USB Armory Drive - Portable Mass Storage Encryption

USB Armory Drive

Portable Mass Storage Encryption

Rocco Gagliardi
by Rocco Gagliardi
on May 05, 2022
time to read: 6 minutes

Keypoints

How to Encrypt a Portable Mass Storage

  • An easy and secure transport method for data is hard to find
  • Armory Drive is a solution based on open hardware and software
  • Any number of microSD cards can be encrypted
  • The solution is based on two factors, the USB hardware and the iOS app

How can we transport data on portable devices securely? Maintaining the security chain with encrypted mass storage remains a problem that is not easy to solve, because the encryption of such devices is normally tied to the operating system in use, and software that works smoothly across different platforms is hard to find.

The best solution remains a device with on-board encryption, like the iStorage datAshur. But, besides the relatively high cost and relatively small capacity, the main problem with encrypted USB keys is how authentication is performed. Several approaches have been implemented, from a numeric keypad on the key to biometric authentication, but they remain complicated and expensive.

The solution proposed by Inverse Path (now F-Secure) is based on the multipurpose hardware platform (SoC) named USB Armory, a platform for developing and running different kinds of applications. In essence, they developed a system to encrypt storage devices (microSD cards); the card size is up to you.

The security features of the NXP i.MX6UL processor, the heart of the USB Armory MKII, together with the open board design, give developers and users a fully customizable, reliable USB device for security applications such as a Hardware Security Module (HSM), encrypted file storage with malware scanning, a router for end-to-end VPN tunnelling or Tor, a password manager or an electronic wallet.

With a good knowledge of Go, any application can be developed and run on the system thanks to TamaGo, a framework that enables compilation and execution of unencumbered Go applications on bare-metal ARM System-on-Chip (SoC) components.

Encrypted storage

F-Secure Armory Drive provides an encrypted drive solution that allows one-touch unlocking of an encrypted microSD card via the paired F-Secure Armory Drive iOS app. Because the microSD card is external, capacity can be expanded at will: the cryptographic operations are performed by the Armory's own OS, and the card only stores the encrypted data. Authentication, and thus access to the data, takes place over Bluetooth between the Armory Drive firmware running on the USB Armory MKII and the dedicated Armory Drive smartphone app.

Armory Drive unlocked

How It Works

To use the drive, the following steps are needed:

Additional steps are necessary to protect the cryptographic material that is used to encrypt the data and is stored on the device. It could be retrieved with an ad-hoc crafted application, so the USB Armory must be made unable to load any software other than the trusted one, in our case the software provided by F-Secure. This is possible only by leveraging the SoC secure boot configuration: a hash of four concatenated CA public keys is fused into the USB Armory SoC fuse box, so that only a signed bootloader can ever be executed, and a trusted (signed) bootloader, in our case armory-boot, is installed. Without this step, part of the cryptographic keys used for data and communication encryption would remain exposed and accessible through non-certified software.

The consequence is that, after this operation, the USB Armory will only accept software signed by the specific CA (F-Secure's or the company's own), so it becomes unusable for generic software. But that is a small price to pay for portable secure storage.
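The secure boot chain described above, as an added Go example that is not part of the article or of the armory-boot project: four CA public keys are concatenated and hashed, the hash stands in for the one-time fuse value, and a boot ROM stand-in accepts an image only if the key table it ships with matches the fused hash and one of those keys signed the image. The fuse layout and the hash-over-DER construction are assumptions (the real i.MX HAB SRK table has its own format); the key names and the image bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// newCAKey generates a P-256 key pair standing in for one of the company CA keys.
func newCAKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// fuseKeyTable returns SHA-256 over the four concatenated DER-encoded CA public keys,
// a simplified model of the value burned once into the SoC fuses (not the real HAB SRK layout).
func fuseKeyTable(keys [4]*ecdsa.PublicKey) ([32]byte, error) {
	var table []byte
	for _, k := range keys {
		der, err := x509.MarshalPKIXPublicKey(k)
		if err != nil {
			return [32]byte{}, err
		}
		table = append(table, der...)
	}
	return sha256.Sum256(table), nil
}

// signImage is the CA's offline step: sign the SHA-256 digest of the bootloader.
func signImage(ca *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, ca, digest[:])
}

// verifyBoot mimics the boot ROM: the image runs only if the key table shipped
// with it hashes to the fused value and one of those keys signed the digest.
func verifyBoot(fused [32]byte, keys [4]*ecdsa.PublicKey, image, sig []byte) error {
	if h, err := fuseKeyTable(keys); err != nil || h != fused {
		return errors.New("key table does not match fused hash")
	}
	digest := sha256.Sum256(image)
	for _, k := range keys {
		if ecdsa.VerifyASN1(k, digest[:], sig) {
			return nil
		}
	}
	return errors.New("image not signed by a fused CA key")
}
```

The last check is the one the fuses buy: a key table swapped in together with a matching signature still fails, because its hash no longer equals the value burned into the SoC.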

Since the data and communication encryption keys are derived from both the USB Armory and the iOS app, access to only one of the two devices still leaves the data protected. The security measures adopted are more than adequate for the intended use. Without repeating what is better described elsewhere, I recommend reading the following documents for more details:

Summary

Highly usable, powerful and relatively low-cost, Armory Drive makes it possible to secure mass storage of various sizes, regardless of the operating system used (I manage data on Windows, Linux, macOS and iPadOS).

Although it mostly lacks physical defence mechanisms, unlike a FIPS 140-2 Level 3 certified iStorage datAshur, Armory Drive has become my go-to when it comes to transportable mass storage security. The solution is well documented, elegant and easy to use, and I can only recommend it to anyone who needs to transport data securely.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in network routing, firewalling and log management.

Links
