The SecureDrive BT is an external hardware-encrypted storage device that relies on the wireless authentication technology instead of the physical embedded keypad and which makes it the first of its kind (along with the SecureUSB BT flash drive that was also unveiled at the beginning of this year at CES) and which poses the question if this is the future of the secure external drives and if the physical keypads should be considered obsolete.
While the regular users (myself included) rarely bother with keeping all their data secure, the companies don’t have that luxury and, besides hiring entire departments to make sure everything is safe and sound, in order to avoid any kind of corporate espionage, they also have to use secure external drives to carry sensitive data around.
That’s where SecureDrive comes into play offering various types of hardware-encrypted storage devices (HDD, SSD and flash drives) that use the best security technologies available to make sure that they’re rendered impenetrable.
Note: The SecureDrive BT is available as HDDs (with the available capacity from 1TB to 5TB) or as SSDs (with the capacity spanning from 250GB to 8TB) – I have the 1TB SSD variant available for testing.
Software vs Hardware Encryption and the Bluetooth Authentication
Once again, we have to answer the question whether the software encryption is better than the hardware encryption or the other way around and, to make things more interesting, SecureDrive has added a new element to the equation: the Bluetooth authentication. The software encryption is a very common way to quickly secure your data using various solutions such as BitLocker or VeraCrypt and the way the encryption works is that it uses the computer’s OS resources to encrypt the data on your drive, allowing you to unlock it by using a unique key. The advantages of such approach is that it’s cheap or free, the software can easily be upgraded and, in case you forget the password (for the decryption process), you can still recover your data.
There are also some serious disadvantages to the software encryption: since it has to use the OS’s resources, the encryption process will be slower and it will most likely slow down your entire computer until it’s done encrypting the data; furthermore, it’s not entirely safe because it can be vulnerable to brute force attacks and the computer’s OS itself can be the weakest link considering that most of us don’t keep it secure and even those that do can be a target because of vulnerable hardware pieces (as can be seen with the recent CPU exploits). This is virtually impossible using a hardware encryption solution because it relies on a built-in separate microprocessor to do the encryption and decryption of the data (it’s cut off from the Internet) and which can’t be accessed by physical means – it also means that it won’t use your computer’s resources, therefore leaving your working station performance unaffected.
But, as I saw with the iStorage diskAshur 2 and it’s also valid for the SecureDrive BT, the hardware encrypted storage devices are significantly more expensive due to all the technologies implemented to ensure that the data is protected to any attack. Additionally, despite being the superior solution in terms of security, you also won’t be able to update the firmware (although the security protocols will most likely remain invulnerable for a long time, there may come a time when you will have to upgrade your portable storage device and once again, this is going to be costly) and, in case you forget the password, usually, there is no way to recover the data (this is both a minus and a plus).
Typically, the external hardware-encrypted storage devices have that characteristic keypad embedded into the case which is the only way for the user to unlock the stored data and, while some may say that the keys will wear off, when I tested the iStorage diskAshur 2, the keys were covered by epoxy, so this is simply not the case (unless you go for the cheap solutions, but that’s another story). So, why did SecureData decide to migrate from this surefire solution and, instead to adopt a keypad-less approach? Well, besides moving the technological development forward, it was a necessary move to allow the use of the DataLock application (developed by ClevX) which, besides allowing multiple ways of authentication (including FaceID, TouchID, Fingerprint reader or face Recognition), it also supports geo-fencing.
This means that you can set a specific perimeter where the drive can be unlocked – this way, the SecureDrive BT can be set to be only unlocked in your company or at home (if you want to protect specific data – useful for storing cryptocoins). The problem with the Bluetooth authentication is that it is vulnerable to the relay attack which, in essence, is similar to the Man-in-the-Middle attack, but instead of changing the data between the claimant (the device that undergoes the authentication) and the verifier (the device that verifies the identity of the claimant), the relay attack pushes authentic data between the two involved devices, therefore impersonating both ends.
While the relay attack could technically be possible to run on the SecureDrive connection to the mobile device, the third party would have to be close to the drive (the geo-fencing feature could help a lot with this issue) and there is no actual data being transmitted, but just the encryption key, so, anything that can be stolen does not contain sensitive information and has a layer of encryption on top of it.
Usually, the portable hardware encrypted storage devices are larger than the regular drives because they have to carry additional internal hardware besides the HDD or SSD itself. The SecureDrive BT is equipped with a Samsung 860 EVO SSD (which I tested not long ago next to its predecessor, the Samsung 850 EVO), as well as an independent processor and a crypto processor, along with other elements that the manufacturer has no disclosed and I can’t really open the case to find out due to the protection against tampering: the internal hardware is covered by epoxy which doesn’t have any impact on the performance of the drive, but it does make it virtually impossible to open the case without damaging the components.
Considering that the SecureDrive BT is an SSD drive, it has decently compact dimensions (it measures 4.92 x 3.03 x 0.23 inches) and it’s also lightweight (it weighs 0.33 lbs), so it is very portable and you can easily slip in your pocket.
The device itself has a metallic body (aluminum) covered by a blue matte finish (does not retain fingerprints), with the left and right areas being made of plastic (covered by a black finish), so it closely resembles the Samsung T5 external drive.
On the top side (where the logo is printed), the SecureDrive has embedded a narrow transparent piece of plastic to allow the three LEDs to shine through: on the left, there’s the Locked LED (a red lock icon – solid red indicates that the drive is powered but not Bluetooth connected; it will initiate flashing red when the drive is connected to a Bluetooth-compatible mobile device), the Data Transfer LED (a blue line) and the Unlocked LED (a green unlocked lock).
On the bottom area, the SecureDrive BT has four small feet which don’t really help much in keeping the device into place (they’re not silicone-coated), but, even if the drive does fall off the desk, I wouldn’t worry too much, because there is 0 chance that the internal components would disconnect and, since it is an SSD, it’s by nature resistant to shocks (there are no moving parts, unlike on the platter-based HDD).
The iStorage diskAshur 2 is IP56 rated, so it is immune to dust ingress and it does fine against water splashes, but SecureDrive doesn’t have an IP rating, so I wouldn’t expose it to the elements. Furthermore, while running the storage performance tests, the drive got slightly warm all around the case, but it didn’t overheat even after repeated read/write tests were performed. Next to the LED indicators, there is a USB 3.0 Micro-B port (you can use the cable provided in the case or simply use any microUSB cable that you have available since it will be compatible) along with the Device ID printed (you will need it to pair the device to the app).
Note: Make sure to remove the cover from the top part of the box to expose the added USB 3.0 Micro-B cable.
The usual drill with this type of devices is to take the drive out of the box, to connect it to a power source (a computer) and to insert the default PIN code to access the contents of the device for the first time. And this is pretty much the case with the SecureDrive BT, only instead of immediately inserting the PIN code, you will have to first download and run the DataLock application (available for both Android and iOS).
After installing the application, it will automatically detect the SecureDrive (don’t forget to enable the Bluetooth on your mobile device) and, next, it will ask for you to write the Device ID code (located near the USB port) and that’s about it, from here on, click on the SecureDrive and insert the default PIN to access the empty drive.
Note: The app will work with most smartphones and iPhones, but it’s also compatible with the Apple Watch and iPads.
The immediate thing that you need to do is to change the default password and to do so, you need to go to the Drive Settings (simply tap on the drive name) where you’ll be able to see lots of options, the first allowing you to change the name and the second is called Change Password (tap on it and insert a new passkey which can be between 7 and 15 digits, can have special characters and you can’t enter only consecutive letters or numbers). As you can see, the process is a lot more intuitive than on the traditional hardware-encrypted drives with keypads.
Underneath the option to change the password, you can also enable the 2-Factor Authentication which requires you to enter your phone number (every time you want to access your drive, a code will be sent to your phone, therefore adding more security to your authentication process) and there’s also the Password Recovery (in case you forget your password, this feature allows you to add a phone number to which you will receive a code allowing you to recover the password and not lose all your data).
Additionally, you can also enable the Remember Password option (if you don’t want to enter it every time you have to access your drive), the Biometric Unlock (use your fingerprint to unlock your drive) and you can set the Inactivity AutoLock (if no data is being transmitted over a set period of time, the drive will automatically lock itself). Underneath, you can enable the Step-away AutoLock (the drive will auto-lock the moment your mobile device is out of the Bluetooth connection range – after I disabled the Bluetooth on my smartphone, the SecureDrive BT immediately locked itself), make the drive Read Only, Reset the Drive or perform the Remote Wipe (just like the Reset function which deletes all the data and the encryption, the Remote Wipe has the role of deleting all the data from your drive in case it is stolen or lost – for this feature to work, you need to enable it prior to losing the drive).
The traditional portable hardware-encrypted storage device would maintain a hierarchy type of users, so the admin could add or delete users and, in case one employee (user) would forget the password, the admin could still access the data. This function is missing from the SecureDrive BT‘s DataLock application, but it can be found on the advanced DataLock BT Remote Management software (available for an yearly subscription) which will support an admin account and multiple users, and it adds the possibility of assigning (by the admin) specific drives to the users (including viewing the Access Log), changing the user’s password and remotely erasing data from the drive.
But that’s not all, because the admin can also set an Allowed Time for when the users can unlock the drives, as well as set an Allowed Location: using Geo-fencing, you can set a specific area on the map where the driver can be unlocked (based on the GPS coordinates of the mobile phone).
Note: It is important to understand that using the DataLock BT Remote Management, the admin doesn’t have to be in the proximity of the SecureDrive BT, but it can make the necessary changes from anywhere in the world where there’s access to the Internet.
Protection and Performance
The SecureDrive BT is FIPS 140-2 L3 validated (similarly to the iStorage Pro series) which means that the drive is protected against physical attempts at gaining access to the cryptographic module (the tamper proof enclosure and the epoxy coating), so it’s not possible to detach the internal components off the drive (not in a way that will allow you to access the data). Furthermore, the SecureDrive BT is compliant with GDPR and HIPPA, and it does offer Military Grade AES256 bit XTS encryption which is a rather fancy term, but it means that the encryption algorithm is suitable for protecting top secret information and other type of sensitive data, as recommended by the NSA.
The drive has also implemented protection against the BadUSB exploit – the drive will not be accessible until the correct PIN is inserted and it also is protected against the Brute Force attack, so, similarly to other secure storage devices, in case you enter an incorrect password ten times in a row, all the passwords are automatically deleted and you will have to format the drive in order to use it again (unless you have added the device to the Remote Management console, there is no way to retrieve the authentication key since SecureData says that there are no backdoors implemented).
Some other means of protection are the proximity lock, which means that the drive locks itself if the Bluetooth device is out of range, it will also lock itself if the computer goes to sleep (you can also set it to auto-lock after a certain period of inactivity, so, even if you left your desk, other people won’t be able to access the content of the drive). Additionally the SecureDrive BT has the remote wipe function (as discussed in the Application section) and I found it interesting that the manufacturer has also added the USB antivirus (by ESET) which does have only a 1-year license and it can automatically detect any malicious data and deny its access to the SecureDrive BT (it’s a very nice security addition).
To test the storage performance of the SecureDrive BT SSD (1TB), I connected it to my Lenovo laptop (using the cable provided in the package) and I ran the ATTO and the CrystalDiskMark 6 synthetic benchmarks. I also will compare the results to what I got a few months ago when I tested the Samsung 860 EVO SATA III SSD. The ATTO benchmark has revealed a significant difference between the SecureDrive BT and the Samsung 860 EVO when writing and reading smaller files (between 512 B to 32 KB) and a difference of about 100 MBps remains even when writing and reading larger files between 64KB and 64MB (about 30 % difference in performance). The CrystalDiskMark 6 has revealed a similar performance, with the difference being about 100MBps for both the sequential reading and the sequential writing tests.
Lastly, I decided to do a simple read/write test using a 2.5GB folder and I measured an average of 272 MBps while reading the folder and an average of 268 MBps while writing the folder. When compared to the ‘pure’ Samsung 860 EVO drive, there is a significant performance difference, but, considering that there should be some expected overhead due to the encryption process, this performance actually makes sense (don’t get me wrong, the SSD remains very fast for most uses).
The SecureDrive BT is a one of a kind external hardware-encrypted storage device (for now) because of its Bluetooth authentication approach and, if you carry sensitive data with you (the usual case with corporate workers), then you need to consider using this type of drive because of their impenetrable nature. When compared to the traditional hardware-encrypted drive equipped with a keypad, the SecureDrive BT is slimmer, therefore more portable, it does allow the possibility of password recovery (along with a multitude of authentication options), but you do need to rely on a mobile device every time you wish to unlock the drive and, if you want any advanced features (such as admin privileges, which is a standard on its competitors or the impressive geo-fence feature, unique to this device), you do need to purchase a separate subscription.
Check the product here:
- Hardware encryption
- FIPS 140-2 L3 validated and Military Grade AES256 bit XTS encryption
- Premium build quality (the case is also portable)
- Bluetooth authentication
- Geo-fencing + other advanced options
- No USB type-C port
- A bit expensive