iStorage diskAshur PRO 2: is this the most secure portable hard drive ever made?
I’ve had my hands on the iStorage diskAshur PRO 2 – what is being described as the ‘most secure hard drive ever made’ – for more than a week now. As the first journalist to get hold of one of the iStorage diskAshur PRO 2 drives from iStorage, I have been able to put it to the test in time for the press embargo being lifted today. This is, then, my first look at the ultra-secure, USB 3.1, PIN authenticated, hardware encrypted, brute force hack protected, tamper evident and self-destructing drive.
I am, I will readily admit, something of a fan of iStorage secure drives. File me under paranoid perhaps, but as someone who has worked in and around the IT security industry for the last 25 years I kind of like my data to be as secure as possible. Yet data in transit, that is any data that resides on a portable drive of any description, is always going to be at a higher risk of exposure than I’d like.
This is why I’ve always recommended that such data should be encrypted, but that much is a given right? Well, yes, but then there’s how you encrypt it? Software encryption comes with caveats, so I prefer to ensure my portable data is on a hardware encrypted device. That’s why I run with, well walk quickly at my age at best, a datAshur Pro USB 3.0 hardware encrypted thumb drive. Gotta love the hardware encryption, gotta love the on-drive keypad for PIN entry etc etc.
This is all well and good, but what if you need something more, something bigger? Most portable hard drives (as opposed to flash drives) do not come with the same kind of protection. The diskAshur range has always been an exception to the rule, and indeed that’s probably why I have an original diskAshur PRO device in my kitbag. Well, had, to be precise. It has now been replaced, well and truly, by the mark 2 upgrade. Whereas the original was just secure, the new model is batshit crazy secure. And then some.
Let’s start with the simple things first: it’s hardware encrypted (using real-time military grade AES 256-bit XTS full-disk hardware encryption validated to FIPS PUB 197) so that means no software to worry about or drivers to set up. This also means that the diskAshur PRO 2 is both platform and device agnostic, so will be as happy plugged into a Windows machine as it will a Mac, Linux, Chrome or Android one. Not forgetting thin clients, zero clients, any clients that have a USB port in fact.
Seeing as I’ve already mentioned the FIPS PUB 197 validated encryption algorithm, let’s continue down that road for a bit. This drive also has, and I hope you have a few minutes to spare, a Common Criteria EAL4+ ready on-board secure microprocessor, and FIPS 140-2 Level 3, NCSC CPA (foundation level), NLNCSA certifications are all pending. It is also, of course, fully IP 56 certified for water and dust protection as you should expect. iStorage assures me that the diskAshur PRO 2 is also fully GDPR compliant, which could be something of a selling point as organisations start to absorb the legal and financial implications of storing data on an external drive that isn’t.
All of that acronym chucking is impressive, but not as impressive as when you start to dissect what it all means. Things like the PINs and encryption keys always being encrypted at rest for example, and those PINs need to be a minimum of seven digits in length (max is 15). Talking of the PIN, you can use a shift key to up the ante as shift 1 is recognised as a separate value to 1 on its own. You cannot use all sequential numbers for the PINs (there are admin and user PIN options) nor all repeating numbers. I would, naturally, suggest changing the default admin PIN from the factory though: 11223344 wouldn’t be my choice. The PIN entry pad is epoxy coated and wear resistant, as well as being a much better tactile experience than the original diskAshur PRO entry pad.
The drive itself will lock, and all the data become inaccessible, when ejected from a host device. Or you can just hit the lock button on the keypad for an even swifter on the spot privacy assurance. There’s a default ‘unattended auto-lock’ mechanism that can be configured to automatically lock the device between 5 and 99 minutes (or switched off) if it is unlocked and not being used.
Then there’s the brute force protection. Enter an incorrect PIN 15 times, in three five-attempt clusters, and the drive will delete all admin and user PINs along with the encryption key and all data. After 5 attempts the drive lights up all three red, green and blue LEDs and freezes. It then needs to be unplugged and reconnected to the host to get five more goes. After that, it has to be unplugged and the shift key depressed while plugging it back in one last time. A code then needs to be entered, before the final five attempts. The administrator can also set a ‘self-destruct’ PIN which will do the same job. That self-destruct PIN then becomes the new user PIN, and the drive needs to be partitioned and formatted before it can be used again.
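An added sketch, not from the review or from iStorage firmware, that models the PIN rules described earlier together with the 15-guess limit above, to show what odds a guesser is left with. The `s` shift notation, the reading of 'sequential' (strictly ascending or descending unshifted digits, no wrap-around) and the 20-symbol keypad count are assumptions.

```python
from fractions import Fraction

MIN_LEN, MAX_LEN = 7, 15   # PIN length limits given in the review
MAX_GUESSES = 15           # three clusters of five, then the drive wipes itself

def parse_pin(text):
    """Parse '1234s567' into (shifted, digit) presses; 's' is made-up notation."""
    keys, shifted = [], False
    for ch in text:
        if ch == "s" and not shifted:
            shifted = True
        elif ch.isdigit():
            keys.append((shifted, int(ch)))
            shifted = False
        else:
            raise ValueError(f"unexpected character {ch!r}")
    if shifted:
        raise ValueError("shift with no digit after it")
    return keys

def is_all_sequential(keys):
    # Assumption: strictly ascending or descending unshifted digits, no wrap.
    if any(shift for shift, _ in keys):
        return False
    steps = {b - a for (_, a), (_, b) in zip(keys, keys[1:])}
    return steps in ({1}, {-1})

def check_pin(text):
    keys = parse_pin(text)
    if not MIN_LEN <= len(keys) <= MAX_LEN:
        return "rejected: length"
    if len(set(keys)) == 1:          # the same key pressed every time
        return "rejected: repeating"
    if is_all_sequential(keys):
        return "rejected: sequential"
    return "accepted"

def keyspace(length, symbols=20):
    """Policy-compliant PINs of one length (20 = ten digits, plain or shifted)."""
    sequential = 2 * max(0, 11 - length)   # ascending + descending runs
    return symbols ** length - symbols - sequential

def guess_odds(length, symbols=20):
    """Chance that 15 distinct guesses hit a uniformly random PIN."""
    return Fraction(MAX_GUESSES, keyspace(length, symbols))

if __name__ == "__main__":
    for pin in ("11223344", "1234567", "s1234567"):
        print(pin, "->", check_pin(pin))
    print("15 guesses at a 7-key PIN:", float(guess_odds(7)))
```

Under these assumptions the factory default 11223344 passes the PIN rules, so nothing in the policy itself forces it to be changed. The odds figure only holds for a PIN chosen at random.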
iStorage seems to be running with a marketing slogan of ‘without the PIN there’s no way in’ which ordinarily I might poo-poo (there’s always a way in) but on this occasion it would be interesting to hear of another way. Quite apart from all the above, the Enhanced Dual Generating Encryption (EDGE) tech kicks in with that Common Criteria EAL4+ ready secure microprocessor. This comes with built-in physical protection mechanisms to defend against external tampering and can, apparently, withstand ‘laser attacks’ and fault injection methods. Any attempt to break into the device (the internal components are encased in a layer of epoxy resin so tough that breaking it without breaking the components is a very hard ask) kicks off that deadlock frozen state mentioned above in the brute force protection overview. This pretty much renders those attacks useless. Needless to say, but I will say it anyway, all the authentication parameters are encrypted and physically protected by the microprocessor’s memory encryption (scrambler) and access control schemes.
Security is, as you can tell from this first look, pretty damn impressive. But what about the drive itself, after all if it’s as slow as a pig in flippers wading through porridge nobody will care that the data is protected as productivity will take too much of a hit. Truth be told, and I’m really no expert when it comes to hardware benchmarking so cut me some slack, I found the diskAshur PRO 2 to be little different in performance terms to any other USB 3.1 external drive I have to hand. iStorage claims data transfer speeds of up to 148MBps read and 140MBps write for the diskAshur PRO 2. I have attached screenshots of some quick and dirty testing done here using CrystalDiskMark 5 software, showing the sequential read/write timings etc.
At just 124mm x 84mm x 20mm and weighing in at 225g, size and weight are not deal-breakers. The protective carry-case doesn’t add much to either, either. What else can I add? Well it comes with a 2 year warranty, and in three storage capacities: 500GB, 1TB and 2TB. In the UK these have a SRP of £209, £269 and £329 respectively. For EU and US pricing please refer to the iStorage website, which will be announcing distributors and resellers for these markets soon. Not the cheapest external drives, especially considering that they pack a 2.5″ ‘spinning rust’ WD Black hard drive inside. These are a decent enough drive, well-regarded and with good durability, rotating at 7200rpm and having a SATA 600 transfer mode. They are not SSDs though, and if bought standalone you could pick a 500GB one up for around the £50 mark easily enough without external drive casing. And without all the security features, which is after all what you are paying for here. [UPDATE: Yes, already. ITST has been informed by iStorage that the SSD versions of the diskAshur PRO 2 are already available, although they will come at something of a premium price of course. A 512GB SSD version will cost a heady £429, or £589 for the 1TB. The SSD range starts at £189 but for that you only get 128GB of storage.]
Is being ultra-secure worth the premium? That depends upon your industry, your organisation and your data. If you have a regulatory need to ensure portable data is secure, and with the EU GDPR stuff coming into play next year that need will be a pressing one for many, I would say so. If you are just playing with privacy, then you are probably better off going down the software encryption route.
Is diskAshur PRO 2 the most secure hard drive ever made? That’s actually a hard one to answer. It could well be, most likely it is the most secure ‘commercially available’ hard drive ever made. Or even the most secure portable hard drive ever made perhaps. I don’t have access to what goes on behind the closed doors of government, the NSA or other spook places of work, so cannot talk to what secure devices have been built there over the years. What I can talk to is the fact that I don’t know of any other portable hard drive that comes quite this secure, right out of the box and without requiring an arm, a leg and a mortgage to purchase it.