this post was submitted on 19 Feb 2024
227 points (97.5% liked)

Privacy

31224 readers
922 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
227
What are your thoughts on USB storage drives that have keypad encryption? (leminal.space)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
124 comments fedilink hide all child comments
 

It seems like the benefits are having the device lock/wipe itself after a set amount of attempts in case of a brute force attack and not having to run software to decrypt the drive on the device you plug it into.

I included a picture of the IronKey Keypad 200 but that's just because it's the first result that came up when I was looking for an example. There seem to be a few other manufacturers and models out there and they probably have different features.

I am curious what do you think of them? Do you think they are useful? Do you find it more a novelty?

It was an ExplainingComputers video titled Very Useful Small Computing Things that made me think of them.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 43 points 7 months ago (2 children)

Do encryption in software. History taught us hard lessons about this.

[–] [email protected] 13 points 7 months ago* (last edited 7 months ago) (1 children)

Can you think of some notable examples of hardware based encryption failing?

Besides the actual device dying I mean

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (2 children)
[–] [email protected] 7 points 7 months ago

Here is an alternative Piped link(s):

https://m.piped.video/watch?v=beMtNM7nwfQ

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 1 points 7 months ago (1 children)

There's no password involved in that demo

[–] [email protected] 6 points 7 months ago

That wasn't part of the assignment. ;)

[–] [email protected] 2 points 7 months ago (1 children)

The downside with doing encryption in software is that you can't limit attempts. If you are using a high-entropy key this is fine. But getting users to use high-entropy keys has problems. If there is an HSM integrated into the device you can limit the potential guesses before the key is wiped which is critical without high-entropy keys.

A blog I follow recently had a good post about this: https://words.filippo.io/dispatches/secure-elements/

Of course you are still better off with a high-entropy key and software. But if you trade off too much usability in the name of security you will likely find that your users/employees just work around the security.

[–] [email protected] 1 points 7 months ago (1 children)

Sure you can. Use a memory hard hashing algo

[–] [email protected] 3 points 7 months ago (1 children)

That mitigates the problem but doesn't solve it. If you want unlocking to be <1s and your adversary has 10k times the RAM and can take a month they can make 26 billion guesses. So unless your password is fairly high entropy it is at risk. Especially if they have more resources or more time. PINs are definitely out of the question, and simple passwords too.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Good passwords are important. Always.