Full disk encryption options

Was thinking about flipping the switch on FileVault, but the reported issues with backup restorations, increased susceptibility to corruption due to sparsefile usage, etc., have me concerned.

I currently use encrypted DMGs for the absolutely must-not-be-plaintext stuff, but I don't particularly want anything on my laptop available in the case of theft.

I'm also using a Time Capsule in conjunction with Time Machine for backups at the moment.

All that said, is anyone using, say, TrueCrypt or some other approach to full-disk encryption which they support?

 

PGP whole disk ... and lose the time capsule

one thing to note is TM can be quite a chore with an encrypted disk no matter what kind of encrypter you use

http://paulstamatiou.com/review-pgp-whole-disk-encryption-for-mac-os-x
http://www.pgp.com/products/wholediskencryption/index.html

 

Been reading up on PGP's WDE. Other than the $149 tag, it looks promising. And, if I remember correctly, it's not container encryption in the sense that FileVault and TrueCrypt are, which would seem to me to be the safer approach in terms of avoiding data corruption.

AND Time Machine works as expected with it.

I prefer WDE, and the container approach and various horror stories around the net have me concerned, but I can't help but wonder if I ought to just flip the switch on FV, use that, deal with the less-fluid backup routine, and hope I never have any of these "This account needs to be repaired", etc. errors.

 

You can give it a go, but I have seen a few too many account needs repaired errors for my liking. I have a few too many business customers that used to get rather excited over them. well that and their TC's blowing up regularly

 

Using PGP WDE -- seamless as expected. I am still using a Time Capsule / Time Machine, and it appears that backups aren't quite as I thought they were. The size of the hourly backups are considerably larger -- we're talking anywhere from just a few tens of megabytes to the 2+ GB backup running right now -- despite the lack of any new files that could account for this.

Given that WDE doesn't use container encryption, I don't quite understand why this is. What am I missing?

 

This seems to be a true problem with Mac. I have had clients asking me for whole HDD encryption solution for Mac and I couldn't find one that is stable. What I recommended to my client is to use virtual encryption desk, like PGP Virtual Drive or TrueCrypt's.

At work, we use Windows and we deploy PointSec HDD encryption and it works very well with almost no data corruption.

So anyone have any other insight on PGP or TrueCrypt on whole HDD encryption?

 

Weird, I could've sworn I already replied to this.

Anyway, the issue I was describing just above your post kind of "went away" -- maybe I had mass-tagged MP3 files and had some huge backups afterward or otherwise couldn't place the reason for the size of the backups, but it's no longer a problem.

As far as PGP WDE itself goes, it's been pretty seamless. Am currently running it on 10.6.4 with no problems whatsoever. Little bit of a performance hit when working with large files, but a negligible one. For me, I'd rather take that and not have to worry about selective encryption with small disk images, or FileVault and the potential for container corruption and backup hassles with TM.

I will say that some time ago, I was in a position where I had to use a Time Capsule backup to restore some ~120 GB of data, and when it finally finished, a lot of it was corrupted. PDF files weren't opening, MP3s didn't play, the usual kind of thing. I don't remember if I had PGP WDE installed at the time, but that's what happened. I also don't know if it was an issue with the wireless backup routine I was running, or if maybe I'd interrupted one too many backups mid-stream by closing my laptop like an idiot without checking to see if TM was running, but that's what happened.

Was able to re-restore from a third, USB hard drive with no problems, so I don't particularly think that WDE had anything to do with that (and technically, I don't see how it could have if everything is en/decrypted on the fly).

 

Exi,

With full disk encryption, is SuperDuper still work to backup and restore your HDD?

SuperDuper just make a copy of your HDD content instead of a HDD Image (I believe), so theoretically it should work, but I just want to confirm with you.

 

Don't know. Haven't yet tried it (or CCC) to create a clone.

 

Was just poking around on the issue of clones with WDE present and found this post from earlier this year.

Search the page for "Carbon Copy Cloner" to get to the relevant bit. In short, it looks promising.

Reading that post also makes me question my routine. For what I do, constant restarts would be a huge hassle. Am I incorrect in assuming that my laptop, when locked, would still be protected if it were stolen even if I were logged in? Given that PGP WDE is not a container-based system, my impression is that files can only be decrypted on the fly if someone tries to access them as me or any other listed user in PGP's settings. Not sure I see how they would get past the lock screen. Guess I should also be setting a firmware password on the machine.

I also plan on taking the risk and applying the upcoming OS X 10.6.5 update without decrypting/re-encrypting like PGP advises. Sounds like a boilerplate sort of warning to me.

 

easy to bypass, you pull a stick of ram or add a larger one and no more password protection.

 

So what's to stop someone from resetting an account password by booting from an OS X CD?

 

absolutly nothing. guess how I remove password most times when a laptop comes in for repair and the user has not given me their firmware or OSX password.

 

Is this with Full HDD encryption or not? If yes, I don't think this is an issue because the HDD is encrypted at boot level. But then again I am not an expert in OSX.

I know that for Windows, full HDD encryption with Checkpoint PointSec software will stop even booting from Linux CD. The HDD is encrypted at boot level and, as a matter of fact, when I boot my laptop, the first thing I see is the PointSec HDD encryption login.

 

With full HDD encryption.

I just had an adventure. I figured I'd try and see if my machine, which is fully encrypted using PGP WDE, would boot without password prompting from an OS X disc -- which it could, of course.

And then I figured I'd set a firmware password (despite the quick remove-RAM-and-boot thing). Hey, I'll give it a try.

And then my machine wouldn't boot. At all. Got the folder-with-question-mark in response to trying to boot. No firmware password prompt, and I couldn't boot from a CD again by holding "C" like usual. I didn't think to try and hold "option" to manually specify boot target (this HD does have Windows 7 Pro installed via Boot Camp, btw), but not being able to boot from CD was pretty bad in itself.

What I noticed from there was that changing the amount of RAM like canuk was saying (for me, pulling one of two 2 GB sticks) made the machine secure boot to the PGP loader on the very next try, but iirc, if I turned off the machine and then tried to boot again, I'd get the folder/question mark despite still having half the RAM in there. If I put the stick back in, it'd boot. But not the next time... oddly.

End result was that I pulled a stick, did a triple PRAM reset I saw mentioned on another site I found on my phone (is "triple" needed?), put the stick back in, made sure it was consistently booting and could still boot discs and Windows, and here I am. Wasted an hour I needed to spend doing other stuff.

Along the way, I did notice that this OS X partition was invisible when trying to use the password reset utility on the CD (as expected), and that I couldn't set this partition as the boot target on restart (as expected) from the CD.

So, I guess back to what I was worried about: with whole disk encryption, and if I'm logged in but locked, is that THAT vulnerable?

 

sorry about not giving you the full directions EXI as I wasnt sure if the mods would get grumpy on me, I use 2 PRAM resets a third is not necessary.

 

fwiw: this is a terrible idea. Made OS X unbootable (got the "no go" signal). Had to decrypt from Windows.

 

WARNING: 10.6.5 update will break PGP WDE, as reported here:

HERE..

 

Yup, found out about that afterward.

10.6.5 and WDE work fine together when everything's said and done -- it's just when you use the delta 10.6.5 update via Software Update. PGP was saying that you can use the combo updater for 10.6.5 with no problem.