How can we transport data on portable devices securely? Maintaining the security chain, using encrypted mass memories, remains a problem that is not easy to solve, as the encryption of the devices is normally linked to the operating system used. Finding software that works smoothly on different platforms is difficult.

The best solution remains to have a device that uses on-board encryption systems, like the iStorage datAshur. But, in addition to having a relatively high cost and relatively small memory, the main problem of encrypted USB keys is the way in which the authentication is performed. Several solutions have been implemented, from the numeric keypad on the key, to biometric authentication, but they remain complicated and expensive.

The solution proposed by Inverse-Path (now F-Secure) is based on the multipurpose HW platform (SoC) named USB Armory, a hardware platform for developing and running different types of applications. In essence, they developed a system to encrypt storage devices (microSD), the card size is up to you.

The security features supported by the NXP i.MX6UL processor chip, the heart of the USB Armory MKII, and the open board design, offer developers and users a fully customizable reliable USB device for security applications like Hardware Security Module (HSM), Encrypted file storage with malware scanning, Router for end-to-end VPN tunnelling or Tor, Password manager, Electronic wallet.

Having a good knowledge of Go, any application can be developed and run on the system thanks to TamaGo, a framework that enables compilation and execution of unencumbered Go applications on bare metal ARM System-on-Chip (SoC) components.

Encrypted storage

F-Secure Armory Drive provides an encrypted drive solution that allows one-touch unlocking of an encrypted microSD via the paired F-Secure Armory Drive iOS app. The memory can be expanded at will, as external; cryptographic operations are performed by the OS and the memory is used to store the encrypted data. The authentication and the relative access to the data takes place through communication via Bluetooth between the Armory Drive running on the USB Armory MKII and a dedicated Armory Drive application for Smartphone.

How It Works

To use the drive, following steps are needed:

• Install firmware on the USB Armory MKII
• Install the Armory Drive iOS app
• Pair the USB Armory and the iOS app: This step generates and stores keys on the iOS app
• The encryption keys (for microSD and BLE communication) are derived from the iOS app key and the USB Armory unique Hardware key
• Format the microSD card: Full Disk Encryption is used to encrypt the microSD using the derived key, that is function of iOS app and USB Armory

Additional steps are necessary to protect the crypto material used to encrypt the data and stored on the device. This could be retrieved using an ad-hoc crafted application, so it is necessary to make impossible for the USB Armory to load other generic software different from the trusted one, in our case the software provided by F-Secure. This is possible only leveraging the SoC secure boot configuration that fuses a hash of four concatenated CA public keys in the USB armory SoC fuse box, so that only signed bootloader can ever be executed, and by installing a truested (signed) bootloader, in our case the armory-boot. Without this step, part of the cryptographic keys used for data and communication encryption would remain exposed and accessible through non-certified software.

The conseguence is that, after this operation, the USB Armory will only accept software signed by specific CA (F-Secure or company CA), so it will be unusable for generic software. But it is a small price to pay for portable secure storage.

Since the data and communication encryption keys are derived from USB Armory and the iOS app, access to only one device still protects the data. The safety solutions adopted are more than satisfactory for the intended use. Without repeating what is better described elsewhere, I recommend reading the following documents for more details:

• Armory Drive specifications for security details
• compete tutorial explaing howto setup the drive
• FAQ to understand what if

Summary

High usable, powerful, and with a relatively low cost, Armory Drive makes it possible to secure mass memories of various sizes, regardless of the operating system used (I manage data on Windows, Linux, macOS and iPadOS).

Although mostly lacking in physical defense mechanisms, as opposed to a FIPS140-2L3 certified iStorage datAshur, Armory Drive has become my go-to when it comes to transportable mass storage security. The solution is well documented, elegant and easy to use and I can only recommend it to anyone who needs to transport data securely.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://apps.apple.com/rw/app/f-secure-armory-drive/id1571708524
• https://github.com/usbarmory/armory-boot
• https://github.com/usbarmory/armory-drive
• https://github.com/usbarmory/armory-drive/wiki/Frequently-Asked-Questions-%28FAQ%29
• https://github.com/usbarmory/armory-drive/wiki/Specifications
• https://github.com/usbarmory/armory-drive/wiki/Tutorial
• https://github.com/usbarmory/tamago
• https://inversepath.com/usbarmory
• https://inversepath.com/usbarmory.html