It’s almost RSA time again. Which means one very important thing: I need to finally post the review of the very slick TPM-based Windows bootable thumb drive Jeff Jones (@securityjones) gave me at RSA 2011. I have been promising him this review since last March, and it would be just too embarrassing to not get it done before RSA 2012. So here we go.

As I said above, this slick little device provides a full self-contained Windows install protected by TPM. The entire thing is encrypted. When I was still doing ops, I kept it in my car for when I was out and about without my laptop. It was great for doing quick and dirty troubleshooting using a friend’s computer or library machine without having to worry about what might be on the machine I was using. You know, those public machines can be cesspools of all sorts of badness. Unfortunately it gets less use now that I’m during pure security, but I still pull it out now and again.


  • Completely encrypted
  • Uses its own memory and disk instead of the host’s
  • Great form factor
  • Ridiculously easy to use


  • Doesn’t play nice with some laptop video cards
  • Not as fast as using the native hardware by a long shot
  • Can’t boot off a Mac or via a virtual machine

What would have made this better? If it completely blocked access to the underlying drives and memory of the host box. Then I would have also used it as a safe browsing environment for conferences and airports and the like. That kind of capability would also be useful for those of you who need research NSFW sites using corporate machines. Admittedly, this would be a substantial feat, especially considering the need to access USB drivers for access to the host.

When I used it regularly it was great for confirming that production services were live at my company, and it also allowed me to respond to email using the web gateway. For long emails this was far more efficient then trying to use my phone.

If I were buying one, I’d have them preinstall essential security tools such as gpg, 1Password or another password manager, and the appropriate strong authentication software (such as a soft token). You’d also need ssh and VPN clients to make it even more useful. And while I’m putting together a shopping list, how about Skype? That would be really nice to communicate in a pinch. Though I’m not sure if it supports audio devices. Jeff? There are a couple other good use cases. For onsite incident response I would want forensics tools. If I were doing more technical consulting/pen testing I’d want one that booted Linux so I could have tools like BackTrack at my disposal.

All in all, even without those tools, it’s a nice form factor for carrying around an emergency OS. I wonder if it’d be possible to get one that dual-booted – that would be even cooler then carrying a couple. You know you have to cut ounces of extra weight when you can. And I know I can get a lot of this functionality from a regular USB thumb drive, which would greatly expand the available options and undoubtedly lower the cost. But for specialized use cases, including toting around ssh and X.509 keys, having a TPM chip and an encrypted drive is very attractive – not to mention the dedicated memory & disk. There are a couple of this type of device out there, and adhering to Securosis’ policy of not being vendor-specific, I won’t mention specific models, but if you have this kind of requirements you should check them out.