With the Ironkey D500S, Kingston provides important data with strong, validated protection. The uncluttered software and extensive features make it easy to keep data safe on this USB drive.

Many companies store important data in the cloud, even though this is by no means always the safest option. Data sharing over the internet is inherently risky, as attackers in a network can capture credentials via sniffers. To keep data manageable, USB sticks come in handy. However, these are very portable, so theft is a risk. Keeping data safe on this medium requires hardware security. The Kingston D500S has exactly that feature, and it’s based on XTS-AES 256-bit encryption.

Very strong encryption

We have seen Kingston equip IronKey with this form of encryption before. The IronKey Keypad 200 that we reviewed early last year also uses it. AES-256 is considered secure and hard to crack. As with the Keypad 200, the D500S features the FIPS 140-3 standard set by the U.S. NIST (National Institute of Standards and Technology). This is the second highest standard used by the D500S, although official validation for this particular device is still pending.

Specifically, Level 3 means that the USB drive is resistant to external tampering. That means it actually repels tampering and doesn’t just leave evidence of it having occurred, which goes one step beyond merely detecting an unusual voltage or temperature. If that isn’t available, a device equipped with Level 3 encryption must have undergone environmental failure testing (EFT). In short, these are exceptionally stringent requirements that the D500S meets. Level 4 would mean that all data is also immediately deleted if the tamper detection goes off, but that’s a bit too much to ask for a USB flash drive.

The big difference from the Keypad 200 is as the name suggests. Whereas the Keypad 200 features a key lock, the D500S asks for a password via software.

The physical casing is made of zinc and is waterproof, dust-proof and resistant to vibration and compression. Internal components are filled with epoxy to absorb any shocks.

Ease of use

The D500S pairs via USB ports with support for USB 3.2 Gen 1 or USB 2.0. Once the user has done so, Windows File Explorer recognizes it as a DVD-RW drive named IronKey Unlocker. Note that only Windows and macOS devices support this initialization. This is required to make use of the drive. In other words, those who want to use the D500S on Linux must first set up a password on Windows or macOS. After that, the drive works virtually the same on each platform.

The pre-installed IronKey app offers the option to enter a password or passphrase. The latter is an alternative to a password with up to 128 characters. There is also the option to use an additional admin password or passphrase through this app once a user credential is chosen. A hierarchy can therefore be built in where only administrators are allowed to modify settings and data, while a user has read-only access, for example.

Screenshot of an IronKey software interface, "Device Initialization - D500S", with fields for creating and confirming a secure password with specific requirements.

An advantage of the D500S is the control you have over the keys. This is of a comprehensive nature: with a special Crypto-Erase Password, users can even choose the “nuclear” option where all data is not only deleted, but all traces of previous use are also invisible. In the process, the USB drive also generates entirely new private keys. Ten wrong attempts for the user password will have the USB stick blocked, while ten wrong admin login attempts will lead to a ‘crypto erase’. In other words, all data is gone forever when that gets triggered.

XTS-AES 256-bit encryption also implies that several keys are already present. This hardware-based solution creates different ciphers for the initialization vector (IV) and block encryption. Bruteforcing is already out of the question because you only get ten attempts, but even with unlimited opportunities, there’s little chance of success. If the device is equipped with an otherwise impossible-to-trace password, it would require millions of years of computing power to guess correctly.
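The attempt counters and the crypto erase described in the two paragraphs above, as a small Python model. This is an added illustration, not Kingston's firmware or code from the review; the class, the SHAKE-256 keystream standing in for XTS-AES, the KDF and the counter reset on success are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # per the review: ten wrong tries for either role


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the model (SHAKE-256 keystream), NOT XTS-AES.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class DriveModel:
    """Hypothetical model of the lockout policy; not Kingston firmware."""

    def __init__(self, user_pw: str, admin_pw: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = {"user": self._kdf(user_pw), "admin": self._kdf(admin_pw)}
        self.failures = {"user": 0, "admin": 0}
        self.user_blocked = False
        self._dek = secrets.token_bytes(32)  # data key never leaves the device
        self.flash = b""                     # ciphertext as stored on flash

    def _kdf(self, password: str) -> bytes:
        # Low iteration count keeps the demo fast; assumption, not the vendor's KDF.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def write(self, plaintext: bytes) -> None:
        self.flash = _xor_stream(self._dek, plaintext)

    def read(self) -> bytes:
        # What the controller would decrypt with its current key (gating omitted).
        return _xor_stream(self._dek, self.flash)

    def unlock(self, role: str, password: str) -> str:
        if role == "user" and self.user_blocked:
            return "blocked"
        if hmac.compare_digest(self._kdf(password), self._verifier[role]):
            self.failures[role] = 0  # assumption: a success resets the counter
            return "unlocked"
        self.failures[role] += 1
        if self.failures[role] < MAX_ATTEMPTS:
            return "denied"
        if role == "user":
            self.user_blocked = True
            return "blocked"
        # Crypto erase: replace the key; the old ciphertext stays but is unreadable.
        self._dek = secrets.token_bytes(32)
        self.failures = {"user": 0, "admin": 0}
        return "erased"
```

The point of the model is that a blocked drive still holds recoverable data under the original key, while a crypto erase leaves the stored bytes untouched and makes them undecryptable by discarding that key.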

Additional coverage

Since there is no physical lock like the Keypad 200, Kingston has to avoid keyloggers or screen loggers in some other way with the D500S. In fact, those malicious parties are watching every keypad press. Using keylogger protection, you can opt for a virtual keyboard. If infiltrators can watch along with your mouse movements, this is not enough. Therefore, there is a “randomizer” option, so that all keys are in completely different places than on a normal QWERTY keyboard. That way, an attacker cannot tell what the password is from mouse movements.

A login screen displayed on a digital device with a virtual keyboard open, including options to retake and switch, and a 'user password' field awaiting input.

Availability

The D500S has several variants: Managed and Standard. The former is intended for enterprise or governments to perform fleet management. For that reason, they are (usually) more expensive than the Standard variant. Please note that the data listed below features street prices in the Netherlands, checked on April 22, 2024.

| Capacity | Lowest price (standard)* | Lowest price (managed)* | Read/write speed (3.2 Gen 1) |
|---|---|---|---|
| 8GB | 114.55 euros | 69.00 euros | 260 MB/s – 190 MB/s |
| 16GB | 130.69 euros | 194.92 euros | 260 MB/s – 190 MB/s |
| 32GB | 168.01 euros | 237.85 euros | 260 MB/s – 190 MB/s |
| 64GB | 192.77 euros | 303.50 euros | 260 MB/s – 190 MB/s |
| 128GB | 228.25 euros | 399.45 euros | 260 MB/s – 190 MB/s |
| 256GB | 389.00 euros | 546.40 euros | 240 MB/s – 170 MB/s |
| 512GB | 450.00 euros | 652.46 euros | 310 MB/s – 250 MB/s |

*Revised April 22, 2024, including VAT

The combination of strong hardware-based security and physical protection makes these prices fair. Other parties charge similar prices and either offer the same kind of encryption or are still behind. Besides price, the choice between the Keypad 200 and the D500S depends mainly on preference: the difference in ease of use between a physical button and keying in a password via software is ultimately subjective. That aside, the D500S features a stronger shield than the Keypad 200, although the latter also has epoxy around the components for protection. In any case, the IronKey D500S offers a good balance of convenience and security, making it suitable for all kinds of organizations to securely share sensitive data.
