If you look through any computer magazine, typically you’ll find a half dozen or so advertisements for “encrypted” hard drives . . . typically Flash drives or portable 2.5″ hard drives that promise they’ve got some sort of hardware-based encryption baked in. What could be better than that for hiding your data from prying eyes?
Well, as Tom Olzak points out over at Tech Republic, too often these hard drives don’t really offer much in the way of encryption at all and, more importantly, reviews of such drives don’t tend to get into the nuts and bolts of just how the hard drive is being encrypted and just how likely it is for someone in possession of the drive to successfully attack the encryption scheme.
Olzak is specifically writing about the Aluratek Tornado Plus Drive which is a portable 2.5″ hard drive that advertises itself as having hardware encryption. The Tornado Plus’s hook is that it also has a portable RFID key fob — simply pass the key near the drive and the key fob passes along the key to the hard drive and your data is unencrypted.
Olazak read about the drive and decided to call Aluratek for more information on the encryption scheme,
My first discussion was with a sales guy. I asked about the encryption method. He didn’t know. I asked about how the key was protected. Again, no idea. I began to suspect that this was not the person I needed to speak with, and I asked for a “technical” person. After a short wait, another sales guy got on the phone. He knew a little more. For example, the encryption method is to XOR the key with the data. Those of you in the security profession know my reaction to this news. For those of you still coming up to speed, XORing a key with data to encrypt sensitive information is bad. Very bad.
Although disappointed, I had enough interest left to ask about key management. The new sales guy had no idea. I was transferred to an “engineer.” I should have known after having to explain to the engineer (we’ll call him Anthony) why I thought key protection is important that I was still not speaking with someone with a good grasp of disk encryption. However, he didn’t believe the key was encrypted on the RFID chip nor that the transmission of the key to the drive was protected. In other words, anyone with the key fob could access the encryption key. Also, the right equipment in the right place could intercept the key as it’s transmitted to the drive.
Moreover, as Olzak notes, just by making that call he’s done far more than many of the computer journalists or bloggers who have written “glowing reports” about the release of the Tornado Plus.