Software or hardware encrypted hard drives?

Religious use of encryption is the key to keeping your data secure whether it is at rest or in motion

1189 0
1189 0

Update May 30, 2014

Please see my post here for the latest on the TrueCrypt debacle.

Update May 28, 2014

The Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more clarity on the Truecrypt situation.

Original Post

Religious use of encryption is the key to keeping your data secure whether it is at rest or in motion. One of the biggest risks facing consumers and small businesses is the loss or theft of a computer or hard drive containing confidential or proprietary information. This risk is particularly acute for those responsible for data covered under HIPPA and other such legislation. Most health workers are critically aware of their responsibilities to protect PHI (patient health information), but many may not know that the law provides safe harbor to a “covered entity” only if all PHI is encrypted using a FIPS 140.2 validated algorithm. I put the word validated in bold to emphasize and differentiate it from the similar sounding but fundamentally different term called FIPS 140.2 compliant algorithm. Many encryption programs and systems use algorithms that would be considered compliant with the FIPS 140.2 standard, but only those devices and systems which have been tested and validated by NIST can claim full protection under the HIPPA related laws. It costs a company a considerable amount of time and money to get a product validated so such devices and systems naturally command a premium in the marketplace. If you are in a regulated industry however you have little choice but to pony up for the government sanctioned encryption.

With the recent revelations of Snowden, some of you (myself included) may have doubts as to whether government validated encryption is actually the same thing as “the best available encryption”. Snowden documents revealed that the NSA has made attempts to influence NIST and it’s choice of algorithms and encryption standards. As a result, the FIPS validated “stamp of approval”no longer carries much weight for those paranoid about NSA snooping. Now, I will freely admit that this website was never intended to help protect anyone from the likes of NSA and other state sponsored spy agencies. Their resources so vast and expertise so deep that there is almost nothing you can do to keep your information safe from them. However, it a reasonable goal to at least make life very difficult for just about every other adversary (e.g. hacker and thief) you might face. In that light, FIPS 140.2 validated encryption is still probably the best you can reasonably do at this point in time. There is also nothing but a small speed penalty to stop the really paranoid from adding a second layer of open source encryption on top of a FIPS 140.2 validated storage device. Such a strategy might even work against state sponsored spies, but we’ll never know for sure! Remember though, any encryption strategy still hinges on your scrupulous use of long and complicated passwords. You must also keep in mind that even the best disk encryption passwords are of no defense to on-line attacks once the machine is powered up and the files opened!

The purpose of this article however is not to dive into details of various encryption standards or teach you how to hide from NSA. My message is simply that you should be striving to encrypt all your data all the time. How you do that is up to you, and your budget – in both time and money. For most people that use Windows, a free software based encryption tool like Truecrypt is sufficient. Unfortunately, Truecrypt is not playing well with Windows 8 yet. If you so you’ve got a Pro version of Windows 8 you’re probably better off using Microsoft Bit Locker instead Truecrypt.  Apple fans using reasonably recent versions of Mac OS can easily protect themselves by enabling FileVault on their computer; though I’m still not so sure I like that part about uploading the keys to Apple? Linux geeks have excellent native software encryption tools and it’s just a matter of taking the time to setup and use them. In short, software based disk encryption is a great option for the majority of people since it’s easy to use and low cost.

There are times however when software encryption isn’t enough or the best solution. For example, maybe you use Windows at work, but occasionally do some work on corporate proprietary data at home on your iMac or Linux box. Here you might consider a hardware encryption solution so you don’t have to worry about software incompatibilities.  There are also cases, when, for reasons beyond your control, it is difficult or impossible to use software encryption in a particular situation. I ran into such a case a while back when I discovered that Microsoft Windows Small Business Server 2011 backup does NOT provide a means of encrypting backups, and it was impossible to use software encryption tools like Truecrypt to resolve the problem. Here again, it was a hardware encryption solution that saved the day!

I can’t profess to have used a lot of hardware encrypted devices, but I can say that I’ve had good success with the ones I’ve used for myself, and some of my clients. For my money, some the easiest to use hardware encrypted devices are from Apricorn. They have a selection of hardware encrypted external USB hard drives, hardware encrypted SSDs, and hardware encrypted flash drives to meet a wide range of needs. I have owned and used one of their FIPS 140.2 validated flash drives for quite a while now and I like it. It’s rugged, and the tiny keypad makes it easy to unlock and use the device on any computer without concerns about software compatibility. If you are in the health field and need a flash drive, these are the ones you want! One of my associates also swears by the Ironkey flash drives. I’ve not tried them myself, but they definitely deserve a look!

A Possible Solution to the The Evil Maid Problem?

This is an aside on the Apricon Aegis Flash drive. When I first learned of these devices I had hoped that they might offer a nifty solution to what is known as the “evil maid” problem. If you are not familiar with the issue, the evil maid problem goes something like this. If you use software based encryption on your computer, you are always left with a small disk slice that is unencrypted. This slice usually only has a small boot loader that gets you to the part where you enter the password for the disk and unlock the disk to start the operating system. If you are away from your computer for an extended period, it is conceivable that someone (i.e. an evil maid) might be put malware on this boot loader and capture your password with out your knowledge the next time you started your machine. The evil maid could return later and have full access to your files. In theory, it is possible to put the boot loader on a USB flash drive and take it with you when you leave. This makes it impossible for the evil maid to load any software since remaining disk slices are all encrypted. The trouble is that you usually don’t want the hassle of taking a bundle of USB flash drives with you whenever your machines unattended. You also could lose them and then be unable to access your machine.

Enter the Apricon with their Aegis hardware encrypted USB flash drive. Eureka!  Put the boot loader section on one of these and they you’re all set. The evil maid is foiled by the hardware encryption and you’re safe to leave the key locked in a drawer while you go to the beach. Unfortunately, it didn’t work out as I had hoped! It turns seems the Apricon flash drive is super sensitive to any changes in voltage level on the USB bus, and automatically locks the device during any hardware disturbance such as power up or a reboot cycle. The end result is that no matter how hard I tried, I could not boot a computer with the Apricorn hardware encrypted flash drive. While this is unfortunate for my plans against the evil maid, it is also probably essential in the design of the device to make sure that it can’t be hacked!

Other Apricon encrypted devices

I have also used the 1 TB and 4 TB versions of the Apricorn Aegis Padlock series of hardware encrypted USB 3.0 hard drives. Again, they have been 100% reliable for me over the course of more than 2 years when used 24/7 for encrypted external backup solutions on one my clients server machines. I note that the basic Padlock series of drives have Military Grade FIPS PUB 197 Validated Encryption Algorithms. This is a very good standard, but if you are under HIPPA, you will want to choose their Padlock Fortress models to get the required FIPS 140.2 validated encryption. If you’re a regular corporate or home user, the cheaper FIPS PUB 197 validated drives are plenty good enough though! In fact, and I probably shouldn’t say this, an Apricorn representative once told me that there is almost no difference in the hardware used in the regular Padlock and the Fortress drives. He went on to say that it cost the company a lot of money and a year of engineering time to push the Fortress drives through the FIPS 140-2 validation. As a result, they must differentiate and charge more for the Fortress models.

Well, that’s enough for now. Again, you’ve got hardware and software encryption options that work, just pick and use them!

In this article

Join the Conversation