Bugging Out with Personal Information - ITS Tactical

Shop the ITS Store!


Bugging Out with Personal Information

By John D. McCann

A copy of your personal information should always be included as part of a bug-out bag or evacuation kit. I have often been asked why we need this information and have had people say that they have this information secured in a safe in their home.

Is that information actually safe? Are you certain that your safe will survive a major fire? What if a tornado destroys or removes you house and it just can’t be found? A nuclear emergency, such as the one in Japan, might mandate an evacuation where you are not allowed to return.

There are many reason to carry important personal information when you evacuate. I like to carry a backup of my personal information on me at all times, as well as in my bug-out bag. The real problem is securing that information. I have seen it often recommended that all your personal information be placed in a file folder and kept in a large zip-lock bag. Obviously, if this file is found or stolen, you have a real potential identity theft problem. So what do you do?

The IronKey

I used to carry my personal information on a USB flash drive. Unfortunately, for years, I could only find software encryption, which is not always as secure as it is made out to be. Some software encryption can be easily broken, leaving your information vulnerable.

I was limited to this solution until I met a reader of my book, Build the Perfect Survival Kit, who worked for a large bank. For work, he used a product that was designed to meet the most demanding military, government, and enterprise security requirements. Needless to say, I was very interested. It was just what I was looking for!

The device is the IronKey, an extremely secure USB flash drive, ready to protect data everywhere it goes. There are various models of the IronKey, but the basic model, the S200, is more than adequate for the purpose of carrying confidential information. They are available in 2 GB, 8 GB, and 16 GB. The other models provide features more for business applications, which are unnecessary for my needs.

So what is so great about this USB flash drive? The IronKey is the only USB flash drives validated to meet the stringent Level 3 requirements of FIPS 140-2, a U.S. government computer security standard. The S200 protects data with strong AES 256-bit hardware encryption. It has “always-on” data encryption, whereby all user data is encrypted with AES CBC-mode hardware encryption. Unlike software-based encryption, this “always-on” protection cannot be disabled. Since the IronKey Cryptochip generates and stores strong, random encryption keys, encryption routines run faster and more securely than on any software-based encryption system.

Practical Applications

This all sounds good, although a little technical, but it was some of the other security features that sold me. This device is really physically hardened. Its rugged metal casing protects it against physical damage, and the internal components are sealed to protect against tampering. It far exceeds military waterproof requirements. No one can access files stored on an IronKey drive unless they authenticate with the correct password. All encryption and password verification are performed in the hardware, and cannot be disabled by malware or a careless user. Self-defending IronKey drives also provide hardware-level active protections against the spread of malicious code.

When an IronKey drive is plugged into a laptop or desktop computer, the user must authenticate with a password before encryption keys are enabled and data and applications are accessible. Unlike software-based encryption, the IronKey protects against cold-boot and malware attacks by not exporting AES encryption keys to the host PC. IronKey Basic protects against brute force password guessing attacks by using non-volatile access-failure counters stored on the Cryptochip itself. If a thief tries to break into an IronKey drive and enters 10 incorrect passwords, the Cryptochip securely erases all encrypted data with patent-pending Flash Trash technology. This ensures no data can be recovered from the device. If the IronKey detects a physical attack, it will initiate a self-destruct sequence (kind of reminds me of Mission Impossible). It is nice to know that if you lose this device, the information on it will not get into the wrong hands!

There is a lot more information I could provide in regard to the IronKey USB flash drive, but I think you get the idea that this is a great way to securely carry personal and confidential information. Both my wife and I carry one on our key ring, and have an extra for the bug-out bag.

Personal Information

What type of information should be kept on such a device? Although not a complete list, the following is information that might come in handy:

  • A file containing actual scans of important identification and documents, such as: drivers license, passport, social security card, pistol permits, birth certificate, marriage and death certificates, the deed to property owned, vehicle titles, contracts, insurance policies, wills, and medical prescriptions.
  • A file containing emergency phone numbers: personal contacts, doctors, dentist, healthcare provider, insurance companies, and central station security provider.
  • A file with credit card information: card numbers, expiration dates, security codes; and information to contact the provider, should a card be lost or stolen.
  • A photo or video inventory of valuables in your home, to include: computers, firearms, pantries and other areas where emergency supplies are maintained (you might have to prove to an insurance company that such items existed). I also like to show the actual house from various sides, outside, as well as the contents of each room, inside. Don’t forget garages, out-buildings, tools, etc.

Obviously, there is other information that can be contained on such a secure device. By carrying a copy of your personal information on a secure device, you will always have a backup, even if you lose your home or wallet. As always, be prepared to survive, and always have a backup!

Editor-in-Chief’s Note: Please join us in welcoming John D. McCann as a contributor on ITS Tactical! I’ve been a longtime reader of John’s work and his first book,  Build the Perfect Survival Kit  helped me design the kit I EDC. John is also the owner of  Survival Resources, a company that specializes in survival kits, survival kit components, and outdoor skills courses. He’s just released a new book too that I’m currently reading, called  Stay Alive! Survival Skills You Need.

Are you getting more than 14¢ of value per day from ITS?

Thanks to the generosity of our supporting members, we’ve eliminated annoying ads and obtrusive content. We want your experience here at ITS to be beneficial and enjoyable.

At ITS, our goal is to provide different methods, ideas and knowledge that could one day save your life. If you’re interested in supporting our mission and joining our growing community of supporters, click below to learn more.


  • Dan Bond

    Great points! I have no passport yet; been working since i was 16 and never saw the need but I’m getting one asap and will scan and seek a duplicate. Good to know about the ironkey too. I store all of my info on flash drives currently but I’m sold by the self destruct erasure feature the ironkey provides. Thank you, John and welcome to the think tank! Looking forward to more articles from you.

  • Wow, fantastic article. This definitely shed some light on how to go about keeping data, and keeping it securely. The info about how IronKey works, and all the things that don’t work (attack wise) was very helpful. Thanks so much!

  • bluesgt380

    Excellent thank you!

  • Jeff Stevens

    “software encryption can be easily broken”? I’d love to see someone crack TruCrypt.

    A better solution than carrying something physical which can be lost is to keep it online. Use Dropbox or GMail to store your information, and you’re not dependent on having a losable item.

    • Tim

      While I agree that TrueCrypt is powerful, and uploading the encrypted files to Dropbox or Gmail might be a reasonable solution, you’re still trusting your information to a 3rd party.

      And if they’re hacked or have a security mishap (like the recent Dropbox incident), you won’t know if your files are compromised.

      With a physical item, at least I know where it is at all times and when it’s missing.

  • kmac179

    I have carried one of these for about 3 years, it is without a doubt one of the best tools in my toolbox. It has been through hell and back many a time. It is been submerged, ran over, dropped, and countless other assaults. The only thing I would like to see is a faster read/write, takes a while to transfer larger files

  • lmeehan

    make sure when scaning any of those important docs you get rid of the memory/copy that most modern scanners keep of scanned items. i make sure my scanner is never hooked up to a wi-fi or internet capable computer. when/if i get rid of it i will rip and destroy the memory before having the scanner recycled

  • kmac179

    After thought question…

    What do you use to tether it to your keys?

  • Steve H

    I keep a lot of this stuff on my dropbox as well. However, since the Megaupload shutdown I’m feeling a bit more weary about storing stuff on a third party site that can be shut down without notification. I do have a web server so I might just bury an encrypted folder on there and store all my encrypted personal info backups there. Other than that, I try to keep that info on my iPhone at all times, but it’s only as secure as the software (I can nuke it if it goes missing thanks to iCloud).

    When we had our false-alarm a few months ago, I was out with the Cat, my laptop, phone and keys within 1.5 minutes (and that includes being woken up by the alarm in the middle of the night and moving down from the second floor). I’ve been trying to get an Iron-Key type solution for some time, but it is not available outside of the US due to its hardware encryption. If I could find something similar here in Canada, I’d be using that in a heartbeat, but over the few years I’ve been looking, I’ve not found anything…

    • Dude! The first thing I’d do if I found a phone (and have nefarious intent which I don’t of course) is to disable wireless so it can’t be remote nuked! Unless it was locked…but then I’d pull the battery. I wouldn’t recommend keeping all this private/sensitive stuff on yer phone unless it’s encrypted very well. Also, I would strongly advise against putting it on a web server where someone could hack and steal it to disseminate offline (ok, again, if encrypted strong enough that should buy you enough time to get things changed before it gets cracked but you never know…). I guess the same trust (er, lack of trust) is present with cloud providers wherein you might have less knowledge if something is compromised…I like the ironkey with keepass holding all the stuff would be the way to go as others have suggested (again, the idea being that the moment it’s lost, you have time before it could be cracked to get things changed so it’s useless by that time). Maybe keep a copy on a second ironkey in a safety deposit to recover in case you lose your mobile one eh? ;o)

  • Tim

    Also, use KeePass Password Safe to store all that information onto a hardware encrypted thumbdrive.

    That way you get double the protection. Also KeePass can help you organize all that stuff as well.

  • Personally I carry a novelty USB drive that looks like a lego figure on a key ring. On that I have stored a small set of tools and reference material. For personal docs, such as scanned licenses, passports, etc. I have those in a password protected zip.

    I realize from a cryptography point that is not world class encryption, but given the context it’s more than appropriate.

    Here’s the attack vectors as I see it:
    1) some undesirable party would have to possess my key ring
    2) said party would have to recognize the USB drive for what it is (not just some toy)
    3) plug it in and view the files and notice a boringly named zip file among dozens of files
    4) realize the zip is password protected
    5) dedicate effort and resources to cracking the password
    6) worst case (not to make light of it), this could result in identity theft

    All my personal account details and passwords contained files are offset by a value only I know.
    e.g. bank account 123-4567 with an offset +2 == 345-6789
    and I’m careful to avoid names of website of financial institutions

    • Another thought regarding “bugging out”.

      Assume a natural disaster where you must evacuate and your house is destroyed, you want insurance policies, identification etc. so you can provide it to authorities.

      With all that in mind, while you don’t want a typical crackhead to paw through this material, you need to ensure this content is viewable on a wide range of platforms. It could be an ancient WinXP machine at some municipal office, a neighbor’s MacBook or anything really.

  • Thanks for some of the nice comments.

    Jeff, I personally like it physical. If the internet goes down (or is shut down…) I would not have access to my info (I try to depend as little as possible on things like the internet that I have no control over). Physically having it (I keep a duplicate Ironkey in the safe) does not make me dependent on the internet for retrieval. We all trust different things, and although it can be lost, so can anything else. Just a chance I’m willing to take.

    kmac179, although it comes with a small split ring, I use one of the micro snap-link to attach it to my keyring. We sell them at Survival Resources.


  • On my own keying I’ve got a LaCie iamaKey. While it’s probably not as rugged as the IronKey, I do like that its silhouette won’t stand out on my keychain:



  • Hello all,

    I have been visiting ITS for some time and enjoy the articles. I have been hesisant to chime in on some of the computer related articles in the past. This is mostly due to the way people just love their Tech and will defend it come hell or high water, but being an IT Security Administrator (White Hat) I just had to say a few things… I know either you agree or you don’t so toss those stones if you want but here it goes….

    I use (as do my customers) Ironkey Personal and Enterprise, they work great!! I have had one of mine to around 120′ underwater (I keep an older one on my scuba gear so I can snag pics from other divers after dives) and to this date it still works great! (Ironkey makes a nice black drive now too)

    As to the people above, the only way your cracking TrueCrypt is if the user uses a weak password, or if you have access to a CRAY and about 25 years (when using high security settings).

    When we crack TrueCrypt it is always weak passwords, a nice rainbow table and a few days we are in, if it’s a strong solid password it can run through every table we have and never even get close.

    @ Tim it doesn’t matter if the “cloud” data is taken if you are using good encryption, that is the whole point of the encryption in the 1st place. “They” can hang on to that data for years and never get in. It is true you should be careful of what data you send to 3rd parties both in access to services and in software as a service like dropbox, however with good solid encryption (again like a TrueCrypt) and good strong passwords you are good to go.

    Ironkey does have a password manager built in, and if you are concerned about the loss of the IronKey you can make a secure encrypted backup on a local PC to upload to a place of your choice like a drop box (or just keep it local), and restore to a new Ironkey when you are able. (while this will not help you in the short term loss of the drive, it’s still better than paper or assuming that no one will notice your drive once its lost.). And for those of you who say “what if there is no more ironkey or internet” well we have bigger problems than your personal information.

    @ the Phone storage, if you store it unencrypted I can get it, plain and simple. I do not need your Password nor do I need to jailbreak your phone, if I have possession of the phone before it is remote wiped (assuming a DOD level wipe) I have the data. Forensic tools and software are super cheap (most free) and they will data mine your phone in seconds making a nice big fat copy for me to take my time and look at. Most phones remote wipe without Wifi, as a matter of fact most remote wipes are done over the 3g4g or Cell connections, the wipe is done at the phone it just needs to get the “do it” signal. On the plus side of getting data off a phone most people only choose to do a standard erase, simple undelete software will bring most of it back, some platforms support High Security DOD compliant wipes but most people just don’t choose that option as the default remote wipe (again depends on your phone). I have seen phones (proof of concept I wouldn’t allow someone to swipe and steal data from another person’s device) taken from a table downloaded, and put back before the user even noticed it was gone.

    @ John D McCann – I too like to have a “with me” backup of my data. 😀

    @ Sean – Password protected ZIPS are not encrypted and easily broken with 10 bucks in software. They are not encryption at all and are not appropriate for storing PII. Just because it has a password doesn’t mean it is encrypted. Big difference. Security through obscurity is never the right answer. (on that note to each their own if it works for you run with it :D)

    All in all in comes down to some simple life rules:
    1- Assume that your data will be lost or stolen at some point.
    2- Take steps to protect it with encryption and good passwords (doesn’t matter how good the lock if I leave a key under the mat)
    3- As with most things in life do not put all your eggs in one basket, but assume all baskets are going to get pilfered, backup and make sure the backups are encrypted.
    4- If you put it in the “cloud” (internet) assume it has been and will be accessed by someone other than you! System Admins, Backup and replication agents, etc. (Hacks are the least of your concern just think of the number of employees @ Google that probably have “access” to your data.)
    5- Don’t buy the hype, Technology can never replace common sense, if you can access it anywhere so can someone else.
    6- Do it in layers, not one approach is going to work for everything, and security in layers is the way to go.

    Lastly natural disasters suck!

    We helped clean up the data networks of a few companies in US disaster zones, the sheer amount of data lost and found by 3rd parties is staggering. In one part of the country where flooding was happening we had a contractor who assumed their entire data center was lost (it was underwater after all) three weeks later they get a call from DELL that they had ordered warranty service on one of the junked servers, turns out a little looting happened before the server room completely fell to the rising waters. (lucky the server was web only and contained no PII or PCI.) If your house is wiped from the map you will be glad you had a copy of things like SSN, BirthCerts, insurance paperwork etc. I truly feel for the people who have suffered in disasters it’s just earth shattering bad and to think that just a few hundred miles away someone is chilling at a Starbucks without a care in the world.

    Toss away 😀

  • Hector

    A similar device we use at work is the LOK-IT- FIPS Edition USB sticks. It has the same Level 3 requirements of FIPS 140-2 and requires a pin code on the device before it is even accessible on the computer. We chose these over the Iron Keys because we heard horror stories of the iron keys being troublesome on macs and having issues with some antivirus software.

    Another great feature is if the password is incorrectly entered in more than 10 times it just wipes the encryption key and forces a reformat of the drive, which means the drive is still usable. With the Iron Key, if you forgot your password or someone tries to break in and you recover your drive all you’ll have is an expensive paper weight.

    Hey if it’s good enough for the Dept of Homeland Security, Congress, The Supreme Court, and many top 500 companies, it’s gotta be worth something. I liked the ones we use so much I personally bought one for my BOB to hold my important documents.


    • Nice I will have to check Lok-it out! Thanks for the link!

      Yes the IronKey does crater well, but we have found that if we charge the users for the drive (if they destroy it) they just seem to take good care of them and I have yet to have 1 user crater the drive. we have had one loss and a confirmed silver bullet when it was plugged in some 2 months later. (Enterprise ED).

      someone else asked how do you attach it to your Keys, we issues ours with little rings we get from a lock smith standard split ring but smaller and way tuff. fits in the pre drilled holes. Some of our “on site only drives” (ones that cannot be unlocked without an internet connection from our home office) have braded cable passed though the pre-drilled keying hole and then through something large and hard to miss (a key keeper type thing, like you see for public restroom keys). This helps them not wander off when they are issued to a “team” or group.

  • Awesome tool, i really recommend it. I was planning on buying one and then this article really sold me on it. Since I’ve been using it I’m very impressed.

  • IronKey no longer makes this product. They are now entirely software / service based. Looks like Imation bought the product and is now selling it under their brand: http://store1.imation.com/store?Action=html&Locale=en_US&SiteID=imation&ThemeID=29942900&pbPage=landing_page

    • Addendum to my last post:
      I just checked my personal file space needs, not including music and other replaceable product. I’m talking financial data, medical record scans, photos and client information that I need. $300+ for an Imation 32Gb drive is just not palatable. Here is my budget-minded multi-platform and manageable option…
      1) Procure a hardened USB memory device like: http://www.amazon.com/Corsair-Flash-Voyager-64GB-CMFSV3-64GB/dp/B007WAYQPQ/ref=wl_it_dp_o_pC_nS_nC?ie=UTF8&colid=2BRAG9FWURGKQ&coliid=I13WQ8MDWV6GKT
      2) Get familiar with and download all versions of TrueCrypt: http://www.truecrypt.org/
      3) Install the version of TrueCrypt for your particular system.
      4) Format the drive using FAT32. Almost any OS can read this format. Create a secure container on it using almost all of the drive. Leave about 5Gb to copy the Truecrypt programs to.
      5) Copy all of the TrueCrypt versions on to the unencrypted portion of the drive. You may not always be able to access a Microsoft-ased system so an OS X and Linux version of the program will be helpful.
      6) Make entries to your calendar to refresh your encrypted data (monthly at a minimum) and at least yearly to refresh the TrueCrypt versions on both your computer and USB drive.

Do you have what you need to prevail?

Shop the ITS Store for exclusive merchandise, equipment and hard to find tactical gear.

Do you have what you need to prevail? Tap the button below to see what you’re missing.