The Apricorn Aegis family of flash drives, HDDs, and SSDs has been around for quite a while. I’ve generally rejected them based on price alone. Recently a customer requested training that included this drive. Since learning the Aegis and its capability, I’m very impressed. If you have compelling data security needs, this product might be for you.
Note: This article contains affiliate links.
The Aegis SecureKey is a hardware-encrypted flash drive. The most conspicuous feature is the raised PIN pad on the top of the device. The Aegis SecureKey comes in three versions. The versions I have used and taught are the SecureKey 3z and the SecureKey 3.0. Both are functionally identical. The 3z is a more streamlined version, and it also supports the USB 3.1 protocol. The newest version is the SecureKey 3NX, which is similar in function and form to the 3Z, but is advertised to run at a cooler temperature.
The cases of all variants of the SecureKey are aluminum, and all meet IP67 ratings for dust- and water-resistance. The SecureKey 3.0 is the most ruggedized version. It comes with a removable aluminum housing that encircles the device and protects the PIN pad. The SecureKey is also certified FIPS 140-2, Level 3 (the latest SecureKey, the 3NX is pending certification). The SecureKey ships in a padded container that is sealed with a tamper-resistant sticker.
Price-wise the SecureKey line falls in the middle of the road between inexpensive “normal” flash drives and the ultra-expensive IronKey from Kingston, its nearest competitor. MSRPs for the SecureKey 3Z and 3NX models range from $59 for a 2GB 3NX to $199 for a 128GB 3Z. By comparison, MSRPs for the IronKey range from $117 for a 4GB model to over $700 for a 128GB drive.
The Aegis SecureKey 3.0 comes in larger sizes to match its considerably larger form-factor. Sizes for the 3.0 range from 16GB ($129 MSRP) to 1TB ($699 MSRP). SecureKey models can sometimes be had for slightly lower prices on Amazon.com; I paid under $180 for a 128GB 3Z.
Aegis SecureKey Features
The Aegis SecureKey comes with a raft of features that will be exciting to security nerds (like myself). First and most importantly is hardware-level encryption. Information is encrypted on the device, and cryptographically tied to the device. The encryption on this device is AES-256 (in XTS mode). This has quite a few benefits.
No software has to be run on the host device, as was the case with the IronKey, making it truly operating-system agnostic. The Aegis SecureKey is formattable for FAT32, NFTS, exFAT, and macOS Journaled. Some of the other benefits of hardware-level encryption will become apparent as we discuss the other features of the Aegis SecureKey.
Important note: the Aegis SecureKey has an internal battery that powers certain functions on the device, like allowing you to enter the decryption key before it is connected. The battery is charged whenever the device is connected to a computer.
The SecureKey comes without a PIN assigned, and rules that prevent lazy (enterprise) users from using terrible PINs or no PIN at all. First, the device will not function at all until a PIN has been established. It will not be mounted by the computer and data cannot be written to it. PINs must be between 7 and 16 characters, and PINs consisting of repeated digits (1-1-1-1-1-1-1-1) or sequences (1-2-3-4-5-6-7 or 7-6-5-4-3-2-1) are disallowed.
Fully setting up the device requires setting two PINs: an Admin PIN and a User PIN, which can be the same but should probably be different. The User PIN is used to access and use the basic storage and read/write functions of the drive. The Admin PIN allows you to manipulate the other functions the drive supports.
The single biggest benefit of the SecureKey’s hardware-level encryption is its invulnerability to keyloggers. The PIN is entered on the device before it is even plugged into the computer. Upon entry of the correct PIN, the device unlocks for a period of 30 seconds. During this period it can be plugged in and mounted; if it is not plugged into a computer within 30 seconds it will be locked again.
The administrator PIN is useful for IT professionals setting these devices up for enterprise users. The Admin PIN is also necessary for home users. Entering the Admin PIN allows many of the advanced features of the Aegis SecureKey to be configured. These features are the ones most likely to excite long-time readers of this blog.
Unattended Auto-Lock: The Aegis SecureKey can be configured to automatically lock if not accessed after a predetermined period of time. By default the key will remain unlocked as long as it is attached to a computer until the lock button is pressed or it is ejected. The unattended auto-lock can be programmed to lock the device after 5, 10, or 20 minutes.
Configurable Brute Force Protection: The Aegis SecureKey has a default brute-force protection limiting login attempts to 20. This number can be reduced, but cannot be increased, and the protection cannot be removed. The number of PIN attempts can be reduced to as few as four.
Self-Destruct PIN: The self-destruct PIN is a tertiary PIN (in addition to the Admin and User PINs) that destroys all data on the device when entered. This PIN can be used under duress to ensure no data is recovered from the device. Like the Admin and User PINs the self-destruct PIN must be between 7 and 16 characters long.
When the self-destruct PIN is entered, all decryption keys will be destroyed. This will render any data on the drive cryptographically inaccessible. The drive will appear empty, but will also appear to function normally. The self-destruct PIN can be used to unlock it at will and new data can be written to it. This is a pretty clever feature; the data on the device can be destroyed without making it immediately apparent to an adversary that you’ve destroyed it.
Read-Only Mode: The ability to place the drive in read-only is really, really cool. This allows you to unlock the drive and attach it to untrusted (i.e. public or work) computers to access data. This provides a good layer of insurance that malware cannot be written to the drive. The drive can be placed in read-only mode in both the Admin and User modes.
Full Reset, Change PINs, etc.: Should you find yourself locked out of the device or simply wanting to start from scratch, you can.
The Aegis SecureKey and its operation are extremely well documented. The Aegis SecureKey ships with a quick-start guide that allows the user to set basic functions like the Admin and User PINs. Detailed user manuals (running around 20 pages each) are available for all versions of the SecureKey at Apricorn’s site:
Apricorn also has a decent YouTube channel that provides tutorials for many of the aforementioned functions. YouTube demonstrations are all conducted with the SecureKey 3.0 (the oldest model in the line), and it isn’t immediately obvious that all of the steps apply to later variants. I’ve gone through most of them with my 3Z and the steps seem to be the same on both devices.
Problems with the SecureKey
My only complaint with the SecureKey – and there’s really no getting around this – is that it looks very alerting. If this device is on your person it is obvious that you are in possession of a security device. If you are personally or professionally concerned with keeping a minimal profile (consult your threat model), this might not be the device for you.
My Use-Case and Impressions
I haven’t been very excited about the Apricorn line of products until recently. In fact, I believe I may have discouraged users from purchasing them on the podcast. That was the voice of inexperience, and having used this drive for over a month, it has found a permanent home in my electronics bag. Though expensive, I believe the level of security provided is well worth it.
I use the 128GB Aegis SecureKey 3Z as my travel backup drive. With the additional risk of loss or theft inherent in travel, this is massively preferable to a software-only encrypted drive. As you might imagine, I’m not content to leave well enough alone so I encrypted the disk’s storage partition with VeraCrypt.
The Apricorn Aegis line of products offers a very impressive capability. In the near future I will almost certainly add an Aegis Padlock DT hard drive to my personal security plan, as well, and slowly begin decommissioning the considerable number of non-hardware encrypted hard drives I have.