
Storage for spies: How the FIPS standard makes data extremely hard to steal

Jon L. Jacobi | Nov. 18, 2014
Keep it secret, keep it safe. When you want your digital storage to be encrypted, tamper-proof, and very hard to steal, you want the drive to have FIPS certification. The FIPS label means it complies with the Federal Information Processing Standards that delineate everything concerning government data security.

Level 4 adds the ability to withstand environmental attacks, such as the high temperatures and voltages that might be used in an attempt to compromise the crypto module. It's not meant to protect the device from monsoons or tornadoes. Staring down heat and high voltage is tough work, and achieving that level of protection adds a great deal of cost. FIPS 140-2 Level 4 is extreme overkill for consumers and even most businesses.


The FIPS standards we've covered so far apply to the protection of the device's cryptographic module. FIPS 197 describes the actual means of encryption. You don't hear much about FIPS 197 because it morphed into the Advanced Encryption Standard (AES), which comes in three variants: AES-128, AES-192, and AES-256. The numbers identify the length of the encryption key in bits: The longer the key, the stronger the encryption.

If you see AES listed as an encryption method on the storage device you're considering, you're looking at a FIPS 197 product. A host of other encryption algorithms are available, and with the NSA known to have supported many open source security projects (SSL, PGP, etc.) it's conceivable that a FIPS 197 device might be your better option. Just sayin'.

Do you need FIPS-certified storage?

As I mentioned earlier, most vendors get FIPS 140 certification so they can sell their products to the government. Unless you're protecting extremely sensitive information that a sophisticated criminal would go to great lengths to obtain, you'll be well served by a plain ol' hard drive and one of the free and readily available encryption programs such as... well, I was going to say TrueCrypt, but controversy has swirled around the limited version released by its developers before shutting down the project. That said, by all reports the 7.1a and older versions work as well as they ever did.

Tempests in teapots aside, Microsoft's BitLocker drive encryption (included with the Pro and Ultimate versions of Windows 7, and the Pro and Enterprise versions of Windows 8) will do the trick, and most non-FIPS-certified drives come with viable encryption software. Though pricey, Jetico's BestCrypt is the real deal, and the choice of many governments.

But if you must have (or simply want) something that's relatively hassle-free and basically un-hackable in the real world, go with FIPS 140-2 Level 3-certified hardware.

