Spyrus Got Approval of NSA

SPYRUS, Inc. announced that their new smaller form factor SPYRUS Hydra Privacy Card (Hydra PC) Personal Encryption Device has completed a detailed review by the National Security Agency (NSA) against strict security requirements for protecting data at rest in a personal encrypting USB flash drive.

In the last quarter of 2009, SPYRUS, Inc. announced that the patented Hydra PC Personal Encryption Device was the first and only commercial-off-the-shelf (COTS) encryption device approved to protect tactical data in accordance with CNSS Instruction 4009 at the SECRET level and below, when used with the approved operational security doctrine. Until yesterday, this was the only device to have this distinction.

The two versions of the Hydra PC Personal Encryption Device are the only two COTS personal USB encryption devices that have ever passed this review or met these strict security requirements. Both versions of the Hydra PC Personal Encryption Device are validated to FIPS 140-2 Level 3, and both versions also exceed the new security requirements recently issued by the US Department of Defense (DoD) for encrypted flash drives approved for use on DoD networks.

While the first Hydra PC Personal Encryption Device is about the size of three stacked Express Cards, the new design is 30% smaller – closer to the size of a traditional USB flash drive at 66.85 mm (2.63") x 24.21 mm (.91") x 8 mm (.31").

The new Hydra PC Personal Encryption Device uses removable microSD memory cards. Because the security is built into the base unit, the Hydra PC Personal Encryption Device offers infinite expandability. Need more storage? Insert any microSD card from any source. When an unknown microSD card is inserted into the base unit, it is not accessible until it is formatted, encrypted, and locked to the base unit. When the microSD card is removed from the base unit, the information on the card is completely unintelligible, even if it is later inserted into a different base unit.

With the correct password, you can use the Hydra PC to encrypt files and folders to any accessible location. Only encrypted files or folders can be stored on the memory card and they can be decrypted or securely deleted but cannot be moved off the card, ensuring mandatory data containment. The entire microSD card can be cloned to create an encrypted, authenticated backup.

Every file stored on the device is encrypted with a unique key – just like a bank vault with individual safe deposit boxes. At encryption, both the plaintext and the resulting ciphertext are digitally signed and time-stamped, and the originator’s credentials are embedded. The encrypted file becomes the sealed document of record because, when encrypted, nothing can be altered without destroying the ability to decrypt the file. The content, time of encryption, and the device used to encrypt the file can all be independently verified, ensuring nonrepudiation.

The Hydra PC provides secure data containment by limiting the use of a specific device to administrator-authorized computers within a defined domain, preventing both removal of sensitive data and unauthorized access to the Hydra PC or its data. Even with the correct password, the encrypted data cannot be decrypted outside of the secure domain. Even if a device is captured and the owner forced to give up the password, the data still cannot be decrypted without access to a computer inside the domain. Additionally, all ports on authorized computers can be blocked so that only the Hydra PC, and no other "rogue" USB device, can be used.

"Once again, we are extremely proud to have worked very closely with NSA to qualify the new small form factor Hydra PC Personal Encryption Device as a product secure enough to safeguard tactical data at the SECRET level. AES encryption alone, without equally strong key management and a secure implementation, is just not good enough to protect sensitive data," said Tom Dickens, SPYRUS Chief Operating Officer. "For only the second time in history, NSA has approved a personal USB encrypting memory device that every DoD or Federal employee and contractor can purchase to protect tactical data at the SECRET level and below, without the burden of Type-1 security paperwork and controls. If it is good enough to protect classified data, it will be good enough to protect commercial sensitive or personally identifiable data."