Addonics CipherUSB Review – Portable Encryption Made Easy

Addonics CipherUSB
by Brett Thomas on July 3, 2013 in Security, Storage

As important as data encryption can be for the home user, it’s even more imperative in the enterprise. The problem? The most effective measures are usually cast aside in lieu of something a little easier to deal with. With the CipherUSB, Addonics hopes to bring “simple” and “most effective” together as one. Does it succeed?

Highlights & Final Thoughts

Though my above points are certainly things that I hope Addonics takes to heart, I have to give the company some serious points for adding a product to its lineup that does exactly what it’s supposed to do – make storage encryption simple. If the password strings themselves are complex enough and protected appropriately, the devices can be programmed once and handed out to staff as needed.

Throughout all of this review, I haven’t really touched much on the subject of price, and that’s because it’s frankly negligible for what the CipherUSB actually offers. ECB FLE models cost $39.95, and CBC is $69.95. Add $10 to either if you want Mac compatibility as well. For the convenience and the fact that you don’t need one device per person or per storage device, this is practically a steal.

Addonics CipherUSB Use Chart

Is there room for improvements? Yes, and some of them really need to be made (like the file extension issue). The software should be redesigned for its target market, but it does work. Overall, the device lacks polish, not function.  However, the couple glaring flaws it has are very large indeed, impacting both usability and security – which are the two things it’s supposed to have.

All of this puts me in an unfortunate position as a reviewer – If Addonics puts just a little more work in (even if only to handle the file extension issue), the CipherUSB CBC FLE would be a no-brainer recommendation.  As it stands right now, though, it’s some great hardware with promise if only someone would clean up the UI… and that’s a little harder to swallow, since the hardware isn’t designed by Addonics.  In fact, the only real place Addonics can actually add to the value chain here and leave its own mark (aside from just being the best company to market Enova’s device in a different country) is the software, so skipping this is just a bitter pill overall.

Addonics CipherUSB

We’ve contacted Addonics to see what’s coming up, and the company has stated that it does intend to improve the application.  For the time being, though, I can’t really give a firm “recommended” or “avoid this.” If what you want is simple but strong encryption without any bells or whistles and you’re willing to develop a strong enough passphrase that it can’t get bruteforced, you needn’t look farther than the CipherUSB. However, a little extra work by Addonics would go a long way to turning this from “does what it says on the label” to “you really should be using one of these.”

 tl;dr: If you’re not using Linux, not picky about the interface and you don’t mind the unchangeable “.Addonics” giveaway file extension, the simple-to-use security of the CipherUSB is incredibly versatile and well worth the low price. However, there’s a lot of room for improvement in the software itself, and the file extension can be a security risk that reduces powerful AES256 encryption to a basic dictionary attack.

Page List

1. Introduction, Uses & Setup
2. File-Level Shenanigans, Pros & Cons
3. Highlights & Final Thoughts

  • Brett Thomas

    Since I’ve been asked on Reddit, I thought this was worth posting here:

    I was given a thorough explanation of how the final key was generated by Addonics in my testing, but I chose not to disclose its origination method in the article. Here’s why:

    Though it’s totally possible to either ask them (whether they feel inclined to disclose that publicly or not), it’s really not relevant and I can’t see how on earth it would impact using the device except to make it that much less secure by giving a map of what the final key should look like. Since the final key is never moved off of the device (even into host memory), I can’t for the life of me see where disclosing that is beneficial.

    I’m never a fan of “security by obscurity”, but the particular behavior is all hardware-based and so I feel its only disclosure should be either by Addonics or by someone disclosing the design of the ASIC…so I’m not terribly inclined to go detailing its mechanisms simply to show I know them.

    Suffice it to say that the final key is a product of the initial password, is hardware generated, and is 32 bytes of what amounts to randomness from that process. Since THAT is what is used to encrypt your data, the final encryption won’t be bruteforceable (imagine doing 32char string bruteforcing across the entire ASCII spectrum as your input values…32**256?!).

    The issue, as always, comes down to controlling your initial password. The final key generation is just a nice way of making sure that people who pick weak or repeatable passwords don’t end up with easily bruteforceable encryption on their files.

  • Jesse Crawford

    So, to double check that I understand this correctly, the device can only have one password configured at a time? So, say I have two USB devices I would like to encrypt with different passwords, I could not easily use the same unit back and forth between the two?

    • Brett Thomas

      Hi Jesse!

      First question: The device can only have one password at a time? That is correct. The device will only store one password at a time, so putting in a new password overwrites the old one.

      Second question: I could not easily use the same unit back and forth between the two? That one, I’d say “It’s still really easy.” Changing the password takes only a couple seconds and is done in the same utility as encrypting files with. It also doesn’t re-format or re-initialize the connected device (on the FDE versions). So if you wanted to switch drives, you pull the one out, plug the new one in, and change the password on the CipherUSB. The new drive will then show up like nothing was out of the ordinary.