most secure USB key package

I want to require the presence of a usb dongle for my devices to operate. I have heard of some software solutions like Predator, for windows. I'm really looking for something more secure. I want my machine to be a total brick without the usb stick. I understand such a product may not be available to consumers, but the features I am really looking for are:
- disable power on/boot without usb stick
- log unauthorized access
- power off machine if usb stick is removed
- requires presence of usb AND a password
- require usb to decrypt and use harddrive
I'm really looking for something that is enterprise/government/military class and runs UNDER the operating system, so that the machine is totally bricked without the usb.

 

That's really specialized software, I have no idea. The 'poor man's' way would be to TrueCrypt the whole system, and put half of the pass phrase (32 random, unknowable characters) on a Yubikey in Static Mode for Slot 1. No logging or power off though.

PD

 

Yeah A YubiKey is the answer.

 

The thing with Yubikey and TrueCrypt is you cannot achieve true two factor pre-boot authentication. The end user can still log into the system with or without the Yubikey present.

With regards to pigsteezy's requirements.

In my opinion you will be perfectly fine encrypting your hard drive(s) with an open source solution such as Truecrypt or Window’s native variant. If you still require two-factor you can then implement that at the OS level.

A more extreme suggestion would be creating a Live DVD/Live USB version of your windows system and storing the saved information onto an encrypted hard drive or some other medium you wish to use. That would meet most of your requirements.

Other than those two solutions there really is no safe way to achieve this without going the enterprise route and also upgrading your hardware to support such solutions, which in my opinion are not worth the costs involved.

 

Correct, I believe they call it pseudo-two factor.

You are 100% correct, not disagreeing, but I do see it as one step above straight memorization.

JMHO.

PD

 

I know what you mean, in terms of how the technology works. You are quite right.

While it does not provide a separate / independent validation, effectively leaving anyone in physical possession of the hard drive with only a single hurdle to overcome, it does eliminate some level of exposure (by less sophisticated adversaries) by requiring a second object to complete the log on. Secondly, if the initial user password is strong, the Yubikey addition would make it impenetrable.

The price is reasonable. However, for anonymity, I don't know how one gets around the payment process.

While this is about USB key package...what about usb fingerprint readers for a second factor?

 

If you're talking the inexpensive consumer readers - no. Two words: Silly Putty.

 

Thanks for today's best laugh!

 

Also in Jetico BestCrypt Volume Encryption is TFA feature.
You can move encryption key from encrypted volume into removable drive and vice versa.
Without this key on USB, even if you enter valid password (you can set multiple passwords eg. one for admin, additional for other user) - volume won't be mounted.
Unauthorized access is logged and you will get notification (with no. of attemps) when you log in on encrypted system volume after start BCVE executable file.
Power off machine if usb stick is removed is not supported however Jetico BCVE introduced Alarm Crash Hotkey to prevent Cold Boot Attack so if instead of turning off the computer the user presses Alarm Crash Hotkey, BestCrypt Volume Encryption will not only restart the computer immediately, but will also wipe all encryption keys from memory.
Full help file online documentation is available here:
http://www.jetico.com/bcve_web_help/