Lock your USB Token

Recently, Lev Bolotin of Clevx gave me a production sample of a USB token with a keypad on it. It's a neat idea for certain uses. My immediate thought went to BitLocker in Windows Vista. You can store the BitLocker startup key on a USB stick, but you cannot prevent anyone who gets their hands on the stick from reading the key off it. Nor, without a TPM, can you require both a PIN and the USB stick to unlock your drive. With Lev's stick, however, you can put a PIN on the stick itself: unless you enter the PIN on the device before plugging it into the computer, the stick won't give up the BitLocker key. In other words, you finally get the option of requiring both a USB stick and a PIN to unlock your BitLocker volumes.

I also like IronKey as a safe and secure USB stick. IronKey also permits multiple volumes, something Clevx's technology currently does not: IronKey lets you have one encrypted volume and one unencrypted one, both on the same stick. However, IronKey requires software installed on the computer to access the encrypted volume. This precludes its use as a second factor for BitLocker, because the BitLocker startup key has to be readable by the boot manager before the operating system boots, and IronKey's software cannot run unless the operating system is running. If you put your BitLocker key on an IronKey, it must go on the unencrypted partition, where it is no better protected than on any other stick.
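As an added example (not from the original post), the PowerShell script below sets up the startup-key arrangement described above with manage-bde. It adds either a startup key alone, the case where a PIN-protected stick is the only thing standing between a thief and the key, or, with a TPM on Vista SP1 and later, a TPM + PIN + startup key protector. It then verifies that the key file landed on the stick. The drive letters (C: for the OS volume, E: for the stick) and the elevated prompt are assumptions; manage-bde.exe ships from Windows 7 on, and on Vista SP1 the same subcommands are run through the manage-bde.wsf script under cscript.

```powershell
# Added example, not part of the original post. Assumptions (hypothetical):
#   - the OS volume is C: and the USB stick is mounted at E:\
#   - manage-bde.exe is on the path (Windows 7 and later); on Vista SP1 substitute
#     "cscript $env:SystemRoot\System32\manage-bde.wsf" for "manage-bde"
#   - the script runs from an elevated PowerShell prompt
param(
    [string]$OsDrive   = 'C:',
    [string]$StickRoot = 'E:\',
    [switch]$RequireTpmAndPin   # TPM + PIN + startup key; needs a TPM (Vista SP1 and later)
)

$ErrorActionPreference = 'Stop'

function Invoke-ManageBde {
    # manage-bde reports failure through its exit code, so fail loudly on non-zero.
    param([string[]]$Arguments)
    & manage-bde @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. The boot manager reads the startup key (a .BEK file) from the root of the
#    stick before Windows loads, so the stick must show up as an ordinary volume
#    with no host-side software. That rules out an encrypted IronKey partition;
#    a keypad stick that stays locked until its PIN is entered is fine, because
#    it is already unlocked by the time the boot manager looks at it.
$letter = $StickRoot.Substring(0, 1)
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
if ($null -eq $disk) { throw "No volume mounted at $StickRoot" }
if ($disk.DriveType -ne 2) {
    Write-Warning "$StickRoot is not a removable drive (DriveType $($disk.DriveType))"
}
if ($disk.FileSystem -notmatch '^(FAT|FAT32)$') {
    # FAT/FAT32 is the format every boot manager can read; other file systems are not checked here.
    Write-Warning "$StickRoot is $($disk.FileSystem); FAT or FAT32 is the portable choice for a startup key"
}

# 2. Show the protectors the OS volume already has, then add the new one.
Invoke-ManageBde -Arguments @('-protectors', '-get', $OsDrive)

if ($RequireTpmAndPin) {
    # TPM + PIN + startup key: manage-bde prompts for the PIN (typed at the pre-boot
    # screen) and writes the key file to the stick. Without a TPM, BitLocker does not
    # offer PIN + startup key; that is the gap a keypad stick fills.
    Invoke-ManageBde -Arguments @('-protectors', '-add', $OsDrive, '-tpmandpinandstartupkey', $StickRoot)
} else {
    # Startup key only: whoever holds the stick can unlock the volume, so the
    # stick's own PIN (Clevx / Flash Padlock) is all that protects the key.
    Invoke-ManageBde -Arguments @('-protectors', '-add', $OsDrive, '-startupkey', $StickRoot)
}

# 3. Verify: the key is written as a hidden, system .BEK file in the root of the stick,
#    so -Force is needed to list it.
$bek = Get-ChildItem -Path $StickRoot -Filter '*.BEK' -Force
if (-not $bek) { throw "No .BEK file found on $StickRoot after adding the protector" }
$bek | Select-Object Name, Length, LastWriteTime
```

Run it as `.\Add-StartupKey.ps1 -RequireTpmAndPin` on a TPM machine, or without the switch for a bare startup key on a keypad stick. On Windows 8 and later the BitLocker PowerShell module does the same job with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinAndStartupKeyProtector -StartupKeyPath E:\ -Pin $pin`, where `$pin` is a SecureString.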

Clevx's PIN technology is currently available from Corsair in the Flash Padlock product.

More on BitLocker is available in Byron Hynes's excellent TechNet Magazine article. I still run BitLocker on all my Vista computers.

Published Tue, Dec 16 2008 1:10 AM by jesper

Comments

# Michel de Rooij said on 16 December, 2008 07:49 AM

Jesper,

Each time you add another article or update, all date/time tags in previous posts change somehow. This is very annoying since I have subscribed to your RSS feed which gets "updated" old items :(

# Alun Jones said on 16 December, 2008 08:36 AM

One minor note - in Vista SP1, you can use the combination of USB stick and PIN, but only if you also use the TPM (Trusted Platform Module) chip to help protect your system.

I've asked several times for USB + PIN on their own, without TPM, but apparently this is "not significantly more secure". Besides, it doesn't help sell TPMs.

# jesper said on 16 December, 2008 09:08 AM

Michel, sorry about that, but I was unaware. I'll look into it.

# Dale said on 16 December, 2008 12:23 PM

Re. RSS feeds updating.  Don't see that behaviour with the atom feed, here.

The IronKey looks interesting, but is it like every other secure USB stick, which not only "requires software installed on your computer to access the encrypted volume" but also requires admin rights to install it, thus limiting the portability for non-admin users? If there is a work-around to that admin rights problem, I'd love to hear it.

# Jeff Martin said on 17 December, 2008 10:15 AM

Sony once sold USBs that used a fingerprint to unlock, part of their 'Puppy' series. There was a stand-alone Windows app that one could use to register fingerprints, manage multiple volumes, etc. on the device. But once set up it worked fine with Linux. I don't know what their status is now, last one I had was 5+ years ago with only 256 MB on it.

# Tom Decaluwe said on 22 December, 2008 02:57 AM

Well, I was looking at the Knox-it secure USB stick, but it seems they only sell to large volume customers. Anyone know where I might buy just the odd few units?

# George Wolf-ESW said on 26 December, 2008 11:23 AM

I read Tom's post of December 22 and wanted to confirm his understanding of the Knox-IT program is correct. Knox-IT, manufactured for ExamSoft Worldwide utilizing ClevX technology, is a custom corporate B to B program enabling large volume users who have a need for secure, portable devices access to them direct from the manufacturer. That being said, ESW always welcomes the input of professionals regarding their opinion of the features and benefits Knox-IT is designed to provide. Knox-IT does offer a trial program whereby small quantities of the devices are made available for purchase for evaluation by qualified purchasers. Tom, if you'd like more information please contact us via the Knox-IT web page.

# Dima said on 11 January, 2009 06:21 AM

Sorry if I'm beating a dead horse or missed some spec, but have you tried TrueCrypt? It lets me put two volumes on a USB stick: one encrypted, the other not. Then it puts itself on the unencrypted volume, so that the software will run from the stick, on any machine, so I can mount the encrypted volume.