Manufacturer
iStorage UK
Product Website
https://isto…skashur-pro2/
Price
From £209
Pros
Hardware encryption, brute force protection, self-destruct feature, truly portable, truly secure
Cons
Security doesn't come cheap
Summary
Is this the most secure hard drive ever made? Who can tell? Certainly not me, as I am not privy to the inner workings of government agencies. Is it the most secure hard drive I can buy right now, that I can afford to buy right now? Hell yeah...
Rating
9/10

I've had my hands on what is being described as the 'most secure hard drive ever made' for a while now. Such are the advantages of being a well known reporter on all things security I guess, I get to play ahead of the crowd. As the first journalist to get hold of one of the diskAshur Pro 2 drives from iStorage, I have been able to put it to the test in time for the press embargo being lifted today.

I have, of course, long recommended that portable data should be encrypted. It is seriously stupid not to do so, given the risk of loss whether through misplacing a device or it being targeted for theft. For most people, this means using encryption software to protect the data, not the drive. Hardware encryption ups the ante just a tad, as there's no software to backdoor and no chance of someone accessing the drive first and so getting time to play with the data within.

It should come as no surprise to discover that I have had one of the original diskAshur PRO devices in my kitbag for some time, and a hardware-encrypted flash drive on my fob for good measure. But whereas the original was really secure, the new model is goddamn batshit crazy secure. And then some.


For most readers I will hazard a guess that such a drive would be overkill. Indeed, it's not aimed at most people; this is a drive for those organisations and individuals who are truly serious about data privacy. Especially those who have a regulatory need for such paranoia, but really anyone who wants to be as sure as they can be that their data cannot be hacked.

iStorage has a bit of a marketing slogan going for this drive of 'without the PIN there's no way in' which is asking for trouble you might think. I think it might just have a point. The Enhanced Dual Generating Encryption (EDGE) technology comes complete with a Common Criteria EAL4+ ready secure microprocessor. What does that mean? Basically that you get built-in physical protection mechanisms to defend against external tampering which can, apparently, withstand 'laser attacks' and fault injection methodologies.

Any attempt to break into the device (the internal components are encased in a layer of epoxy resin so tough that breaking it without breaking the components is a very hard ask) kicks off a deadlock frozen state that in turn makes those useless from then on. The drive needs to be disconnected, reconnected and powered-on in different ways before any more brute force attempts can be made. Three groups of five PIN entry attempts are allowed, requiring a specific code to be entered before the final five can be tried. After that the drive will delete all admin and user PINs, delete the encryption key and the data. Gone. Period.

Needless to say, all the authentication parameters are encrypted and physically protected by the microprocessor's memory encryption (scrambler) and access control schemes for good measure.

I like that the PINs and encryption keys are always encrypted at rest. I like that the epoxy-coated PIN pad is responsive as well as being durable. I like that PINs must be between 7 and 15 digits, with a shift parameter counting as a distinct value. I like that you cannot use all sequential numbers, nor all repeating numbers, for either admin or user PINs. I like that an admin can set up separate user PINs without compromising the security of the device, or the data upon it.
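As an added illustration (not part of the original review, and not iStorage's firmware), this Python sketch models the PIN rules and the three-groups-of-five lockout sequence described above. Digit-only PINs, descending runs counting as sequential, the failure counter resetting on success, and every name in the code are assumptions.

```python
# Added illustration (not iStorage code): PIN rules and lockout sequence as the
# review describes them. Shifted keys are not modelled; descending runs are
# assumed to count as "sequential"; class and method names are hypothetical.
import hmac

MIN_LEN, MAX_LEN = 7, 15       # PIN length limits stated in the review
GROUPS, GROUP_SIZE = 3, 5      # three groups of five attempts before the wipe

def pin_allowed(pin: str) -> bool:
    """Digits only, 7-15 long, not all-repeating, not all-sequential."""
    if not (pin.isascii() and pin.isdigit() and MIN_LEN <= len(pin) <= MAX_LEN):
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({0}, {1}, {-1})   # 1111111, 1234567, 7654321

def allowed_count(length: int) -> int:
    """Number of policy-compliant digit-only PINs of a given length."""
    runs = 2 * max(0, 11 - length)         # ascending + descending runs
    return 10 ** length - 10 - runs

class DriveModel:
    def __init__(self, pin: str, recovery_code: str):
        if not pin_allowed(pin):
            raise ValueError("PIN violates policy")
        self._pin, self._code = pin, recovery_code
        self.failed, self.wiped = 0, False
        self.needs_replug = self.needs_code = False

    def replug(self):                      # disconnect / reconnect / power on
        self.needs_replug = False

    def enter_code(self, code: str):       # gate before the final five tries
        if hmac.compare_digest(code, self._code):
            self.needs_code = False

    def try_pin(self, guess: str) -> str:
        if self.wiped:
            return "wiped"
        if self.needs_replug or self.needs_code:
            return "locked"
        if hmac.compare_digest(guess, self._pin):
            self.failed = 0                # assumption: success resets counter
            return "unlocked"
        self.failed += 1
        if self.failed == GROUPS * GROUP_SIZE:
            self._pin, self.wiped = "", True   # PINs, key and data gone
            return "wiped"
        if self.failed % GROUP_SIZE == 0:
            self.needs_replug = True
            self.needs_code = self.failed == (GROUPS - 1) * GROUP_SIZE
            return "locked"
        return "wrong"
```

Under these assumptions, 15 guesses against the 9,999,982 permitted 7-digit PINs give a guesser roughly a 1 in 667,000 chance before the wipe.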

I like a lot about this thing, truth be told. Stuff like how it locks down automatically when ejected from a host device or when the lock key is hit or after a pre-configured period of inactivity.

I like the real-time military grade AES 256-bit XTS full-disk hardware encryption validated to FIPS PUB 197. That means no software to be concerned with, no drivers to worry about. I like drives that are platform and device agnostic, that I can throw at a Windows machine just as readily as a Mac, Linux or Android one. I like all the reassuring certifications and validations that iStorage has, or is in the process of acquiring, for this thing. I like that it is, I am told, fully GDPR compliant. Readers in the EU will be pleased to hear that one as well, given the legal and financial implications of storing portable data on something that isn't as from spring next year.

I even like the form factor: 124mm x 84mm x 20mm and weighing in at 225g with a light but protective carry-case included. It's a USB 3.1 drive, and the hardware encryption doesn't slow it down any.

So what don't I like? Well, if I'm honest, I would prefer something packing an SSD and not 'spinning rust' as I perhaps unfairly call an old-fashioned hard drive. At least the WD Black 2.5" hard drive within is well-regarded and has a good durability record. Indeed, iStorage are throwing in a two-year warranty as standard, which speaks volumes. That said, SSD versions are also available but will come at a higher price premium of course. So a 512GB SSD drive would set you back £429 instead of £209. These 7200rpm SATA 600 drives offer decent value for money, and that's important. Which you might think is odd, as you can buy one standalone for around £50 here in the UK at the lower end (500GB) of the capacity range. What you are paying for here is the assurance of those additional layers of tested security.


And, finally, what will you need to pay for all this then? In the UK the 500GB version has a recommended price of £209, with 1TB at £269 and 2TB at £329. For EU and US pricing please refer to the iStorage UK website which will be announcing distributors and resellers for these markets in due course.

Does that make this a must have purchase, good value or something to consider? That all depends on just how valuable your data, and privacy, are to you.

Edited by happygeek

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

0

Non-security guy here, but putting on my tinfoil hat and thinking about this comment...

Is this the most secure hard drive ever made? Who can tell? Certainly not me, as I am not privy to the inner workings of government agencies. Is it the most secure hard drive I can buy right now, that I can afford to buy right now? Hell yeah...

What if "the government" approached the really smart, really security-conscious developers of this super-secure drive and said, "We want you to develop a high security drive that no one can defeat. Except us. If you won't do it for patriotic reasons, do it because your 18-year-old nephew just got caught sneaking five kilos of cocaine across the border, which he would have never attempted if you'd let us build The Wall."

I'm sure the government would never ever try to do that cough Apple cough, but again, I'm wearing my tinfoil hat. Or less conspiratorially, let's suppose there is no conspiracy. "The government" has an entire sector devoted to breaking into hard drives and everything else without insider help. Anything billing itself as "The most secure hard drive ever made" gets special attention from this secret unaccountable unit with a practically infinite budget and staffed by people who love the challenge of breaking unbreakable things. Once broken, they circulate news stories saying it's so unbreakable that "the government" tried to break it and failed.

Thus my theory: If you want your drive to remain truly unbreakable, either design it in your garage without telling anyone or don't advertise it as "The most secure hard drive ever made". Sell it for a loss for $19.95 at Best Buy, thus slipping under the radar of this secret unit.

I'm being a smart-aleck here, partially, but I think it's important, when considering security, to understand just who you are attempting to be secure FROM. This is extra-true if you work FOR "the government". They'll issue you a high-security phone all right. One they've already cracked and bugged and are monitoring themselves. A good friend in the know (supposedly) has a theory that Hillary Clinton used an insecure unauthorized personal phone because she was less concerned about being hacked by the Russians than being hacked by her own State Department, which she ran. Not sure I buy that theory, but it made me think.

Hopefully this adds to your thread Happy Geek rather than hijacks it.

0

Just try to travel in the NSA (USA?) with that.

True dat. I used to travel to the US a few times a year on business, but have not been for the last year courtesy of health issues and long distance flights. However, I'm increasingly inclined to decline such trips in future specifically due to these Orwellian measures. I'm rather afraid I might tell the man in the uniform to go do one. Of course, I could set up a set of fake social media accounts purely for the purpose of US travel (and I'm pretty sure that any terrorist/activist would do just that) but seriously, can I be bothered? Nope.

As for data I wanted to keep away from prying eyes I would use my flash drive with a hidden encrypted container that doesn't appear unless you enter the correct passcode. Enter the alternative passcode and it just boots up as a normal drive complete with a nice innocent dataset... Sure, someone could try looking at the drive size against available space, but I doubt they would have time to do that for every traveller.

0

I don't know about in jail. I thought they'd just confiscate the equipment.

For US travel, my understanding is that it would most likely lead to confiscation of kit and an unfriendly interview during which you would be denied entry and probably sent back from where you came.

<later> Just seen the additional comment. See, what do I know? That said, I suspect that is an exception rather than a norm,.

Edited by happygeek

0

What if "the government" approached the really smart, really security-conscious developers of this super-secure drive and said, "We want you to develop a high security drive that no one can defeat. Except us."

No doubt that's a scenario that could happen. However, when the truth came out (as it almost certainly would) then the drive vendor would be finished for good. Trust really is everything at this end of the market, not just some corporate motto.

0

However, when the truth came out (as it almost certainly would) then the drive vendor would be finished for good. Trust really is everything at this end of the market, not just some corporate motto.

I do believe this. My friends call me naive, but I do believe it. To a point. There ARE lots of consumers with long memories who are willing to reward companies who fight the good fight and punish those who do not. I wish there were more. Unfortunately I've lost track of who's broken under pressure or made questionable "deals" with "the government" (and ad sellers), so I can't make an intelligent list on that, but I've been unimpressed in the past with Google in particular (censorship in China, partnership with NSA, default "opt in" without sufficient transparency as far as keeping your data private, not pushing back sufficiently hard regarding the Patriot Act and the Bush Admin's "Turn over all data for everyone so we can find the pedophiles. Trust us. The data will not be used for anything else" stunt). Ditto Facebook's ridiculous privacy policies (yeah, I know, if we read the fine print, we probably agreed to it, but still...). Don't get me started on Microsoft.

They're all doing fine. I do believe that had Apple caved to San Bernardino, it would have been a death sentence. They held the line, but I wish they had held it even more firmly and I wish that all the other tech companies had rallied with a much more vocal "Hell No!" message.

There's a backlash. You have far more non-techie "normal people with nothing to hide" people who are learning about VPN, TOR, and security now and willing to pay extra for it. To that end, I disagree slightly with this statement...

For most readers I will hazard a guess that such a drive would be overkill. Indeed, it's not aimed at most people;

If I was the marketing person for this drive, I would expand my target audience, which is growing rapidly given the lack of trust from the Normal Joe, who is getting sick of everyone out there feeling free to pry into every facet of his life. If I had money to invest, I'd be investing it in companies like this.

The other thing I'd invest in is data mining companies and NON-encrypted drives. THOSE companies will be selling to the people storing every single piece of useless data that goes across the wire, the exact people this drive is guarding your data FROM. So I'd sell to both sides in this war. Actually I probably wouldn't due to moral issues, but from a pure investment strategy, it makes sense.

The trifecta would be an investment in Artificial Intelligence, which goes hand in hand with the data mining and you have the ultimate Psychological Profiler, someone who can take all your store purchases, travel, and communications, and Spock-like predict your future actions.
