IronKey compares its Secure Flash Drive to an iPod, saying it's a hardware, software and online service all rolled into one product. I don't know about the iPod comparison, but from a security standpoint, this flash drive is impressive. The IronKey Cryptochip uses government-approved AES CBC-mode 128-bit encryption at the firmware level -- meaning you can't open the case, remove the chip and access the data.
We tested the 4GB model. The drive comes in a sleek, stainless-steel, waterproof case that feels sturdy and quite heavy compared to other USB drives I've used. Security-wise, what I liked right off the bat about this drive is that the case cannot be pried open because there are simply no seams. I like the size of this drive as well. I'm not a big fan of mini-USB flash drives for the simple fact that they're too easily lost (I know this from experience). This drive is the size of a thin pack of gum -- perfect.
The first thing the IronKey drive asked me after I plugged it into my laptop's USB port was to set up my username and password and configure a secure Web browser, which takes about two minutes. (There is little about setting up this device that is fast, including read/writes, but keep in mind that you're sacrificing speed for security.) To use the IronKey flash drive, you need to activate an online account. This is a necessary step to enable certain services -- such as online password backup, device and software updates -- and to access IronKey's encrypted Web-surfing service, which uses Mozilla's Firefox.
Besides creating an online username and password, you'll be asked to supply answers to three supplemental authentication questions that will verify your identity in case you ever lose your username or password. Failing to answer the questions accurately will lock you out of your account permanently.
After filling out your supplemental authentication questionnaire, IronKey then asks you to choose a photo from a group of antiphishing/antipharming protection images so that every time you log into your online account, the images appear and you can be assured it's IronKey and not a counterfeit site. But you're not done yet. Now you must also create a security phrase consisting of letters and numbers, which will also be used to authenticate your identity when you log into the site. Finally (and believe me, I was happy to know this was the last step), the company e-mails you an activation code that you must enter in a window to complete your online setup. The company does allow you to change personal security information at anytime by accessing account settings.
After the initial setup, each time you plug in your IronKey drive, a menu will appear offering you the option to back up and encrypt files, manage your passwords and online account, change settings or access a FAQ page. One feature that I like about this menu is an option to leave the USB drive in the port, but also to relock the device so that if you walk away from your computer, no one walking by will have access to the device and the data stored on it.
Casual and brute force attacks
If someone does happen to gain access to your flash drive and they fail to type in the correct password more than 10 times, IronKey will self-destruct, permanently locking out users and wiping out all the data on the drive.
According to IronKey CEO Dave Jevens, the drive's self-destruct feature first locks out the IronKey Cryptochip, preventing any further access. This is done with a nonvolatile counter stored in a hardened, tamper-proof chip. IronKey uses a separate cryptographic processor with its own internal password-guessing counter. This counter is not stored in the flash memory, so it is not vulnerable to memory rewind attacks, meaning the drive will be able to tell if a program is being used to guess your password (see white paper and data sheet on the IronKey drive).
After locking out access, the firmware then destroys the encryption keys. Next, the device deletes all the encrypted data stored in the flash memory by using a low-level, high-speed overwriting deletion method. This deletion removes data stored in wear-leveling areas and bad blocks of the NAND flash, resulting in the most complete erase possible.
From a speed standpoint, IronKey is above average for the drives we tested, but it's not eye-popping. According to the company, its 4GB model is faster than the 1GB, but it still only has an 18MB/sec. write and 25MB/sec. read rate. It took me 4:15 to back up 251 files in 29 folders that contained mostly photos and a half-dozen videos representing 1GB of data.
Small file data transfer is much slower. Computerworld also transferred 13,500 files representing 1GB to the IronKey 4GB drive and found it took 46:08 minutes.
I also ran HD Tach, which showed a 31MB/sec. burst speed and an average read rate of 29.6MB/sec. and has a 6-millisecond random access rate. CPU utilization rate was higher than any other drive we tested at 22%.
Local and remote backup
Iron Key automatically backs up your online passwords as you use them and offers secure data backup both locally and remotely, so that if you lose the physical drive, you can buy another drive and download your data via the online backup service.
A 4GB IronKey Secure Flash Drive lists for $149, well above other drive prices. We didn't find anything much less expensive online. Prices on Pricegrabber.com ranged from $71.50 for the 1GB model to $149 for the 4GB drive. The prices reflect the use of longer-lasting single-level cell (SLC) NAND memory, as opposed to multilevel cell (MLC) memory of other drives we tested. Although MLC memory increases data density by storing 2 bits per memory cell versus one in SLC, it also decreases the life expectancy of the device. SLC memory lasts about 100,000 write cycles and MLC memory lasts about 10,000 writes. You're also paying to alleviate your paranoia about losing data. This is without a doubt the most secure USB flash drive I've ever tested.