datAshur BT Encrypted USB Drive, For Your GDPR, HIPAA and CCPA Needs

Manufacturer: iStorage

iStorage sent over a new encrypted USB, with a nice trick to gain access as opposed to the physical keypad common to most of their products.  The datAshur BT USB drive uses Bluetooth and a phone app for access management, either on your own as a personal drive or remotely managed by an admin portal if used as part of a fleet.  It also offers MFA as an option; even without the additional layer of security it is still protected from brute force attacks by a 10 attempt limit before automatically wiping the drive.

In order to access your data you choose the appropriate app from Apple or Android, install it, register the drive and set up your preferred options.  Physically the datAshur BT is a USB 3.2 Gen 1 Type-A drive which can be formatted and encrypted on any modern OS, or connected to a TV or other device with USB input, while the management tools are agnostic to the OS used as they run off your phone.  Data speeds are slowed by the AES-256 XTS encryption but not frustratingly so and there are features which can make it compliant with most official security and privacy protocols.

iStorage also physically protected the drive, making it dust and water resistant when the cap is on.  If you were to pry open the drive you would find every internal component buried under a layer of hard, protective epoxy.  That is not just there as waterproofing, it will also make attempting to remove any components in a working condition an extremely non-trivial task.

 

Product Specifications
  • Model Number: datAshur BT
  • Compatibility:
    • Windows, Mac, Linux, Chrome, etc
    • Any device supporting USB mass storage such as medical devices, TVs and printers
  • Protection – IP57, dust protected, water resistant up to 1m
  • Security Protocol – AES-256 XTS (XEX-based tweaked-codebook mode with ciphertext stealing)
  • Bluetooth – FIPS 140-2 Level 3 compliant design and technology
  • Compliance – GDPR, HIPAA, SOX, FIPS
  • Authentication and Security:
    • Optional MFA
    • 7-15 character password
    • Biometric unlock – Use your phone’s facial, fingerprint or iris scanning for unlock
    • Wipes drive upon 10th failed attempt
    • Remote and local reset
    • Easy to find HID for locked down USB infrastructure
    • Physical serial number to keep track of multiple drives
  • datAshur BT Remote Management Console portal for fleet management
    • Portal with traditional Enterprise controls
    • User and device management and pairing
    • Remote password reset
    • Remote wipe
    • Geographical and time of day locking
  • Languages – English, French, Italian, German, Spanish, Portuguese, Polish, Russian, Chinese-Simplified, Chinese-Traditional, Korean, Japanese
Pricing

$126 USD – 32GB

$142 USD – 64GB

$181 USD – 128GB

Manufacturer Description

“The datAshur BT is an ultra-secure, hardware encrypted USB 3.2 (Gen 1) flash drive that is available in capacities from 4GB-128GB. The datAshur BT offers multi-factor secure wireless user authentication utilising Bluetooth® (BLE) technology, turning your smartphone into a password authentication device for a seamless user experience.

Whether deployed within an organisation and managed remotely or used as a standalone drive, with datAshur BT you can encrypt your valuable and sensitive data to military standards to ensure compliance with stringent regulations and directives, such as GDPR, HIPAA, SOX, and more. There is no longer a need to sacrifice security for greater ease of use.”

datAshur BT – Personal App

If you are going to use this encrypted USB drive for personal use, grab the datAshur app via a QR code on iStorage.  There is a unique eight digit code physically stamped on the USB connection, which you enter to start pairing the drive.  This means you can have several different drives paired to your phone and can easily tell them apart to ensure you are working with the right one.

You can name the drive and set a password for access, as well as visit the options page for much more control over the security of your drive.  If you prefer your phone to remember the password, you can indeed do so, and you can also set up password recovery to get back into your drive if you happen to forget your password.  This is also where you can enable MFA and provide a phone number to receive a texted verification code, which needs to be entered before you even see the password screen.

The options screen will also allow you to set inactivity locks as well as automatically locking the datAshur BT if the paired device leaves Bluetooth range.  You can ensure the drive is safe when being plugged into strange devices by setting it to read only, and this is also where you can remotely wipe or reset the drive if you lose it.  Remote wiping is nice.

To start, launch the datAshur app on your phone and enter the eight digit code from your physical drive when prompted.  Then plug in the USB drive and you should quickly see it pair to your phone via Bluetooth, and you can begin the naming and password creation process.  Once you are set up you will see the drive with your chosen name shown in the app and can tap to lock or unlock, and it will appear on your computer as a normal USB drive.  Speeds are decent, if not approaching the theoretical maximum bandwidth; 86 MB/s on a Dell E5470 and 1.07 GB/s on a Gigabyte Aorus Gaming 7 X399 motherboard.  The encryption obviously has an effect but not so much as to make the drives frustrating to use.

datAshur BT Managed App And Admin App

For Enterprise use, you get many more setup options and additional security options which make this drive feasible for use with sensitive data that has to be free range for whatever reason your users manage to come up with that day.  As you should expect, there is a license cost associated with Remote Management for datAshur BT devices and that price plus the cost of the individual devices may sour the deal when it comes to budget time.  However if you do get approval, the interface and features are well designed and implemented. 

You will need two apps: the datAshur BT Admin App for setup and deployment, and the datAshur BT Managed App for your users.  As expected, the managed devices are not compatible with the personal app; even if a user has a personal drive and the app installed on their phone, they still will not be able to use it to access the managed drive.

Setting Up A datAshur BT Managed Drive

In order to provision a drive and add it to your iStorage datAshur BT Remote Management Web Console you will need to manually set it up with the Admin app.  Once it is installed, you log in to the phone app with the credentials you set up on the remote management server, the details of which you would receive in the same email from iStorage which contained your license.  Simply enter the unique eight digit code and the USB drive will encrypt and appear under the devices list on the server, and you will be able to use the web interface to manage it.

You do need to do this for each device, which could get a little repetitive with a large number of devices, or if you have a group of users that tend to lose or trade the devices with regularity.  It also means your phone has a lot of power over the entire deployment of encrypted USB drives.

Once you have your devices provisioned on the iStorage Web Console remote server you can then create or import your list of users, and assign them specific drives.  This interface also lets you wipe devices, reset passwords and lock down when and where the devices can be used.  As you assign drives to users they will receive an email with a one time password which they will immediately have to change.  The client app interface is the same as the personal version, with the exception being that you can set certain policies like MFA globally and those options will be inaccessible to the user.

 

The datAshur BT Remote Management Console

The console is similar to many MDMs (multi-device managers) and other remote management interfaces, with Users and Drives managed separately.  In order to assign drives to users they must be provisioned with the admin app on your phone, otherwise they will not appear on the portal at all, but once provisioned you can assign one or more drives to your users.  This is also where you can set limitations on what time of day the drive is accessible as well as enabling geolocation to prevent the drives from being used beyond a certain distance of a specified address.   It did indeed detect where my device was when enabled, and when the device was plugged into a USB port.

The Bluetooth component does require power from a USB port, so wipe or unlock commands will not succeed until the device is connected to a network.  When a drive is lost you have numerous options as an administrator, including disabling the user, disabling the drive and lowering the brute force limitation.  This means that if a stranger was to attempt to access the drive using the datAshur BT Managed App, which is the only way to try to unlock the drive, the app would not let them in, even with the correct password.  As a last resort you can send a remote wipe which will make the drive unreadable, and it will need to be formatted again before it can be used.  This would also initiate when the drive is plugged into a USB port and access is attempted with the Managed App.

The iStorage Web Console portal shows the current status of the device, so a delayed wipe or password reset would show until successfully completed – a necessity to ensure the security loop is closed.  You can also drill down on the activity for each device, to track bad logins, successful unlocks and password resets.  This is also where you can delete a drive so you can reprovision it and move it to a new user. The admin app would offer you the choice to wipe or retain any data on the drive.  Users will receive password resets to their email addresses, as well as alerts about any new devices assigned to them.

End Of File

We have looked at a few iStorage devices over the years such as Jim’s peek at the datAshur Pro Encrypted USB Flash Drive, and they have all made effective use of hardware encryption which means they are both secure and compatible with almost any computer platform out there.  The keypad based solutions they offer are a great solution for occasionally mailing or transferring data securely but they don’t tend to offer back end administration like the datAshur BT does.  iStorage devices do cost a bit more than your average encrypted USB drive, especially with a remote server license and they won’t win any data transfer races but they are very proficient at their intended usage.

If you are not allowed to epoxy all USB ports on your users' laptops and desktops and have explored locking down USB devices which are not on a master list of approved Device Instance IDs, Device Serial Numbers or Vendor/Product IDs, you know you have a serious security issue.  Your users ARE plugging in random USB drives and copying files to them.  Yes, they are.  If you can convince those with the money to invest in the complete datAshur package you will have a solution which offers a fair balance of usability and security, though even using the unmanaged version will improve your security immensely.
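As an added illustration of the approved-device list mentioned above (not part of the original review and not iStorage code), this example checks Windows-style USB Device Instance IDs against a master list of Vendor/Product IDs and serial numbers, and fails closed on devices that report no hardware serial. The VID/PID values, serials, function names and sample inventory are constructed placeholders.

```python
import re

# Constructed allowlist: (VID, PID) -> set of approved serials; None = any serial.
# These IDs are placeholders, not the real identifiers of any product.
APPROVED = {
    ("ABCD", "0001"): {"SN0000000001", "SN0000000002"},  # serial-pinned fleet drives
    ("ABCD", "0002"): None,                               # model approved as a whole
}

INSTANCE_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.IGNORECASE)

def classify(instance_id):
    """Return (verdict, reason) for one Windows USB Device Instance ID."""
    m = INSTANCE_RE.match(instance_id.strip())
    if not m:
        return "deny", "unparseable instance ID"
    vid, pid, serial = m.group(1).upper(), m.group(2).upper(), m.group(3)
    if (vid, pid) not in APPROVED:
        return "deny", "VID/PID not on approved list"
    serials = APPROVED[(vid, pid)]
    if serials is None:
        return "allow", "approved model"
    # Windows synthesises the last segment (second character '&') when a
    # device reports no serial number, so it cannot be matched to a drive.
    if len(serial) > 1 and serial[1] == "&":
        return "deny", "no hardware serial, cannot pin to an approved drive"
    if serial.upper() in serials:
        return "allow", "approved serial"
    return "deny", "serial not on approved list"

def audit(instance_ids):
    """Map each instance ID to its verdict; denied entries are the findings."""
    return {i: classify(i) for i in instance_ids}

# Constructed sample inventory of instance IDs seen on endpoints.
SAMPLE = [
    r"USB\VID_ABCD&PID_0001\SN0000000001",
    r"USB\VID_ABCD&PID_0001\SN0000000099",
    r"USB\VID_ABCD&PID_0001\6&2A4F1B7C&0&3",
    r"USB\VID_ABCD&PID_0002\anything",
    r"USB\VID_FFFF&PID_0001\SN0000000001",
]

if __name__ == "__main__":
    for dev, (verdict, reason) in audit(SAMPLE).items():
        print(f"{verdict:5} {dev}  ({reason})")
```

Matching on Vendor/Product ID alone approves every unit of a model, so a lost or personally purchased drive of the same model passes; pinning serials ties the list to the drives actually issued.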

For both personal and business use, the ability to reset your password to regain access to your files is a big plus, as it still retains the 10 strikes and you’re out protection against brute force attacks.  That doesn’t excuse you from backing up the data elsewhere but it does lower the risk of losing everything if you forget the password.  Tying the encryption to your phone as opposed to a physical keyboard will also make this a more attractive solution to your younger coworkers and family members.  They tend not to lose their phone, as it rarely leaves their hands.

If you value your security enough to pay the price for the datAshur BT then it comes with a hearty recommendation, especially if a local NA provider can be found to reduce the somewhat excessive overseas shipping rates.  If the price is a bit too steep for you, you can always stick with less expensive devices or password protected Zip files.  These are cooler though.

Review Disclosures

This is what we consider the responsible disclosure of our review policies and procedures.

How Product Was Obtained

The product is on loan from iStorage for the purpose of this review.

What Happens To Product After Review

The product remains the property of iStorage but is on extended loan for future testing and product comparisons.

Company Involvement
iStorage had no control over the content of the review and was not consulted prior to publication.

PC Perspective Compensation

Neither PC Perspective nor any of its staff were paid or compensated in any way by iStorage for this review.

Advertising Disclosure
iStorage has not purchased advertising at PC Perspective during the past twelve months.

Affiliate Links

This article contains affiliate links to online retailers. PC Perspective may receive compensation for purchases through those links.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
