Reddit reviews Apricorn Aegis Secure Key 3Z 8GB 256-bit AES XTS Hardware Encrypted FIPS 140-2 Level 3 Validated Secure USB 3.0 Flash Drive (ASK3Z-8GB)

We found 5 Reddit comments about Apricorn Aegis Secure Key 3Z 8GB 256-bit AES XTS Hardware Encrypted FIPS 140-2 Level 3 Validated Secure USB 3.0 Flash Drive (ASK3Z-8GB). Here are the top ones, ranked by their Reddit score.

Apricorn Aegis Secure Key 3Z 8GB 256-bit AES XTS Hardware Encrypted FIPS 140-2 Level 3 Validated Secure USB 3.0 Flash Drive (ASK3Z-8GB)
FIPS 140-2 Level 3 Validated drive with 256-bit AES XTS encryption
Aegis Configurator Compatible
High quality rugged aluminum housing
IP57 Water and Dust Resistant
Embedded 7-16 digit pin authentication with user forced enrollment
2 Read-Only modes

5 Reddit comments about Apricorn Aegis Secure Key 3Z 8GB 256-bit AES XTS Hardware Encrypted FIPS 140-2 Level 3 Validated Secure USB 3.0 Flash Drive (ASK3Z-8GB):

u/get_get_get_get · 2 points · r/encryption

It really depends on your threat model. There is no such thing as complete security. I'm no expert but I have several hardware-encrypted hard drives and flash drives, so I'll try to answer. I use them for similar purposes, so we likely have similar threat models.

First, it's important to recognize the inherent limits of an encrypted device like what you linked. It's only encrypted until you mount it, at which point an attacker with remote access can view the files just like you would. This can be countered by using an air-gapped computer, or one only used for these secure activities.

As for this particular device: The device you linked says it's FIPS 140-2, which means it's only tamper-evident, rather than tamper-resistant, and provides role-based authentication. So, a savvy hacker might be able to manipulate the hardware in some way to access the data (search "Kingston Datatraveler hack/vulnerability"), although you would be able to tell. You might combat this by using VeraCrypt/TrueCrypt containers inside the device, which is also good practice if you are backing up passwords somehow, as it enables easier password splitting (e.g. remember pin but back up VeraCrypt password in pw manager).


A comparable tamper-resistant device (FIPS 140-3) is the Aegis 3z. If you're willing to pay more, the Kingston Ironkey is a literal iron fortress and is probably the hardest hardware to hack. It doesn't have a physical keypad, but autolaunches authentication software. This is vulnerable to keyloggers but arguably more secure against shoulder-surfing. It's also more configurable. The Kingston D300 is very similar (slightly cheaper), with the difference being the security chip (I don't know enough here to comment). A notable alternative is the Aegis Padlock, which is a literal hard-drive with a large keypad and lots of configurations (including false drives and keycodes that wipe the entire device, though other devices I've mentioned have similar features).


While shopping, it is good to note the distinction between FIPS-validated vs. FIPS-compliant, with the latter being little more than a promise, although few encrypted devices are actually verified.

Let me know if you want elaboration on anything. I have every device I mentioned and some knock-offs too. I don't know too much about the technicals, but it's a field I'm looking to get into so I can try and answer until someone better comes along.

u/malikto44 · 2 points · r/sysadmin

I'm low tech... my keys are stored on a VeraCrypt drive with a keyfile on a hardware encrypted USB flash drive. I actually use multiples of these for backups of the keyfiles. This way, the VeraCrypt drive can be backed up, but it is completely unusable without the keyfiles. I also do the same thing with my KeePass database. It sits locally and gets backed up, while the encryption keys are stashed on the encrypted drive.

I do recommend disallowing SSH in as root, provided you have some sort of console access somehow to get in. I once had a bunch of machines that console access was impossible (separation of duties), and because of policies, the machines required a PW change every 30 days, so I kept a root SSH key open just in case my account got locked, otherwise there would be no way into the machine.

At a previous job, I also kept a "bus book". This is a sealed folder that has not just a USB drive, but a DVD and printout of keys and passwords. This includes tape drive/library keys, everything. A copy of this was handed to two other people, and one copy was in the tape safe.

u/WeirdOneTwoThree · 2 points · r/DarkNetMarketsNoobs

No, tails basically makes the computer a temporary burner because it boots from USB and leaves no trace when you are done. An actual burner computer would NOT BE AS SAFE as tails because you'd be leaving evidence on it (unless you used tails on it of course :)

I suppose you could do the literal thing and actually burn the computer when you were done (but that would get expensive if you make a lot of orders)

When you remove the USB drive with tails on it you remove the evidence. Only the USB will have any evidence (on the persistent volume). Want to NOT have that problem? Then get one of these: Apricorn Aegis Secure Key 3Z 8GB 256-bit AES XTS Hardware Encrypted FIPS 140-2 Level 3 Validated Secure USB 3.0 Flash Drive which is a lot cheaper than a silly "burner computer" :)

u/jaggedsoft · 1 point · r/skycoin

Recommended backup of private keys would be to a secure password manager such as KeePassXC. Then your passwords are encrypted and can be stored safely offline or even in the cloud.

For offline safe storage of keys / wallets, I back up everything to an Apricorn Secure Key. Buy two so you have more than one backup. Nobody can get into these without a 10 digit pin.