What do you think about this?

Discussion in 'privacy technology' started by markoman, Sep 23, 2008.

Thread Status:
Not open for further replies.
  1. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
  3. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I have this already using TrueCrypt.

    I have a keyfile on my USB stick. And I carry my USB stick around with me. If I don't insert my USB stick that contains the TrueCrypt keyfile, it's impossible to access my encrypted files on my HDD.

    So you can get the same effect as GoldKey by using TrueCrypt with a keyfile on your USB stick.

    And the best part is.. you don't need to pay any money to get this type of security. But with Goldkey it will cost you.
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    It looks more complicated than having a truecrypt exe and container on a usb key. Not sure they really explained the system really well either.
     
  5. lotsaluck

    lotsaluck Registered Member

    Joined:
    Sep 25, 2008
    Posts:
    1
    Truecrypt doesn't give you everything that GoldKey does out of the box. (You can make it do similar things in regards to multiple users, but it's a kludge and has its own security concerns. And you can't do the email thing with Truecrypt at all. Well, you could email a Truecrypt container, but that's not the same thing; you'd be better off 7-zipping the files with the AES-256 option and emailing the results.)

    A few of the advantages of the Goldkey:

    1) Multiple people can be authorized to access the same data store without needing to futz with headers or sharing the passphrase as one would have to do with Truecrypt.

    2) Multiple data stores (USB Drives, encrypted folders, encrypted containers on the network) can be accessed from one authorized goldkey. If for some reason that key is compromised, the settings on the data store can be configured to deny that key without having to communicate that fact to other keys/users.

    3) If one loses their GoldKey, their data is still accessible as long as someone else's key works, or the master that created the personal key is still available.

    4) One can email files encrypted with the GoldKey to other Goldkey users and be confident that the email will remain secure, even if it is forwarded on to someone else, or saved to a local drive.

    5) It doesn't appear to require admin rights to access the encrypted drive.

    However, once you start looking into other security products, the disadvantages become numerous.

    1) No integration with a directory services (AD, LDAP, NDS). This makes key management yet another task: User left, now I have to remember to disable their AD account and their GoldKey account. User changed departments: Did I remember to change their Goldkey settings? On the SOHO end, this probably isn't that big of a deal, but on the "Enterprise" end, it is.

    2) Speaking of management, this thing requires that someone know what they are doing. In a SOHO environment, this isn't likely. One's much better off getting an Ironkey or a Kingston Secure DataTraveller. The interface is simpler and it isn't as expensive. And if one does know what they are doing, there is always Truecrypt.

    3) For what you get, it is insanely expensive. On the SOHO end, you're looking at $787 for a master and 3 user tokens, plus the time it takes to figure out how to deploy this effectively. On the "Enterprise" end, you're looking at $15,000 for 100 users. $15,000 buys a lot of Entrust licenses, and Entrust can be configured to encrypt folders so that certain groups have rights. It also has the advantage that you can encrypt files to send to people outside the organization without having to shell out another $120 for a hardware token you're not likely to get back.

    4) In and of itself, it is worthless. It doesn't have any storage on it, it is only used as a token. So now one would need to carry this and their USB drive on their keychain. Sure you can encrypt multiple USB drives with it, as well as any other storage, but so what? Software can do the same thing, and can be bundled with the device.

    This isn't a disadvantage per se, but with the price being paid, including it would definitely be a plus:
    5) This thing is so close to being able to be used as a 2nd factor authenticator: It's a thing you have, and you need to know something to use it, but it only works on drives. It would be a much better sell if it could be integrated with VPN solutions, Citrix logins, Pointsec, etc. it might even justify the cost.

    So in summary, I think that this is a solution that is looking for a problem. Lower the cost, ease the management and/or add in the ability to be a 2nd factor authenticator and it could be a useful product.
     
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    I bet the next news from the UK will be:
    Government official's car got stolen with a Notebook and a 1,5 TG HDD with sensitive data and the gold key left together with the car keys inside :argh:

    There is no solution for user stupidity.
     
  7. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Thanks to everybody for your opinion.
    I do use TrueCrypt, and I am not going to change it any time soon for some expensive solution. Anyway, I thought the fact that this Goldkey does hardware encryption (and maybe key management?) was something good. Any idea how secure this hardware encryption might be?
     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    That's good, because you will get a very secure setup by using TC password and TC keyfile on a USB stick. Both password and keyfile are needed to decrypt the data. One without the other makes it useless. That's what I do. :thumb:
     
  9. jandy

    jandy Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    3
    We all like free, but there are security benefits with having a hardware token. I couldn't help but notice that if a hardware token was stolen with a laptop the token would still require a password. From GoldKey's documentation it sounds like their token will even lock up after a number of password failures.

    I would love to see TrueCrypt support hardware tokens.
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    So what's the difference from having a Truecrypt keyfile on a USB stick, to Goldkey? I cannot see a difference, as they both fulfill the same objective. However, one is free and the other costs money, so I will stick with TC, as nobody will be able to break my TC container without the password + keyfile which I carry around with me on a USB stick, hence no need to pay money for Goldkey.
     
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    Well, if jandy is right, the GoldKey would lock after some failed PW entries. TC can't do that because it's open and it's software only, so while in TC you need a > 20 chars long password, GoldKey may be almost as secure with only a 4 digit PIN, because the password is not the encryption key but only an authentication factor.
    Though I would most likely be afraid that someone may cut the device open and somehow get to the internally stored encryption key; since it's closed source, no one can know how secure it really is against a good hardware attack.
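
Added example (not part of any post in this thread, and not GoldKey or TrueCrypt code): a toy Python model of the point made above, that a short PIN gating a key held inside a token can only be guessed a few times, while a secret the key is derived from can be guessed without limit against a copy of the container. The 3-try limit, PBKDF2 and all names are assumptions, and the model assumes the counter cannot be bypassed in hardware.

```python
import hashlib, hmac, os

def stretch(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF a real product uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 1000)

def offline_guesses(salt: bytes, verifier: bytes, candidates):
    """Software-only container: the key is derived from the secret, so anyone
    holding a copy of the header can test guesses with no limit."""
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(stretch(guess, salt), verifier):
            return n          # number of guesses that were needed
    return None

class ToyToken:
    """Token model: the data key is random and never derived from the PIN.
    The PIN only gates release of the key, and wrong tries are counted."""
    def __init__(self, pin: str, max_tries: int = 3):   # limit is assumed
        self._key = os.urandom(32)
        self._salt = os.urandom(16)
        self._pin_check = stretch(pin, self._salt)
        self._max = self._left = max_tries

    def unlock(self, pin: str):
        if self._left == 0:
            raise PermissionError("token locked")
        if hmac.compare_digest(stretch(pin, self._salt), self._pin_check):
            self._left = self._max      # success resets the counter
            return self._key
        self._left -= 1
        return None

def token_guesses(token: ToyToken, candidates):
    """Returns (guesses the token accepted, whether the key was released)."""
    tried = 0
    for guess in candidates:
        try:
            key = token.unlock(guess)
        except PermissionError:
            return tried, False
        tried += 1
        if key is not None:
            return tried, True
    return tried, False

PINS = [f"{i:04d}" for i in range(10_000)]   # the whole 4-digit PIN space
if __name__ == "__main__":
    salt = os.urandom(16)                    # "0420" is a constructed PIN
    print(offline_guesses(salt, stretch("0420", salt), PINS))
    print(token_guesses(ToyToken("0420"), PINS))
```

Once the toy token is locked, even the correct PIN no longer releases the key, which is the trade-off against the recovery concerns raised elsewhere in the thread.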
     
  12. tigereye

    tigereye Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    1
    I have one of these and they are really tough. See the epoxy filling and the "demolition" videos. I don't think you could get at the chip without making it useless.

    You can't copy it -- they have the keys protected in it somehow -- which makes it much more secure than a flash drive with a keyfile. Also, their web site says it generates a new key for every file it encrypts (wow) so that's better too.

    I think a lot of big companies are not adopting TC because of the key management issue (what happens when a user forgets their password or walks off with it?) and that is one of the biggest attractions of GK. You register to a Master Key and then if someone loses a key, you can still get in. It also lets you set up groups so you can use it to actually share encrypted files. Very cool.
     
  13. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    That little bit of fire is nothing; they should test a hefty sledgehammer or thermite...

    Ever tried getting rid of the epoxy with acetone, or a milling cutter?

    Sure, the run-of-the-mill 16-year-old hacker won't be able to drill into the chip that easily, but the company next door that specializes in industrial espionage will be in there in no time.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exactly what I was thinking, only you put it into better encrypted lingo than me :D
     