Review: encrypted hard drive, unlocked by fingerprint

I don't know about you, but I'm fed up of reading news about how yet another company has carelessly lost yet another batch of private customer data. Sadly, the story is all too familiar: Typically, an employee takes a copy of the data away on some sort of portable storage, which inexplicably goes missing. I mean, how hard can it be to make sure that the data are encrypted? Actually, pretty hard, as it turns out -- at least for 'regular' users. Software-based whole drive encryption can be a pain to use, if Joe the marketing guy just want to take his stuff home to work on. Odds are that the version of Windows he has at home doesn't include BitLocker, Microsoft's native Windows disk encryption scheme -- if he uses Mac OS at home, fuggetaboudit. And add-on software such as TrueCrypt are just that -- add-ons, which can be too much of a roadblock for 'average' users.

Enter: automatic, hardware encryption, where the cryptography magic and its user authentication are contained within the storage device itself. 

Apricorn Aegis Bio

Apricorn, Inc., based near San Diego, sent me one of its latest biometric devices for review -- the Aegis Bio (in this case, the new 640 GB version). The unit is a laptop-style, 2.5" SATA drive, shock mounted inside a USB enclosure. What makes it unusual is biometric authentication -- a fingerprint scanner is built into the case. Once set up, the user simply plugs in the unit -- just like a regular external USB drive -- and then scans a fingerprint to unlock the data. No extra software needs to be installed on the PC or Mac (I wouldn't be surprised if it worked with one of those funny Linux computers, too -- sorry, @sjvn). A successful fingerprint scan enables the encryption hardware, which implements 128-bit AES. Up to ten fingerprints can be 'enrolled' to control the drive; an administrator can set up an additional escrow password, just in case. Apricorn's range of external drives are unusual for a simple, but effective piece of design thinking: a captive USB cable. This forehead-slappingly brilliant idea means you don't need to mess about with plugging in a separate cable -- there's one already neatly stowed in the side of the case (if that short cable isn't long enough, the unit is also supplied with an extender).

I tested the unit by installing the administrator software and setting up the virgin drive. Unfortunately, this is where I hit my first snag. Both Windows and the Apricorn software simultaneously prompted me to format the drive. Confusing, to say the least.

It's only because I was paying attention that I noticed Apricorn's prompt, just before Windows' dialog box popped up in front of it. As it happens, it's important to format the drive using Apricorn's software, not Windows, so it was pure luck that I decided to cancel the Windows dialog box. It's important to stress that this is only a problem with the administrator software installation -- no software is required for the end-user. Apricorn promised to update its documentation, but what IT admin reads the fine manual?

The software formats the drive as a single FAT partition; it gives you no opportunity to choose the more resilient NTFS. Apricorn says this is deliberate: to prevent users from corrupting the drive by unplugging it before data being written have been committed to the disk. In my experience, this problem is more to do with setting the write-caching policy for the drive than the filesystem type; perhaps Apricorn should revisit this decision. Performance: My usual simple tests of reading and writing a folder of large files and a folder of small files gave good results using 32-bit Windows 7. The unit performed well, sustaining large file writes of around 20 MB/s writes and 30 MB/s reads; as usual with mechanical drives, small files were much slower, at around 100 KB/s writes and 350 KB/s reads.

However, I can't recommend using it with a Mac, as Apricorn warns that "Mac OS sees the Aegis Bio as a USB 1.1 device." Ouch. That's likely to be a painfully slow experience, and pretty much a deal-breaker for most Mac users: caveat emptor. Note also that the initial administrator setup needs to be done in Windows.

Although the supplied USB extension cable included an additional USB plug in case extra power was needed, I was pleased not to need to use it. I tested the unit with several computers of different vintages, and it seemed that its power consumption was low enough not to be fazed by marginal USB hardware -- a common problem with other bus-powered drives. Although end-users don't need any extra software installed, they can optionally set up the drive to also use the fingerprint reader instead of the Windows logon. Additionally, the device can be used as a more general password safe for credentials such as network share passwords and Web page authentication. A neat bonus feature. Apricorn sells this unit in a range of sizes, from 250 GB up to the 640 GB part I tested. I was glad to see that the company doesn't gouge their users on price for the larger drives: MRSPs range from $119 to $159, with street prices significantly less. As a recent sufferer of bad luck with hard drive reliability, I was also glad to see a three year warranty. In summary: recommended for Windows users. Mac users should look elsewhere. Pros:

  • Captive USB cable saves messing about with extra wires
  • Good performance (on Windows)
  • Low power consumption; doesn't need two USB plugs
  • Optionally can be use as password safe for logon and other authentication
  • Three year warranty

Cons:

  • Confused initial setup (for administrator)
  • Poor performance on Mac (USB 1.1)
  • Optional software Windows only
  • Optional authentication doesn't support Chrome; just IE and Firefox

Would you use a hardware encrypted external drive? Leave a comment below...

Richi Jennings, blogger at large
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: TLV@richij.com.

You can also read Richi's full profile and disclosure of his industry affiliations.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies