How to keep my private bits private
March 20, 2008 3:45 AM

How reliable are USB drives using finger-print authentication?

I want to consolidate my many online and offline user accounts, passwords, pins etc. in a single, secure database (KeePass) which I want to store on a biometric USB flash drive. But what if I severely cut my finger while filleting some freshly-caught tofu, or what if the initial reading was just a bit dodgy (I don't want to even contemplate the scenario of actually losing the finger in question). Will my horribly disfigured fingertip cause my super-secure data to remain that way and also be completely inaccessible to me?
Or am I trying to deal with securing sensitive data in a totally ass-about way and are there better ways of going about it?
posted by =^^= to technology (10 comments total)
Read this.
posted by alexei at 4:45 AM on March 20


You might do what we do with the biometric timeclock at my work: Scan two different fingers. (Though just how many USB flash drives support multiple finger profiles, I do not know.)
posted by hjo3 at 4:54 AM on March 20


If you want privacy, products like Truecrypt are probably far more reliable. Still not wholly reliable, however. Depending on your pocket book and paranoia, IronKey's getting excellent reviews, though I'm not sure if there's been a "public" review of it involving trying to get around its security.

Given alexei's response, I would not try the finger-print authentication schemes. Using more traditional or tried and true methods I think may be your best approach.

So, Truecrypt is a roll your own type way of protecting KeePass Portable - just create an encrypted partition on the USB Key and mount it when you need it. You can even set an autorun to automount the Truecrypt partition, but for that you do need Administrator privileges on Windows machines you attach the key to. And you'd need to come up with a good way to backup your data in case of physical loss of the key.

I am not sure of IronKey's requirements, but since some of the encryption is hardware based, the Administrator privs may not be required. IronKey is expensive, but you are also buying a backup/recovery service for your encrypted data, should the key ever be lost or stolen.

There are other options on the market too. I wouldn't waste time with biometrics yet, though. It's really not reliable for consumers at this time, though I think enterprise implementation may be worth the time/money invested. Maybe. But it's worth remembering that, like the fingerprint "protected" usb keys, the strength relies on solid implementation. It may be trivial to do the equivalent of rewiring the key around the biometrics sensor and fooling it into thinking it got a valid result. Easy to bypass in other words.
posted by kalessin at 5:56 AM on March 20


Second vote for Truecrypt on your USB drive. I use it on mine for company confidential information and it works fine.
posted by arcticseal at 6:48 AM on March 20


Biometric locks are garbage. IronKey is far, far, far better and possibly even better than most software solutions (including TrueCrypt). Security Now is a great podcast about security, and it's accessible for the casual user. They discuss TrueCrypt, IronKey, and all those other technologies.
posted by blue_beetle at 7:05 AM on March 20


Thirding Truecrypt. Create a container file on the USB drive, use one of the three-factor encryption schemes, create a hidden volume within the container file, and use a really good alphanumeric-symbol password. The great thing about TC, besides being able to run the Truecrypt program from the USB drive, is that even if you lose the USB drive and somebody were to try to access the container file, there's no way for them to know what's inside by looking at the bits of the container file. One thing that I also do is instead of naming my container file "mystuff.tc" (.tc is the Truecrypt file extension), I just name the file "a" - nice and generic.
posted by phrayzee at 8:55 AM on March 20


I like TrueCrypt, but also love my Kingston DataTraveler Secure (Privacy Edition) which, like IronKey, uses hardware encryption (AES) and therefore does not need admin rights to run on any PC (unlike TrueCrypt). With these devices, you plug them in the USB port and immediately get a password box. No running of third-party programs, etc. Of course, if you're really paranoid, you could use one of the hardware encrypted thumb drives and TrueCrypt. I agree with the others as far as staying away from the biometric thumb drives.

Kingston DataTraveler Secure

IronKey
posted by Gerard Sorme at 10:00 AM on March 20


Nthing above.

TrueCrypt good; setting it for two-factor authentication is even better. (=You need not only the password, but also a "keyfile" in order to open the encrypted container. That keyfile can live on the stick, or on your PC, on another stick, etc. so that IF the stick is lost or stolen or copied, or if your password is leaked or cracked, the intruder would ALSO need to have the keyfile in addition to your password.) KeePass can also be set up to use keyfiles.

IronKey is also thumbs up; the hardware encryption is good, and built in to the device, hence uncrackable without the device itself. 10 incorrect password attempts causes the device to self-destruct, destroying your data. It has several secure backup options, a built-in secure FireFox/TOR browser, etc. It looks like they're in the process of making some improvements in the account/management tools as well, like the ability to self-destruct the device remotely (you lost it, or lent it out but that trust has been broken - you set it to destroy itself the next time it's open on an internet-connected computer). Note: the encryption part works on OSX, but not the extra features like the browser. Everything works in XP/Vista. Dunno about linux. Also, expensive but can be worth it. Also, can make it through the washer and the dryer with no ill effects. :)

Biometrics, especially fingerprint readers, are way over-rated for two reasons. One is the crackability noted in the first response. The second is that the damn things rarely read well, even if you haven't scarred your fingers. I had one for a while but traded it for an IronKey after it routinely took me 10 or 20 swipes to get in to my device. Your fingerprint changes a little depending on the pressure and angle when you swipe it; so when you use it, you have to swipe your finger exactly the way you swiped it when you first set it up. Hassle, and since the security isn't that great, not worth it.
posted by bartleby at 2:27 PM on March 20
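
The password-plus-keyfile idea from the comment above, as an added example that is not part of the original thread: a simplified sketch of deriving a container key from both factors, so that neither one alone unlocks it. This is not TrueCrypt's or KeePass's actual key derivation; the function names, the `header-check` label and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def composite_secret(password: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each factor, then hash the concatenation into one secret."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite secret so each guess costs ITERATIONS hashes."""
    secret = composite_secret(password, keyfile)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def create_header(password: str, keyfile: Optional[bytes]) -> dict:
    """Store only a random salt and a check value, never the key itself."""
    salt = os.urandom(16)
    key = derive_key(password, keyfile, salt)
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(header: dict, password: str, keyfile: Optional[bytes]) -> Optional[bytes]:
    """Return the container key only if both factors match the header."""
    key = derive_key(password, keyfile, header["salt"])
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def demo() -> dict:
    keyfile = os.urandom(64)  # constructed sample keyfile contents
    header = create_header("constructed sample passphrase", keyfile)
    return {
        "both_factors": unlock(header, "constructed sample passphrase", keyfile) is not None,
        "password_only": unlock(header, "constructed sample passphrase", None) is not None,
        "keyfile_only": unlock(header, "wrong guess", keyfile) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The second factor only adds protection while the keyfile is kept somewhere other than next to the container it unlocks.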


Oh, and I forgot: the encryption on the IronKey is automatic and non-voluntary. Some other USB encryption schemes, you can forget to encrypt your stuff before ejecting, and are thus unprotected. IronKey locks automatically, even if you just yank it out instead of locking/ejecting the USB drive properly. If it's not plugged in and opened, it's locked. Nice to not have to worry about.
posted by bartleby at 3:01 PM on March 20


Thanks for your great suggestions, particularly for pointing me to the podcast, blue_beetle. Unfortunately, I can't justify the cost of the IronKey for my personal paranoid needs, but I must say I was also somewhat disappointed that for its price it's not capless (no retractable port) and there's no thingymajiggy to attach it to a keyring or something.

I ended up getting a fairly rugged SanDisk 2GB Cruzer Titanium USB flash drive: no biometric poppycock (thanks Alexei and everyone else warning me off it). On my groovy little Cruzer I have installed the TrueCrypt and KeePass combo a lot of you suggested to keep things relatively secure.
posted by =^^= at 2:09 AM on March 26

