Kingston IronKey Vault Privacy 50 Series and 80 External SSD
Two new protected, encrypted external data storage options that'll let you sleep easier at night, knowing your data is safe and secure and no one can get to it
(by Conrad H. Blickenstorfer)
This article is about two new products in Kingston Technology's line of encrypted Vault Privacy USB flash drives and external solid state drives. The IronKey Vault Privacy 50 Series provides business-grade security, looks just like a standard USB key, and is currently available with up to 256GB of storage. The IronKey Vault Privacy 80 also offers business-grade security but comes in a larger package with its own 2.75-inch touch screen and storage capacity up to almost two terabytes. The article also touches on the history and use of USB keys, the increasing need for security, the application of security technologies and certifications, and, of course, the two products themselves.
USB keys have very much become part of our lives. We use them for data backup, to make data portable, as a convenient way to share documents and images with friends and colleagues, and just generally as a very handy way to store and transport files. USB keys are not as small and fragile as SD cards (and especially the very small microSD versions) and not as large as external hard drives. They are a perfect in-between.
Almost a quarter of a century ago I was at a mobile computing conference, and the goodie bag included this strange thing about the size of a Swiss Army pocket knife. It had a cap on it and under the cap was a USB connector. I stuck it into my IBM Thinkpad and after a bit of milling, Windows 2000 informed me that I now had an 8MB external disk. I could drag files from it to my Thinkpad, and from the Thinkpad to that external storage volume on what was the first USB key I had ever seen.
I was blown away. The USB interface was still new and its promise largely unfulfilled. There were a few peripherals here and there that used USB, and that was it. But here was this small, handy little stick that was like an external hard disk but plugged right into a USB port. This had to be the start of something big. After the session I told the conference organizer that this giveaway was the biggest thing of the entire conference. He just looked at me and clearly didn't get it.
USB flash drives, of course, went on to be a huge business that changed the industry, and how we use computers. Untold millions are sold every year.
USB and SSD Flash drives — irreplaceable technology with some issues
Despite their ubiquitous use, USB flash drives and other external solid state storage are not without problems. As is the case with other types of flash memory storage, the number of write/erase cycles is limited (though that is rarely a problem). Standard USB and external SSD drives generally do not have write protection. USB keys can get bent at the insertion point, which can lead to failure. The traditional USB Type A port is increasingly replaced by the smaller and more versatile USB Type C port. And like small storage cards, USB keys, in particular, are all too easily lost or stolen.
Most importantly, for many users — private, corporate or governmental — flash drives present security risks. Data can easily be read from stolen USB keys because most are unprotected. A study — no longer new but still completely relevant — looking into security aspects of USB drives (see here) showed that data loss due to missing, misplaced or lost USB keys is staggering, and that stolen USB keys are a primary source of data breaches. The study also found that most organizations:
- do not provide approved, high quality USB keys,
- do not have policies on acceptable use of USB keys,
- do not mandate and manage the use of secure USB keys,
- do not encrypt sensitive data on USB keys,
- do not scan USB drives for virus or malware infections, and
- do not actively enforce acceptable USB key use policies.
And this despite the majority of respondents stating that USB key encryption makes sense, and that USB keys improve the efficiency of IT operations.
Despite all that, USB drives are hugely popular and that won't change anytime soon. Some of the technical issues have been resolved over the years, capacity of USB drives has gone up dramatically, costs have come down, and many users have learned to live with the possibility of loss as an acceptable risk.
But what about data security? Misplacing or losing a USB key or external drive, or having one stolen, can have potentially devastating consequences.
Enter secure USB keys and external SSD drives
The obvious answer to USB key and external drive security issues is to concentrate on reasonable, effective solutions. And that means protecting the data residing on those inherently mobile storage devices. This could potentially be done with physical means, like having invulnerable enclosures and/or physical locks.
That's not always practical and almost any physical lock can be broken. So for many mobile storage products the industry decided on access authentication and data encryption instead. Let's consider:
Simple PIN or password access can be remarkably effective, as evidenced by its almost universal use on debit cards, mobile devices, and online accounts. While it is quite possible to crack a four- or even six-digit PIN, modern authentication systems will lock up after a set number of attempts. And more complex passwords consisting of upper and lower case letters, numbers, and special characters are almost impossible to beat.
Add to that increasingly powerful hardware-based encryption methods where data is scrambled so thoroughly that it becomes impossible to read without descrambling keys and methods, and you have pretty bulletproof security.
All of this has been available for quite some time and the United States government has documented data security procedures and requirements in their Federal Information Processing Standard 140. So let's take a quick look at some of those standards and their terminology.
What's FIPS 140-2? And AES and XTS? And FIPS 197?
FIPS stands for Federal Information Processing Standard. 140-2 refers to publication 140-2 "Security Requirements for Cryptographic Modules" (see here). This is a standard that "specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems." There are four security levels, where:
- Level 1 only requires the presence of a cryptographic module.
- Level 2 requires the addition of tamper-evidence like a coating, seal or lock. It also requires "role-based" user authentication (i.e. having admin access or something similar) and a trusted operating system.
- Level 3 requires "identity-based" user authentication (i.e. a personal code or password) and a response to unauthorized access attempts, such as warnings and irretrievable erasing of all data.
- There's also a Level 4 that adds physical security and environmental sensing that would not be practical for a USB key.
There's more. Hardware encryption comes in many varieties. In computer data storage, an encryption system will usually scramble 128-bit or 256-bit blocks of data in one way or another. AES (Advanced Encryption Standard) is an often used algorithm that also comes in several varieties or modes. Here, a mode called XTS ("cypherteXT Stealing") offers several advantages and is considered desirable in storage encryption and security.
Why do I mention all of this highly technical stuff? Because both the Kingston Vault Privacy 50 USB key and the Vault Privacy 80 external SSD shown in the pictures on top of this article provide 256-bit AES hardware-based encryption in XTS mode, and adhere to FIPS 140-2 Level 3 validation.
Where does the also often mentioned FIPS 197 fit in and what is the difference between FIPS 140-2 and FIPS 197? While FIPS 197 certification looks at the hardware encryption algorithms that protect data, FIPS 140-2 does that but also requires detailed analysis and certification of a storage device's physical properties. A storage device that's FIPS 140-2 certified therefore guarantees secure, tamper-proof electronics design as well as secure and tamper-proof data encryption. So in essence FIPS 140-2 is the next, more advanced level of certification past FIPS 197 hardware-only certification.
The Kingston IronKey Vault Privacy 80 External SSD
The Kingston IronKey Vault Privacy 80 External SSD is a FIPS 197-certified, TAA compliant external USB 3.2 Gen 1 standard solid state drive in a metal casing with hardware-based 256-bit AES (Advanced Encryption Standard) XTS mode encryption and decryption. It comes in capacities up to 2 terabytes.
To access your data, the drive must be plugged into a computer's USB port (both USB Type A and Type C cables come with the drive) and you need to supply the password. When you lock, power off or disconnect the drive, data is stored encrypted and protected. The VP80ES is OS independent and works with Windows, Linux, macOS, Chrome OS, or any other system that supports USB storage devices.
On first use, plug the VP80ES into a computer. It will perform a self-test, then ask you to create a password at least six characters long, either numeric (6-64 numbers) or a passphrase (up to 64 characters: letters, numbers, spaces), and then to confirm it. The VP80ES screen then shows that the Vault is unlocked and connected, and is FIPS 197 and AES 256-bit XTS compliant. On the computer, the VP80ES shows up as a mounted device. On our test Apple iMac27 it showed up as "Kingston" and ExFAT formatted, with all 960GB of its spec capacity available. There are two files preloaded, a 32-page PDF user manual and the 6-page licence agreement. The data partition can be reformatted with other file system types.
The VP80ES touch screen is resistive, so you can use it with a finger or almost any stylus. If you lock the device and want to unlock it, the input keys of the password entry screen are randomized on each use. That's so that potential fingerprint smudges on the screen won't give the password away, and so that an onlooker cannot memorize your password pattern.
Kingston, of course, recommends a strong, non-obvious password. To guard against guessing of likely/possible passwords, the VP80ES has a settable counter for the number of invalid passwords in a row. If the set number of guesses is exceeded, the drive will wipe itself clean. The VP80ES also allows two passwords, an administrator and a user password. The administrator, which you are upon initial use and setting of a password, has access at all times. User access can be limited in various ways. If both passwords are lost, there's no way the data can be accessed.
As is recommended practice for any USB key or external drive, follow proper disconnect/eject practices. On Windows that means use eject on the taskbar popup, on macOS click the eject button.
The VP80ES has a fairly extensive administrator menu onboard with 13 function areas on three menus. The first page lets you change your current admin password, set up a user, enable or disable global read-only, and set password rules and password length. On the second page you can set the maximum number of password retries, set the keyboard so that number and letter rows appear in random positions, set auto-lock time, set brightness, and set language (English, French, German, and Spanish). On the third page you can crypto-erase the whole drive, including keys and data. Here you can also calibrate the touch screen and toggle touch sounds on and off. Users can also access the menu, but only have a very limited number of options.
All of this works well. One minor issue is that the touchscreen is recessed fairly deeply into its bezel, so that your finger may bump into the bezel and select the wrong option or keypad key.
As for data transfer performance, Kingston claims up to 250MB/s for both read and write data transfers. Why "up to"? Because data transfer speed depends on the OS, the host computer, as well as the type of data and a variety of other variables.
- In our testing, a 2.5GB folder with 400 files in it copied from an Intel iMac27 running MacOS Monterey to the VP80ES in 25 seconds or 100MB/s and was read back from the VP80ES to the Mac in 172 seconds for 14.5MB/s.
- A 2.5GB application copied from the Mac to the VP50 in 70 seconds for 36MB/s, and was read back in 44 seconds for 57MB/s.
- And a 2.5GB MP4 video file copied in just 15 seconds from the Mac to the VP50 for a write speed of about 170 MB/s, and was read back from the VP80ES to the Mac in seven seconds for a read speed of 357MB/s.
As of this writing (August 2022), Kingston IronKey Vault Privacy 80 External SSD pricing, on the Kingston website, is $289.99 for a 480GB version, $359.99 for a 960GB, and $509.99 for a 1920GB drive.
The Kingston IronKey Vault Privacy 50 USB key
The Kingston IronKey Vault Privacy 50 USB Flash drive is a FIPS 197-certified, TAA compliant XTS-AES 256-bit hardware-encrypted USB key supporting USB 3.2 Gen 1. Made of elegant anodized aluminum, it looks and feels just like any other standard USB key and comes in capacities up to 256GB. Kingston says it provides "business-grade" security and, since as a physical USB key it is under user control, it can provide better security than storing your data on the web or on a Cloud service.
Plug the VP50 into a PC or Mac and it initially shows up as "IRONKEY." Depending on platform and settings, you may see a number of files (including a 34-page PDF user manual) needed for running the supplied IronKey software on Windows or MacOS. In essence, the VP50 provides advanced password security via admin/user access, multi-password option, complex passwords, passphrases and brute force attack protection.
The VP50 initially comes with the standard FAT32 file system that works on both Windows and macOS. If needed for your application, you may reformat the data partition with NTFS or exFAT (copy data elsewhere before you do). The VP50 can be upgraded with new software versions that Kingston makes periodically available.
USB keys being small mobile storage devices that may get lost, strong password protection is the best defense against data falling into the wrong hands. Here's what Kingston offers on the VP50:
- Multi-password — You can set three passwords on a VP50. Admin, User and one-time recovery password. Admin gives full access and also access to administrative functions including setting the one-time recovery password for the user. User has limited access (set by Admin) and can use the one-time recovery password.
- Password modes — There is a complex password mode with 6-16 characters including at least one of upper and lower case characters, numbers, and special characters. There is also a Passphrase mode with 10-64 characters that has no specific rules. Passphrases can provide very strong protection and can be easy to remember.
For initial setup, insert the VP50 into a Windows or MacOS computer USB port. On Windows, the OS will detect the VP50 and automatically install the device driver software. You then run the IronKey.exe file. On a Mac, the MacOS will detect it and mount it on the desktop. You then double-click the IronKey app. On either platform you'll then be asked for language preference (10 are available), you must accept the licence agreement, and then set the password or passphrase. This is also where you can enable having both admin and user access. If both are enabled, you set the user password next. Here there is an option for forcing the user to reset the password on the next login. Next you enter name, company and details. Done.
Next time you use the VP50, the drive will mount as IRONKEY, you open that, run the IronKey app, and you will be prompted for the user password, or you can log in as admin. On the login screen you can also make the VP50 read-only, so that an untrusted computer cannot write files to the VP50. Once the password is accepted, you see the VP50 mounted as "KINGSTON" (you can rename it).
If you really don't trust a computer there's an icon to bring up a virtual keyboard. That's to guard against keyloggers that might snatch your password if you use the physical keyboard.
Now what about that brute-force attack protection? If admin and user passwords are enabled, after ten incorrect user password attempts, the password is locked out. A legitimate user could then use the one-time recovery password or ask the admin to log in and reset the user password. After ten incorrect admin password attempts, the entire drive will be crypto-erased. If there is only a user password, the drive will be crypto-erased after ten failed password attempts.
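The lockout rules described above can be written down as a small state machine. The following Python model is an added example, not Kingston's firmware or software: the class and method names are hypothetical, and it assumes that failed attempts are counted consecutively, that a successful login resets the counter, and that recovery-password attempts are not counted.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # limit the review states for the VP50


class DriveModel:
    """Toy model of the described retry policy; not Kingston firmware."""

    def __init__(self, user_pw, admin_pw=None, recovery_pw=None):
        self.salt = os.urandom(16)
        self.data_key = os.urandom(32)  # stands in for the media encryption key
        roles = (("user", user_pw), ("admin", admin_pw), ("recovery", recovery_pw))
        self.verifiers = {r: self._kdf(pw) for r, pw in roles if pw is not None}
        self.failures = {"user": 0, "admin": 0}
        self.user_locked = False

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def _matches(self, role, password):
        stored = self.verifiers.get(role)
        return stored is not None and hmac.compare_digest(stored, self._kdf(password))

    def crypto_erase(self):
        # Destroying the key leaves only unreadable ciphertext behind.
        self.data_key = None
        self.verifiers.clear()

    def login(self, role, password):
        """Try a 'user' or 'admin' login; returns ok, denied, locked or erased."""
        if self.data_key is None:
            return "erased"
        if role not in self.failures or role not in self.verifiers:
            return "denied"
        if role == "user" and self.user_locked:
            return "locked"
        if self._matches(role, password):
            self.failures[role] = 0  # assumption: a success resets the counter
            return "ok"
        self.failures[role] += 1
        if self.failures[role] < MAX_ATTEMPTS:
            return "denied"
        if role == "admin" or "admin" not in self.verifiers:
            self.crypto_erase()  # admin limit, or user limit with no admin set
            return "erased"
        self.user_locked = True  # user limit with an admin present: lock only
        return "locked"

    def reset_user(self, role, password, new_user_pw):
        """Unlock the user via admin login or the one-time recovery password."""
        if role == "recovery" and self._matches("recovery", password):
            del self.verifiers["recovery"]  # one-time use
        elif role != "admin" or self.login("admin", password) != "ok":
            return False
        self.verifiers["user"] = self._kdf(new_user_pw)
        self.failures["user"] = 0
        self.user_locked = False
        return True
```

Running it shows the asymmetry in the policy: with an admin password set, exhausting the user limit only locks the user out, while exhausting the admin limit, or the user limit on a single-password drive, destroys the key.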
While one is logged into the VP50, the Mac or Windows computer will show an IronKey icon that brings up a menu from which you can select VP50 settings, browsing, formatting, support, about, and shut the drive down.
As for data transfer performance, for the Vault Privacy 50 series Kingston claims up to 250MB/s read and up to 180MB/s write speeds. Here again, it's "up to" because data transfer speed depends on the OS, the host computer, as well as the type of data and other variables.
- In our testing, a 2.5GB folder with 400 files in it copied from an Intel iMac running MacOS Monterey to the VP50 in 167 seconds, or 15MB/s write speed. Reading it back from the VP50 to the iMac took 50 seconds, for a read speed of 50MB/s.
- A 2.5GB application copied in 70 seconds from the iMac to the VP50 for 36MB/s write speed, and read back from the VP50 to the iMac in 19 seconds for a read speed of 132MB/s.
- A 1.44GB MP4 video file copied in 15 seconds from the iMac to the VP50 for about 100MB/s write speed and was read back from the VP50 to the iMac in just 5.6 seconds, for a read speed of 446MB/s.
As of this writing (August 2022), Kingston IronKey Vault Privacy 50 External SSD pricing, on the Kingston website, is $49.99 for an 8GB version, $64.99 for a 16GB, $159.99 for a 128GB, and $219.99 for a 256GB drive.
Kingston IronKey Vault Privacy — for when security matters
Reviewing products like Kingston's various protected USB keys isn't easy. On the surface they are just USB keys; you've seen one you've seen them all. But protected USB keys like the IronKey Vault Privacy 50 Series are different. They are not ordinary USB keys with just storage inside. The build, for one thing, is better than generic USB keys. They are dustproof and waterproof and quite rugged.
The Vault Privacy 80 External SSD uses both a different storage technology and a different form factor. It's the size of an external disk drive and comes with up to 2TB of storage. But unlike standard external drives, the VP80ES comes with its own LCD touch display and its own OS-independent software.
Properly used, both of these IronKey Vault Privacy products provide almost infinitely more security than run-of-the-mill unprotected USB keys and external drives. You may still lose or misplace them and they may still get stolen. But it's very unlikely that anyone will be able to get at the data.
Only data security experts fully understand advanced details of cryptography and how it all works. Kingston employs these complex security technologies to make USB keys and external drives as secure and private as they can. That is not only beneficial for individual users, but is also required by many governments and private industries.
USB flash drives and external SSD drives providing this level of security and privacy are more expensive than ordinary USB keys and drives. But considering what could happen if data gets into the wrong hands, they are a bargain.
-- Conrad H. Blickenstorfer, Ph.D., Editor-in-Chief, August 2022
Kingston IronKey Vault Privacy 50 USB key press release
Kingston IronKey Vault Privacy 50 USB key product page
Kingston IronKey Vault Privacy 80 External SSD press release
Kingston IronKey Vault Privacy 80 External SSD product page
Kingston Encrypted Devices page
Kingston security comparison page