What Can We Say?
Oct 31st 2024
From time to time, we are asked some deep-dive questions about our production processes and the architecture inside of our encrypted hard drives.
We greatly appreciate all of the interest and are happy to tell you as much as our security policy permits in regard to our secure storage devices. We equally appreciate your understanding that we need to keep our secret sauce a secret, and there's a limit on what we can talk about when it comes to technical specifics. Whether it’s a writer working on a product review, an IT security officer at a conference, or even an existing customer, our corporate security policy precludes the outward discussion of our engineering designs, production processes, or the myriad components within our products and their sources.
In a way, it’s a shame that we can’t talk more openly about our unique encrypted storage engineering because we’re very proud of what we have developed and remain committed to building the most innovative products in our space. But protecting our intellectual property, and more important, our customers’ data, must always come first.
To further illustrate our commitment to protecting data stored on Apricorn devices, we won’t even discuss or publicize who our current and past customers are, even though the list is impressive and would serve as an effective marketing tool.
If our silence makes us look like we have something to hide, well, you’re right.
With all of this said, we recognize that there are literally millions of Apricorn users who have been placing their trust in our encrypted products for nearly two decades, and they might appreciate some additional info. So we gave our silence some thought and came up with what we actually can say about what we do.
Is this stuff really engineered, assembled and tested in the USA?
Yup. Apricorn is a 42-year-old, privately-owned American company. Our products are TAA compliant, FIPS validated and NATO approved. The Apricorn facility is headquartered in Poway, California--always has been. Our onsite staff of hardware, firmware, and software engineers work shoulder to shoulder, right here in our building in San Diego County. We also have a full operations and assembly crew, as well as our sales and marketing team onsite. It all happens here in this single facility. All Apricorn products are designed, assembled, flashed, tested and packed for shipping within this same facility.
As for the process itself, the assembly and flashing steps are key points to expand upon: The assembly and flash processes involve several unique steps that are developed, implemented, and tightly controlled internally. To ensure that we maintain complete control of all Critical Security Parameters (CSPs), we developed our own security controller system, which is rare for a company like ours. Nearly all of these types of security control systems are found only at various Contract Microchip Manufacturing plants located all over the world.
We took it upon ourselves to bring these final security control processes in-house to be certain that we create and maintain complete control of all CSPs. And for a final touch, the firmware in each encrypted drive is immediately locked down following the flashing phase, and can’t be further updated, modified, or corrupted by any malware such as BadUSB.
Component Sources:
While we won’t identify the chips we use or where any of our internal electronic components come from, we can tell you this: Our semiconductors are NEVER from China.
(And by the way, they're also not from Russia, North Korea, Iran, etc., so please don't ask.)
The concern over Chinese and other unfriendly states’ infiltration into our country’s critical infrastructures is something that security experts like Bruce Schneier have been warning us about for years. We have shared in their concern from the start, which is why we don’t use logic chips from China in any of our products. Beyond China, we maintain a less-than-zero trust for microchips from everywhere else too. Be it from Tucson or Taipei, we scrutinize every logic chip with the same sub-zero trust processes. And that scrutiny is ongoing.
All of our components come from various global sources. Each is carefully selected from – or custom engineered by – federally approved, reputable manufacturers from all over the planet. Further, every single component is then intensely scrutinized and tested both internally and then by top American security certification labs before it is ever incorporated into our production. To comply with our own policy, if we were to ever produce our own microchips, we would still send them out to a certified independent lab for testing, exactly as we do for everything else.
Has there ever been a successful attack on an Apricorn encrypted device?
To date, there hasn’t been a single one. NOT ONE. And to keep it that way, we regularly hire independent penetration testers to exploit or break into our devices on an ongoing basis. We are not seeking passing certification marks here--we want honest criticism and opinions from these testing labs on where actual or potential vulnerabilities may lie. We rely on this outside expertise to keep one step ahead of would-be attackers. If a vulnerability were to occur in our product line, we make sure that it’s found by us or our pen testers. When pen testers raise concerns or offer their points of view during testing, we listen rather than discount or disprove them. We continue to welcome this input, and if it makes for a more secure device, we develop solutions that address and resolve all warranted concerns.