Keep your important files mobile but safe with these USB thumb drives -- most under $100 -- from Kingston, SanDisk, Lexar, Imation, and more, which offer enhanced protection via encryption, biometrics, and self-destruct mechanisms.

InformationWeek Staff, Contributor

February 26, 2008

19 Min Read

Updated 3/4/08.

Many people have already discovered the convenience of using USB thumb drives to shuttle information between home, office, vacation, and other locations. But with convenience comes risk. What can be done to ensure that enterprise data remains safe even if a drive is lost?




Kingston DataTraveler Elite Privacy

USB-drive vendors offer a wide range of "secure" devices, addressing the demand for a more secure sneakernet. Here are a few things to look for:

  • Authentication: Password, biometric, or both? If password, how long can the password be? How insistent is the software in enforcing strong passwords and rotating passwords? How many unsuccessful attempts can a user make to enter a password before the device erases itself?

  • Encryption: Does the device itself offer encryption, or does the password simply prevent the drive from being mounted through ordinary channels? How strong is the encryption? The current standard is AES 256-bit encryption, although some consumer-oriented devices still offer 128-bit.

  • Road-worthiness: Depending on your security needs, this may be either a feature or a failing. Some secure USB drives require the ability to run applications on the host computer. In locked-down computer labs and Internet cafés, these USB drives that depend on built-in software may not work at all.

We have selected 12 representative USB drives that illustrate the variety of choices in the marketplace. Remember that just because you're carrying a "secure" USB drive doesn't mean that when you plug it into a strange computer (or your own) that you're inoculated against worms, viruses, keystroke logging software, DRAM attacks, and other scary critters from the bestiary of information security. Be careful out there!

1

Kingston DataTraveler Elite Privacy


Storage Capacity: 1 Gbyte, 2 Gbytes, 4 Gbytes, or 8 Gbytes
Casing: Titanium-coated stainless steel, waterproof
Encryption: Hardware-based 256-bit AES encryption
Special features: Encryption co-processor
Speed: 24-Mbps read, 10-Mbps write
Price: $87 / $128 / $191 / $327

The Kingston DataTraveler Elite Privacy (DTEP) comes shipped with 100% encryption across the entire USB drive. Any files stored on the device will be automatically encrypted by the hardware; conversely, files copied onto a host computer will be decrypted.

Because the encryption doesn't require an application on the host PC, DTEP can be used at locations such as an Internet cafés, where there's no expectation of having Windows administrator access.

Upon using DTEP for the first time, the user is asked to create a password containing from six to 16 characters, with a sufficient number of mixed-case and special characters. After 10 incorrect password attempts the drive will no longer function without reformatting. Users can also enter contact information accessible from the logon screen.


2

Kanguru Bio AES


Storage Capacity: 1 Gbyte, 2 Gbytes, 4 Gbytes, or 8 Gbytes
Casing: Standard
Encryption: 256-bit AES encryption
Special features: Fingerprint reader combined with password for two-factor authentication
Speed: 10-Mbps read, 5-Mbps write
Price: $80 / $100 / $130 / $180

The Windows-compatible Kanguru Bio AES includes a fingerprint reader as the second of two layers of authentication.

Upon connecting the device, the Kanguru BioLock application will prompt the user to enter a six-character password and a swiped fingerprint. Up to 10 fingers can be enrolled. While the manual recommends use of mixed-case characters, numbers, and symbols, the software does not enforce these recommendations.

Once connected, BioLock aims to be your replacement for Windows Explorer. While it's possible to drag-and-drop to the Bio AES, users are strongly encouraged to use the BioLock interface to move files, so as to more efficiently perform encrypt/decrypt functions.

3

Transcend JetFlash 220






Transcend JetFlash 220

Storage Capacity: 2 Gbytes, 4 Gbytes, or 8 Gbytes
Casing: Fold-out enclosure
Encryption: 256-bit AES encryption
Special features: Fingerprint reader combined with password for two-factor authentication
Speed: 10-Mbps read, 3-Mbps write
Price: $28 / $40 / $63

Unlike the dual-factor Kanguru Bio AES, the Transcend JetFlash 220 uses fingerprint technology just for the convenience factor. Users also have the option of using a password, even though that defeats the purpose of having a fingerprint as authentication. However, the device does not include protection against multiple password attempts or a requirement for a strong password.

Once authenticated, Transcend provides a "Password Bank Manager" application that maintains your Web site logon details to automatically access your registered accounts. You can also protect individual files on the hard drive of your host computer so that those files can be accessed only by someone authenticated by JetFlash.

So that you don't lose access to this rich store of passwords or protected files if you lose your USB drive, the software allows you to back up your user authentication and fingerprint data onto your hard drive. With the backup file, you can easily re-imprint a JetFlash 220, or if necessary, imprint multiple devices with the same fingerprint/password combination.

Considering what it may protect, make sure you use a strong password if you use one at all.


4

SanDisk Cruzer Enterprise


Storage Capacity: 1 Gbyte, 2 Gbytes, or 4 Gbytes
Casing: Standard, with shirt-pocket clip
Encryption: Hardware-based 256-bit AES encryption
Special features: Software available for enterprise USB drive management
Speed: 24-Mbytes/sec read, 20-Mbytes/sec write
Price: $75 / $125 / $185

The software for SanDisk Cruzer Enterprise closely resembles that of the Kingston DTEP, with the same password parameters (from six to 16 characters with a mix of letters, numbers, and symbols) and general program features. All files transferred to the single partition are automatically encrypted.

Yet SanDisk stands apart with its SanDisk Central Management and Control (CMC) solution for enterprise customers. SanDisk CMC allows central IT organizations to issue SanDisk USB drives containing "device agents" that communicate back to a network server (CMC uses Windows 2003/SQL Server). Administrators can remotely disable lost drives, restrict usage on unauthorized PCs, perform full audits of file transfers and usage, and otherwise extend control over the devices. SanDisk CMC also performs automatic device backup and allows for remote password administration.

Make sure to think through the configuration scenarios. For example, you may like the idea of shutting off a terminated employee's drive remotely, but keep in mind that deploying this optional capability requires users' USB drives to check in upon use to ensure that they're still provisioned. In this scenario, employees would have to give up the ability to use the drive on an airplane, or when the Internet's down at home, or if the lights were out at headquarters. Consequently, most organizations would probably opt to allow offline access (even if it means that a few drives get away), while still taking advantage of central management features (e.g. password resets) during online use.

SanDisk CMC requires Windows 2003 Server and Microsoft SQL Server 2000, and so this solution makes the most sense for IT shops that have the existing infrastructure and bandwidth to support yet another server application in the back office.

5

Lexar SAFE PSD S1100






Lexar SAFE PSD S1100

Storage Capacity: 1 Gbyte or 2 Gbytes
Casing: Standard
Encryption: Hardware-based 256-bit AES encryption
Special features: Passphrase, unique serial number, compliant with central management software
Speed: Not listed
Price: $60 / $95

The Lexar SAFE PSD S1100 was also built for the enterprise setting. But instead of a proprietary central management offering such as SanDisk CMC, Lexar directs its enterprise customers to Sanctuary Device Control, a third-party application that provides whitelist-based access control for external devices. Lexar SAFE PSD S1100 allows the Sanctuary software to set and enforce policies about access, usage and auditing. Indeed, every bit of data written to the USB drive can be "shadowed" in a back-office server for auditing and compliance purposes.

On its own, the Lexar SAFE PSD S1100 also offers some worthwhile capabilities. Instead of a password, the device is secured with a passphrase, which must be at least eight characters and can contain any number of spaces and special characters.

However, the software driver for the device must be installed on each computer for which the drive will be used. This precludes the use of the device out in the wild, where your ability to install software may be curtailed.


g

Lexar JumpDrive Secure II Plus


Storage Capacity: 512 Kbytes, 1 Gbyte, 2 Gbytes, or 4 Gbytes
Casing: Black matte casing
Encryption: Hardware-based 256-bit AES encryption
Special features: Capacity meter, file shredder, cross-platform
Speed: Not listed
Price: $25 / $30 / $75 / $95

Simplicity and standards define the plain USB drive. Because USB is a standard, USB drives work cross-platform, so that you can easily move files from your PC at work to your Mac at home. However, secure USB drives tend to be Windows-only, appealing to the PC-based enterprise market.

The encryption software on the JumpDrive Secure II Plus works cross-platform, on both Windows and on Mac OS X 10.3 and higher. Sure, most Macs these days ship on Intel platforms, but you shouldn't have to jump between operating system hoops when it's not necessary.

However, you may need help from your system administrator to access the secure segment from the office. In a typical enterprise configuration, the encryption software may need to be installed on your PC.

Lexar also includes "file shredder" software to ensure that deleted files stay deleted.

7

EDGE Tech DiskGO Secure Flash Drive Enhanced for ReadyBoost






EDGE Tech DiskGO Secure Flash Drive Enhanced For ReadyBoost

Storage Capacity: 1 Gbyte, 2 Gbytes, or 4 Gbytes
Casing: Swivel chrome housing
Encryption: 192-bit TDES encryption
Special features: Lifetime warranty, Vista-compatible
Speed: Not listed
Price: $30 / $40 / $50

Some people have noticed that Windows Vista requires a sizeable chunk of RAM in order to achieve optimal performance. Through a built-in feature called ReadyBoost, Vista can grab hold of the available flash memory to use for cache operations. In non-technical terms, you plug in your thumb drive, configure ReadyBoost in the "Properties" window, and your Vista PC should run faster.

However, most secure USB drives were initially incompatible with the ReadyBoost feature. EDGE Tech led the way with DiskGO Secure Flash Drive Enhanced for ReadyBoost, a device containing both security and improved Vista functionality.

In addition, DiskGO Secure includes a choice in encryption technologies: 256-bit AES encryption and 448-bit Blowfish encryption, a fast, open source, and export-friendly method.


8

ACP-EP Memory USB 2.0 Privacy Flash Drive


Storage Capacity: 4 Gbytes, 8 Gbytes, 16 Gbytes
Casing: Basic black
Encryption: Software-based 256-bit AES encryption
Special features: Portable vault
Speed: 23-Mbps read, 20-Mbps write
Price: $45 / $83 / $160

The ACP-EP Privacy Flash Drive mounts as a standard USB drive. Files can be protected using the included Portable Vault software. Users can set up a password (recommended length of seven characters) as well as a password hint to access the files.

Portable Vault creates and works with a hidden directory on the root level of your USB drive. Unlike some of the more transparent offerings that will encrypt/decrypt in the background as you use Windows Explorer, with Portable Vault you need the software to explicitly add or remove files to the secure area. This hurdle, in turn, may increase the risk that users will ignore the secure area entirely.

9

Imation Pivot Plus






Imation Pivot Plus

Storage Capacity: 1 Gbyte, 2 Gbytes, 4 Gbytes, 8 Gbytes
Casing: Tamper-resistant swivel design with pivot cap
Encryption: Hardware-based 256-bit AES encryption
Special features: Write-protect switch, master password
Speed: Not listed
Price: $70 / $130 / $160 / $260

With the Imation Pivot Plus, the casing stands out as the notable feature. With a pivot cap and a sturdy key ring connector, the product literature claims that "the drive will perform even when exposed to the harshest elements." They probably don't mean iodine, plutonium, and the like, but Imation did expose the Pivot Plus to rapid changes in extreme cold and heat, plus vibration tests. In any event, the device meets U.S. government computer security standards (FIPS 140-2, if you're keeping track) for being tamper-resistant and tamper-evident.

The drive has a single encrypted partition, requiring a password for access. Passwords must be at least seven characters and the device will format itself after seven failed password attempts. For enterprise settings, an administrator can add a master password across a range of Pivot Plus drives.

10

IronKey Enterprise Special Edition


Storage Capacity: 1 Gbyte, 2 Gbytes, 4 Gbytes
Casing: Durable waterproof (MIL-STD 810F-compliant), tamperproof metal case
Encryption: Hardware-based 256-bit AES encryption
Special features: Self-destruct on tamper, online password storage
Speed: 30-Mbps read, 20-Mbps write
Price: $79 / $109 / $149

The IronKey Enterprise Special Edition was designed for military and enterprise environments. If you tote around a Panasonic Toughbook, this may be the USB drive for you. While the consumer version includes applications to store your Web site passwords and the like, the Enterprise Special Edition sticks to the basics -- authentication and encryption.

With a solid, filled, and waterproof metal casing, it's not only tamper-resistant, but if the on-board "Cryptochip" detects any physical tampering by an adversary, the device will self-destruct, with IronKey's "Flash-Trash" methodology promising an exhaustive erase. Furthermore, the device will wipe clean after 10 incorrect password attempts, and the counter for those attempts is in the hardware -- not the software. This feature defends against a "memory rewind attack," which is among many information security concerns that IronKey addresses in a detailed FAQ.

To counteract the natural tendency to use a Post-It note to store the password for your high-security USB drive, Ironkey also provides a secure password storage service at my.ironkey.com. The drive will also work in conjunction with enterprise device management software.

11

Corsair Flash Padlock






Corsair Flash Padlock

Storage Capacity: 2 Gbytes, 4 Gbytes
Casing: PIN pad built into form factor
Encryption: None
Special features: Requires PIN to mount drive
Speed: Not listed
Price: $30 / $50

Whether encryption takes place through hardware or software, password authentication requires custom code for a particular operating system. This is why almost all of the above solutions provide Windows-only protection.

Corsair Flash Padlock takes another approach. Before it will work at all, you have to authenticate yourself to a separate security processor on the device using a six-button keypad. If you enter the correct PIN, the device will function as a normal, unencrypted USB drive. Because you don't need to borrow the resources of the host computer for authentication or encryption, you can be assured of the ability to plug the Corsair Flash Padlock into any computer, whether Mac, PC, or Linux, at home, at the office, or on the road. After you unplug the drive from the USB port, it re-locks in 15 seconds.

The benefit of device-based authentication is that nobody can steal your device password using keystroke logging software. Plus, because the device presumably turns into a thumb-shaped brick until the PIN has been entered, the question of encryption becomes moot. However, it might still be worthwhile to encrypt individual files or folders on the drive, because you never know.

You can set a PIN up to 10 digits long, and an online registration tool will store your PIN as a backup. The PIN pad and separate security processor are powered by a 3-volt lithium battery.


12

Roll-Your-Own Encryption


Vendor, Device, Storage Capacity, Casing, Speed: You decide
Encryption: Software-based
Special features: Works on any drive

If you tote around a briefcase handcuffed to your wrist, people will think you're carrying large quantities of cash. The same principle applies to people who carry USB drives with fingerprint readers or keypads with "Secure" etched on the casing. It's not exactly subtle, and so if you want to keep secret the very fact that you have sensitive files, the best approach may be to use an ordinary, unencrypted USB drive.

TrueCrypt for Windows, Mac, and Linux allows you to create an encrypted, password-protected "container" for your sensitive documents. The software requires sufficient access on a host computer, which precludes usage at some computer labs and Internet cafés.

TrueCrypt prompts the user to select a strong password with at least 20 mixed-case/mixed-symbol characters, allowing up to 64 characters. Numerous other configuration options cater to your precise level of paranoia. However, these same extensive options mean that TrueCrypt is not the answer for an enterprise roll-out to non-technical users.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights