Crowdfunded in January 2015, it received double its fundraising goal from security professionals and enthusiasts hoping the device would live up to its pre-launch aspirations to be "the Swiss Army Knife of security devices." It released shortly afterward, and was quickly considered the 'real deal' in opposition to the market rush of crowdfunding campaigns for dubious and fraudulent security devices hurrying to cash in on consumer hunger for a security-in-a-box solution.
Inverse Path's Andrea Barisani reached out to me in April, to say that the armory was almost ready for the first release of its INTERLOCK application, the first USB armory app, for file system encryption.
Barisani explained, "The application allows to use the USB armory for storing, encrypting/decrypting files with either OpenPGP or symmetric AES cipher executed directly on the USB device." He added,
Advanced capabilities such as disposable passwords further enhance the use of the USB armory for private and confidential open source encryption in a compact and portable device.
As far as we know this is the first and only device that enables such functionality with 100% open hardware and open source software in such a compact form factor.
Inverse Path then sent me one USB armory, with a pre-imaged microSD card with the INTERLOCK application, for review.
In truth, I wasn't the first in my house to engage with the USB armory. The first one to try out the device was my 5-month-old kitten, who stole the device off my desk in the night and tested it as a cat toy.
I found the armory with little chew marks and scratches from being batted around on hardwood floors. Stealing my armory became a fascination for the kitten, a worry with its exposed board.
Later, I was pleased to discover that despite it not having an enclosure, the device showed no adverse effects of Max's untoward, though no doubt well-intentioned, affections. The enclosures are now available.
My very first impression of the USB armory, after wrangling it for longer than I'll ever admit just to get it open, is that it's not yet ready for "normal" people -- and this is disappointing for consumers who need plug-and-play security solutions (such as those listed here under "example security application ideas").
If and when these things do happen with the USB armory (and for me, this can't happen fast enough), this device will change the security landscape as we know it, forever, and in ways that could rock the current manipulations of corporations and governments alike to their very foundations. And I mean that in the best way possible for the empowered netizen, one who wants to personally protect and control their personal digital privacy and security -- carrying their data and apps around with them on a secure stick.
In its current state, it's pretty dreamy for most hackers and infosec pros (it's especially sexy for pentesters), but right now it's too deep for non-technical people. It's not "Tor in a box" -- though it's set to absolutely be way, way more than that.
Its new INTERLOCK app makes it great for easy file encryption and general encrypted file storage, and I found out that it'll be out of Beta soon.
At Black Hat USA 2015 (August 1-6), Barisani told me that when he gives his talk, "Forging The USB Armory," Inverse Path will publish the first official INTERLOCK release.
Barisani added that their next project set includes, "Textsecure/Signal protocol integration, so that the device can also be used for encrypted communication as well."
USB armory hardware design uses the Freescale i.MX53 processor, supporting secure boot and ARM TrustZone.
The USB armory hardware is supported by standard software environments; it runs vanilla Linux kernels and standard distributions.
Freescale i.MX53 ARM Cortex-A8 800MHz, 512MB DDR3 RAM
USB host powered (<500 mA) device with compact form factor (65 x 19 x 6 mm)
ARM® TrustZone, secure boot + storage + RAM
microSD card slot
5-pin breakout header with GPIOs and UART
customizable LED, including secure mode detection
excellent native support (Android, Debian, Ubuntu, Arch Linux)
USB device emulation (CDC Ethernet, mass storage, HID, etc.)
Open Hardware and Software
As I mentioned, the USB armory is a full computer on a wee tiny USB stick. This means that when you plug the armory into a powered USB port running any operating system, the chip on the armory will boot and run the operating system written to the SD card plugged into the SD card slot.
It provides a separate operating system (and can be a different OS) from the one on your desktop, laptop, or server.
This is useful if you want to segregate duties and provide separate (more secure) environments for development, or in many cases, services of different security levels.
Built-in proxies can be run separately from the main operating system so that, when connecting to the internet, you can limit what information is shared about you (though this requires technical setup at this time).
The USB armory I received had an early version of INTERLOCK on board, an encrypted storage and app system viewed by web browser over an SSL connection with a locally encrypted (SSL) certificate.
This limits many (but not all) types of attacks between the user's computer and the armory.
All you need is a standard browser to use INTERLOCK; users don't have to worry if it's a Mac, Linux or Windows OS -- the USB protocol is standard.
A regular user (one who's not technically competent) can plug the armory into a USB port on their computer and navigate to https://10.0.0.1:4430 to reach the log-in page. After logging in, users see a dashboard reminiscent of Google Drive in its very early days.
On the INTERLOCK page, users can upload files (up to the size max on their SD card), and these files are encrypted upon upload. Users can also zip or unzip files, or encrypt or decrypt files further.
Because of the segregation of hardware and operating system (to a specific degree), many types of attacks to steal crypto keys and sensitive data will not work. If the setup is designed right, an attacker has a very limited attack surface here.
Keylogging on whatever current keyboard you're plugged into could still happen: Your password can be captured, but the separate (very long) keys stored on the armory won't be copied; an attacker still has to get them from the device, meaning that even with keylogging, Armory communications are still secure.
Inverse Path USB armory: Secure computer on a stick
Although the software is in Beta state, the USB armory is relatively easy to use and shows great promise -- especially when web app development gets going within the armory's already enthusiastic communities.
Because it's a complete operating system under the hood, anyone can write a web-based application and run it directly on the USB armory -- and not connect to the internet, or only do so to gain access to services you use.
For instance, easily within reach would be an out-of-the-box PGP email experience that would allow users to manage encrypted messages over email with simple-to-follow dialogue boxes (for, say, our wonderfully paranoid friends who don't want to store their encryption keys on a laptop, and instead keep them on a separate piece of hardware).
For future enterprise users, once the right web apps are written, the USB armory can be a portable thin client environment. So if something happens to an employee's laptop on a trip, they'd just plug the armory stick into a new laptop or kiosk, and they'd have their entire work environment right there, secure and ready to go.
As it's a full computer, users can install a LAMP stack and WordPress on the device, and do all their web testing without ever having to run their server on the internet.
The armory could also double as a cold storage Bitcoin wallet. The possibilities here are really remarkable.