How to encrypt / protect contents of Pen Flash Drive

[vulcanman]

I have a Pen drive (flash storage) that I use between my home and work PCs.

It contains very sensitive information. I need to be able to share it between the two PCs.

Right now I have it formatted as NTFS ... but ideally I would like it either encrypted or password protected. If I can securely access the files from any PC ... that would be great too.

Zipping the files with password is not an option ... because working with and creating individual files through applications is troublesome.

Any suggestions ?

Max

 

[vulcanman]

Bump!

 

[zephyrprime]

Just open up the properties of the drive under my computer and click on the security tab. Then just set its access priveleges like any other drive. (I can't really explain all that to you here. Try searching the web.) This doesn't set a password but it sets access rights for individual users. This also doesn't encrypt the drive.

Or you could get a Lexar Jumpdrive Secure. Or maybe the Lexar jumpdrive trio used with a Secure Digital card.

 

[DrVos]

You can use a program like Bestcrypt to create an encrypted storage container on the pen drive. With the program installed on your work and home PC's, you can mount the storage container as a mapped drive. I like the program because it acts almost totally transparently once you enter your password.

 

[StraightPipe]

I saw a flash drive reviewed at geek.com last week that had a thumbprint detector that locked or unlocked the drive. it had a thumb screen right on the front for scaning.

see if I cant find you a linky
Edit: no link, cant find, it was cool, but a bit out of my price range

 

[dszd0g]

Please give us more information about the environment. Are you the only one who needs access to the data? If you die and no one knows your key/password, do they still need access to the data that is encrypted or will other copies of the data still be available inside the company. When the data is unencrypted on your computer at home, do you need to be sure that data is only unencrypted while you are working with it and that no data stays unencrypted in memory and on disk (including old swap files).

How sensitive are we talking? If you are being allowed to take the data home we can't be talking too sensitive, but give some idea.

Zipping files with a password is pretty weak with most software. I am not sure whether it is good form to post example programs for cracking encrypted zip files here, but a quick google search will turn them up.

Some popular programs are:

GNU Privacy Guard downloadable here. The Windows version is command line only.

Pretty Good Privacy has a Personal Desktop product.

Avoid anything that isn't AES (Rjindael), 3DES (Triple-DES), some people like Blowfish and Twofish (the newer *fish and one of the AES finalists). IDEA is also somewhat popular, but more restricted in use (owned by Ascom I believe).

Not only important is the cryptographic algorithm used, but what it is used in. Avoid any program that uses ECB (Electronic Code Book) as it is insecure and a lot of "snake-oil" commercial products use it. Other modes include CBC (Cipher Block Chaining), PCBC (Propagating Cipher Block Chaining), CFB (Cipher Feedback Mode), and more. Each have advantages and disadvantages. Some make tampering or introducing errors into the data more difficult. Others make it so that if there is an error it affects as little data as possible. Depending on what is important to you should determine which one to use.

I believe both GNUPG and PGP use CFB mode.

If one is worried about where the data is coming from or it being tampered with make sure the program uses a MAC (Message Authentication Code).

 

[vulcanman]

Thanks for all the replies. I will be having other copies of the data.

In the pen drive I have my personal financial information.

It also contains utility programs (I am a network consultant) ... that I can launch directly without needing any installation. This is a godsend when my clients call me out of the blue.

An ideal utility that would solve my problem ? Something that would encrypt the files and store the key in the pen drive itself. The decrypting utility would also be in the same pen drive. i.e its an all inclusive solution that does not require any software installation on the PCs that wish to access the data.

Thanks.

 

[dszd0g]

Originally posted by: vulcanman
In the pen drive I have my personal financial information.

I assume this is what you are trying to protect?

It also contains utility programs (I am a network consultant) ... that I can launch directly without needing any installation. This is a godsend when my clients call me out of the blue.

I assume these are free or commercially available utilities that you don't need to protect?

An ideal utility that would solve my problem ? Something that would encrypt the files and store the key in the pen drive itself. The decrypting utility would also be in the same pen drive. i.e its an all inclusive solution that does not require any software installation on the PCs that wish to access the data.

Both gnupg and PGP base their security on keeping the private key private. One can use a passphrase to protect the private key, but this is generally easier to attack than the private key itself. However, for personal financial information I am pretty sure that this should be sufficient protection. PGP requires being installed on the machine. gnupg can be installed on the pen drive and run from the command line. The private/public keys could be stored on the drive too, but as I've said this defeats a lot of the security of it and puts all the security in the passphrase. Unless you choose a really short passphrase or expect a major government to attempt to break it (since you have the data elsewhere they would most likely go after it there) this should provide plenty of protection.

However, there are some easy attacks against this. It sounds like you will be using untrusted computers. Let's say Mallory (classic name in cryptography for the attacker) wants access to your data. He can gain access to one of the computers you will be accessing the data from. He knows that you keep the data encrypted. He accesses the computer before you and installs a program that any time a USB storage device is activated it copies all the data into a directory on the local machine and then activates a keyboard sniffer. After you are gone he gets the encrypted data off the computer along with the keyboard sniffer log. It is a simple matter to write a script to go through the keyboard sniffer logs and look for the passphrase. It looks for "gpg" or "gpg --decrypt" and tries the strings shortly afterwards, maybe no script is necessary but one could brute force which string it is if it is not obvious.

It is impossible to securely access data on an insecure computer.

It all depends on how paranoid you are.

 

[vulcanman]

Thanks, dszd0g ! I will try gnupg.

 

[thorin]

If you're already using NTFS why not switch to EFS (Encrypted File System) ??

Or why not see if Disk On Key has released their Encryption software/driver for other USB keys or just DL it and see if it works?

Thorin

 

[dszd0g]

Originally posted by: thorin
If you're already using NTFS why not switch to EFS (Encrypted File System) ??

I don't know too much about Windows EFS. But I know that the Windows 2000 EFS has been broken. Do a search on google for "Windows 2000 EFS broken" and you will turn up some info. Or you can look on BUGTRAQ for "EFS Win 2000 flaw" and I believe there was also a discussion about it not too long ago on sci.crypt.

Last I checked Windows XP EFS has not been broken, but I wouldn't personally trust Microsoft for anything to do with security. Especially not when there are so many encryption tools available written by cryptography experts and publicly cryptoanalyzed by other experts. Unless you work at the NSA and have access to its resources, one is generally best sticking with well analyzed algorithms.

From what I've heard Windows XP EFS actually switched to AES, but I wouldn't past Microsoft putting some security hole in the implementation. They can't seem to leave standards alone.