With the IronKey Vault Privacy 80, Kingston is addressing the need for data security while on the move. Losing or having your drive stolen is always a possibility, and with it comes the risk of not only losing your data, but the chance that it ends up in the wrong hands. While for a typical consumer this isn't a big deal, it is a huge issue for corporations and governments. Of course there have been various methods to safeguard your data with encryption, and we've also seen various hardware-encryption-based portable devices, so it's not like Kingston has invented something totally new. However, considering that Kingston is the world's leading vendor for flash-based storage solutions, with an excellent reputation, worldwide availability and a great support network, I'd expect the IKVP80 to be considered by a lot of potential clients.
The biggest advantage of the Kingston solution over something software-based is that the drive will work with all operating systems, not only Windows, and you don't have to install or even start anything on the target machine. All you need is an operating system that understands the USB mass storage protocol, i.e. it can read files on USB sticks. Since the encryption is block-based and transparent to the host system you can format the IKVP80 with exFAT, NTFS, EXT4 or any other file system. Thanks to the integrated touch screen you only interact with your "known good" device while entering the password, which protects against keyloggers and similar attack mechanisms.
Physically, Kingston's drive looks great and is rugged enough thanks to the metal case. While the drive isn't tiny (it uses a 2.5" SATA SSD internally and not an M.2 NVMe drive), it's still compact enough to carry around all day in a briefcase. Since the underlying storage is an SSD, and not a mechanical HDD, the enclosure is also a little bit lighter in weight. Unfortunately there is no IP dust or water resistance rating, which would have been a useful addition that wouldn't have added much cost; at least Kingston includes a neoprene carrying pouch for protection. The fact that an SSD is used basically makes the device immune to shock, even during operation, because there are no moving parts. I guess the weakest point is the touch screen, which could scratch or shatter with enough abuse. The touchscreen is really easy to use by the way, much better and more precise than the resistive touchscreens from many years ago—you definitely do not need a stylus to operate it.
For performance, Kingston only promises "up to 250 MB/s read/write", which isn't a lot, considering we've been seeing multi-gigabyte transfer rates on some portable SSDs. In our performance testing we were able to confirm Kingston's performance claims, but it still means the drive is slower than nearly every other portable SSD out there. So if you need more performance, a software-based encryption solution paired with a higher-end portable SSD could be an option. The reason why performance is limited to 250 MB/s is that the drive has to decrypt/encrypt data in real-time, which is handled by an onboard IC that's much weaker than the processor in your system. That is the price you'll have to pay for any hardware-based solution though; I doubt there's anything out there that's considerably faster than what Kingston offers here, probably the opposite.
Our test suite includes a scenario that tests sustained write speeds by filling the whole drive with a continuous stream of data. Here the IronKey Vault Privacy 80 doesn't do so well. While writing the first 250 GB completes at the promised 250 MB/s, speeds drop considerably after that. With only 30 - 40 MB/s (!!) in that state, the drive ends up being MUCH slower than a hard-disk-based solution. On average, filling the whole drive completed at 59 MB/s. I tried to confirm with Kingston but all I got was a long-winded "can vary from user to user" response. What they didn't write is that "your numbers are wrong", or "this is a known bug that we'll fix", so my numbers seem correct. After taking the unit apart I knew the reason for the slow speeds. Internally, the drive uses a 2.5" Kingston A400 QLC SSD, which, due to its QLC nature, is just very, very slow to write during very large transfers. Just to clarify, the drive will automagically clear its SLC cache and move data into QLC over time, so full transfer rates are restored after letting the drive idle for a while. It seems Kingston fell for their own marketing, which specifies the A400 with "up to 500 MB/s read and 450 MB/s write". Guess the engineers never checked what "up to" means and thought "hey, our encryption is limited to 250 MB/s anyway, so a 450 MB/s SSD will be perfect and since it's dirt cheap we'll have bigger profits". The IronKey Vault Privacy 80 1 TB in this review costs $350, and they are using a $65 SSD inside.
In terms of security, the VP80ES works really well; the engineers implemented a lot of clever features that harden security. For example, by default, the keypad on the touchscreen gets randomized, so an attacker can't just look at where your fingerprints are on the display and guess the code from that. To protect against brute force attacks, there's a limited number of attempts before the drive erases itself, and after a few attempts you have to power cycle the drive before it accepts new input. Being able to put the drive into read-only mode is useful when you're working with clients that you want to give files to, without any risk of your own data getting corrupted or infected. The various settings options are great and allow you to fine-tune the device's security to your requirements. I also very much like the ability to create an "admin" password that lets you override a forgotten "user" password.
On their pages Kingston talks about the ability to "safeguard against BadUSB attacks", which seems to be an impressive feature for uninformed people (including some reviewers). "BadUSB" certainly sounds like something you don't want and you definitely want to be protected against. The problem is that BadUSB is not an attack against you, but an attack that you perform; you're the bad guy here. To execute BadUSB you modify a harmless-looking USB device to do harm to the victim's machine as soon as the device gets plugged in, i.e. it executes commands or reroutes network traffic. You then put it on their doorstep with a note "secret files", "don't plug in", or "my personal porn", and the victim will insert it in their computer, no doubt. So marketing a product as "protects against BadUSB" is illogical, because buying it cannot protect you from plugging in other USB devices. I reached out to Kingston for clarification, and their argument was "signed firmware ensures that our Product can not be used as the medium for such attacks". This is completely false and actually gives a false sense of security. If you find an IronKey Vault Privacy 80 on your doorstep, do not plug it in. While re-flashing the firmware might be impossible, it is trivial to take apart the unit and replace the components inside with your own hardware that executes a BadUSB attack.
I was able to verify that the data is really stored in encrypted form on the drive. While you might now think "duh, what did he expect?", some older "hardware-encrypted" drives actually stored unencrypted data and the passcode only toggled the storage unit's power. A somewhat surprising discovery was that the drive not only encrypts the actual data, it also scrambles the block locations on disk. Usually, a storage device appears as a large number of sequential data blocks that contain your data. The first sector is where the partition table is located, a bit after that comes the OS boot loader, etc. If you remove the drive from the IKVP80 and attach it directly to your host PC, you'll find some random-looking encrypted data at the start of the drive, not the partition table. I verified this by wiping the first block and putting the drive back in the enclosure—the original partition table was still there. This makes it much harder to attack the drive's cryptography, because you can't just grab a block of encrypted data, knowing that it will contain a certain piece of data in a specific format.
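A read-only version of this check for a raw image taken from the bare SSD, added here as an example and not part of the original review: it looks for the fixed-offset structures an unencrypted disk exposes (MBR signature, GPT header, filesystem boot sector) and measures byte entropy over the first sectors. The function names, the 7.9 bits/byte threshold and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
# (offset, signature, name) of structures an unencrypted disk shows at fixed offsets
MARKERS = (
    (510, b"\x55\xaa", "MBR boot signature"),
    (512, b"EFI PART", "GPT header"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (3, b"EXFAT   ", "exFAT boot sector"),
)

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def plaintext_markers(image):
    return [name for off, sig, name in MARKERS if image[off:off + len(sig)] == sig]

def assess(image, sectors=64):
    """Summarise the first `sectors` sectors of a raw image."""
    head = image[:sectors * SECTOR]
    chunks = [head[i:i + SECTOR] for i in range(0, len(head), SECTOR)]
    entropy = shannon_entropy(head)
    zero = sum(1 for c in chunks if not any(c))
    markers = plaintext_markers(head)
    # High entropy alone also matches compressed data, so additionally require
    # that no known plaintext structure and no zero-filled sector is visible.
    looks_encrypted = entropy > 7.9 and zero == 0 and not markers
    return {"entropy": round(entropy, 2), "zero_sectors": zero,
            "markers": markers, "looks_encrypted": looks_encrypted}

def constructed_ciphertext(n):
    """Constructed stand-in for encrypted sectors (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def constructed_plain_disk(n):
    """Constructed unencrypted image: MBR with one partition entry, rest zeroed."""
    entry = bytes([0, 0, 2, 0, 7, 0xFE, 0xFF, 0xFF]) + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little")
    mbr = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    return mbr + bytes(n - SECTOR)

if __name__ == "__main__":
    for name, img in (("plain", constructed_plain_disk(64 * SECTOR)),
                      ("encrypted", constructed_ciphertext(64 * SECTOR))):
        print(name, assess(img))
```

High entropy with no markers is consistent with encryption at rest but says nothing about the quality of the cipher or key handling, and this check cannot by itself show that blocks have been relocated.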
The biggest drawback of the IronKey Vault Privacy 80 External SSD is its high price, no doubt. Our tested 1 TB unit retails at $350, which is more than four times the price of an unencrypted 1 TB portable SSD. To be able to justify such a huge price increase you really must worry about your data. Considering the price and the drive's low performance, a workable solution could be to use some kind of cloud-based encrypted file transfer method, or to manually encrypt the files before putting them on a storage device and decrypt on the target machine. If you use open-source software for this task, then you can be sure that it always does the right things—with the IKVP80 you'll have to trust that Kingston has implemented the proper code, and that the device is free of backdoors. These alternative approaches are operating system dependent of course, and are more complicated, but the price difference could make up for it. On the other hand, as a corporation or government entity, money is rarely an issue, which is why I'm sure the IKVP80 will definitely be a success. Apricorn and iStorage are the current market leaders for these kinds of devices, and their products are even more expensive than the Kingston drive, so compared to similar solutions the Kingston pricing is actually quite reasonable, and none of these devices even offer a touch-screen and the advanced capabilities of the IronKey Vault Privacy 80.

