Encrypted flash drives: convenience and performance unmatched by the cloud

By Greg S · 5 replies
Jul 10, 2018
Post New Reply
  1. With the introduction of the European Union’s GDPR, international businesses have even more reason to keep tight control over their stored data to avoid hefty fines. Businesses have taken different approaches to maintaining proper security. Some such as IBM have banned USB drives in attempt to avoid the spread of malware. Others have implemented stricter rules for Bring Your Own Device policies.

    Faced with the different alternatives on my day job, I was tasked with testing two of Kingston’s encrypted flash drives to see how well they work on a day to day basis compared to the option of using cloud services exclusively. Using encrypted drives with the capability to be used in a read-only fashion allows for secure file transfer between offline devices and network machines being regularly used.

    Kingston's DataTraveler Vault Privacy 3.0 and IronKey D300 both offer out of the box hardware encryption. The Vault Privacy 3.0 uses 256-bit AES hardware encryption in XTS mode to achieve FIPS 197 certification. The IronKey D300 goes a step further and has physical resistance to data thieves with a zinc casing and has an epoxy fill that shows if any physical tampering attempts were made. Upgrades to physical defenses combined with the same 256-bit AES hardware encryption give the D300 its FIPS 140-2 Level 3 certification.

    Medical, legal, and government agencies’ needs for compliance are all met by both of these drives. For enterprise, there are fully managed versions available with remote wiping capabilities and secondary passwords for administrative use in case someone forgets their password or is terminated and refuses to give up their credentials.

    For the careless and accident prone users, both drives are IPX8 rated for submersion in water up to four feet deep. The Vault Privacy has a slot for a ring strap to be put through and the D300 has an included steel cable with a threaded connector so that there is no chance of it falling off of a key ring or lanyard.

    Upon inserting Kingston's encrypted USB drives, a CDFS partition appears with an unlocking tool. Users are required to enter their password before the main formatted partition of the drive is visible. Windows, Mac, and Linux software support is available. Passwords on the DataTraveler Vault Privacy 3.0 must be between 8 and 16 characters with a combination of alphanumeric and symbolic characters. The IronKey D300 allows the end user a little more freedom of choice.

    Performance

    One of the caveats of an encrypted drive is that all file transfers are impacted by the encryption process. Both the Vault Privacy 3.0 and IronKey D300 are rated at 250 MB/s read and 40 MB/s write for the 32GB model when using USB 3.0.

    In day to day use, I have found that any slow down due to encryption is largely unnoticeable. Without looking at benchmarks, there is not a noticeable difference in regular use. Whether you are working with large quantities of small files or large continuous files, the drives still perform about on par with unsecured USB devices.

    Prolonged reads and writes to the drives went smoothly as well. Large files do cause the drives to warm up a little bit, but certainly not to the point of concern. The metal casing on the D300 helps dissipate what little heat it does produce while the DataTraveler only starts to really throttle after nearly filling the entire drive. In regular use, thermal throttling is unlikely to ever be a problem.

    One thing to note is that both drives are formatted as FAT32 out of the box. While using FAT32 does give widespread compatibility with almost any device, exFAT and NTFS allow for contiguous files larger than 4GB to be transferred. There is no meaningful performance difference when using different file system types.

    All of that aside, here are the raw numbers from CrystalDiskMark. These benchmarks were run on a mid-range laptop so as to showcase what regular users will actually see in the real world. It is certainly possible to get better numbers, but I still exceeded Kingston’s ratings in some of the tests, so it is safe to say that their specs are a fair average of what one can expect. Sequential and Random tests were run using a single queue and thread. In a second round, each drive was benchmarked using 16 queues in sequential tests and 32 queues for random with 8 threads in both sequential and random trials.

    The DataTraveler Vault Privacy 3.0 well exceeds Kingston's specifications when working with smaller files. Only once the 16GB test is run do the speeds begin to really drop off and provide the expected performance metrics.

    As expected, the D300 performs almost exactly the same as the Vault Privacy 3.0. There is absolutely no noticeable difference in real world performance between the two. Copying a combination of media files, documents, and program folders to the drives produced no significant differences.

    Ease of Use

    In any security system, people are often the weakest point. For all removable drives, manufacturers recommend using safely remove hardware option. Kingston’s software has its own safe shutdown option to ensure that the drive’s internal hardware correctly closes out all file streams and closes the USB connection to the host computer.

    How many people will actually bother to safely remove a USB stick each and every single time they need to use one? The answer to that is probably not very many. At least I know I am guilty of almost never using safe removal. Fortunately, both the DataTraveler and D300 do have driver support for quick removal. All data will remain securely encrypted in the event of a premature drive removal. In my experience, both encrypted drives work just fine with quick removal so long as you make sure any file transfers are complete. Kingston still recommends you use their own software safe shutdown option, but I digress.

    Unfortunately, it is not possible to use the D300 and DataTraveler with every device that a standard flash drive can be used with. You must have a device running Windows, Mac OS, or Linux. Plugging either of the drives into a device running Android, iOS, a proprietary OS, or no operating system will not work because the software on the CDFS partition cannot launch and therefore you cannot access or store any data on the drive.

    This issue is recognized and there is actually another product to solve that problem. The DataTraveler 2000 drive has a physical keypad that allows it to be unlocked before plugging it into a device. Projectors, lab equipment, or devices that do not support the D300 and DataTraveler can still make use of the DataTraveler 2000. Although I have not tried that drive personally, it is meant to be as secure as the Vault Privacy 3.0 carrying the same FIPS 197 certification.

    After becoming quite familiar with these two drives, I can safely conclude that the experience is mostly seamless provided you are using regular laptops or desktops. There are some minor hurdles to get over such as remembering to unlock the drive each time you plug it in before you try to save a document to it, but it did not take long to become accustomed to. AutoPlay can be used to automatically launch the unlocking software, but anyone seeking enhanced security should know that AutoPlay being enabled is a horrible idea.

    Comparison to cloud alternatives

    The first issue encountered with cloud-only solutions is trying to transfer files between offline devices and workstations. Standalone machines being used for single tasks such as controlling a piece of equipment cannot be accessed in any way other than direct physical access. Adding internet access puts legacy applications running on out of date operating systems at high risk of being compromised.

    Instead of spending a small fortune trying to retrofit proprietary equipment with newer operating systems that can securely access cloud services, implementing controlled device policies are a much better solution. So long as every device being used on a network is accounted for and properly protected, there is little risk involved. The read-only mode on Kingston’s encrypted drives is a highly underrated feature.

    One aspect where the cloud wins every time is overall scalability. If you need to deal with very large data sets, a removable drive of any kind is not going to be the ideal choice. DataTraveler models only reach 64GB and the IronKey D300 only scales up to 128GB of storage.

    Cloud storage is significantly cheaper on a per-gigabyte basis and can scale infinitely for most businesses. Software encryption can also be performed before uploading files to the cloud making for a seamless experience. Arguably, software encryption may not be technically as secure as hardware approaches. Even though hardware encryption exists for hard drives as well, the data still needs a secure upload method before reaching cloud drives.

    When you want to share files with someone else via the cloud, a link can easily be generated and sent to an email address or phone number so that only that person may access shared data. Sharing data via USB can be more convenient when in close proximity or when internet access is unavailable, but clearly is not as useful when on opposite sides of the world.

    Due to the requirement of internet access for cloud storage, file transfer speeds can only be as good as your internet service provider allows for. Some businesses can afford to install impressively fast connections, but employees outside the office are subject to whatever Wi-Fi or paid LTE with data caps can provide. Going back to performance figures, encrypted flash drives are currently likely to offer better performance than uploading and downloading from cloud hosts.

    When time is a crucial factor, using local means of storage will almost always provide a better experience. Unfortunately though, local hardware can fail and may not be backed up with multiple redundant copies of data. Kingston backs their encrypted drives with 5-year warranties showing that failure is unlikely, but it can and will happen on occasion.

    Closing remarks

    When looking at different methods of increasing security for your network, banning all USB devices can be more of a pain than an actual benefit. In most instances, the knee-jerk reaction to place sweeping bans on removable devices only leads to headaches and wasted time trying to find workarounds of how to move data from point A to point B without inserting removable storage.

    During my time using the DataTraveler Vault Privacy 3.0 and IronKey D300, I have found that it is possible to become accustomed to using a password protected USB drive. It may not be quite as convenient to enter a password every time you insert a removable storage device, but the added security is certainly worth it if you are carrying around sensitive information. Even non-technical users can easily make use of hardware encryption.

    Pricing on the drives is too high for average consumers. Kingston’s encrypted drives are very clearly being marketed to larger businesses and government agencies. It would be nice to see storage capacities go up and pricing come down to more reasonable levels so that they are more accessible to regular consumers.

    All of that said, would I recommend the drives for personal use? Maybe. If cost were truly not a point of consideration, I would have no problem giving the D300 my recommendation for its excellent build quality and respectable performance. It is by far the sturdiest removable drive I have ever used. For businesses that would rather invest in security as opposed to crisis PR teams and lawyers following a data breach, either of these drives can provide a turnkey solution that simply works.

    Permalink to story.

     
    Last edited by a moderator: Jul 10, 2018
  2. Bullwinkle M

    Bullwinkle M TS Rookie

    A 5 year warranty is NOT a backup!
    It may replace your drive but it does nothing to replace your data


    The option to use two or more passwords for the exact same encrypted data means that the hardware key can be used by Kingston and the Government without knowing your password
    All they need is the master password for the specific thumb drive based on its G.U.I.D. / serial number or other identifying mark


    The security of your encrypted data is non existent if you store the encrypted drive for more than a year without plugging it in
    Quality flash drives are very durable and may be wiped hundreds of times but the cold storage data retention times are normally between 6-12 months


    The READ ONLY aspect is also concerning for real security experts like myself.
    An Blu-Ray M-Disk can "potentially" retain your data for up to 1000 years, while this drive might be good at retaining your data for less than 1000 days

    and last but not least.....
    If you use Windows 10 and are online, Microsoft has access to all your encrypted data through their backdoor policy "THAT YOU AGREED TO" in their extortionary Licencing Agreement
     
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 4,005   +2,490

    I like the idea but for my most important data I have a single board PC attached to a separate hard drive which I transfer data to. It is NOT attached to the internet, does not have WiFi or Bluetooth so it is as secure as I can make it. I was going to put it into a 10' deep vault away from the house but I'd rather watch TV than dig another hole so ........
     
  4. Buhaj47

    Buhaj47 TS Rookie

    I'm interested in this, do you have more details?
     
  5. Bullwinkle M

    Bullwinkle M TS Rookie

    Sure,

    I've wiped a cheap Silicon Power thumb drive 350 times with Killdisk in the past 4 years and just finished this durability test in June
    The thumb drive still works fine!

    Durability is not an issue but data retention IS!
    Do a google search on cold storage data retention of flash memory if you need more info

    Read the Licensing Agreement for Windows 10 or watch some youtube videos
    Search : > "barnacules nerdgasm windows 10 spyware" to get an idea of what is going on

    It is worse than the youtube videos show however....
    Edward Snowden said he could watch you as you type so everything you do can be seen in realtime (without a warrant)

    "Host Process for Windows Services " cannot be blocked in your firewall if you still want Internet access

    As long as "Host Process for Windows Services" has access to the Internet, Microsoft can push whatever garbage they want on your box, modify whatever they like or do whatever they want with your data and there is nothing you can do to stop them unless you disconnect

    Bitlocker also has a 32 digit "key identifier" associated with every bitlocker disk so there is no security with that encryption either

    If you can install to an MBR partition, you can use Truecrypt with Windows 8.1 or 10 but you lose all security once you connect to the Internet because of the backdoors

    The rest of my post should be self explanatory
     
    Buhaj47, Godel and jobeard like this.
  6. pssst3

    pssst3 TS Rookie

    Local storage has its place but there are a few misconceptions in this article.

    The first is that this is not a comparison of cloud and offline storage, but using a computer with local storage vs cloud computing. The assumption is that data files must be stored in a local computer, and that processing must be performed locally.

    Neither of these assumptions are true today. Once outside the home, even when businesses maintain their own data centers, only the worst run of them store their primary data files on individual PCs. Corporate data resides on server storage and is backed up within the data center. This is done because businesses put a high value on their corporate data and take the steps needed to properly secure it.

    Individual consumers who have grown up using stand-alone personally-owned computers are generally unaware of data management, and do a spotty job of organizing and protecting the huge volumes of low-value data that they amass. They do not segregate high value data from low, do not make local backups of new data, and rarely check to see if they can restore from the backups that they make. There are exceptions, of course. Those who run small businesses from their homes more more likely to better organize their data amd make more frequent backups.

    But businesses and consumers who use only offline systems with only locally stored data are increasingly rare. That makes and either-or comparison irrelevant.

    That USB flash drives can be made write once and be encrypted does not make them o-me secure storage.\

    Encryption is not the same as security. Encryption provides a degree of privacy. Security encompasses physical safety.

    Physical safety is not just protection from the environment, but protection from loss and damage. Comparing a physically small detachable device managed by an individual to a professionally managed cloud server farm for security from theft or damage, any form of local storage is less secure.

    The convenience of being able to make a fast copy of a largish amount of data to a local storage device is undeniable, but it cannot be equtably compared to cloud storage by simply comparing data transmission speeds. Cloud storage as part of an integrated solution is not typically used for moving large masses of data between physical locations. Modern cloud storage systems replicate changes of data as they occur. This can happen at the file level or the record level.

    When it is necesssary for copies of large cloud-stored files to be made to offline storage for archival purposes, doing so to a consumer's local internet node is admittedly slower than copying a file from a loacl computer storage to a USB stick, but that ignores the basic question of the necessity for doing so.

    As an IT professional whose experience started before the internet, and extended through large data center operation, I've seen everu-yhting from one computer businesses through multi-office systems. I've used local storage, data center storage and cloud storage extensively.

    Of all the methods that I've tried, cloud storage from the larger players provides the best security and the most convenience. USB flash drive storage, because of its size and cost is attractive for transporting small amounts of data, but the ease with which it can be lost, damaged or stolen, makes it the second least physically secure. (Removable SD card storage is the least secure).

    Having spend the past year using 100% cloud storage over the lowest tier cable internet connection, I have found it to be reliable and highly secure. The few times that I have needed to carry a data file with me as detachable storage, it has been things like copies of family emergency medical information in non-encrypted form for use by potential Luddites. The same information is in cloud storge and accessible in an isolated shared folder accesible only with a
     

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...