Secure your Mac: SecuriKey USB dongle
As we recently mentioned with regard to the newly available Mac support for the Eikon USB fingerprint scanner, hardware security peripherals on the Mac have been rather thin on the ground. But coming on the heels of the Eikon, GT Security has announced an update to their SecuriKey USB security dongle for Mac which adds encrypted Volume support. Basically, the SecuriKey software creates a virtual secure Volume, protected by AES 128-bit encryption, on which you keep your sensitive data. To access that Volume, all you have to do is plug in the USB dongle (which they call a "token"). If you remove the dongle, the Mac will reset to the login screen. It's a lot like Knox, but locked via a hardware key instead of a password.
The SecuriKey Professional Edition is $129.99; there's a software-only upgrade for $50 if you already have one of the dongles.
[via MacNN]


Reader Comments (Page 1 of 1)
John said 9:22AM on 9-27-2007
Anyone else have an issue with the Zune ads sitting in the middle of the unofficial APPLE weblog!???
Reply
Greg G said 9:25AM on 9-27-2007
Yeah... kinda weird.
It's like posting goatse.
Reply
Aron Trimble said 9:53AM on 9-27-2007
This would be useful if:
A. It does not hinder system performance like FileVault is known to do; and
B. There is some sort of backup plan / fail-safe in the event you lose the key in the ocean/laundry/fiery pit of Mordor...
Reply
Mo said 12:32PM on 9-27-2007
So essentially they're, er, storing a keychain containing the DMG password on the USB stick, and have written a driver that suppresses the Finder's unsafe removal moan and instead flips you back to the login screen.
Fine.
But $129!?!
If I'd known people were charging that much for it, I'd sit down and write one that works with any USB stick and sell it for $50. Jesus. (The hardest part there is suppressing that Finder warning—flipping back to the login screen when the stick's unplugged is trivial with a shell script, but somewhat more robust if you go to the trouble of using the notification APIs).
Reply
Tony B. said 12:55PM on 9-27-2007
@1 : No problems here with ads... FireFox with AdBlock plus - I don't need no steeenkin' adverts :-)
Now if only I could get AdBlock for Safari...
Reply
Bennett Griffin said 1:00PM on 9-27-2007
Hi Aron. I've been using our new SecuriKey Encrypted Volume for a while now, and I can tell you I haven't seen any noticeable performance drops on the Macs I've used, even on an older 667 MHz PowerBook G4.
As far as losing the key, there is a second, backup key right in the box. Also, you can register your key with us and we can build a duplicate if you ever need one.
A friend of mine in marketing has a habit of washing his SecuriKey Token in his jeans. While I wouldn't recommend this, his key has been working ok even after the laundry trips.
Bennett Griffin
GT Security
Reply
Bennett Griffin said 1:21PM on 9-27-2007
Hi Mo. Actually, we have an encryption chip on the USB key. So we're not storing keychain items. The hardware-based encryption is integrated into the unlock of the software-based AES encryption on the Volume. So, you have to have both the right SecuriKey Token and the right password (2 factor authentication) in order to unlock and open the AES Encrypted Volume.
Bennett Griffin
GT Security
Reply
Mo said 1:51PM on 9-27-2007
Hi Bennett,
Good to see you guys are paying attention :)
I'm puzzled, though: how is this any better than just storing an encrypted keychain item on a USB stick and tweaking Finder/monitoring the mounted volumes? Surely I can shift data to and from my CPU for enc/decryption far quicker than I can the USB bus, so I'm guessing that something isn't as it seems if the crypto's done in hardware?
I'm not saying there isn't something about this that makes it worthwhile, I'm just really struggling to see what's here that isn't provided by Mac OS X and a bit of scripting (and given my tutorial for storing Keychains on USB sticks was linked to by TUAW a few days ago, it's fair to say I have a bit of an interest!)
Reply
Mo said 2:43PM on 9-27-2007
I'm forgetting the obvious, actually:
The AES chip on the stick is used to encrypt/decrypt the key used to encrypt/decrypt the disk image; much as a Mac OS X Keychain is encrypted with a user-supplied password, and contains a key used to encrypt/decrypt a normal encrypted disk image.
Assuming I'm right (I might not be, of course!) I'm still not seeing a clear benefit: now, embedding an LCD in the stick and using it to display a one-time password based on a timer (much akin to SecurID), and *that* is used to encrypt/decrypt the key that protects the disk image, there's a product I'd pay for.
Reply
Bennett Griffin said 10:54PM on 9-27-2007
Hi Mo. What we are doing is essentially separating and splitting the key from the lock. There is a unique key value in the encryption chip in the SecuriKey Token. This is then combined with the password that you choose when you create the Encrypted Volume. These together are required to unlock the AES encryption key for the data itself.
The net result is that you must have all the pieces of the key to open the lock. You need the correct SecuriKey Token and need to know the correct password in order to unlock the AES Encrypted Volume. This integration of strong, two-factor authentication with AES data encryption provides best-practice level security for your data.
The security is thorough. The simplicity of using SecuriKey is also important. SecuriKey integrates into the Mac OS logon interface and will lock your Mac when you pull the SecuriKey Token from the USB port, too. SecuriKey is designed to provide complete security for your data on your Mac without getting in your way. The way you use it just makes sense - just like using the Mac.
Bennett Griffin
GT Security
Reply
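The key split described in the comment above (a token-held value combined with a password to unlock the volume's data key), sketched as an added example; it is not GT Security's code and not part of the original thread. Assumptions: the token is modeled as an HMAC challenge-response device, the password is stretched with PBKDF2, and an HMAC-derived pad plus tag stands in for AES key wrap because Python's standard library has no AES; all names are hypothetical.

```python
import hashlib, hmac, os

class Token:
    """Hypothetical dongle model: the secret stays inside, only responses leave."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def _kek(password: str, token: Token, salt: bytes) -> bytes:
    # Factor 1: something you know, stretched to slow offline guessing.
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Factor 2: something you have; mixed in so neither factor alone yields the KEK.
    return hmac.new(pw_key, token.respond(salt), hashlib.sha256).digest()

def _pad(kek: bytes, n: int) -> bytes:
    return hmac.new(kek, b"wrap-pad", hashlib.sha256).digest()[:n]

def _tag(kek: bytes, salt: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"wrap-tag" + salt + ct, hashlib.sha256).digest()

def wrap(volume_key: bytes, password: str, token: Token) -> dict:
    assert len(volume_key) <= 32, "pad is a single SHA-256 block"
    salt = os.urandom(16)  # fresh per volume, so the pad is never reused
    kek = _kek(password, token, salt)
    ct = bytes(a ^ b for a, b in zip(volume_key, _pad(kek, len(volume_key))))
    return {"salt": salt, "ct": ct, "tag": _tag(kek, salt, ct)}

def unwrap(header: dict, password: str, token: Token):
    kek = _kek(password, token, header["salt"])
    expected = _tag(kek, header["salt"], header["ct"])
    if not hmac.compare_digest(expected, header["tag"]):
        return None  # wrong password, wrong token, or tampered header
    return bytes(a ^ b for a, b in zip(header["ct"], _pad(kek, len(header["ct"]))))

def demo() -> dict:
    secret = os.urandom(32)                          # constructed token secret
    primary, backup = Token(secret), Token(secret)   # backup carries the same secret
    stranger = Token(os.urandom(32))
    volume_key = os.urandom(16)                      # 128-bit data key
    hdr = wrap(volume_key, "correct horse", primary)
    return {
        "both_factors": unwrap(hdr, "correct horse", primary) == volume_key,
        "backup_token": unwrap(hdr, "correct horse", backup) == volume_key,
        "wrong_password": unwrap(hdr, "guess", primary) is None,
        "wrong_token": unwrap(hdr, "correct horse", stranger) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Note that a duplicate token only works if it holds the same secret as the original, so whoever can build duplicates is part of the trust boundary.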
Rotciv said 2:30AM on 9-28-2007
Interesting, so what will happen to stuff that's being worked on such as encoding in Compressor or your online status in iChat or an unsaved document when the token (USB key) is removed?
Reply
Bennett Griffin said 1:31PM on 10-01-2007
Hi Rotciv. When you remove the SecuriKey token, we place your Mac in a secure state. Your screen switches to the login window, and you must insert your SecuriKey Token and enter the correct password to continue.
While the Mac is in this secure state, your processes continue to run, documents remain open for edit, etc. When you re-authenticate, your desktop reappears and you can immediately continue with your work.
Bennett Griffin
GT Security
Reply