IronKey Workspace W700 FIPS Review: Windows To Go on one tough, secure little key drive
By Jon L. Jacobi
PCWorld | Dec 4, 2014 3:00 am PST
At a Glance
FIPS 140-2 level 3 validated
USB 3.0 and certified for Windows To Go
Remotely manageable using the IronKey online console
Runs quite warm
No server check-in time limit
A remotely manageable, FIPS 140-2 level 3 validated USB flash drive that can run Windows To Go more securely than any other currently available solution.
Looking to free yourself or your employees from the painful logistics of traveling with a laptop? Liked the looks of Windows To Go, but wanted the peace of mind that hardware security brings? You need to check out the Imation IronKey W700 Workspace—a hardware-encrypted, FIPS 140-2 level-3 validated, USB 3.0 Windows To Go thumb drive that can be managed remotely. It’s the first of its breed and as secure a compute-on-any-PC solution as you’ll find. It’s also expensive.
If you’re not familiar with Windows To Go, it’s a feature of Windows 8.x Enterprise that allows the operating system to run off of a USB flash drive. This allows you to use your personal Windows work environment on just about any computer, including Macs, Linux PCs, and computers that belong to other people. As long as you know there’s a computer you can use at your destination, you can travel with only what’s in your pocket. Sweet.
The brushed metal IronKey W700 Workspace has a nice, solid feel in the hand and the pocket. Indeed, its slightly weighty presence makes it less likely that you’ll inadvertently run it through the wash. Should you do so, the consequences are negligible: The drive is waterproof, in addition to being hardened against physical attack. The drive runs a tad warm, but that’s the norm with secure flash drives sporting extra encryption hardware.
The W700 Workspace comes in three capacities: a $249/32GB version that I tested, as well as 64GB and 128GB flavors that cost $369 and $599, respectively—sans Windows, which you need to provide on your own. That’s pricey, but remember you’re dealing with a level-3 validated drive that’s remotely manageable. It also helps to remember that it’s no more expensive than a new laptop and has fewer associated costs.
While eminently secure, Windows on the W700 takes longer to get up and running than a normal Windows To Go drive, because it requires two boots: one to unlock the operating system partition, and the second to boot into Windows.
There is, however, a 500MB partition that is always visible under Windows Explorer which provides a bit of single-boot storage, contains a utility to unlock the W700’s operating system partition for the next boot, and also provides a utility that will change the BIOS so that it selects the W700 as the next boot media. Alas, the latter utility didn’t work with my Gigabyte GA-Z77n-WiFi’s BIOS. If that proves the case with your PC, you can always invoke the BIOS or a boot menu by pressing function keys immediately after turning on your computer (typically Del, F2, F8, F11, etc.).
Provisioning—installing Windows onto the larger portion of the drive—requires IronKey’s freely downloadable Admin Unlocker utility, or licensing the company’s Workspace provisioning tool, which will install the operating system on up to 14 drives simultaneously. I used the Admin Unlocker, which simply renders the Windows portion of the drive visible so you may install the OS. Note there’s no “lock” function within the utility—the OS partition will re-lock itself the minute you remove the drive from the USB port.
IT departments rolling out fleets of W700s will appreciate its remote manageability. Using the online IronKey Remote management system ($24 per drive, per annum) you can kill the password, wipe the contents, deactivate the drive, change user and admin policies, and log its geographical location (via IP address, not GPS). Obviously, this all relies on the drive’s ability to contact the server.
Curiously, though other IronKey drives may be set to perform one of the above actions if there’s no contact with the server after a set period of time, that isn’t the case with the Workspace series. In the case of theft, a strong password and the FIPS-compliant hardware are your defense. Imation told me if there’s demand, they’ll expose this feature.
Also available from IronKey are the slightly less expensive, “only”-level-2 validated W500, and the IronKey W300, which lacks hardware encryption altogether but is a significantly cheaper option if you’re content to run Windows using only BitLocker, or no security at all. There are ways to run plain Windows 8 and even Windows 7 from a basic USB stick, though: See my review of Aomei’s Partition Assistant.
There’s no more secure, or more easily managed solution for running Windows To Go than Imation’s IronKey W700 Workspace. It’s a unique product at the moment, and it’s hard to conceive of any improvement upon it.