LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Is a soft-encrypted USB w/ Linux/BSD possible to make ? (https://www.linuxquestions.org/questions/linux-security-4/is-a-soft-encrypted-usb-w-linux-bsd-possible-to-make-4175411458/)

dezza 06-14-2012 11:04 AM

Is a soft-encrypted USB w/ Linux/BSD possible to make?
 
Like a cheaper software IronKey / Defender from iMation:
http://www.imation.com/en-US/Mob...
^ See link, check IronKey / Defender.
or LOK-IT
http://www.lok-it.net/

The IronKey doesn't have USB3.0 with much disappointment, and neither does LOK-IT or any other hardware-encrypted USB I've come across.

What security issues are addressed by using hardware encryption instead of just software-encrypting the USB?

Is it even possible to boot from a software-encrypted USB?

How will it compare to a hardware-encrypted USB (If it's possible)?

BlackRider 06-14-2012 05:10 PM

Quote:

What security issues are addressed by using hardware encryption instead of just software-encrypting the USB?
This is a very extensive topic. Hardware encryption is supposed to provide some protection against "cold boot attacks" (use a search engine if needed). However, some software solutions reduce the impact of such attacks anyway...

I guess the most important advantage of Hardware encryption over software encryption is efficiency. As cryptography is done in the hardware's chipset, and not in the CPU, it does not waste your resources.

Security? I have seen some high-degree hardware encryption solutions bring dangerous encryption flaws which needed a full device replacement. With software encryption, if a flaw is discovered you can just upgrade the software. This does not mean hardware based cryptography is insecure, I only say it is not as convenient as it seems.

And it is too expensive. Most users are far better served by a low cost software based system. Unless you are a big company or something like that, dm-crypt, loop-aes or a replacement are more convenient.

Quote:

Is it even possible to boot from a software-encrypted USB?
If you keep a small partition in the clear as booting platform, and encrypt the rest of the info in another partition, you can go that way. A cheap, fast and dirty option is to install a Knoppix CD in your USB, boot it and let Knoppix automatically create an encrypted filesystem. The encrypted filesystem acts as a "container" which you can mount either from any Linux or booting the Knoppix through the USB.

jefro 06-14-2012 07:29 PM

And the IronKey has suffered a major hole in it.


It is getting to be a trivial matter to create any live usb. The same ways you secure a normal hard drive install are the tools that you use.

There are some elements to a mechanical or hardware type encryption that have some sales pitch.

In a real world only the most advanced computers could hack into a 256 bit encryption. Some of the tools they use are not brute force but some educated guesses. This is where some features of hardware make it difficult to get those cheats.

NyteOwl 06-14-2012 08:19 PM

Quote:

And the IronKey has suffered a major hole in it.
What hole is this?

dezza 06-15-2012 06:08 AM

Thanks so far everyone; BlackRider, jefro, NyteOwl !

BlackRider: How do you create a software-encrypted USB then? I've not done a live USB before .. I would like to move OpenBSD to a USB-system. Some installers can install directly to USB; others need a bit of tweaking (ex w/ fstab) and such.

I would like to do this the most secure way possible.

BlackRider 06-15-2012 08:23 AM

Quote:

How do you create a software-encrypted USB then? I've not done a live USB before .. I would like to move OpenBSD to a USB-system.
FOR BEGINNERS:

First: choose a Live distribution or operating system. I find Knoppix and Porteus to be good options.

Second: Read the distribution documentation. Each distribution has its own way of doing things. Install it to the USB by the methods the documentation provides, it is not that mysterious... if you are having trouble, you can order a Knoppix USB drive from a store.

Third: Set up the encrypted filesystem. Every distribution has its own way.

IN KNOPPIX, THE METHOD IS:

Get a Knoppix CD/DVD and boot it in a computer.

Plug in a USB device and search for the Live USB creator tool. Launch it as root and follow the instructions until the installation is over. It can take a lot of time, so don't despair.

Shut everything down. Boot the Live USB. It will ask you if you want to create a file for persistent data: say you do. Then it will ask you if you want to set up AES encryption. Say YES and you are done.

The encrypted filesystem will be loaded every time you boot the USB. You can access the encrypted data from outside also, as the encrypted filesystem is really an ext2 inside of a regular cryptoloop (in /KNOPPIX/knoppix-data.aes).

And you are done. More complex approaches (for better results) are possible, involving Knoppix remastering and such. Cryptoloop is not a perfect solution and it's not considered really great, because it can suffer filesystem errors or be attacked by watermarking. However, if you use a really good password, it should prevent your attackers from retrieving your data easily. I wouldn't bet on a short password in cryptoloop against a Cray supercomputer, keep that in mind.

Having a Live OpenBSD is just a matter of performing a regular install on a USB, just don't think their encryption schemes are mature. They work but are still a task in progress.
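The layout BlackRider describes in both posts (a small cleartext partition for the boot platform, the rest encrypted, and a container you can also open from any other Linux host) written out as a script. This is an added example, not code from anyone in the thread or from Knoppix; it uses dm-crypt/LUKS through cryptsetup, which BlackRider names as the convenient software option, in place of the Knoppix cryptoloop file. The device name, the 512 MiB boot size, the mapper name usbdata and the mount point /mnt/usbdata are assumptions, and installing the distribution's kernel and bootloader into the cleartext partition is still done the way its documentation says.

```shell
#!/bin/sh
# Added example for this thread (not any poster's own code): lay a USB stick
# out as a small cleartext boot partition plus a second partition encrypted
# with dm-crypt/LUKS. Device name, sizes, the mapper name "usbdata" and the
# mount point /mnt/usbdata are assumptions; change them for your stick.
# DRY_RUN=1 (the default) only prints the commands for review; DRY_RUN=0
# executes them as root and erases everything on the device.
set -eu

DRY_RUN="${DRY_RUN:-1}"
BOOT_MB=512            # cleartext partition: kernel, initrd, bootloader
MAPPER=usbdata         # /dev/mapper/$MAPPER once the LUKS volume is open
MOUNTPOINT=/mnt/$MAPPER

# run: echo each command with a '+' prefix, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# part DEV N: device node of partition N (/dev/sdb -> /dev/sdb1,
# /dev/mmcblk0 -> /dev/mmcblk0p1, /dev/nvme0n1 -> /dev/nvme0n1p1).
part() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# check_target DEV: accept only a whole-disk device name, and refuse a device
# that has something mounted, so a typo cannot wipe the running system.
check_target() {
    case "$1" in
        /dev/sd[a-z]|/dev/mmcblk[0-9]|/dev/nvme[0-9]n[0-9]) ;;
        *) echo "refusing: $1 is not a whole-disk device" >&2; return 1 ;;
    esac
    if grep -q "^$1" /proc/mounts 2>/dev/null; then
        echo "refusing: $1 has mounted partitions" >&2
        return 1
    fi
}

# make_encrypted_usb DEV: partition the stick, LUKS-format the data
# partition and create both filesystems.
make_encrypted_usb() {
    dev="$1"
    check_target "$dev"
    boot=$(part "$dev" 1)
    data=$(part "$dev" 2)

    # Partition 1: $BOOT_MB MiB, FAT, bootable. Partition 2: the rest (Linux).
    run sfdisk --wipe always "$dev" <<EOF
label: dos
size=${BOOT_MB}MiB, type=c, bootable
type=83
EOF
    run mkfs.vfat -n BOOT "$boot"

    # LUKS2 header on the data partition: AES-XTS with a 512-bit key
    # (256-bit AES strength) and argon2id to slow down password guessing.
    run cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
        --key-size 512 --pbkdf argon2id "$data"
    run cryptsetup open "$data" "$MAPPER"
    run mkfs.ext4 -L "$MAPPER" "/dev/mapper/$MAPPER"
    run cryptsetup close "$MAPPER"
}

# open_usb DEV / close_usb: day-to-day access from any Linux host, the
# "mount the container from outside" use the thread mentions for Knoppix.
open_usb() {
    run cryptsetup open "$(part "$1" 2)" "$MAPPER"
    run mkdir -p "$MOUNTPOINT"
    run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}
close_usb() {
    run umount "$MOUNTPOINT"
    run cryptsetup close "$MAPPER"
}

# verify_usb DEV: confirm the data partition really carries a LUKS header
# and show its parameters (cipher, key size, PBKDF) before trusting it.
verify_usb() {
    run cryptsetup isLuks "$(part "$1" 2)"
    run cryptsetup luksDump "$(part "$1" 2)"
}

# Usage: DRY_RUN=0 ./usbcrypt.sh make /dev/sdX | open /dev/sdX | close | verify /dev/sdX
if [ $# -ge 1 ]; then
    case "$1" in
        make)   make_encrypted_usb "${2:-}" ;;
        open)   open_usb "${2:-}" ;;
        close)  close_usb ;;
        verify) verify_usb "${2:-}" ;;
        *)      echo "usage: $0 make|open|close|verify [DEV]" >&2; exit 2 ;;
    esac
fi
```

Run it once with the default DRY_RUN=1 and read the printed commands against the stick you actually mean; only then rerun with DRY_RUN=0. The cleartext partition carries nothing but the boot files, so losing the stick exposes the distribution, not the data, and the password quality BlackRider stresses for cryptoloop matters just as much for the LUKS passphrase.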

NyteOwl 06-15-2012 12:40 PM

You're welcome, though I've not helped much other than ask about the hole in the Ik mentioned above that to my knowledge doesn't exist.

I've not tried doing this with OpenBSD but it isn't hard to do with Linux. The above is a good place to get started.

There is a bootable equivalent of the Ironkey called the Ironclad made in partnership with Lockheed-Martin but sadly it's only available to corporate and government customers.

The biggest advantage to hardware encryption is speed and (depending on design) the security of the encryption keys. For most folks wanting to secure some personal info from non-pro or non-data thieves, a software solution is usually sufficient and more flexible, as well as less expensive.
