When I travel, my sensitive files are encrypted inside a TrueCrypt container. TrueCrypt is widely respected, widely used (at least by techies), free, open source, and available for Windows, Mac, and Linux. But it does take a little work to use it. For non-techies, the process of creating secure containers, then mounting them and dismounting them may be too much.
To make encryption as simple as possible for non-techies, some companies employ full disk encryption (FDE). Typically this only requires entering a password at system startup, thereafter, it requires no extra work on the part of the computer user. With full disk encryption, every byte on the hard drive is encrypted.
This sounds great, at first. However, I don't think the internal hard drive of a computer should be fully encrypted, for many reasons. I discussed some of the reasons back in June when I blogged about the ThinkPad USB Secure Hard Drive from Lenovo. For example, nothing beats physical security, thus it's better to encrypt an external hard drive because it's smaller than any laptop and thus can go with you more places than a computer can.
There are many secure external hard drives, but very few take the approach of the ThinkPad USB Secure Hard Drive. I have not used one, but am enthusiastic about its approach to FDE. Specifically, that the security exists totally in the device.
The vast majority of secure external hard drives depend on software running in the computer. Not this one. It has buttons on the top that are used to enter a password. The device itself stores and validates the password. Only after entering a valid password does the computer become aware of the existence of the drive.
The computer is blissfully ignorant of the hardware-based Full Disk Encryption being employed. This makes the drive truly portable, it can be used on Windows, Mac, and Linux. That Lenovo put the word "ThinkPad" in the product name strikes me as a big marketing mistake. The only ThinkPad-y thing about it is the way it looks.
As I mentioned in my earlier blog, I don't own a ThinkPad USB Secure Hard Drive. Recently, I went to buy one and found it hard to come by online, at least quickly. This led me look for other secure external hard drives and I found a twin. The Aegis Padlock from Apricorn (shown below) is an almost exact copy of the Lenovo drive.
The Lenovo drive was released around November of 2008 and offers 128-bit encryption. The Apricorn drive was released in August 2009 and offers either 128- or 256-bit encryption (you pay more for the higher level of encryption). The buttons on the Lenovo drive are labeled only with numbers, thus all passwords are really pass numbers. The buttons on the Apricorn drive are labeled with both numbers and letters.
Both drives include a built-in USB cable (a nice feature that prevents you from losing or forgetting the cable) and a backup two-headed cable. While most USB ports should be able to power an external 2.5-inch hard drive, some cannot. The two-headed cable lets you plug the drive into two USB ports concurrently, drawing power from each and insuring the drive will work.
The big difference though seems to be price, the Apricorn drives are cheaper, starting at under $100. I bought an Apricorn Aegis Padlock, model A25-PL128-xxx.
When you connect the drive to a USB port nothing is supposed to happen, as far as the computer is concerned. On a Windows XP machine this was not the case, the Operating System was aware of the drive and auto-installed a driver for it. However, the drive was not assigned a drive letter (which is, after all, the whole point) and did not appear on the list of installed drives in Disk Management.
Initially, the light on the drive glows red. Give it a valid password, it turns green and the computer can see the files on the drive. At this point the Aegis Padlock has done its job. Like all full disk encryption, and like my favorite encryption product TrueCrypt, it only protects data at rest.
Once the drive is unlocked, it's wide open. That is, it functions like any other external hard drive. Although it supports multiple passwords, data is not segregated on the drive.
You don't have to lock the drive, it's automatically locked when removed from the computer. This is one advantage of encrypting an external drive rather than an internal one. If you need to step away from your computer for a minute, just pull out the drive, no need to shut down or hibernate the computer itself. And, if you really care about security, take the drive with you.
Like any external hard drive, you should logically disconnect (a.k.a. eject, safely remove) the drive from Windows before physically disconnecting it.
The advertised 250GB drive contained one small file and 232GB of free space. The file was the October 2009 edition of the User Guide--and it was broken.
On a Windows 7 machine, the Foxit PDF reader version 184.108.40.2065 complained that the User Guide was "damaged." On a Windows XP machine, Foxit again couldn't read it. Neither could the Adobe Reader version 8.1.7, which also complained that the file was "damaged." Fortunately, Apricorn makes the User Guide available online. Still, as first impressions go, this leaves room for improvement.
The claim made by both companies that the drive can be used with Windows, Mac OS, and Linux is true, but not the whole truth.
Both drives come NTFS-formatted, which means that Macs can read files but not update them. In the old days, Linux support for NTFS was limited, but all or most current distros should support read/write access to NTFS partitions. None of the documentation from Apricorn addresses specific Linux distributions.
The instructions for the Aegis Padlock clearly state the NTFS limitations on Macs and walk you through the process of formatting the drive as FAT32 - on a Mac. FAT32 can be thought of as a universal translator; it's the only file system fully supported by Windows, Mac OS, and Linux. I needed the drive to be fully functional on a Mac, but, I don't own a Mac. Formatting the drive as FAT32 from Windows turned into an adventure.
Windows 7 did not offer FAT32 as a format option when I right clicked on the drive letter. I tried the Format command but that failed too. Same thing on Windows XP. Although Windows XP and 7 can happily read/update files on large FAT32 partitions, neither OS will format a FAT32 partition larger than 32 gigabytes. Thanks for nothing, Microsoft.
An Internet search led me to Ridgecrop Consultants Ltd and their fat32format utility. It was initially a command line tool, but there is a newer GUI version of fat32format which I used. It worked like a charm.
The lone disadvantage of FAT32 is that no single file can be over 4 gigabytes. That seems like a small price to pay to get a truly portable drive.
The product description says that the Aegis Padlock supports up to 10 passwords, but I found the topic covering this in the User Guide to be confusing. The manual focuses on creating two passwords, one for a regular user and one for an administrator. Fortunately, that was sufficient for my needs.
As a password-focused device, the Aegis Padlock needs to protect against password guessing. According to the User Guide (I didn't test this) the device slows down guessing two ways.
After six invalid passwords are entered, the keypad stops responding and the device needs to be unplugged from the computer and re-inserted. After 50 invalid passwords are entered, the device locks up. At this point unplugging it and re-plugging it does not reset the counter, however, the device can be re-enabled to process passwords again using instructions in the User Guide.
After 100 invalid passwords, that's it. The Aegis Padlock will never again offer up its data. You don't have to throw the thing away, but you do have totally reset it. This wipes out all the data and all the old passwords. It even wipes out the file system and the partitions.
Apricorn makes the User Guide available online. If you need a secure portable device, reviewing the 19-page manual should give you a great feel for the product. You can see the Aegis Padlock in action in this video by Andrew Moore-Crispin. CNET also has a short video on the ThinkPad USB Secure Hard Drive.
On the hardware side, SIW reported that the internal hard drive was a Western Digital WD2500BEVT-22ZCT0 rotating at 5400 RPM with an 8MB cache.
Finally, there were a couple things about the drive I didn't understand.
It should work with any computer, yet the box lists Windows 7, XP, and Vista, but not Windows 2000 or any earlier versions of Windows. The earlier versions of Windows don't support NTFS, but Windows 2000 certainly does. On the Mac side, the documentation says the drive works with OS X 10.2 or later. Is that when NTFS support was added to OS X? I'm not a Mac person and I'm not sure when OS X starting supporting FAT32.
Perhaps the thing that concerns me the most is the price of the Aegis Padlock, which is in the vicinity of a third less than an equivalent drive from Lenovo. You buy a device like this for the security; price, speed, and capacity are secondary concerns. I have to wonder what, if any, corners were cut to enable Apricorn to sell the product for so much less than Lenovo. Especially considering they appear so similar.
Michael Horowitz is a regular columnist for eSecurityPlanet.com. Read more of his columns here.