I have been using an Ironkey for a little over a year now. I have been very happy with it so far.
I was recently given a Knox-IT to try out. After using both of them for a while now, I wanted to write down some thoughts I have on both of them.
When you think of secure encrypted flash drives, you think of Ironkey. Ironkey is the current industry leader. They are FIPS 140-2 Level 3 compliant, and are well known for pioneering the whole “after X failed password attempts the device will self-destruct.”
When I first received my Ironkey, the first thing I noticed about it was it’s overall design–The packaging (no photos sorry!) made it seem like I was unwrapping prized jewelry. The smooth, finished feel to the flash drive itself, and the (surprisely) heavy weight gave me the impression that this was a quality product.
When you plug the Ironkey in the first time, a proprietary autorun application launches and runs you through a wizard that sets up the Ironkey. Easy to use, no qualms here. A nice touch is that I can specify contact information that will display on every autorun, in case the Ironkey is lost.
Normal use is pretty straightforward–Plug in the flash drive, type in your password in the autorun app, and you get access to your sensitive data.
I have kept it in my pocket for the last year, and the only wear and tear that I see is some nicks here and there.
Knox-IT / Lok-IT
(Knox-IT is the name of the previous version of the Lok-IT)
My first impression with the Knox-IT was quite the opposite of Ironkey. The packaging was the cheap plastic that is really hard to open. The grey lightweight (plastic) material that makes up the Knox-IT screams Chinese knockoff all over it. Fortunately, it gets better from here.
The key differential between the Ironkey & Knox-IT is that Knox-IT uses 5 hardware buttons for your passcode, instead of a autorun app (software solution) from Ironkey. So you put in your passcode, the green light illuminates, and you plugin the flash drive and you use it like any other flash drive. It will automatically lock/encrypt the flash drive when you disconnect it.
Using the included docs, it was a very simple process to setup the passcode. Testing it out, I didn’t run into any issues unlocking and locking it back again.
According to their website, a FIPS 140-2 Level 3 compliant Lock-IT is slated to be released Q2 2011.
I really like the build quality of Ironkey better than Knox-IT, but I really like the concept of KnoxIT–Using hardware buttons to unlock the flash drive means that the Knox-IT is completely invulnerable to one of Ironkey’s primary weaknesses: Keystroke Logging. Yes, Ironkey does have an on-screen keyboard that can be used to mitigate this threat, but it is clumsy to use, and do you really know anybody that is actually using the on-screen keyboard? I don’t.
The only other issue that I would point out about Knox-IT is that with only 5 hardware buttons, the attack space for guessing the passcode is quite small, but the mitigating control for that is that you only have 10 tries to unlock it before it self-destructs. As a side note, the new version of Knox-IT (Lok-IT) now has a full complement of 10 hardware buttons–This fact plus the 10 tries & self destruct mechanism effectively disables a passcode guessing attack.
One final note that I have to mention. As I was researching for this post, when I went to Knox-IT’s website, I got soft-blocked by my organization’s content filter, because the site was categorize as “Malicious.” I thought that the content filter must have miscategorized the website, and so I continued anyway.
Here is the result.
Pretty ironic, huh?
5 thoughts on “Ironkey vs. Knox-IT/LOK-IT – A Subjective Comparison”
Josh, you definitely need to do a follow-up post after looking at the new Lock-IT. The new device is much more rugged and “professional” in its appearance and offers 10 passcode buttons.
However, having now used both, here are some additional benefits to Lock-IT.
1) If you enter 10 wrong attempts on IronKey, you now own an $70, shiny, paper weight. Lock-IT comes equipped with 6 encryption keys. 10 wrong attempts simply wipes the current encryption key. What this means is that, although you have still lost any data that was on there, you can start over and still use the device! VERY NICE! (That from someone who accidentally forgot a password on an IronKey).
2) We had a couple of IronKeys where, when the user yanked the IK out of the USB port without first “locking” the device, it hosed up the IK — no longer useable.
3) When you plug an IK into your machine, it is assigned a drive letter. Once you enter the passcode and “unlock” the device, a second drive letter is assigned that maps to the “secure” part of the device. Lock-IT won’t even register on your machine unless its unlocked and when it does, it simply maps as one drive letter. Not a big deal unless, like us, you have an app that requires a static mapping. Trying to walk users through setting up specific drive mappings is a pain … especially if you have to do it to two drive letters instead of one.
Just some additional thoughts that moved me from IK to Lock-IT.
P.S. On item 2, I meant to add that with Lock-IT, yanking the device out of the USB port is the intended design for locking the device. So, the user doesn’t have to conciously remember to do some “shutdown” procedure on the device to avoid losing data.
I can’t honestly say that IK requires the “shutdown”, but having lost 2 IK to the user yanking them out without locking, I’d say it’s a safer bet.
I have just bought the new Lok-it 10 PIN device in the uk from http://www.lok-it.co.uk (think it is on Amazon (UK) as well. It is made of aluminium (not plastic) and is very robust.
I Agree with all the positive comments about Lok-it above and yes you should review the latest version.
What was not mentioned is that this device can be used on any device that has a USB port (because Lok-it is unlocked before you put the device into your chosen machine). This cannot be said about other secure USB’s as they all need to be put into a PC and a password input via keyboard and screen .
So can be used on PC’s / MACs (obviously) and scanners, printers, TVs and DVRs etc.. I read somewhere that the Lok-it will also work with the new breed of Smartphones.
My advice – if you need a secure drive there is only one choice – LOK-IT
All the best from the UK.
Hi there, just wanted to let all UK users of Secure Flash drives know that LOK-IT is now available in the UK.
The product is now a 10 Key device in Black, with a hardened aluminium shell and epoxy filed. The LOK-IT Secure Flash drive is also FIPS 140-2 Level 3 Certified (the highest level a flash drive can be).
If you want to have a look at the site visit – http://www.lok-it.co.uk – also we are running a Monthly FREE Prize draw to win one of these little beauties.
All the best
This article is a year old now- guess the discussion is cold. For lurkers/visitors though, I guess it might be worth chipping in with a few positive aspects of Ironkeys to counterbalance the abundance of pro-LokIT opinions.
For context, what I write comes from a fairly security-layman perspective, basic technology competence (Science educated, experience with millitary systems, amateur programmer) but nothing fantastic.
Long time user of Ironkeys and have briefly experimented with a LokIT (admittedly for *very* short time).
A few thoughts:
(i) I run portable apps off my Ironkey (secure apps) which involves intensive writes/reads. “S” model Ironkeys (‘D’ models don’t) use SLC flash memory- which has greatly higher longevity/durability (often quoted 10 times the number of read/writes and superior long term data retention especially in harsh conditions) compared to the MLC flash memory used in the vast majority of common USB flash devices. Practically, MLC flash devices are not approved for mission critical applications, whilst SLC is. SLC is much more expensive and at consumer pricing confines SLC devices to lower capacities, so I’m almost certain that LOK-IT uses MLC memory. That might be an issue for users given that applications run off a drive can be a vital backbone of security when using the drive on less than trustworthy computers.
(ii) On account of specific built in software, Ironkeys do have more specific system/OS requirements than LokIT, but this also seems to trade off with more built in hardware/software integrated functionality (to the best of my knowledge- I might be wrong). Ironkeys for instance can be logged in using a “read only mode” to prevent and writing of malware to the drive. Not for everyone, but there are also built in secure backup features that seem to be well reviewed as robust in terms of security.
(iii) The general durability of Ironkey seems to live reasonably up to advertising claims. I’ve used several in a millitary environment with heavy ‘dust/bumps/bangs/liquids/heat’ with no issue. With my limited experience I can’t comment on Lok-IT’s newest iteration in long term usage and review data seems inconclusive on fail rates. An Ironkey at least seems to guarantee a pedigree of durability. Whilst a “play it safe” approach can definately be unfair to emerging companies, if you have only so much to spend- it’s fair to say that as of writing: Paying for an Ironkey gets you a product with a generally positive customer tested track record.
I don’t want to sound like an Ironkey fangirl here !. It doesn’t live up to it’s claims of being “the world most secure flash drive”. No single product takes that mantle. As far as I gather, LokIT is a great new product with definate advantages over Ironkey where security where susceptability to software keyloggers/screen-capture is paramount. Above all, it’s a great thing that consumers have choice and that there is competition in the market.
It is in this spirit to note that there seems to be in the LokIT vs Ironkey debate: A degree of “underdog syndrome” surrounding the mainstream success of Ironkey products. Script-kiddie “H4ck3rs” sneer baselessly at anything mainstream on (antisocial) principle and competing companies are obviously not exactly unwilling to capitalize upon misconceptions this sentiment spreads. By choosing LokIT over an Ironkey- customers may well be turned away from a legimately strong product that may be better for their usage needs than LokIT is.
Worth a thought.