If your application needs to encrypt/decrypt data (for various reasons), are there any reasons why you would use a hardware device (e.g. a USB encryption device - like a Marx CryptoBox) instead of using a software encryption library (like .net Cryptography or writing your own) and keep your keys in a safe key store?
I am looking for some objective views on this matter.
To narrow down the question posed: what would your opinion be if the system that used the usb encrpytion dongle was housed in a physically secure server vault and there was only one system in existence (i.e. its not a software product that is distributed and run on many desktops) ? In very simplistic terms, the purpose of the above system is to validate (decrypt and compare) a piece of incoming encrypted data.
Thanks so far for your great answers!
It's not about what's more secure because nothing is 100% bullet proof. It's a question on "how to make it as difficult as possible"
You could see it from this point: If you store keys on the computer, they're there 24/7. If my pair of keys is on an external device, the keys are only accessible while attached to the device. ==> You reduce the timeframe in which somebody else can copy your keys. It's much easier to access something if physical access is not needed.
Think of online banking: Many banks have added "external" ways of authentifcation such as Tan / Tac /tanSMS/ tokengenerators etc. etc. Neither of those is secure for itself: I can steal your login password, I can steal your mobile phone, I can steal your Tac/Tan list and so on. But chaces are very low that I can steal all necessary elements at once => All pieces of the puzzle together create a quite secure solution.
Also think of these factors: