The device used as the basis for this article is the IronKey Personal with 1GB of storage. From the storage perspective this is the basic model, but for this review, storage is not an important factor.
IronKey drives come in three “flavors” – Basic, Personal and Enterprise. Basic, as the lower level offering, is to be used primarily as a secure storage device, while Personal has some advantages. These include Internet protection services, the identity manager and support for the Verisign Identity Protection (VIP) offering. I will talk about all these functions later in the review. Just in case you are curious, the Enterprise version provides the following additional features: enforceable security policies, remote device termination, RSA SecurID support, as well as automatic antivirus scanning.
When the tagline of the product is “The world’s most secure flash drive”, you are definitely interested in hearing about the specs. IronKey sports a rather elegant and simple design with a rugged metal casing. The casing is waterproof and tamper resistant. Breaking into the device will only destroy it and you can automatically say goodbye to the data on board.
The Cryptochip operations follow industry best practices, so the device uses only well-established and thoroughly tested cryptographic algorithms. All the data is encrypted in hardware using AES CBC-mode encryption. Everything stored, executed and saved to the disk is encrypted and, as hardware encryption is in place, everything works extremely fast. The encryption keys used to protect your data are generated in hardware by a FIPS 140-2 compliant True Random Number Generator on the IronKey Cryptochip. If you are a true hardware geek, you will also be interested in the fact that the memory used is the ultra fast dual-channel SLC Flash.
In short, what can I do with IronKey?
This will be a lengthy and detailed review of the device. If you are impatient to see if IronKey is of any use to you, let me tell you that it provides:
- Secure encrypted storage on the go
- Password management and elevated security in the online world
- A secure and anonymous Web browsing experience from any computer.
The secure browsing function alone would be enough for me to get this handy device.
Let’s start: IronKey installation
IronKey’s packaging reminds me of Apple’s concept – a dark box with simple insides that contain a metal cased device. In addition to the device you get a folded instruction booklet and a lanyard. IronKey works on multiple operating systems – Microsoft Windows 2000, XP and Vista; Linux (2.6+) and Mac OS X (10.4+). Windows offers the most from IronKey, while on Linux and Macs you will only be able to use it for secure storage. My operating system of choice for this review was Microsoft Windows XP.
The first stage of the installation process is done locally on your computer and you will need to initialize the device. The process is fairly straightforward – after entering the nickname for the device, you need to set up a password.
There aren’t any special (positive) enforcement limitations like with some secure flash drives; the password just needs to be at least four characters long and you don’t need to punch in any special characters or uppercase characters. If you are initializing the gadget from a non-trusted computer, you can use the virtual keyboard icon located near the password input field and you won’t need to worry about keyloggers. I would suggest selecting the “Backup my password online in case I forget it” checkbox, as it can prove to be invaluable when bad karma strikes.
IronKey control panel with two default applications
After punching in the initial data, the setup process will take a few minutes before you are prompted to go online. Activation is completed after successfully creating an online account located at https://my.IronKey.com. By the way, in the installation process you might come across an alert box saying your autorun.inf has been altered and that it is suggested to scan the computer and IronKey for viruses. I looked into this in detail and it proved to be a false alarm. Now, back to the online part of the activation process.
IronKey online activation stronghold
Activating IronKey’s online account is not mandatory, but it is undoubtedly a good way to go. By creating an account and linking it to your device you can harness the full power of IronKey – backing up your passwords online, requesting the lost device authorization phrase, as well as doing a secure update with newly released software. The company updates the software from time to time. In late April they did a major update and it brought some changes mentioned later in the article. The online step-by-step activation guide is one of the most impressive of its kind. I was positively surprised with the layers of extra security developers were thinking of when creating this web application.
The process starts with a typical input scheme where you set up your username and passwords. Afterwards you need to tie in one of your e-mail addresses and set up a secret question/answer phrase. I always hated applications relying solely on this Q&A scheme to make someone retrieve a lost password. In the era where people are sharing practically everything over social networking profiles and when Google is indexing almost everything that appears online – this password retrieving scheme can only create more security problems. Well, IronKey’s developers thought of that and are asking at least three questions.
Some questions are given by default, but you can easily refresh them and get a new set of data. If you are still paranoid, why not use additional questions? You can add as many as you want.
Logging in to the IronKey online account
You thought that was it? Wrong, there is another layer of security just waiting to be introduced. Phishing can be a drag and IronKey is not intended only for those well familiar with the basic security principles. Therefore, before finalizing your activation you need to set up a secret phrase and a photo image. The secret image will be displayed every time you log in to help assure you that you are at the real my.IronKey.com website.
To secure your login to the online account, once you enter your username the system automatically fetches your selected image, and if it’s the same one you selected, you can enter the password knowing that you are inside the real IronKey web user interface. The chances of someone mimicking the IronKey web site and targeting you might be slim, but it’s better to be safe than sorry.
The Secret Phrase that you need to type in will be presented to you in the subject line of every email you receive from IronKey regarding your account. With this, IronKey just shows that they are really passionate about stringent security methods surrounding their little USB device.
Secure Files – basic usage
The adoption rate of USB flash drives, especially the encrypted ones, is on the rise. They are not so expensive, especially when you compare them with standard drives of the same size. Almost every security flash drive on the market is mainly concentrated on being a secure vault for private data. IronKey is definitely not principally focused on this role, but fully supports it by default. The Control Panel application that is launched from the device is user friendly. Its first management role is “Secure Files”. When selecting this option, the Windows Explorer window will open, and you can drag and drop files to it. Everything inside the folder is automatically encrypted, and as soon as you unplug the device the data goes with it. The only thing that bothered me a bit is that I couldn’t delete the autorun file from this location.
When working with sensitive information, especially relying on one device to hold a collection of important data, you always need to think about backup. IronKey’s secure backup option will dump data from your flash drive to an encrypted archive located on a local computer or a network share. It automatically copies all the secure files as well as private data that is marked as hidden on Windows computers.
Secure documents located on the device
Before testing I thought the software creates some kind of an encrypted archive, but as it turns out it just mirrors the existing folders. It looked like this didn’t work, as the backed up files had the same extensions and icons, but the mismatched file sizes and the always handy diff application clearly showed that the files are fundamentally different.
From my perspective, I would rather have my data in one archive, as in this way accessing the backup folder on a PC would reveal the names and types of my private data. No one could do anything with it, but I am just looking at this from the information disclosure point of view.
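The information-disclosure point above can be checked mechanically. The following is an added example, not part of the original review and not IronKey's code: it compares a source folder with its mirrored backup and reports which file names and extensions the backup exposes, which files differ in content, and whether any file was copied without encryption. The folder names, sample files and the random-byte stand-in for encrypted data are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def tree_index(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    index = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        index[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return index

def audit_mirror(source, backup):
    """Report what a mirrored backup folder reveals about the source folder."""
    src, bak = tree_index(source), tree_index(backup)
    shared = sorted(set(src) & set(bak))
    return {
        # Names (and so file types) readable by anyone who can list the backup
        "names_exposed": shared,
        "extensions_exposed": sorted({Path(n).suffix for n in shared}),
        # Same name, different bytes: the result the diff check in the review gave
        "content_differs": [n for n in shared if src[n] != bak[n]],
        # Same name, same bytes: a copy that was stored without encryption
        "stored_verbatim": [n for n in shared if src[n] == bak[n]],
    }

def build_demo(workdir):
    """Constructed sample: two plaintext files plus a mirrored backup whose contents
    are random bytes (stand-in for ciphertext; not IronKey's real backup format)."""
    source, backup = Path(workdir, "secure_files"), Path(workdir, "backup")
    samples = {
        "taxes/2008-return.pdf": b"%PDF-1.4 constructed sample",
        "notes.txt": b"constructed note",
    }
    for name, data in samples.items():
        stand_in = os.urandom((len(data) // 16 + 1) * 16)  # rounded up to 16-byte blocks
        for base, payload in ((source, data), (backup, stand_in)):
            target = base / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(payload)
    return source, backup

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in audit_mirror(*build_demo(tmp)).items():
            print(f"{key}: {value}")
```

An empty `stored_verbatim` list with a full `names_exposed` list is the situation the review describes: contents protected, names and types visible.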
Process of backing up to a local disk
Secure online surfing and shopping
As I previously noted, this feature of IronKey is the selling point. Let’s identify a couple of common problems. When it comes to important data that we transmit online, we mostly use some kind of Secure Sockets Layer implementation. However, secure transmission is not always available.
The second problem is logging in to different sites or even shopping from computers that aren’t yours. Working from a conference, checking the latest emails from an Internet kiosk at an airport, paying bills from your parents’ computer – am I the only one that always has potential keyloggers in mind? Maybe this will sound like a marketing pitch, but IronKey indeed tackles all of these situations through one fine concept – a customized Mozilla Firefox browser, sitting installed directly on the device and leveraging the powerful Tor network that provides security and anonymity.
They named this security mechanism Smart Surfing. It is directly built into the browser and you can switch it on and off with a click.
Smart Surfing toggle on/off
If you are not familiar with the concept of Tor, by using this Secure Sessions service your data goes through a secure encrypted tunnel to IronKey’s servers and then it is rerouted to its final destination. When packets are coming into their data centers, the actual destination is tested against a local DNS database so pharming and phishing ploys are automatically intercepted. As Tor is using multiple network routing servers, your online surfing habits will automatically be made anonymous. Surfing this way will be secure but naturally a bit slower because of the multiple routings.
Keyloggers won’t be a threat if you deploy a built-in virtual keyboard which can be opened through a keyhole icon in the top right corner of Mozilla Firefox. Input works like a charm, perfectly fitted for when you need to use shared computers.
Newly released Identity Manager application
Identity Manager, a place for secure passwords
The original version of the IronKey I got was created prior to the RSA Conference 2009, so besides an older Firefox (2.0*) the only other application was Password Manager. During testing it appeared a bit spartan. With the new update, Password Manager was decommissioned and its functionality evolved into the newly released Identity Manager.
Since the mid-90s I have always tried to remember all my passwords. As the Internet evolved, lots of new web services appeared and with increased use, it became practically impossible to track all the password phrases.
Combining this with the mindset change that now all passwords need to contain at least 10 characters of garbled text made me start using password management applications. That was five years ago, and now I am very satisfied with 1Password – a top solution that works solely on Macs and iPhones. Identity Manager is practically the same type of application: it sits in the background and tries to “sniff” web pages for login forms. If the form is not in the database it will ask if you would like to save it. If the form is found in the database, you will have an option to automatically fill in the username and password for the specified page. This is a rather straightforward concept that works perfectly on IronKey.
The new Identity Manager looks much better than the now obsolete Password Manager; it has a better GUI and it is much easier to work with. If for any reason you wouldn’t like to run it in the background, you can always manually start it via the mentioned keyhole icon in Mozilla Firefox. When your passwords database pumps up, don’t forget to back it up locally or directly to your associated online account.
Automatically scouting the PayPal login page for data
Further benefits of an online account
Here’s some insight on the actual interconnection between IronKey and your my.IronKey.com account. When the device is in place in one of your USB slots and you have successfully authorized to it, you will be able to access your full online account. Only in this situation will everything be available for you to use. In case you want to log in online, but you don’t have the device with you, the two-factor authentication cannot be done and you will enter the account in Safe mode.
Safe mode is used mostly in the case you lose your key, and while residing in it you can carry out only some activities, such as recovering your device’s password, reporting the device as lost and deleting your online backups (both the password, as well as data from Identity Manager). By the way, even when logging in to Safe mode, there is a security twist. Before successfully logging in with just your username and password, an Account Login Code will be sent to your e-mail and you will need to enter it.
If you had the willpower to read this extensive review, or better said, a guide on IronKey usage, you won’t be shocked to learn that I really liked the product. It works great and there were no issues during my thorough tests. The functions I described in detail would take care of multiple situations I usually come across and the additional reliability with the paired online account is surely a significant plus.