Kingston DataTraveler Vault Privacy and EDGE diskGO Secure Pro Secure USB Thumb Drives Review
by Ganesh T S on August 25, 2017 8:30 AM EST- Posted in
- Storage
- Kingston
- USB 3.0
- Flash Drive
- AES
- Edge Memory
Thumb drives are the most commonly used flash-based storage devices, thanks to their compact form factor and affordability. In our series of direct-attached storage reviews, we have taken a look at number of devices that offer hardware encryption with no performance impact. They have all been SSDs behind a USB - SATA bridge, with the onus of encryption falling on the SSD controller. Compact thumb drives usually use a native controller (i.e, directly translating the flash interface to USB without an intermediate SATA link). There are exceptions such as the Corsair Voyager GTX and the Mushkin Ventura Ultra, but, most people wouldn't consider them compact. Compact thumb drives with hardware encryption are relatively rare, and command a significant price premium. They are valued by SMBs and enterprises due to the strong focus on data security. In today's review, we take a look at the 64GB variants of two products targeting this market - the Kingston DataTraveler Vault Privacy 3.0 and the EDGE diskGO Secure Pro 3.0.
Introduction and Usage Impressions
The Kingston DataTraveler Vault Privacy (referred to as DTVP30 here onwards) and the EDGE diskGO Secure Pro 3.0 (diskGO for the remainder of the piece) are both compact thumb drives. They come with a USB 3.0 male interface. The main selling point is the 256-bit AES hardware encryption in XTS mode on both units. In terms of size, the DTVP30 comes in at approximately 78mm x 22mm x 12mm. The diskGO is slightly smaller (58mm x 22mm x 10mm). The diskGO comes with a retractable USB connector, while the DTVP30 comes with a removable cap on the connector. There exists the possibility of misplacing the cap, but, it does provide more protection against dust compared to the diskGO. The DTVP30 also comes with a small lanyard.
Instead of disassembling the thumb drive to get the internal details, we took a look at the ChipGenius report for the two drives (reproduced below). Both the DTVP30 and the diskGO use the Phison 2313 controller with the 1.03.10 firmware.
Drive Information | ||
Given that the controller and firmware version are the same in both products, it is not surprising that the user interface is also similar. Upon connecting to a system, both products mount a CDFS read-only volume automatically. This permanent volume contains the necessary program to unlock the thumb drive and use it in the computer. The gallery below shows the process with the DTVP30.
Kingston provides support for using the drive under Windows, Mac, and Linux. In addition to the unlocker programs for various platforms, a manual is also included in the CDFS volume. Plugging in a new drive and starting the unlocker program takes the user through a compulsory password setup process. The user can also enter contact information for easier recovery of a misplaced drive (that other users might not be able to unlock, anyway).
The diskGO UI is very similar, except for the fact that only Windows and Mac are supported currently. The entire locking and unlocking processes are essentially the same between the DTVP30 and the diskGO.
Readers might note that this strategy of mounting a read-only volume to store the programs for securing the contents is similar to that of the Samsung Portable SSD T5. The key here is that both the DTV30 and the diskGO make it mandatory to use encryption., while the feature is optional for SSDs such as the T5 or the WD My Passport SSD.
Testbed Setup and Testing Methodology
Evaluation of DAS units on Windows is done with the testbed outlined in the table below. For devices with USB 3.0 (via an attached Type-A male interface) connections (such as the DTVP30 and the diskGO that we are considering today), we utilize the USB 3.1 Type-C port enabled by the Intel Alpine Ridge controller. It connects to the Z170 PCH via a PCIe 3.0 x4 link. A Type-C male to Type-A female cable is also used to connect the thumb drives to the motherboard's Type-C port.
AnandTech DAS Testbed Configuration | |
Motherboard | GIGABYTE Z170X-UD5 TH ATX |
CPU | Intel Core i5-6600K |
Memory | G.Skill Ripjaws 4 F4-2133C15-8GRR 32 GB ( 4x 8GB) DDR4-2133 @ 15-15-15-35 |
OS Drive | Samsung SM951 MZVPV256 NVMe 256 GB |
SATA Devices | Corsair Neutron XT SSD 480 GB Intel SSD 730 Series 480 GB |
Add-on Card | None |
Chassis | Cooler Master HAF XB EVO |
PSU | Cooler Master V750 750 W |
OS | Windows 10 Pro x64 |
Thanks to Cooler Master, GIGABYTE, G.Skill and Intel for the build components |
The full details of the reasoning behind choosing the above build components can be found here. The list of DAS units used for comparison purposes is provided below.
- Kingston DataTraveler Vault Privacy 3.0 64GB
- EDGE diskGO Secure Pro 3.0 64GB
- Mushkin Atom 64GB
- SanDisk Extreme 64GB
- Strontium Nitro Plus Nano 64GB
Synthetic Benchmarks - ATTO and Crystal DiskMark
The DTVP30 64GB version has claimed read and write speeds of 250 and 85 MBps respectively. On the other hand, the diskGO claims only 120 / 60 MBps for the same. These numbers are backed up by the ATTO benchmarks provided below. Unfortunately, these access traces are not very common in real-life scenarios.
Drive Performance Benchmarks - ATTO | ||
CrystalDiskMark, despite being a canned benchmark, provides a better estimate of the performance range with a selected set of numbers. As evident from the screenshot below, the performance can dip to as low as 4.6 MBps for the DTVP30, and 6 MBps for the diskGO when it comes to random 4K accesses. Since the queue depth has negligible impact on the performance (i.e, numbers for 4K and 4KQ32T1 are similar), we can infer that the thumb drives do not support UASP (USB-attached SCSI protocol).
Drive Performance Benchmarks - CrystalDiskMark | ||
Benchmarks - robocopy and PCMark 8 Storage Bench
Our testing methodology for DAS units also takes into consideration the usual use-case for such devices. The most common usage scenario is transfer of large amounts of photos and videos to and from the unit. The minor usage scenario is importing files directly off the DAS into a multimedia editing program such as Adobe Photoshop. These scenarios also cover typical office usage for transferring a large number of electronic documents and the like.
In order to tackle the first use-case, we created three test folders with the following characteristics:
- Photos: 15.6 GB collection of 4320 photos (RAW as well as JPEGs) in 61 sub-folders
- Videos: 16.1 GB collection of 244 videos (MP4 as well as MOVs) in 6 sub-folders
- BR: 10.7 GB Blu-ray folder structure of the IDT Benchmark Blu-ray (the same that we use in our robocopy tests for NAS systems)
In general, the DTVP30 manages to have a healthy lead over the diskGO, but, the margin is usually narrow for write workloads.
For the second use-case, we take advantage of PC Mark 8's storage bench. The storage workload involves games as well as multimedia editing applications. The command line version allows us to cherry-pick storage traces to run on a target drive. We chose the following traces.
- Adobe Photoshop (Light)
- Adobe Photoshop (Heavy)
- Adobe After Effects
- Adobe Illustrator
Usually, PC Mark 8 reports time to complete the trace, but the detailed log report has the read and write bandwidth figures which we present in our performance graphs. Note that the bandwidth number reported in the results don't involve idle time compression. Results might appear low, but that is part of the workload characteristic. Note that the same testbed is being used for all DAS units. Therefore, comparing the numbers for each trace should be possible across different DAS units.
In these workloads, we find that the diskGO inches ahead with the writes, but, the DTVP30 still retains an advantage for reads.
Performance Consistency
Yet another interesting aspect of these types of units is performance consistency. Aspects that may influence this include thermal throttling and firmware caps on access rates to avoid overheating or other similar scenarios. This aspect is an important one, as the last thing that users want to see when copying over, say, 100 GB of data to the flash drive, is the transfer rate going to USB 2.0 speeds. In order to identify whether the drive under test suffers from this problem, we instrumented our robocopy DAS benchmark suite to record the flash drive's read and write transfer rates while the robocopy process took place in the background. For supported drives, we also recorded the internal temperature of the drive during the process. The graphs below show the speeds observed during our real-world DAS suite processing. The first three sets of writes and reads correspond to the photos suite. A small gap (for the transfer of the videos suite from the primary drive to the RAM drive) is followed by three sets for the next data set. Another small RAM-drive transfer gap is followed by three sets for the Blu-ray folder.
An important point to note here is that each of the first three blue and green areas correspond to 15.6 GB of writes and reads respectively. Throttling, if any, is apparent within the processing of the photos suite itself.
Performance Consistency and Thermal Characteristics | ||
We note that both the DTVP30 and diskGO start to throttle in a similar manner after the same amount of data has been written. Given the same controller and firmware, it is hardly surprising. The throttling is not entirely a show-stopping issue because we find that it gets triggered after more than 50GB of read and write traffic within a short time interval. This is definitely not the intended use-case for the secure USB drives such as the DTVP30 and the diskGO. In any case, both drives manage to recover performance fairly quickly.
Miscellaneous Aspects and Concluding Remarks
The DTVP30 and the diskGO are both bus-powered devices, and it is given that the peak power consumption can't go beyond 5W. It is still relevant to take a fine-grained look at the power consumption profile. Using the Plugable USBC-TKEY, the bus power consumption for both drives was tracked while the CrystalDiskMark workloads were processed. The workloads were set up with an interval time of 30s.
Drive Power Consumption - CrystalDiskMark Workloads | ||
The DTVP30 has a peak power consumption of 2.19W, and idles at around 0.52W. The corresponding numbers for the diskGO are 1.31W and 0.54W.
Support for TRIM is an oft-requested feature in flash drives. It is important to maintain long-term performance consistency. Neither Kingston nor EDGE claim support for TRIM for the drives being reviewed today. CyberShadow's trimcheck is a quick tool to get the status of TRIM support. However, it presents a couple of challenges: it sometimes returns INDETERMINATE after processing, and, in case TRIM comes back as NOT WORKING or not kicked in yet, it is not clear whether the blame lies with the OS / file system or the storage controller / bridge chip or the SSD itself. In order to get a clear idea, our TRIM check routine adopts the following strategy:
- Format the SSD in NTFS
- Load the trimcheck program into it and execute
- Use the PowerShell command Optimize-Volume -DriveLetter Z -ReTrim -Verbose (assuming that the drive connected to the storage bridge is mounted with the drive letter Z)
- Re-execute trimcheck to determine status report
Conclusions can be made based on the results from the last two steps. As expected, these thumb drives do not support TRIM.
TRIM Support | ||
Features such as TRIM and UASP often require driver support. For the use-cases targeted by the DTVP30 and the diskGO, it is preferable to avoid relying on the OS driver behavior (as users might not have administrator privileges to load them also).
Moving on to the pricing aspect, we find that the 64GB diskGO retails for around $70, while the 64GB DTVP30 comes in at a hefty $190 (approximately). These prices make it significantly expensive on a cents/GB metric compared to thumb drives without encryption capabilities.
Readers might be wondering why the DTVP30 commands almost a 3x price premium over the diskGO at the same capacity while using the same controller and firmware. Obviously, a 2x improvement in read performance (real-world improvements are not that much better) can't be the only reason. A little bit of digging into the nature of the secure thumb drives market reveal that businesses and agencies looking into such products come with a host of requirements such as TAA compliance (i.e, an aspect that decides whether a given product is suitable for U.S. government use) and even FIPS-197 certification.
The diskGO and DTVP30 are both TAA-compliant. Only the latter has FIPS-197 certification. In our communication with Kingston and EDGE Memory, it emerged that FIPS certification is a very costly endeavor. Avoiding it helps the diskGO target a lower price point. The DTVP30 also employs a dual-channel configuration with MLC flash and comes with wider OS support. The lower performance of the diskGO is due to its single-channel configuration. That said, the diskGO also uses MLC flash (15nm or A19nm). Due to these reasons, the Kingston DataTraveler Vault Privacy 3.0 emerges as a more widely-applicable contender for use-cases that require secure USB drives. Casual users and businesses that don't need FIPS-197 certification / top-class performance will be quite happy with the value proposition of the EDGE diskGO Secure Pro thumb drive.
19 Comments
View All Comments
HStewart - Friday, August 25, 2017 - link
I have one of those Kingston drives and the reason I purchase it - I want the most secure drive I can purchase for book I am working. Normally I don't care about USB drives extra features - but in this specific case - I did. I don't need much storage - so my drive is cheaper than this one.JanW1 - Friday, August 25, 2017 - link
So - since security is the main feature of these - are they secure?Any idea about actual or potential vulnerabilities? Potential information leaks in the software provided?
Bullwinkle J Moose - Friday, August 25, 2017 - link
The highest performing and most secure drive for the lowest price would be the 256GB Corsair GTX for about $140Kingston 64GB for $190 seems like a really bad deal to me (just my opinion)
I believe the Kingston may still be using a master key in hardware and your "password" is only verified to access the master key, meaning that your drive can be decrypted by Kingston regardless of your password
An earlier version could be decrypted by simply updating the firmware due to the fact that a the master key was in hardware and could not be changed
This was covered primarily by Myself, then Schneier and others
https://www.schneier.com/blog/archives/2010/01/fip...
http://www.pcworld.com/article/185872/usb_drives_h...
However, a Corsair GTX will outperform the Kingston and can boot to a Truecrypt Partition using Windows to Go
Truecrypt works with Windows 7, 8.1 and Windows 10 if you have installed to an MBR partition
No master key in hardware to worry about either
Did you notice the following comment in the article? >
"The user can also enter contact information for easier recovery of a misplaced drive (that other users "MIGHT NOT" be able to unlock, anyway)"
Might Not?
How very reassuring!
Where can I read that user agreement?
I'd love to see the liability disclaimers
----------------------------------------------
the controller and firmware version are the same in both products in this article
for more info on XTS mode, read the Wiki article>
https://en.wikipedia.org/wiki/Disk_encryption_theo...
"XTS mode is susceptible to data manipulation and tampering, and applications must employ measures to detect modifications of data if manipulation and tampering is a concern"
For more info.....
Google is your friend!
Oglark - Saturday, August 26, 2017 - link
Apart from performance, how is this better than forcing Bitlocker encryption for all connected media?Wwhat - Tuesday, September 12, 2017 - link
Bitlocker is a windows one-system-only thing though, not sure that is any good for a portable device you might need to read on Linux or Apple's OS.Also bitlocker is not available on all versions of windows.
Also, who the hell would trust MS either to not give data to the authorities nor do their own abuse? They even use their unreliability in ads..
andychow - Saturday, August 26, 2017 - link
The kingston drive is the only one I know that comes with linux support out-of-the-box. It's command-line only, but it works.Any proof that these have actual hardware encryption? I see no proof of this, and the Physon chip certainly does not provide it by default. I haven't seen hardware encrypted NAND since... the Vertex 4, tbh.
Bullwinkle J Moose - Saturday, August 26, 2017 - link
Oglark: Apart from performance, how is this better than forcing Bitlocker encryption for all connected media?-------------------------------------------------------------------------------------------------------------------------------------
Bitlocker?
The one with a 32 digit recovery key associated with each encrypted volume?
The one that's closed source?
Well......
That depends
Does a Bitlocker drive contain the same hidden GUID that Windows creates during a normal format command with Spyware Platform 10? (I never checked)
If so, the exact computer that created the Bitlocker drive might be identified
But then again, the 32 digit recovery key associated with every Bitlocker drive might do the same thing
In either case, you and your computer "might" be identified when using a Bitlocker drive, even if the encrypted volume contains no personally identifiable data of you or your computer
So, I don't see any benefit of using one backdoor encryption scheme over the other
Lets ask the experts!
Bullwinkle J Moose - Saturday, August 26, 2017 - link
"32 digit recovery key associated with every Bitlocker drive" ???????????----------------------------------------------------------------------------------------------------
Sorry, I mispoke!
Microsoft calls it a 32 digit KEY IDENTIFIER! (Not a recovery key)
It does not directly recover your data, but may in fact identify the correct key for .....
Pick an Agency, Any Agency!
Oglark - Sunday, August 27, 2017 - link
I have looked at the recovery key identification and there dows not seem to be an obvious comoiter identification. I suppose it could be a simple transform like SN + timestamp. I thought it was so you could identify which volume was encrypted.Bullwinkle J Moose - Sunday, August 27, 2017 - link
Oglark: " I thought it was so you could identify which volume was encrypted. "------------------------------------------------------------------------------------------------------
....and I thought it was to identify which computer encrypted the volume and to which decryption key is required to decrypt said volume
Lucky for us, we have EXPERTS here who can provide PROOF as to what is actually occuring
AHEM...........
I say, AHEM......
Hello
HELLO.....
Is this thing on?