The Kingston Data Traveler series drives have hardware crypto, but they're unlocked using a small program stored on a separate cleartext partition. They're not cheap, however, so after I lost mine I switched to truecrypt/veracrypt.
About $1 US per GB at Amazon for the Kingston DataTraveler Locker + G3--do-able for me, since I typically pay close to the same price for the rubberized non-encrypted Corsair drives.
Given your sole purpose, however, have you totally ruled out automating the backup routine and baking-in file-level crypto?
I have a comprehensive network data backup system that automatically copies data from my SAN to a 4 TB USB drive every night, and the drive is taken offsite each day.
Not all of the data that needs to be backed up is stored on the network/SAN though. Also, I'm a fan of redundant backup.
The reason I'm asking is primarily because one of our big customers--tens of thousands of dollars in annual billing--has recently introduced a requirement for us to carry "cyber insurance". I will avoid the entire rant about the fact that this is a scam, since, like many other IT trends that are also essentially scams, this one seems to be unavoidably growing in popularity.
The insurance provider wants an assurance that all USB thumb drives are encrypted. (It also wants all laptop hard drives to be encrypted, and it wants my 4 TB offsite backup drives encrypted.)
So I am evaluating my options, one of which is to avoid much of the problem by discontinuing use of thumb drives--at an increase in inconvenience.
I am opposed to essentially turning all of our computers into dumb terminals and keeping all the data on the network. What's the point of having computers at all then? Plus, I don't like single points of failure. Without thumb drives I would have to force people to make even greater use of network shares than they do now. And there would be even more people sitting here twiddling their thumbs in the event of a network outage.
The laptop thing is especially troubling to me. I can encrypt the data drive on a laptop and require users to enter a password to access it, but since the user can then set the drive to be automatically decrypted without entering the password, and they are likely to do so to avoid the annoyance of having to enter two passwords to access the computer, the whole thing is mostly pointless.
As for encryption software that requires the user to be logged in as administrator--has it occurred to anyone that it is more dangerous for the typical computer user to be running an administrator account on a Windows machine than it is for them to have their data on an unencrypted USB stick? Too many programmers, IMO, overestimate the ability of their customers to use computers safely or to cope with complex interfaces. (Well, that's not the right way to put it; it's more like most programmers can't change their personal mindsets to encompass the limited abilities of the vast majority of the people who have to use the software that they create. Making things simpler and safer is too annoying for power-users and CLI-lovers to contemplate.)
The removable backup drives are using a Linux file system, and my consultant tells me that there's probably an option to have just these backup drives encrypted without also encrypting the data on the SAN. Since there's limited access to these drives (just me and my assistant), that's an option I can live with.
Thanks for everyone's help!
Ken
Another option, as opposed to doing nothing, is to hide the files you want to protect. If someone can't see them in a regular DIR etc. then they probably won't have the skills to unhide them.
Right click on folder, select properties then hidden.
Dave
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Ken Dibble Sent: 07 February 2017 16:35 To: profox@leafe.com Subject: Re: [NF] Drop-Dead Simple USB Drive Encryption
[excessive quoting removed by server]
On Tue, Feb 7, 2017 at 9:34 AM, Ken Dibble krdibble@stny.rr.com wrote:
The Kingston Data Traveler series drives have hardware crypto, but they're unlocked using a small program stored on a separate cleartext partition. They're not cheap, however, so after I lost mine I switched to truecrypt/veracrypt.
About $1 US per GB at Amazon for the Kingston DataTraveler Locker + G3--do-able for me, since I typically pay close to the same price for the rubberized non-encrypted Corsair drives.
Given your sole purpose, however, have you totally ruled out automating the backup routine and baking-in file-level crypto?
[...]
The insurance provider wants an assurance that all USB thumb drives are encrypted. (It also wants all laptop hard drives to be encrypted, and it wants my 4 TB offsite backup drives encrypted.)
Well, that settles that, doesn't it! That laptop encryption requirement probably boosts the bitlocker alternative.
It should be noted that truecrypt/veracrypt only requires admin for one-time installation of the driver software and creation of new partitions. An unprivileged user can do all of the routine day-to-day stuff.
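An added example, not part of the original thread: one way to spot-check the insurer's "all drives are encrypted" requirement is to read the first 2 KiB of each volume and look for a known encrypted-container signature (LUKS for the Linux backup drives, BitLocker for the Windows option) versus a cleartext filesystem signature. The function names and sample headers are constructed for illustration; VeraCrypt volumes carry no signature, so they land in the "unknown" bucket and need manual confirmation.

```python
LUKS_MAGIC = b"LUKS\xba\xbe"   # magic at byte 0 of LUKS1 and LUKS2 headers
BITLOCKER_OEM = b"-FVE-FS-"    # OEM ID at byte 3 of a BitLocker boot sector

def classify_volume(header: bytes) -> str:
    """Classify a volume from its first 2 KiB (pass a partition, not a whole disk)."""
    if header[:6] == LUKS_MAGIC:
        version = int.from_bytes(header[6:8], "big")  # 1 or 2
        return f"encrypted: LUKS{version}"
    oem = header[3:11]
    if oem == BITLOCKER_OEM:
        return "encrypted: BitLocker"
    if oem == b"NTFS    ":
        return "cleartext: NTFS"
    if oem == b"EXFAT   ":
        return "cleartext: exFAT"
    if header[82:90] == b"FAT32   ":
        return "cleartext: FAT32"
    if header[1080:1082] == b"\x53\xef":  # ext superblock magic 0xEF53, little-endian
        return "cleartext: ext2/3/4"
    # No recognizable signature: could be VeraCrypt (headerless by design),
    # a hardware-encrypted drive's locked area, or a blank drive.
    return "unknown: verify manually"

def read_header(path: str, size: int = 2048) -> bytes:
    """Read the start of a block device or image file (needs read access)."""
    with open(path, "rb") as f:
        return f.read(size)

def audit(volumes: dict) -> list:
    """Return names of volumes that are not positively identified as encrypted."""
    return sorted(name for name, hdr in volumes.items()
                  if not classify_volume(hdr).startswith("encrypted"))

def _sample(offset: int, magic: bytes) -> bytes:
    """Build a constructed 2 KiB header with `magic` placed at `offset`."""
    buf = bytearray(2048)
    buf[offset:offset + len(magic)] = magic
    return bytes(buf)

# Constructed sample headers (not taken from real drives).
SAMPLES = {
    "offsite-backup": _sample(0, LUKS_MAGIC + b"\x00\x02"),
    "laptop-data": _sample(3, BITLOCKER_OEM),
    "thumb-drive": _sample(82, b"FAT32   "),
    "veracrypt-stick": bytes(2048),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:16} {classify_volume(hdr)}")
    print("needs attention:", audit(SAMPLES))
```

An "encrypted" result only shows that the container format is present; it says nothing about whether the volume is configured to unlock automatically.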