB Flash Drives

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s