If you use a portable drive for business, there’s a very strong case for keeping that data secure with a hardware-encrypted drive. And when customer data is at stake, there’s a legal obligation to button it down to keep it confidential in the event of the drive being lost or otherwise compromised. Even home users may prefer to keep their files and data to themselves. Which is why encrypted portable drives like the iStorage diskAshur Pro can be such a great idea, with their built-in keypads that need a numerical PIN to be entered before they give up their secrets. The diskAshur Pro follows a line of similar drives sold in this country by iStorage Limited, which are rebranded and renamed drives designed by and made for Apricorn Inc in the USA. This latest version is called the diskAshur Pro, otherwise known as the Apricorn Aegis Padlock Fortress, and has been given a FIPS 140-2 security rating. It earned the Federal Information Processing Standard certification thanks to the use of a validated cryptographic module; compare this with the older non-Pro version which is listed only as FIPS PUB 197-validated. The latter designation simply means it uses an AES block cipher to encrypt data, and does not require independent verification. See also: 13 best portable hard drives UK.
iStorage diskAshur Pro: Build and design
The diskAshur Pro looks almost identical to the standard non-Pro diskAshur, although there is one extra key on the clicky membrane number pad. This is a Shift key, like that on a qwerty keyboard, which can be optionally used in combination with the usual 0-9 numbers to create a much larger PIN code keyspace. The unit is made from relatively tough black plastic that has been surface treated to give a matt, rubbery finish. The keypad requires some concerted finger pressure to activate each key. Attached to the right side is a tethered USB cable with around 110 mm of available length. If that’s too short there is a USB 3.0 extension cable included, and this double-plugged cable may also prove useful if your computer cannot provide enough power through one USB port to consistently power the drive. In our tests we found that the diskAshur would disconnect from some laptops, including recent models of Apple MacBook when the drive was benchmarked or simply presented with large file copying operations. Unfortunately the double-ended Y-cable was of no use here, since current MacBooks have one USB port positioned on each side of their chassis, too far distant from each other to allow the cable to plug into both simultaneously. Inside the diskAshur Pro is a 2.5-inch SATA disk; in our sample a 1 TB drive from Toshiba. Other capacities available include 500 GB, 1.5 TB and 2 TB. You can also specify the drive with a SSD between 128 and 512 GB capacity.
iStorage diskAshur Pro: Setup and use
When first set up, the diskAshur requires you to create your own PIN code of between seven and 16 numbers. There are some basic rules to prevent lazy users from creating easy-to-guess combinations. Namely, no consecutive number sequences and no PINs with all the same number. Without the Shift key, our back of the napkin calculations suggest there are around 10^16 PIN permutations; by raising the keyspace from 10 to 20 buttons there could be more than 10^20 possible PINs. Or 10,000 times more numbers available. You’re highly unlikely to bruteforce guess the PIN code anyway, since the drive has a variable timing circuit (VTC) that increases time between possible guesses. After 10 wrong attempts you must reset the device with a complicated button-pushing routine before you can start over. And you only get another 10 attempts before the drive will need reformatting, thereby losing all its data.
Security under scrutiny…
Overall security of the drive is a moot point, especially in the light of recent surveillance disclosures by Edward Snowden. While this is potentially Apricorn’s most secure drive yet, bear in mind the FIPS rating is for civilian equipment only, for use when undertaking US government contract work, and is not deemed milspec security. We know that iStorage’s drive was granted FIPS certification in July 2013, and that it uses a FIPS 140-2 Level 2 cryptographic module that has been encased in epoxy to reduce the possibility of physical tampering. The core crypto is AES-XT 256, a symmetric cipher believed to be uncrackable within sensible timespans by current brute-force techniques. However there may be questions over the module’s random-bit generator which seeds the AES master key. It operates using an approved technique detailed in NIST document SP800-90 (Recommendation for Random Number Generation Using Deterministic Random Bit Generators). See also: 13 best portable hard drives UK.
One of the four recommended techniques therein, based on Dual EC DRBG, was introduced by the NSA in a controversial $10 million pay-off made to crypto company RSA Security LLC, and is now publicly recognised as compromised. Apricorn’s design is using an alternate SP800-90 HASH function, signed off by NIST at the same time. The entire standard has now been reopened for peer review. Besides any possible NSA-led weakening of the crypto module through the agency’s BULLRUN and related programmes, there is also the distinct possibility that the cryptographic module includes a hidden back door introduced at the behest of a US intelligence agency. This could take the form of a single master PIN key hard-coded into the module, which can simply open every drive. The original designer would be subject to a national security letter (NSL) that would forbid them from disclosing the US government’s intervention. Finally, it’s known that crypto modules up to Level 2 of FIPS 140-2 are potentially susceptible to side-channel attacks that can retrieve the master key; for example through simple or differential power analysis techniques (SPA and DPA). In conclusion the FIPS 140-2 Level 2 verification adds credibility and suggests the diskAshur Pro will be sufficient to protect your sensitive documents from casual, and even quite dedicated, intruders. But you might not want to rely solely on its hardware security when industrial espionage or whistleblowing is at stake.
iStorage diskAshur Pro: Performance
Despite the added hardware encryption the diskAshur Pro proved to be able to run at the same speed as rival unencrypted drives. Its 1 TB Toshiba disk could read and write sequentially in Windows at around 115 MB/s, while OS X benchmarks suggested read/write speeds of around 103 MB/s. Small 4 kB files suffered the usual slowdown from disk technology, here down to 0.58 and 0.27 MB/s for random reads and writes. The Mac testbed showed typical small-file performance of 16.7 MB/s random reads and 7 MB/s random writes, using an average for data sized from 4 kB to 1024 kB. See our group test: What’s the best SSD?