Data safety is of paramount importance for many enterprise use-cases, and in certain scenarios, for home consumers too. Portable storage devices have typically offered data protection in the form of hardware encryption activated by one of multiple methods. Commonly used protection mechanisms include hardware keypads on the drive, a software application running on the host system with password protection prior to the mounting of the data volume, and biometric protection with, say, a fingerprint reader integrated in the device. Earlier this year, Samsung had launched the Portable SSD T7 Touch with such an integrated fingerprint sensor.
Smartphones have become an indispensable part of everyday life, and serve as a digital identity of sorts for the owner. The biometric authentication that allows access to the phone has been taken advantage of as an added security measure in various other scenarios (two-factor authentication). Applications that authenticate based solely on the ability to unlock the phone exist too. Some portable storage device vendors have adopted this ‘app scheme’ as an alternative to the ‘intrusive’ measures outlined in the previous paragraph for unlocking encrypted drives. Examples include the SecureDrive BT series of hardware-encrypted external portable HDDs and SSDs using the DataLock BT app and iStorage’s upcoming datAshur BT series of USB flash drives. Today, Western Digital is introducing their own version of BLE-based authentication and unlocking of a portable storage device under the ArmorLock moniker. The first product based on this technology is also being launched today – the G-Technology ArmorLock-encrypted NVMe SSD.
The ArmorLock Security Platform
Traditional protection methods for encrypted portable drives have tended to be intrusive and slows down the process of using the drive on different systems. The ArmorLock security platform is intended to enable simple and seamless usage of encrypted drives using mobile / desktop apps (unfortunately available only for iOS and macOS at launch). An ArmorLock-encrypted drive carries a BLE radio that communicates with the Bluetooth radio on the mobile / desktop system on which the app runs. The app-based unlock scheme enables password-less unlocking using key exchange. WD claims that the secure pairing is seamless (a comparison was made with the Apple AirPods pairing scheme).
Prior to usage, each drive is authorized on a system where the retrieval key is generated first and backed up (for use in the case where all authorized mobile devices become unavailable, but access to the data is still needed). After this, multiple mobile phones can be authorized for the same drive, with only a public key from the mobile app needing to be fed into the administrator console. Multiple drives can also be authorized and managed from this administrator console, enabling remote usage after the authorized drive gets shipped over. The drives can also self-format and be subject to secure erasure through the mobile app. If enabled, the phone’s location information can also be used by the app to show where the drive was used last.
It must be noted that the ArmorLock security platform does NOT need cloud connectivity. In fact, the mobile phone or system used for unlocking can be air-gapped during the unlock process for the portable drive.
ArmorLock-encrypted NVMe SSD
Moving on to the hardware itself, the G-Technology ArmorLock-encrypted NVMe SSD is a rugged drive with a IP67 rating. 2TB is currently the only available capacity point. It also includes what appears to be a robust thermal design allowing the drive to sustain 1000 MBps read and write speeds for long durations (that is typically encountered in studios and other content creation scenarios that form G-Technology’s target market). 256-bit AES-XTS hardware encryption is used to protect the data. The internal drive is a WD Black SN750 NVMe SSD with tweaked firmware.
Western Digital supplied us with a review unit of the ArmorLock-encrypted NVMe SSD and advance access to the apps. However, the ongoing lockdown coupled with the absence of any Apple device in my testing location means that we have to wait for the release of an Android and/or Windows desktop application for a hands-on review.
Western Digital’s vertical integration – right from manufacturing the flash, the SSD, and the in-house development of the protocol, firmware, and associated apps – means that the premium product can be priced very competitively. At $600 for the 2TB NVMe SSD behind a USB 3.2 Gen 2 bridge, it is hundreds of dollars cheaper than the equivalent drive from the competition and offers features that the competition charges a subscription for. The open-sourcing of the protocol and the ability to provide app and firmware updates in the field ensure that the drive is protected against any weaknesses that might arise in the key-exchange process.
Western Digital is targeting the G-Technology ArmorLock-encrypted NVMe SSD towards content creators, studios, and business professionals, as well as IT managers in the finance, legal, healthcare, and government industries. Some of these segments need FIPS certification, which adds significantly to the cost of the device. Western Digital did indicate that they are open to creating a FIPS-certified version if the market demand exists. At the current price ($600), we are sure most of the target market will be quite happy with the offered feature set.