Introduction

The Armory Drive provides a pocket encrypted drive solution based on the USB armory Mk II.

It allows one-tap unlock of a microSD-backed encrypted USB drive through a companion mobile application.

The USB armory firmware is a TamaGo-based unikernel that provides encrypted USB Mass Storage interfacing for any plugged-in microSD card.

The encrypted storage setup and authentication are meant to be performed with the F-Secure Armory Drive iOS app over Bluetooth (BLE).

To understand the firmware's capabilities and use, see this Tutorial.

Security Model

See the detailed specifications for a full explanation of the security model.

Installation of pre-compiled releases

Binary releases are available for the Armory Drive firmware.

The binary release includes the armory-drive-install tool (for Linux, Windows and macOS), which guides users through the initial installation of such releases and Secure Boot activation.

[!WARNING] :lock: Loading signed releases triggers secure boot activation, which is an irreversible operation to be performed at your own risk. Carefully read and understand the following instructions.

The installer supports the following installation modes:

The armory-drive-install tool provides interactive installation for all modes and is the recommended way to use the Armory Drive firmware.

Expert users can compile and sign their own releases with the information included in section Installation of self-compiled releases.

Documentation

The main documentation can be found on the project wiki.

Operation

Pairing and initialization

See the Tutorial.

Disk access

When running with a microSD card inserted, the USB armory Mk II can be used like any standard USB drive when unlocked through its paired companion iOS app.

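| LED   | on               | off            | blinking                    |
|-------|------------------|----------------|-----------------------------|
| blue  | BLE active       | BLE inactive   | pairing in progress         |
| white | SD card unlocked | SD card locked | firmware update in progress |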

Firmware update

The armory-drive-install tool provides interactive upgrade of all installation modes and is the recommended way to upgrade the Armory Drive firmware.

Alternatively, users of F-Secure signed releases or unsigned releases (and only those users) can follow the procedure below on USB armory devices that have already been initialized with the Armory Drive firmware as shown in Pairing and initialization.

  1. Download the file update.zip from the latest binary release.
  2. If the USB armory contains an SD card, remove it.
  3. Plug in the USB armory.
  4. An "F-Secure" disk volume should appear.
  5. Copy update.zip to the "F-Secure" disk.
  6. Eject the "F-Secure" disk.
  7. The white LED blinks during the update and turns off on success; a solid blue LED indicates an error.
  8. Put the SD card back in.

Installation of self-compiled releases

[!WARNING] These instructions are for expert users only. It is recommended to use armory-drive-install if you don't know what you are doing.

Compiling

Ensure that make, a recent version of go and protoc are installed.

Install, or update, the following dependency (ensure that the GOPATH variable is set accordingly):

go get -u google.golang.org/protobuf/cmd/protoc-gen-go

Build the TamaGo compiler (or use the latest binary release):

wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip
unzip latest.zip
cd tamago-go-latest/src && ./all.bash
cd ../bin && export TAMAGO=`pwd`/go

The firmware is meant to be executed on secure booted systems, therefore secure boot keys should be created and passed with the HAB_KEYS environment variable.

Build the armory-drive-signed.imx application executable:

make DISABLE_FR_AUTH=1 HAB_KEYS=<path> imx_signed

An unsigned test/development binary can be compiled with the imx target.
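A pre-flight check for the build steps above, added here as an example and not part of the Armory Drive project: it verifies the tools and variables this section names and refuses to continue when the HAB_KEYS path is accessible to group or other users. The function names and the owner-only permission policy are assumptions of this example; the page only states that HAB_KEYS passes the secure boot keys to the build.

```shell
#!/bin/sh
# Added example: pre-flight checks before `make ... imx_signed`.
# Function names and the key-permission policy are assumptions, not project code.

# Print every named tool that is not on PATH; non-zero status if any is missing.
missing_tools() {
    rc=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool"; rc=1; }
    done
    return "$rc"
}

# Print entries under $1 that carry any group/other permission bit.
# Symlinks are skipped because their own mode bits are not meaningful.
exposed_key_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# 0: path exists and is private to its owner; 2: unset/missing; 3: exposed.
check_hab_keys() {
    [ -n "$1" ] || { echo "HAB_KEYS is not set" >&2; return 2; }
    [ -e "$1" ] || { echo "HAB_KEYS path not found: $1" >&2; return 2; }
    exposed=$(exposed_key_paths "$1")
    [ -z "$exposed" ] && return 0
    echo "secure boot keys accessible to group/others:" >&2
    echo "$exposed" >&2
    return 3
}

# Run all checks against the environment the build section describes.
preflight() {
    missing=$(missing_tools make go protoc protoc-gen-go) || {
        echo "missing build tools:" $missing >&2; return 1; }
    [ -x "${TAMAGO:-}" ] || { echo "TAMAGO is not an executable go binary" >&2; return 1; }
    check_hab_keys "${HAB_KEYS:-}"
}
```

Source the file and run `preflight` with TAMAGO and HAB_KEYS exported; a zero status means the checks passed and the make command above can be run.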

Installing

To permanently install armory-drive-signed.imx on internal non-volatile memory, follow these instructions for internal eMMC flashing.

[!WARNING] Once loaded, even through Serial Download Protocol, the firmware initializes its configuration by writing on the internal eMMC, therefore corrupting its previous contents.

Support

If you require support, please email us at usbarmory@withsecure.com.

Authors

Andrea Barisani
andrea.barisani@withsecure.com | andrea@inversepath.com

License

Copyright (c) WithSecure Corporation

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation under version 3 of the License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

See accompanying LICENSE file for full details.