Most importantly, for many users — private, corporate or governmental — flash drives present security risks. Data can easily be read from stolen USB keys because most are unprotected. A study — no longer new but still completely relevant — looking into security aspects of USB drives (see here) showed that data loss due to missing, misplaced or lost USB keys is staggering, and that stolen USB keys are a primary source of data breaches. The study also found that most organizations:

• do not provide approved, high quality USB keys,

• do not have policies on acceptable use of USB keys,

• do not mandate and manage the use of secure USB keys,

• do not encrypt sensitive data on USB keys,

• do not scan USB drives for virus or malware infections, and

• do not actively enforce acceptable USB key use policies.

Despite all that, USB drives are hugely popular and that won't change anytime soon. Some of the technical issues have been resolved over the years, capacity of USB drives has gone up dramatically, costs have come down, and many users have learned to live with the possibility of loss as an acceptable risk.

Simple pin or password access can be remarkably effective, as evidenced by their almost universal use on debit cards, mobile devices, and online accounts. While it is quite possible to crack a four or even six number pin, modern authentication systems will lock up after so and so many attempts. And more complex passwords consisting of upper and lower case letters, numbers, and special characters are almost impossible to beat.

Add to that increasingly powerful hardware-based encryption methods where data is scrambled so thoroughly that it becomes impossible to read without descrambling keys and methods, and you have pretty bulletproof security.

• Level 1 only requires the presence of a cryptographic module.

• Level 2 requires the addition of tamper-evidence like a coating, seal or lock. It also requires "role-based" user authentication (i.e. having admin access or something similar) and a trusted operating system.

  

• Level 3 requires "identity-based" user authentication (i.e. a personal code or password), a response to unauthorized access attempts, such as warnings and irretrievable erasing of all data.

• There's also a Level 4 that adds physical security and environmental sensing that would not be practical for a USB key.

Why do I mention all of this highly technical stuff? Because both the Kingston Vault Privacy 50 USB key and the Vault Privacy 80 external SSD shown in the pictures on top of this article provide 256-bit AES hardware-based encryption in XTS mode, and adhere to FIPS 140-2 Level 3 validation.

To access your data, the drive must be plugged into a computer's USB port (both USB Type A and Type C cables come with the drive) and you need to supply the password. When you lock, power off or disconnect the drive, data is stored encrypted and protected. The VP80ES is OS independent and works with Windows, Linux, macOS, Chrome OS, or any other system that supports USB storage devices.

On first use, plug the VP80ES into a computer. It will perform a self test, then makes you create a password with numbers (6-64 numbers) or letters (supports passphrases up to 64 characters (letters, numbers, spaces)) at least six characters long, then makes you confirm it. The VP80ES screen then shows that the Vault is unlocked and connected, and is FIPS 197 and AES 256-bit XTS compliant. On the computer, the VP80ES shows up as a mounted device. On our test Apple iMac27 it showed up as "Kingston" and ExFAT formatted, with all 960GB of its spec capacity available. There are two files preloaded, a 32-page PDF user manual and the 6-page licence agreement. The data partition can be reformatted with other file system types.

The VP80ES touch screen is resistive, so you can use it with a finger or almost any stylus. If you lock the device and want to unlock it, the input keys of the password entry screen are randomized on each use. That's so that potential fingerprint smudges on the screen won't give the password away, or that an onlooker might memorize your password pattern.

Kingston, of course, recommends a strong, non-obvious password. To guard against guessing of likely/possible passwords, the VP80ES has a settable counter for the number of invalid passwords in a row. If the set number of guesses is exceeded, the drive will wipe itself clean. The VP80ES also allows two passwords, an administrator and a user password. Administrator, which you are upon initial use and setting of a password, has access at all times, User access can be limited in various ways. If both passwords are lost, there's no way the data can be accessed.

As is recommended practice for any USB key or external drive, follow proper disconnect/eject practices. On Windows that means use eject on the taskbar popup, on macOS click the eject button.

The VP80ES has a fairly extensive administrator menu onboard with 13 function areas on three menus. The first page lets you change your current admin password, set up a users, enable or disable global read-only, and set password rules and password length. On the second page you can set the maximum number of password retries, set the keyboard so that number and letter rows appear in random positions, set auto-lock time, set brightness, and set language (English, French, German, and Spanish). On the third page you can crypto-erase the whole drive, including keys and data. Here you can also calibrate the touch screen and toggle touch sounds on and off. Users can also access the menu, but only have a very limited number of options.

All of this works well. One minor issue is that the touchscreen is recessed fairly deeply into its bezel, so that your finger may bump into the bezel and select the wrong option or keypad key.

As for data transfer performance, Kingston claims up to 250MB/s for both read and write data transfers. Why "up to"? Because data transfer speed depends on the OS, the host computer, as well as the type of data and a variety of other variables.

• In our testing, a 2.5GB folder with 400 files in it copied from an Intel iMac27 running MacOS Monterey to the VP80ES in 25 seconds or 100MB/s and was read back from the VP80ES to the Mac in 172 seconds for 14.5MB/s.

• A 2.5GB application copied from the Mac to the VP50 in 70 seconds for 36MB/s, and was read back in 44 seconds for 57MB/s.

• And a 2.5GB MP4 video file copied in just 15 seconds from the Mac to the VP50 for a write speed of about 170 MB/s, and was read back from the VP80ES to the Mac in seven seconds for a read speed of 357MB/s.

The Kingston IronKey Vault Privacy 50 USB key

Plug the VP50 into a PC or Mac and it initially shows up as "IRONKEY." Depending on platform and settings, you may see a number of files (including a 34-page PDF user manual) needed for running the supplied IronKey software on Windows or MacOS. In essence, the VP50 provides advanced password security via admin/user access, multi-password option, complex passwords, passphrases and brute force attack protection.

The VP50 initially comes with the standard FAT32 file system that works on both Windows and macOS. If needed for your application, you may reformat the data partition with NTFS or exFAT (copy data elsewhere before you do). The VP50 can be upgraded with new software versions that Kingston makes periodically available.

USB keys being small mobile storage devices that may get lost, strong password protection is the best defense against data falling into the wrong hands. Here's what Kingston offers on the VP50:

• Multi-password — You can set three passwords on a VP50. Admin, User and one-time recovery password. Admin gives full access and also access to administrative functions including setting the one-time recovery password for the user. User has limited access (set by Admin) and can use the one-time recovery password.

• Password Modes: — There is a complex password mode with 6-16 characters including at least one of upper and lower case characters, numbers, and special characters. There is also a Passphrase mode with 10-64 characters that has no specific rules. Passphrases can provide very strong protection and can be easy to remember.

For initial setup, insert the VP50 into a Windows or MacOS computer USB port. On Windows, the OS will detect the VP50 and automatically install the device driver software. You then run the IronKey.exe file. On a Mac, the MacOS will detect it and mount it on the desktop. You then double-click the IronKey app. On either platform you'll then be asked for language preference (10 are available), you must accept the licence agreement, and then set the password or passphrase. This is also where you can enable having both admin and user access. If both are enabled, you set the user password next. Here there is an option for forcing the user to reset the password on the next login. Next you enter name, company and details. Done.

Next time you use the VP50, the drive will mount as IRONKEY, you open that, run the IronKey app, and you will be prompted for the user password, or you can log in as admin. On the login screen you can also make the VP50 read-only, so that an untrusted computer cannot write files to the VP50. Once the password is accepted, you see the VP50 mounted as "KINGSTON" (you can rename it).

If you really don't trust a computer there's an icon to bring up a virtual keyboard. That's to guard against keyloggers that might snatch your password if you use the physical keyboard.

Now what about that brute-force attack protection? If admin and user passwords are enabled, after ten incorrect user password attempts, the password is locked out. A legitimate user could then use the one-time recovery password or ask the admin to log in and reset the user password. After ten incorrect admin password attempts, the entire drive will be crypto-erased. If there is only a user password, the drive will be crypto-erased after ten failed password attempts.

While one is logged into the VP50, the Mac or Windows computer will show an IronKey icon that brings up a menu from which you can select VP50 settings, browsing, formatting, support, about, and shut the drive down.

As for data transfer performance, for the Vault Privacy 50 series Kingston claims up to 250MB/s read and up to 180MB/S write speeds. Here again, it's "up to" because data transfer speed depends on the OS, the host computer, as well as the type of data and other variables.

• In our testing, a 2.5GB folder with 400 files in it copied from an Intel iMac running MacOS Monterey to the VP50 in 167 seconds, or 15MB/s write speed. Reading it back from the VP50 to the iMac took 50 seconds, for a read speed of 50MB/s.

• A 2.5GB application copied in 70 seconds from the iMac to the VP50 for 36MB/s write speed, and read back from the VP50 to the iMac in 19 seconds for a read speed of 132MB/S.

• A 1.44GB MP4 video file copied in 15 seconds from the iMac to the VP50 for about 100MB/s write speed and was read back from the VP50 to the iMac in just 5.6 seconds, for a read speed of 446MB/s.

Kingston IronKey Vault Privacy — for when security matters

The Vault Privacy 80 External SSD uses both a different storage technology and a different form factor. It's the size of an external disk drive and comes with up to 2TB of storage. But unlike standard external drives, the VP80ES comes with its own LCD touch display and its own OS-independent software.

Properly used, both of these IronKey Vault Privacy products provide almost infinitely more security than run-of-the-mill unprotected USB keys and external drives. You may still lose or misplace them and they may still get stolen. But it's very unlikely that anyone will be able to get at the data.

Only data security experts fully understand advanced details of cryptography and how it all works. Kingston employs these complex security technologies to make USB keys and external drives as secure and private as they can. That is not only beneficial for individual users, but is also required by many governments and private industries.

USB flash drives and external SSD drives providing this level of security and privacy are more expensive than ordinary USB keys and drives. But considering what could happen if data gets into the wrong hands, they are a bargain. -- Conrad H. Blickenstorfer, Ph.D., Editor-in-Chief, August 2022