CIO

Review: Self-Encrypting External Hard Disk Drives

When evaluating secure, external, portable, hard-drives for yourself, the fundamental question is do you want a hardware- or a software-based device?

Introduction

With data becoming more valuable, the need for security also gets greater.  Today’s technology and working behaviours both facilitate data being easily transported. Information is far less static due to home working, multiple office sites, low cost USB storage devices and DVDs.  With all these portable devices and data being moved from place to place we must be mindful of data backup.

When evaluating secure, external, portable, hard-drives for yourself, the fundamental question is do you want a hardware- or a software-based device?  This review looks at six examples and considers how each can be used for data transportation and backup. The products covered range from convenient plug and play devices offering simple and secure transport, to slightly (very slightly) more complex products that include a few more useful features.  As with most IT products, your choice should come down to suitability for purpose. 


Data Locker DL3

Overview
Out of the box, Data Locker’s DL3 could easily be mistaken for a media player, as its screen covers most of the front face.  It’s fairly lightweight but the solid build gives it a feeling of quality and the brushed metal face-plates add a stylish look.  The unit also ships with a rubber casing leaving only the front screen exposed.

Features
Set up includes pages of options.  The first of these is choosing your language; you have four: English, Spanish, German and French.  

As with other drives in this review, the features seem to be fairly standardized across products. 
The Datalocker DL3 offers a virtual CD feature, allowing you to mount your own ISO image to the drive.  This could be great for demonstration purposes if you wish to use a different computer but your own software; you basically have your own portable virtual machine.

Password length can be set anywhere between 6 and 31 characters.  The option to randomise the keypad display is also offered.  We think that this is a particularly good feature to have on a product with a glass screen. Finger marks can make it much easier to guess the locations and numbers keyed for the password.

Page 2 offers another 4 setting options.  Key tone is standard, but this is followed by the less familiar Zeroize Drive feature.  Zeroize allows you to quickly wipe and reset the drive for redeployment (just make sure you’ve got your documents backed up before selecting it).

The DL3 also offers 2-factor RFID authentication, an option not available on the other units reviewed here. The extra security this provides could be really beneficial for securing data.

Usability
We found this product simple to use; all of the instructions were clear and logically ordered.  Once your password is accepted the device appears in your machine’s device listings and is ready to be used as a straightforward fixed drive.  The randomised keypad is a really good idea; it brings that extra level of security, but it also requires a bit of extra thinking to key in your number.

Whilst the device is really likeable, there are a couple of things that would be good to improve. Most notably, the responsiveness of the keypad was fractionally slow.  Users today are getting accustomed to touch screen phones with sophisticated response times.  Sometimes during testing, after pressing the screen, nothing happened.  We had to be very precise with keypad selections to ensure they registered. 

The other feature for improvement is the default password.  When entering the default password for the first time it warns you that changing the password is mandatory, but the onus stays on the user to do so.  We actually left the default password in place while trying out the drive and each time we logged in it reminded us to change it but didn’t force us to. It would have been better practice to be redirected to the change-password screen right after the first log in.  You are only forced to change the password if you enter the setup mode, it won’t let you leave the menu without changing the default password (but if you just pull the cable out you can still log in again using the original default password).

Encryption
The Datalocker DL3 uses a dedicated 256 bit AES XTS Mode Crypto Engine.  All encryption is carried out on the device itself so there is no need to install software—a good design.

Recovery
To test the recovery and password rejection, all settings were left as default.  An incorrect password was repeatedly entered and after the fifth attempt, the device was powered off.  The USB cable had to be unplugged and reconnected to return power back to the unit. After a further two incorrect passwords were entered, the device registered that a hack had been detected and indicated that all data was to be erased.  Pressing the screen area instead of the OK button circumvented this.  The ninth incorrect password attempt warned of self-destruction and the tenth initiated the destruction.  After the destruction the drive returned to its original, out-of-the-box condition, and the whole process was able to start again.  There was no sign of any previous documents on the drive.

Verdict
A very good product for securely transporting data from site to site and it includes some good features. A few tweaks would make it a great product.

 


iStorage disk Genie

Overview
The iStorage disk Genie feels like a really good product.  It’s sturdy, it has a hard, black, rubber case and big, easy to press, manual buttons.  The buttons are the only interface for this device, there is no screen to issue instructions or to indicate status, but when successfully connected to a computer, a single LED turns from red to green.

Features
The iStorage disk Genie adheres to its clean design by keeping the interface simple too.  It allows you to change or add passwords for up to ten different users.  And while you may not have functions displayed on a screen, features can be controlled from the administrator mode, which is easy to enter: simply hold down the two set buttons.  The multiple users feature is intriguing; we thought it could be really useful to be able to set different user accounts for a device in a general office-type use scenario.  We set up 2 distinct user accounts in addition to the administrator account.  After logging in as each user, a folder was created for each user containing a simple text document to see what was accessible when logged in as another user.  It was slightly disappointing to discover that all documents could be read and accessed regardless of login.  We had hoped to only see files for the logged in user. Unfortunately, under this arrangement you may as well just give all users the default password to save the administration burden.  On the positive side, however, each user would be able to simply use their own password instead of having to learn a new one.

The password length can be anything between six and 16 characters; the only time the device will intervene is if the password does not fit these criteria. 

Usability
The disk Genie is very easy to use, simplicity is a feature of its appeal.  There is less to go wrong and it feels as though the designers have genuinely thought through what is really needed to securely transport data and how setup pain can be minimised for the user.

The large buttons give you a solid confirmation of each press and are easy to press.  The built-in USB cable saves having to find one, which is actually a pretty handy feature, we all know how easy it is to lose or forget them.

Encryption
The iStorage disk Genie comes in 128 or 256 bit AES encryption.  We had the 256 bit version under test. 

Recovery
After every six wrong password attempts the drive locks and powers down.  To recover from this you need to unplug the USB cable and reconnect to the computer.  After 50 unsuccessful attempts the keypad will lock completely, unplugging it from the computer is no longer enough.  By following the recovery steps in the accompanying user manual you can gain a further 50 attempts. After this the device forces a reset and the drive is formatted with all data lost.  As with all the other drives, you can now set up the device from factory settings.

Verdict
The iStorage disk Genie is probably our favourite device under test.  It is simple, offering all the protection that you really need, and not a lot of extra peripheral functionality.  Our primary concern with the product is that a total of 100 brute force attempts are possible before forcing a reset.  Despite the number of possible password combinations available this is still a very small opportunity, but it does give an attacker considerably more chances than most.


Data Locker Enterprise

Overview
Data Locker offer a second product in this category.  The Enterprise is very similar in appearance, but with enough feature differences to make it worth consideration on its own.  The device is available in 500 GB and 1 TB versions.  Its rubber casing lends it a nice sturdy feel, but it doesn’t really cover the front or the back surfaces, so you automatically want to be more careful with it than some of the other drives (which isn’t necessarily a bad thing).  Its large glass screen is clear and easy to read, and for compatibility with older machines this device comes with an external power supply, as well as the more standard dual data and power USB leads.

Features
One of the main differences between the Enterprise and other products is the way it powers up.  This model includes a distinct ON/OFF slider switch.

Its setup menu is also laid out differently to the DL3.  Page one provides the ability to change the password, regenerate the encryption key or move on to other options.  Page two provides selections to turn on or off the random keypad and self-destruct options.

The password strength can be anything from 6 to 18 characters in length.  There is no setting for the minimum length on the Datalocker Enterprise as there is on the DL3.  An extra password feature included for this device is the ability to set a master password.  Using a tool downloaded from the Datalocker website you can set a master password before giving the device to an employee.  This will give you the ability to recover data if the user forgets their password, and also recover data in their absence—a nice inclusion.

Usability
The Datalocker Enterprise is just like the DL3 and the iStorage disk Genie in terms of usability once authentication has been approved.  You can easily drag and drop files to and from the device just as with any other drive.  While using the device, we didn’t find the keypad as convenient as the Datalocker DL3.  It was less responsive and required more retries of key presses to make them register.  We also found that the randomisation for this keypad only changed the direction of the rows, so 1, 2 and 3 still stayed together but instead ran in a different direction vertically or horizontally. 

Encryption
The Datalocker Enterprise uses 256 bit AES CBC Mode encryption and much like the other devices, all the encryption processes are handled by the device internally with no external software.

Recovery
The default setting on the device is to power down after three incorrect authentication attempts.  Turning the device off and back on again allows you to retry these again, and after 10 failed attempts the device will warn you of a reset.

Verdict
The Datalocker Enterprise (or DL2 as it is also known) is a very capable device that offers everything you need to securely transport data, but it is somewhat overshadowed by its DL3 counterpart.  The keyboard is a little annoying after a while. You’d think that you had pressed the key correctly only to find you had mistyped the password.  Though it would meet anyone’s data transfer needs, we would probably choose the newer version.


Eclypt Freedom

Overview
The Eclypt Freedom uses a software-based encryption system of authentication as opposed to the earlier products in this review.  Because it is software-based it has only a plain metal exterior.  At one end of the device are two available USB ports, one mini and one standard.  The mini USB is used for connection while the standard is for a two factor authentication module that wasn’t tested here.

Features
The Eclypt Freedom hides everything away until correct authentication has been supplied.  This is done using an inbuilt application so the device can still be used without additional software, although it does come with extra software that contains a central management system. The Eclypt Freedom comes in 4 flavours, each offering a different level of security from everyday non protected data through to Top Secret data in government terms.  The unit we have on test is the second in the range and offers protection at level IL 2 which is for data that is classified as needing to be protected but not sensitive enough to be restricted.  This is at the same level as the other devices under review.

In terms of listed features the Eclypt Freedom is very simplistic in a similar fashion to the iStorage disk Genie.  Once you have entered your authentication details, you are given a disk area to use like any other disk storage space. 

Usability
The Eclypt Freedom fires up as soon as it’s plugged in.  You are greeted with a number of folders that allow you to choose the operating system in use, each one holds the appropriate login application.  We tested using the Windows platform.  A double click on the application brings up the login screen and once successfully processed, 320GB storage space becomes visible to the user.  Drag and drop file movement is smooth and the encryption process does not cause any delays.  With no external interface, usability is as smooth as your computer runs.  Using this is really as simple as entering your user name and password and away you go.

Encryption
The Viasat Eclypt Freedom uses AES 256-bit encryption for password verification but also offers a USB dongle for a two factor authentication process for added security.  The dongle is an extra cost but dependent on the value of the data you are working with, it may be a viable addition.

Recovery
The way that the software has been designed means that the authentication screen only has the user name field enabled on start up.  Other fields remain inaccessible until a valid username has been entered.  Only then will the password field become active, giving you 15 attempts to enter the correct information. After 15 incorrect password entries the drive suspends all accounts and purges the information stored. Once the drive is unplugged and reinserted you have to format before being able to use it again.

Verdict
If a software encryption drive is what you are looking for then this is a good candidate.  It doesn’t have the capacity of the other drives on test and at 320GB would be considered small by today’s standards.  As with the other drives you are able to move it from machine to machine, encryption is still on board even though it is entirely software based. 


CMS ABS Plus FDE

Overview
The CMS products offer a different kind of solution from the other devices discussed here.  ABS Plus is an Automatic Backup System.  It can be used as a normal external hard disk, but the encrypted area is software controlled instead of hardware.  The main purpose of this drive is to allow the user to make secure backups of a system, but it can also be used to transport secure data in the same manner as other drives, provided that the computers involved have its Bounce Back software installed.  This software allows access to the control panel and the ability to unlock the device.

Features
The CMS ABS Plus has a number of features that are instigated by the Bounce Back software.  Obviously the most refined is for data backup, and this can be set up in a variety of ways.  You can select all or part of your data, you can decide to have it synchronised, versioned or encrypted.  The device also offers a built-in scheduler so that backups can be carried out automatically.  The schedule can be set to periods from every 15 minutes for the extremely critical data, up to 8 hours on a continuous protection cycle, or ad-hoc as you please on the scheduling page. Backups can be quickly restored in a few clicks to their previous location or a location of choice.

To use the device as an encrypted hard disk for transporting files, you must set a password in the software which will automatically lock the device when powering down.

Usability
The CMS ABS Plus is more complicated to use than the other devices in this review, but it is not that difficult.  To gain access to the data holding portion of the device you must launch the software, select the unlock feature, select the correct device, and then enter your password.  This reveals the device to the user and once the device is unlocked, using it to transfer files is simple, just like using MS Explorer.  Its backup features are really quite straightforward in the way that they are set up; the on screen instructions are clear, and holding the pointer over any heading pops up an explanation of what that section does.

Encryption
The CMS ABS Plus uses AES 256 bit encryption.

Recovery
The software allows three invalid attempts before requiring you to disconnect the device before trying again.  Even entering the correct password will not allow you to gain access until the device is unplugged.  After the ninth invalid attempt the software gave me the option to lock the device; after ignoring this option and entering another invalid password, the software confirmed the password as invalid and would not allow you to continue.  It required the user to go back to disconnecting every three attempts.  No limit of attempts was indicated which would force a format of the device, allowing brute force attacks to be carried out for an unknown period.

Verdict
If an organisation is prepared to install the Bounce Back software to all necessary consoles, this is a good solution. But this is also the downside of the product. The software must be installed. This can result in obvious problems if you wanted to transfer data to a computer without the software.
As an additional advantage for a primary user it also allows a continuous, up-to-date, backup of their system. 


CMS ABS Plus with Dataguard

Overview

Unlike the full disk encryption version, the CMS ABS Plus with Dataguard gives you a 20MB partition with product information as soon as you attach the device. Another big difference is that this drive can be used without any additional software.  It works in a very similar way to the Eclypt Freedom drive in that you have to run an application from the small available partition to access the main area.  When you first run the application you supply and verify a passphrase, and once this is completed the data partition becomes visible, allowing you to use the device as a standard drive. 

The drive itself has a rubber casing that offers physical protection, and it also features an inbuilt USB cable, which we like to see.  The USB cable is only about 10 centimetres long, so you may have to use the extension cable provided if your ports are not easily accessible.

Features
The CMS ABS Plus with Dataguard has all the backup features provided by its sister product.  The main benefit of this product compared to its sister is portability.  This drive can be used on various computers without the need for additional software, in our view giving it an edge. It was tested at 500GB which is a good size, although it is also offered in various other capacities.

Usability
As a portable device the CMS ABS Plus with Dataguard is very simple to use.  Plug in, select the device, run the application and enter a single passphrase.  Unlike the Eclypt Freedom, you just have the one application to choose from, regardless of operating system. We found the authentication process very slick, giving access to a 500GB storage area.  File transfer is simple drag and drop, like all the other products included here.

Encryption
The CMS ABS Plus with Dataguard uses AES 256 bit encryption.

Recovery
The authentication process allows users five incorrect attempts. After the fifth attempt the application closes.  You can restart the application and try again. It continues to count down the number of attempts remaining, and also warns you that it will close if the final attempt is incorrect.  You do not have to disconnect the device to retry the authentication process, but this is due to the software restart refreshing the process.  Every new attempt appeared to be a fresh start, so we could not determine if there was any retry limit for the device.
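
The retry limits reported in the Recovery sections can be compared with a small model. The Python below is an added example, not part of the original review or any vendor's firmware; the Drive class, the 1,000-reconnect figure and the digits-only six-character PIN are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    per_session: int           # wrong entries before power-down / application close
    wipe_after: Optional[int]  # cumulative wrong entries that erase data; None = none observed

# Figures as reported in the Recovery sections of this review.
POLICIES = {
    "Data Locker DL3": Policy(5, 10),
    "iStorage disk Genie": Policy(6, 100),  # 50, plus 50 after the manual's recovery steps
    "Eclypt Freedom": Policy(15, 15),
    "CMS ABS Plus FDE": Policy(3, None),
    "CMS ABS Plus with Dataguard": Policy(5, None),
}

class Drive:
    """Hypothetical lockout state machine: the session counter resets on
    reconnect, the cumulative counter models non-volatile storage."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.session_fail = 0
        self.total_fail = 0
        self.wiped = False

    def reconnect(self) -> None:
        self.session_fail = 0  # replug, power cycle or application restart

    def wrong_entry(self) -> bool:
        """Submit one wrong password; True if the drive actually evaluated it."""
        if self.wiped or self.session_fail >= self.policy.per_session:
            return False
        self.session_fail += 1
        self.total_fail += 1
        limit = self.policy.wipe_after
        if limit is not None and self.total_fail >= limit:
            self.wiped = True
        return True

def entries_evaluated(policy: Policy, reconnects: int):
    """Count wrong entries the drive evaluates across repeated reconnects."""
    drive, evaluated = Drive(policy), 0
    for _ in range(reconnects):
        drive.reconnect()
        while drive.wrong_entry():
            evaluated += 1
    return evaluated, drive.wiped

def exposure(evaluated: int, pin_digits: int = 6) -> float:
    """Chance a uniformly random digits-only PIN (assumption) falls within
    that many distinct guesses."""
    return min(1.0, evaluated / 10 ** pin_digits)

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        n, wiped = entries_evaluated(policy, reconnects=1000)
        print(f"{name:28} evaluated={n:5} wiped={wiped!s:5} exposure={exposure(n):.4%}")
```

A drive with a persistent cumulative limit caps the number of evaluated guesses regardless of how often it is reconnected; where no limit was observed, the count grows with every reconnect.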

Verdict
The CMS ABS Plus with Dataguard is a nice device, its eye catching red exterior is appealing and it was simple to use. 



Overall

The products discussed here are really a small cross section of what is available in the encrypted hard disk market. 

Our testing has shown that all of these products are well thought out, good quality devices which would serve their purpose well. It is nice to be able to review a group of products that all perform well. 
If put on the spot, from the hardware-based range our choice would be the iStorage disk Genie, it just had something about it. This product felt robust and we liked the classic manual buttons—when pressed, you can be sure they register. 

From the software-based products our choice is the CMS ABS Plus with Dataguard.  It has the portability that its sister product doesn’t offer, and it appealed more than the Eclypt Freedom. 
Having said this, all products would work more than adequately in any work environment.
