Frequently Asked Questions (FAQ)

Andrea Barisani edited this page May 6, 2022 · 11 revisions

Armory Drive FAQ

How can I install and use F-Secure Armory Drive?

  1. Install our firmware release on your USB armory Mk II.

  2. Download the F-Secure Armory Drive iOS app.

  3. Follow the Tutorial.

A firmware upgrade/installation was suddenly interrupted or failed, what do I do?

In case a firmware installation or upgrade is suddenly interrupted (e.g. power loss) it might be necessary to perform an emergency recovery.

To do so, launch the armory-drive-install tool, included with all binary releases, with the -R flag and follow the instructions.

How does F-Secure Armory Drive protect my data?

The USB armory device, when using the F-Secure Armory Drive firmware, performs on-device encryption/decryption of the microSD card contents using hardware accelerated AES-128-CBC full disk encryption (FDE).

Encryption keys are freshly created at each pairing using the device True Random Number Generator, to protect Bluetooth communication with mutual authentication and microSD card contents.

The microSD card encryption key is derived from the combination of:

  • A key generated and stored on the mobile phone, sent over mutually authenticated and encrypted Bluetooth communication at each unlock.

  • The USB armory unique device hardware key.

This guarantees that the microSD card contents can be unlocked only with the right combination of USB armory device and unlocked paired mobile phone.
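The two-part key described above, as an added Go example that is not the Armory Drive firmware's code. It assumes an HMAC-SHA256 combination (the page does not state the actual derivation); the function names, label, secrets and all-zero IV are constructed for the demo, which shows that a sector reads back only with the original device and phone pair.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// deriveDiskKey mixes both secrets into one AES-128 key. Assumption: HMAC-SHA256
// keyed by the device secret; the firmware's real derivation is not shown here.
func deriveDiskKey(deviceKey, phoneKey []byte) []byte {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write([]byte("disk-key")) // constructed domain-separation label
	mac.Write(phoneKey)
	return mac.Sum(nil)[:16]
}

// cryptSector runs AES-128-CBC over one block-aligned sector.
func cryptSector(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("bad key, IV or unaligned sector: %v", err)
	}
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// readsBack writes a sector under one pair and checks whether another pair recovers it.
func readsBack(wDev, wPhone, rDev, rPhone []byte) bool {
	iv := make([]byte, aes.BlockSize) // constructed IV for this single demo sector
	sector := bytes.Repeat([]byte("constructed data"), 32)
	ct, _ := cryptSector(deriveDiskKey(wDev, wPhone), iv, sector, false)
	pt, err := cryptSector(deriveDiskKey(rDev, rPhone), iv, ct, true)
	return err == nil && bytes.Equal(pt, sector)
}

func main() {
	dev, phone, other := []byte("dev-secret"), []byte("phone-key"), []byte("other") // constructed
	fmt.Println("paired device + phone:", readsBack(dev, phone, dev, phone))
	fmt.Println("other device + phone: ", readsBack(dev, phone, other, phone))
	fmt.Println("device + other phone: ", readsBack(dev, phone, dev, other))
}
```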

How does the USB armory protect F-Secure Armory Drive firmware and configuration?

The F-Secure Armory Drive firmware is meant to run on Secure Booted USB armory Mk II devices.

Secure boot allows firmware authentication with burned in read-only public keys, as well as confidential configuration storage with device specific hardware keys.

Additionally, Firmware Transparency allows tamper-evident firmware authentication. This is performed on F-Secure signed releases by both the installer tool and the device firmware.

The drive name does not match the one I see in the mobile app!

This is normal: the drive name is arbitrary and, as with any disk drive, the user can change it when formatting.

The identifier seen in the mobile app on the other hand is fixed and relates to the device Bluetooth interface.

When locking the drive from the mobile application the OS still sees a disk.

Windows and Linux correctly detect external locking as a drive eject. macOS, however, does not handle this scenario correctly and shows an unresponsive drive in this case (the drive is effectively locked and its data is no longer accessible).

While the armory can be locked manually at any time, either through the mobile application or by simply detaching it, it is always recommended to eject the drive from the OS, as this locks the drive and wipes the data decryption keys from the armory internal memory.

When detaching without safe removal (e.g. eject), the usual recommendations for standard drives apply: data loss or corruption might happen if write operations are being performed. For this reason too, it is always recommended to eject the drive from the OS to lock it.

Can I use the F-Secure Armory Drive on an iPad?

Absolutely! But you will need another computer to format the microSD card if it's the first usage, as iPadOS does not offer the possibility to format peripherals.

Can I pair the F-Secure Armory Drive a second time?

Yes, but the pairing process will generate new encryption keys, which means the current microSD card content will be lost.

Can I pair with more than one F-Secure Armory Drive?

Yes, an arbitrary number of USB armory devices running the Armory Drive firmware can be paired and selected for use in the mobile app. Each device is assigned its own key material and treated separately.

What happens if I lose or break my phone?

On iOS, if the iCloud keychain is enabled, the application and its settings will be restored automatically.

In other cases, a manual procedure to export the recovery QR code is available.

If you have a backup of the recovery QR code, you can use the Recovery from QR code function from the Info screen.

If you don't have a backup of the recovery QR code, the content of the microSD card is lost.

What happens if I lose or break the USB armory?

The contents of the microSD card are lost in either case as the USB armory holds part of the decryption key.

This also means that a malicious party cannot extract the full decryption key from a stolen unit.

What happens if I lose or break the microSD card?

The contents of the microSD card are lost.

What is the firmware technology running on the USB armory?

The F-Secure Armory Drive device firmware is a bare metal unikernel written in the TamaGo framework.

This open source framework allows powerful and secure firmware to be created with minimal attack surface and dependencies, solely using a high-level memory safe programming language (Go).

The F-Secure Armory Drive firmware is also open source and published in this repository.