News this week that certain Kingston secure USB drives suffer from a serious security flaw has prompted me to consider the question: which is the better solution, hardware or software data encryption?
Traditional reasoning has been that hardware encryption is more robust, as it provides a ringed wall against prying eyes for sensitive data, where software-based solutions have the data in plain view - albeit scrambled such that only the right key can reassemble the data.
The Kingston DataTraveler Vault Privacy that I reviewed a few months ago, and which uses 256-bit AES hardware encryption, is said to be not affected by the flaw. But other devices, such as the Kingston DataTraveler BlackBox also use the same 256-bit AES encryption, and have been found to have a backdoor that would allow anyone with a little hexcode know-how to bypass the user's own passcode to gain full access to the device.
Kingston Technology is graciously offering to upgrade the USB key of anyone affected by this revealed design fault. Fair enough - but it poses a few uncomfortable questions.
First, since you bought the key to keep your privatest data private, would you really want to send it to its maker knowing that they - or someone who intercepts the key on its way - could potentially view all your data (bearing in mind that secure deletion of NAND flash memory is not a given)?
Remember that anyone paying £200 for a USB stick must have had a good reason to pay so much for what can be bought unencrypted for less than a tenner. The contents of that key could be far more valuable.
And second, while the 'safe' DataTraveler Vault Privacy is still declared secure today, what's to say that another design fault for this device - or on any competitor's - isn't discovered tomorrow?
Software solutions at least have the advantage of being user upgradeable, with open-source software such as TrueCrypt offering all their source code for peer review and public viewing. That way a skilled user can even inspect the software to ensure no secret backdoors have been included to allow free access by, for example, government agencies.
But in their favour, hardware-locked USB keys are becoming increasingly multi-platform friendly and can be used without admin privileges on the local PC. In short, they're easier to use, and until now, considered at least as secure as most software encryption. For what it's worth, they're often found with FIPS (Federal Information Processing Standard) certification for use by the US government.
Perhaps for the perennially paranoid, a combination of proprietary hardware encryption without and an open-source software-encrypted volume within?