USB Armory

The USB armory is an open source hardware design, implementing a flash drive sized computer.

The USB armory is the world smallest secure computer. It can safeguard data and run trusted applications, preventing unauthorized access or execution. Minimal attack surface, vast performance and capabilities.

Compact. Customizable. Secure.
Fits right in your pocket, your laptop, your servers.

Applications

The capability of implementing arbitrary USB devices in combination with the USB armory speed, the security features and the flexible and customizable operating environments, makes the USB armory the ideal platform for all kinds of personal security applications. 

The USB armory is a prime platform for the following applications:

  • Encrypted storage solutions
  • Hardware Security Module (HSM)
  • Enhanced smart cards
  • Electronic vaults (e.g. cryptocurrency wallets, e-voting)
  • Key escrow services
  • Authentication, provisioning, licensing tokens
  • USB firewall

TamaGo

In addition to native support for standard operating environments, such as Linux distributions, the USB armory is directly supported by TamaGo, an F-Secure Foundry developed framework that provides execution of unencumbered Go applications on bare metal ARM® System-on-Chip (SoC) processors.

Traditional OS

TamaGo unikernel

 

memory-unsafe programming language

 

memory-safe programming language

TamaGo allows a dramatic reduction of the attack surface by removing any dependency on memory-unsafe languages (e.g. C), Operating Systems and third party libraries.

programming language %

Project page:

Security Features

The USB armory incorporates a vast number of features that can support a wide variety of security architectures. Its capabilities allow the safe storage of data as well as the trusted execution of operating environments and their applications, natively on the device itself.

Beyond simple smartcards or security tokens, the USB armory is a personal, self-contained, secure server

Secure boot

The HAB feature enables on-chip internal Boot ROM authentication of initial bootloader (i.e. Secure Boot) with a digital signature, establishing the first trust anchor for code authentication.

Secure boot

True Random Number Generator

The CAAM (i.MX6UL) and RNGB (i.MX6ULZ) provide true random number generation for cryptographic operations.

True Random Number Generator

Bluetooth

The built-in Bluetooth (BLE) module allows wireless communication which, in combination with other security features as well as the internal+external storage, enables innovative multi-factor secure storage solutions.

Bluetooth

Secure Storage

The SNVS (Secure Non-Volatile Storage) enables encrypted storage of arbitrary data using unique keys. Combined with Secure Boot (HAB) this allows complete lockdown of data through a trusted application.

Secure Storage

RAM Encryption

The BEE is included only in boards mounting the i.MX6UL SoC, it supports on-the-fly (OTF) AES-128 (ECB or CTR) encryption/decryption on the AXI bus, allowing OTF DRAM encryption.

RAM Encryption

External security element

The NXP SE050 features hardware acceleration for elliptic-curve cryptography as well as hardware based key storage.

External security element

Replay protection

The eMMC RPMB features allows replay protected authenticated access to flash memory partition areas, using a shared secret between the host and the eMMC.

Replay protection

Example use cases

GoKey

The GoKey application implements a USB smartcard with innovative properties. Featuring an SSH based management interface, the card provides a dramatically improved security model over traditional smartcards. By leveraging on the TamaGo framework, GoKey is written and executed with only high-level code, minimal dependencies and a memory-safe environment.

Project page:

Interactive encrypted drive

The USB armory provides secure execution of cryptographic operations and data storage.

The user can unlock the USB armory over Bluetooth, authorizing only need-to-know contents, to ensure safe operation even on untrusted laptops.

Project page:

Remote Hardware Security Module

When hosting facilities cannot be trusted, the USB armory, plugged on a server, complements its potentially unsafe environment with self-contained, tamper proof, HSM services.

Remote peers can authenticate the USB armory and use it, while the server remains an unprivileged party.

The server itself can also use the USB armory HSM services for CA/PKI or any other cryptographic purpose, without having access to protected keys.

Ordering

The USB armory is assembled entirely in Italy and is available for ordering from selected stores as listed below.

Additionally custom/bulk order inquiries can be placed directly by contacting usbarmory@f-secure.com.

Standard orders  
UA-MKII-ULZ-512M USB armory Mk II • i.MX6ULZ 900 MHz • 512 MB RAM • enclosure
UA-MKII-DA Debug accessory for the USB armory Mk II
Custom/bulk orders  
UA-MKII-UL-512M USB armory Mk II • i.MX6UL 528 MHz • 512 MB RAM
UA-MKII-UL-1G USB armory Mk II • i.MX6UL 528 MHz • 1 GB RAM
UA-MKII-ULZ-1G USB armory Mk II • i.MX6ULZ 900 MHz • 1 GB RAM
UA-MKII-ENC Enclosure for the USB armory Mk II

Related resources

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs