Encrypted Drives Keep Your Files Safe

By now, the horror stories about missing external hard drives holding sensitive information have lost their edge. Whenever I hear that another 20,000 customers of some company are at risk of identity theft, I just roll my eyes. Yes, it’s irresponsible for businesses, universities, and government agencies to lose so much. But it’s also understandable: Until recently, encrypting data on a hard drive was a cumbersome process.

Now, external hard drives can take care of the encryption for you. They obviate sophisticated software, and assume the heavy lifting from the PC. Hardware-encrypted drives offer a performance boost over encryption that relies on software running on Windows. Whereas software asks the PC’s CPU to do the number-crunching, encrypted drives use special processors, built into their housing, that scramble data as it’s written to disk. Seagate’s Maxtor BlackArmor puts the chip on the hard drive’s circuitry, in what’s called full-disk encryption. (Full-disk-encryption drives are popular in corporate laptops, but are just now becoming widely available as external units.)

Either way, the drive’s performance is barely affected, such that (lacking benchmark testing) the effect is hardly noticeable in use.

Encryption is also far simpler with these devices: Once you set the drive up and you enter a PIN or password, you can copy data to the drive normally, through Windows Explorer or by saving a file to the disk within an application. Some of the devices I tested permit you to enter the passcode by means of physical buttons or keys located on the exterior of the drive housing, while others require you to enter a password into a small Windows app that launches when you connect the drive. If you plan to use your device on one or more non-Windows operating systems, consider the Data Locker and Lenovo models I tried, which each offer a physical keypad.

As with all encrypted drives, the data on the platters (or, in the case of flash drives, on the memory chip) is unreadable to anyone–short of cryptanalysts who work for certain three-letter government agencies–who lacks the password or the physical key. Even if someone tries removing the platters (or memory chips) from the housing and scanning them with forensic data-recovery tools, the recorded bits will appear to be random garbage data, unlockable only with the right key.

Most encrypted drives use one of several standard, well-known algorithms. The most common is AES (Advanced Encryption Standard), which several branches of the federal government and the military use. FIPS 140 is a very general government encryption standard that ensures that products follow certain security protocols. Level 1, the lowest of four levels, basically means “no glaring errors or omissions were present.” Anything that uses AES-128 or -256 is FIPS 140-2 Level 1 compliant. Less common are drives that use the older DES (Digital Encryption Standard), or its cousin, Triple-DES–both are significantly weaker algorithms, though they’re effective if you’re simply trying to prevent casual snooping.

I evaluated eight models, including hard drives and flash drives. My pick for Best Buy is the Seagate Maxtor BlackArmor. Regardless of which model you choose, if you inadvertently leave the drive holding all the nuclear secrets behind on the train, you can be confident that the schmo who finds it won’t be able to retrieve them. That is, of course, assuming you haven’t attached the password to the drive on a sticky note, or left the decryption key plugged into the back. These devices can eliminate a lot of security worries, but they can’t prevent careless behavior.

Consult our chart of encrypted portable drives for a quick specs comparison, and turn to the next page to read my impressions of all eight drives.

Seagate Maxtor BlackArmor

The Seagate Maxtor BlackArmor ($135 for 320GB) is a marvel of simplicity. It’s the first external model with full-disk encryption–the encryption chip resides on the hard drive’s circuitry. According to Seagate, all of the data is encrypted on the drive, so even if someone removes the drive from the housing and takes away the chip set, the data is inaccessible. When you first attach the BlackArmor to a Windows PC, the drive loads a read-only partition with the setup software. Initializing the drive and setting a password takes only a minute, after which the drive loads the encrypted partition and Windows shows it as a drive letter. Thereafter, every time you plug in the drive, the autorun settings will ask you to enter the password.

The BlackArmor also features a Secure Erase option (which overwrites data areas of the drive with zeroes), as well as a backup utility.

This model is our Best Buy for its value–it offers one of the best cost-per-gigabyte rates we’ve seen–as well as for its simplicity and its full-disk-encryption security.

Apricorn Aegis Bio

The Apricorn Aegis Bio ($300 for 500GB) not only has hardware encryption but also is one of the few drives with a built-in biometric fingerprint reader. The reader lets you bypass creating a password for accessing the drive; instead, you register your fingerprint and then swipe your finger across the reader. Using such a drive is a lot easier, since you have no password to memorize (or forget, which would render the data useless). Apricorn takes the biometric security up a notch, too: The bundled software (licensed from reader-manufacturer Upek) lets you scan your fingerprint to log in to Windows. Another tool automatically enters saved passwords (and other data) into forms when you swipe your finger. All of that added functionality makes the Aegis Bio one of the handiest hardware security tools I’ve encountered.

LaCie d2 Safe

The hefty LaCie d2 Safe ($350 for 1TB) external drive features a fingerprint reader and can connect to your computer over FireWire 400 and 800 in addition to USB 2.0. I found LaCie’s software setup more time-consuming than some others, but it has an obvious benefit: LaCie’s built-in fingerprint software allows you to plug the drive into either a Mac OS system or a Windows box and to work in the encrypted partition. The drive also features the sturdiest housing I’ve seen, plus a Kensington lock port so you can secure it to a desk.

Apricorn Aegis Vault

Take the Aegis Bio and remove its fingerprint reader, and you have the Aegis Vault ($260 for 500GB). The two models are virtually identical, but in this case you must submit a password to unlock the drive. In many respects the Aegis Vault is a decent, slightly pricier duplicate of the BlackArmor and its basic features, but with a built-in USB cable.

Sandisk Cruzer Contour

The Cruzer Contour ($100 for 16GB) isn’t so much a security tool as it is a speedy flash-memory thumb drive with a nifty mechanism to retract the USB connector: The piece recesses inside a sliding cover that you can manipulate with just your thumb. Inside, it’s a high-performance U3 drive with all the benefits: the ability to run programs from the drive itself, a feature that stores your documents on the drive automatically, and the U3 Launchpad, a clone of the Start menu for the drive’s installed applications.

In the Launchpad menu is the check box to “lock” the AES-encrypted user-writable portion of the drive with a password. While the protection isn’t enabled by default, it can put a password between anyone who finds your lost drive and your files. As long as the NSA isn’t after your data, this setup will probably provide enough security for casual use.

Data Locker Pro AES Edition

If you want to use a drive on several computers with different OSs, you need a way to enter a password through something other than Windows software. That’s where the Data Locker Pro AES ($340 for 320GB) and its touch-screen LCD come in: The Data Locker gives you a numeric keypad for entering a six-digit passcode that lets the drive mount in an operating system. You can also use the LCD screen to change the passcode, dismount the drive, toggle the encryption on or off, or wipe the drive clean. One annoyance, however, is the loud beeping that it emits when you press the screen (and you can’t turn the sound off).

The Data Locker’s relatively high price factors in the cost of the additional hardware, but the touch screen is definitely slick, and this drive is worth considering if you need to move sensitive data between machines.

Lenovo ThinkPad USB Secure Hard Drive

In the same vein as the Data Locker, Lenovo’s cryptodrive ($220 for 320GB) takes advantage of a numeric keypad on the drive housing. Interestingly, this drive’s housing more closely resembles a burglar-alarm panel. Pressing and holding numerical combinations allows you to change the password or modify other settings, without having to run software. This model produces no sound when you press a key, which is better than the obnoxiously loud Data Locker–but unlike that competing product, it offers no visual feedback that you have pressed a key, either.

The drive demands a lot of power to do its thing, so the box includes a second cable that you’re supposed to plug into a second, free USB port and then feed into the drive’s power port.

Kingston DataTraveler Vault–Privacy Edition

Kingston’s DataTraveler Vault–Privacy Edition ($173 for 4GB) is a good but pricey option for anyone who needs an encrypted drive small enough to wear around the neck. A blue, metallic tube with a cap on one end, it’s among the bulkier USB models we’ve seen. But what’s inside is what counts: This drive’s embedded encryption engine scrambles data with a 256-bit AES encryption key–a key that’s twice as long as what other products offer. The longer key means thieves must take that much more time to try to crack the encryption.

Like the BlackArmor drive, the DataTraveler opens its utilities in a read-only partition that Windows interprets as a CD-ROM drive. Once you have created your password, the drive mounts the encrypted partition.

Other Ways to Protect Your Data

We’ve referred to devices in this story as encrypted hard drives, but a more appropriate nomenclature might be “encrypted portable storage devices,” because, except for the Seagate Maxtor BlackArmor, the encryption happens on the external housing, not on the drive’s controller board. In most cases the drives inside aren’t any different from the drives in nonencrypted products (and, as a result, are essentially interchangeable). The drive housing holds additional hardware and firmware, as well as processors made to handle crypto operations.

Several manufacturers sell bare housing, into which you can install your own drive. Companies like Addonics Technologies, Enova Technology, and RadTech make “kit” housings for either 2.5-inch or 3.5-inch hard drives. The housings offer 128-bit or 256-bit AES hardware encryption with USB 2.0; some also have FireWire 400 or 800, or eSATA connectivity.

Hitachi has recently joined Seagate in manufacturing hard drives that have both the encryption technology and the encryption key built right into the drive, which helps solve the problem of sensitive data remaining on disposed drives. Without the encryption chip and your password, key, or code, no one can get anything off the drive. To dispose of your drive, you simply delete the key. Once the key is gone, the encrypted data becomes unrecoverable, and you can format the drive normally for reuse.