Saturday, 12 March 2016

Using E2B with the datAshur Personal encrypted USB flash drive

I have been looking recently at how to protect a USB Flash drive, including encrypted USB drives. Some models (the cheapest) just provide a data encryption program to make an encrypted folder on the USB drive.

Others comprise two 'devices': one is a CD containing the encryption software and the other is the Flash storage volume (similar to U3 USB drives).

Neither of these types is suitable for USB booting, because the BIOS needs to be able to read the unencrypted drive sectors on power up.

Another type of encrypted USB drive is the type that has a PIN keypad. This type encrypts the data as it comes in or out of the USB drive. The data is stored in an encrypted form on the flash memory, but any external device will 'see' the unencrypted data (if the correct PIN is used).

I found several models of encrypted USB Flash drives that require a PIN number to unlock them. There seem to be only four different ones, however, as many of them appear to be re-badged/re-branded versions of the same thing:

  • datAshur = Toshiba = Apricorn = Aegis = Kingston (Removable)
  • KingFast USB Secure = Si Force (Removable)
  • Netac U618 - appears as two drives (Removable?)
  • Corsair Padlock - rumoured to lock on OS boot

I really wanted a USB 3.0 model but they seem way overpriced!

I researched these on t'internet, and found some problems were reported by various users (Corsair Padlock had problems booting, Netac 16GB is configured as 4GB protected and 10GB unprotected fixed split + resets on booting apparently).

The Netac may be suitable if you want to keep your E2B files on the 10GB portion and maybe have one or two ISOs on the protected portion. You could enter the PIN, boot from it to E2B and then boot from an ISO on the protected partition using a .mnu menu entry. It is much cheaper too!

I could find no information about booting from the KingFast type, but iStorage specifically mention a '10 second delay' for booting. I decided to go for one of these and picked up a new datAshur Personal 8GB USB 2.0 drive (IS-FL-DAP-DB-8) on eBay for £25 (£30 from eBuyer).

[Edit] iStorage contacted me to say that the '10 second delay' is a misprint and is actually the 30 second delay that the datAshur waits for after successful PIN entry. If no 'USB access' is seen by the datAshur within 30 seconds, it will lock itself. It is so far unknown what 'access/command/USB protocol' it needs.

Note: The datAshur SSD USB 3.0 version is the Fixed Disk type (not Removable type).

datAshur Personal

This has a detachable (easily misplaced) cap, a very thick key loop (that doesn't fit well on a key ring unless you use a second small ring) and a crummy blue plastic case (does not look like ABS plastic, so probably not very robust, though I did not give it a 'destruction' test). No attachment ring or cord was provided, which would have been kind of handy considering its intended use. The keypad buttons felt quite sturdy though.

The drive appeared as a 'Removable' type and was pre-formatted as NTFS.

This device can accept both a User PIN and an Admin PIN (if enabled). The Admin PIN is useful if you enable read-only access - then the User PIN will unlock the drive and give read-only access, but the Admin PIN will allow full read/write access.

First I copied over E2B + a Windows 8 install ISO - this took aaaaaaggggges to copy at the remarkable speed of 2MB/s! I did the washing and made a cup of tea and then came back and ran WinContig. This took even longer to run and seemed to take a long time to finish, even once it had reached the 100% completed mark (not that Windows ISOs need to be contiguous anyway for E2B).

You could die of old age waiting for this to finish!

Time for a coffee!


I unlocked the drive (it is Li battery powered and the PIN can be entered with it unplugged or plugged in to a USB socket) by entering the default PIN of 11223344, then connected it to my little Asus EeePC 904 and it was detected by the BIOS and it booted to E2B.

Note: I found that, like the Lexar S25, it did not work in the two right-hand-side USB sockets (only the left socket on the EeePC worked). The metal around the USB plug on the datAshur was probably not pressing hard enough on the contacts. Most of my other USB drives work OK on these two sockets though. I gently squeezed the metal end of the USB connector on the datAshur to make it fit tighter in the USB socket and that seemed to solve the problem.

Squeeze the connector for a tighter fit!


On booting to the Win8 Install ISO, I saw the rotating circle of dots, then 'Setup is starting' and then the E2B 'LOADISO' blue console window ran and loaded the ISO (hurray!). This was a relief, as it did not seem to reset the USB drive/controller. However, a reboot did reset the USB drive and make it inaccessible and what's more, I had to actually unplug it before it would allow the PIN entry to unlock the drive again.

Next I tried a version of Win8PESE using the .isoPE01 file extension. This was not quite such a good story. It seemed to reset the datAshur during the 'rotating circle of dots' phase and stopped it from being accessible! I found I could get round this by re-entering the PIN whilst it was still connected, by quickly using the KEY - 11223344 - KEY sequence, e.g.:

Loading files bar (blue LED flashing) - spinning circle (LED goes out) - enter PIN quickly...

The EeePC also booted directly from my XP vhd file OK (XP.vhdboot) (though it took about 5 minutes to get to the Desktop!).

Can't boot - won't boot!

Booting on my Acer Aspire 7741G was more problematic. The USB ports were not powered when the notebook was off. If I entered the PIN number, then inserted the datAshur and then switched on the notebook, the BIOS did not detect the datAshur and would not provide me with a boot option to boot it! As far as I could tell, the datAshur was not fully enabled because it seemed to 'time-out'. Perhaps it needed an 'access' from the BIOS to become fully enabled and did not see the right command sequence. I even took the internal hard drive out, to try to force it to boot from USB. In the end, I had to admit defeat with the Acer notebook - it just wouldn't 'detect' the datAshur!

Booting Ubuntu and Kali on a PC

Booting to an Ubuntu ISO on my Z87 PC was not a problem however. I haven't yet tried persistence but it should work. 

There was an Amazon reviewer who stated that Kali resets the USB drive, but it will take me an hour to copy it to the datAshur, so I didn't test it!

[Edit] I have now tried Kali Light 32-bit (1GB ISO). It did indeed stop during the early text-mode boot phase and the LEDs on the datAshur all went out (booting from EeePC) - I just re-entered the PIN code and then Kali automatically continued to boot to the Kali desktop.

Summary

So, if you want to use the datAshur as an E2B boot drive, I really cannot recommend it. It may not boot on all systems, it gets disconnected when loading WinPE or rebooting and it is very slow.

I suppose you could use it for a portable WinPE or linux+persistence solution, but it will probably be too slow for WindowsToGo (which would need to be a volume licensed version for portability).

The big problem was that it just would not boot from the Acer 7741G notebook, so as a general purpose E2B boot drive - nul point!

If you know of a better alternative, please let me know.

Usage

I was intending to just use the datAshur drive for personal document storage anyway, as it is really too small and too slow for use as an E2B multiboot USB drive.

If you want to test it yourself, contact iStorage for a 30-day sale-or-return trial.

As well as important documents, I am going to add a bunch of 'password grabbers' to it. This will allow me to run the utilities on my Windows system and save all my current passwords (using the Nirsoft password utilities). If I keep the drive on my key ring, I will always have my passwords handy, but protected. I will also encrypt the files too (probably using Rohos mini), for extra protection, rather than leave them on the datAshur drive as plain text files. It might also be a good place to keep KeePass/LastPass too.

P.S. Subscribe to this blog for my upcoming review on the datAshur Pro USB 3.0 drive which I hope will be faster and more suited to booting to E2B!