I've got a free sample of the Ironkey, it is quite nice.
Nice tactile feel, solid metal case. The chap I spoke to made some bold claims about it working after being submerged for 24 hours, once dried off, but as the internals are epoxy coated, no big surprise.
Apparently, YouTube has a video of one being run over by a bobcat and working afterwards.
It is supported under XP, Vista and MacOS, so saddos like me that stick to Linux and Win2k are out of luck. I have tested it on the wife's laptop and it does what it says on the tin.
There is, apparently, a management version coming out. This should give the sysadmin the opportunity to set the number of times a password can be attempted before the key is fried. I asked if frying could be avoided completely, but the salesman didn't seem to know.
I also visited Sandisk with the same requirements. The Sandisk stick seems to be reasonably good, too.
While it is in no way ruggedised like the Ironkey, it has the benefit (?) of not frying itself. Again, there are two versions, the managed and the unmanaged. Both can be set to block access after 'n' attempts; the managed one will subsequently be recoverable, while the unmanaged one will need to be reformatted but is not bricked.
The Sandisk is supported under Win2k, XP and Vista.
The Ironkey and the Sandisk both claim FIPS 140-2. Unfortunately, neither is going through the process of CAPS approval (UK Govt.). For the Sandisk, there is a different version for the FIPS which has an epoxy coating over the crypto chip to prevent analysis attacks.
Both are big (physically) compared to their unencrypted counterparts, about the size of a standard disposable lighter.
The only other difference is that the Ironkey is 128 bit AES and the Sandisk is 256 bit AES.
One thing that bothers me about both devices is that you are stuck with using the key material that the crypto chip holds. I would like to see a device that allows the crypto manager to reprogram the key with a key that they have generated. The reason for this is twofold. First, if, as with the Ironkey, the key is fried, the data can still be retrieved. Second, and this is the paranoid in me, if the crypto is added by the manufacturer, would they not keep a record of the key, therefore enabling them to retrieve data should the key find its way back to them?
[Edited for poor typing]
Last edited by Bogwitch on Fri Apr 25, 2008 7:10 am, edited 1 time in total.
CISSP, C|EH, C|HFI