TweetFollow Us on Twitter

Macintosh Data Encryption

Volume Number: 25
Issue Number: 04
Column Tag: Encryption

Macintosh Data Encryption

Protecting data at rest through disk encryption

by Rich Trouton

Introduction

One of the hot new items in recent years, in both government and corporate IT, has been laptop encryption. In large part, this is a technical solution to a human problem: data theft, loss or exposure. People lose laptops, thieves steal laptops because they're valuable, the kids find information that they're not supposed to on Mom's or Dad's computer and tell all their friends about it, and so on. Does everyone need encryption? Maybe not. My own personal yardstick is "Is there anything on this machine where I would have a problem with it being posted on the web, or tacked up on a public bulletin board?" If your own answer is "No", you probably don't need to encrypt anything. If your answer is "Yes", then you probably should.

How best to protect your data?

There are two main encryption strategies that are in use today on the Mac. The first is file and folder encryption and the second is whole disk encryption (WDE). Both have their pluses and minuses, especially with regards to data recovery. After all, encryption boils down to "scrambling your data so that other people can't read it." Normally, you try to make sure that all your data is intact; encryption strives to deliberately scramble what is saved to the hard drive. The trick with encrypting your data is that you want to scramble it in such a way that authorized people can unscramble it while no one else can.

File and folder encryption works pretty much like it sounds. It allows you to encrypt and decrypt selected files or folders. Tools that use this method make you choose what you want to encrypt and don't encrypt anything that's not selected for encryption. By and large, this is the method of data protection that Apple has chosen to support, and Apple has provided some great tools with Mac OS X for file and folder encryption. Another third-party encryption tool available for Mac OS X that uses file and folder encryption is TrueCrypt, which is an open-source project that supports Windows Vista/XP, Mac OS X, and Linux.

Whole disk encryption is also fairly self-descriptive. It encrypts an entire hard drive and everything on it. In this model, everything on that hard disk is encrypted and the only way to have it not be encrypted is to move it off of that drive. Because of this, WDE is the preferred encryption method for most corporate and government environments. Using this encryption strategy has been problematic for the Mac until fairly recently. In fact, until May 2008, there wasn't a whole disk encryption software solution available for the Mac that supported an encrypted boot drive. There are now a couple of software packages that support Intel-based Macs, but PowerPC-based Macs still don't have a WDE software package that allows you to boot from the encrypted drive. On the whole disk encryption side, the two main software packages available for the Intel Macs are PGP's Whole Disk Encryption and Checkpoint's Full Disk Encryption.

Mac OS X's built-in encryption solutions

As mentioned earlier, Apple has chosen to support the file and folder encryption method with its encryption tools. The main tools are encrypted disk images and FileVault in Mac OS X 10.3.x and higher.

Encrypted disk images are just like any other disk image you can create with Disk Utility, with the exception that they are password protected and that password is used to encrypt the disk image with AES-128 128 bit encryption when the disk image is first created. You can use them like any other disk image file. It may be copied to, or created on, network volumes or removable media including Zip drives, USB flash media or FireWire hard drives. A particularly nifty feature of encrypted disk images is that when mounting the disk image from a remote server, is that all disk image-related communication between the computer mounting the disk image and the server is protected with the same 128 bit encryption used to create the disk image.

FileVault takes the same encrypted disk image technology that Apple created for encrypted disk images and uses it to protect one particular folder: your account's home folder. How FileVault does this is by creating an encrypted disk image that's able to grow or shrink with the amount of data stored in your home folder, mounting that encrypted disk image when you log in and then un-mounting it when you log out. The user's home is encrypted using the same AES encryption that is available for encrypted disk images and the contents of the home folder are automatically encrypted and decrypted on the fly.

FileVault has some upsides and downsides. The biggest upsides are cost and ease of use. It's built-into Mac OS X (v 10.4 and higher), so you're getting it for the same price that you paid for OS X. Apple has also gone to a considerable amount of trouble to make sure that you hardly notice anything different about working from an account that's not encrypted from one that is encrypted. One other attractive feature of it is that, because only the home folder for a particular account is being encrypted, you're able to support the rest of the Mac like you always have without having to deal with the extra complications that encrypting the OS and your applications may bring.

The biggest downsides have to do with backups and with using network accounts where the password is managed from a server, instead of from your own Mac. In most cases, these accounts are being provided by an external directory service (like Apple's Open Directory or Microsoft's Active Directory).

With regards to backups, the problem is that FileVault, at its heart, uses a password-protected encrypted disk image. The backup software will not be able to unlock the disk image while you're logged out of your account and only backup the files you changed since the last backup operation, so it will try to copy the entire file. Worse yet, if you change the encrypted disk image while it's being backed up (for example, by logging in to the account) you can corrupt the backup, making it hard or impossible to restore your files if needed. That's one of the reasons why Time Machine on 10.5 only backs up a FileVault-encrypted home when the user logs out. The best solution I've found so far is to use Time Machine with an attached disk drive and log out of my account on a daily basis, but that may not be workable for everyone.

The problem with network accounts from an external directory service combined with FileVault is again that FileVault is using a password-protected disk image. The disk image only knows the password that's able to unlock it and doesn't check with any other sources, like the external directory service that actually manages your password. So it doesn't know that you forgot your password and had to call your company or school's help desk to get it reset, and it doesn't pick up the new password when IT resets your account's password on their end. All it knows is that the password that you put in to the login screen doesn't match the one that it needs to unlock the disk image. Fortunately, Apple has provided a way to reset the encrypted disk image's password via the FileVault Master Password, but this is a solution primarily built for dealing with OS X's own local accounts instead of network accounts. Leveraging the Master Password to help you recover network accounts that have FileVaulted local homes usually requires some work on the command line. The best solution here is both user education and IT training. The user education is training your users that they need to change their account's password from their FileVault-encrypted Mac. The IT training is in the various methods of recovering a FileVault-encrypted account's data and is for when your users forget their training, or just forget their password.

Third-party encryption solutions

There are a number of encryption solutions available from sources other than Apple. I'll only be covering the ones I'm most familiar with: TrueCrypt, PGP's Whole Disk Encryption and Checkpoint's Full Disk Encryption.

TrueCrypt on OS X offers both file and folder encryption and whole disk encryption for non-boot disks, but does not currently have all of the abilities that it does in its Windows version (which include whole disk encryption of boot disks, as well as offering the ability to create and run your PC from a hidden encrypted operating system). TrueCrypt is also free and offers the best cross-platform compatibility of the encryption systems I've looked at, as it supports Windows, Mac OS X and Linux. If you need to work cross-platform and keep your encryption solution the same, TrueCrypt is a pretty good solution.

From an enterprise IT standpoint, TrueCrypt has the disadvantage of not having a back door. If you don't have the password, you don't get in. Period.

You can download TrueCrypt from the TrueCrypt website at http://www.truecrypt.org/.

PGP's Whole Disk Encryption for Mac OS X offers file and folder encryption and whole disk encryption, though it only supports WDE for boot disks on Intel Macs. (On Power PC Macs, PGP still supports whole disk encryption, but you can't boot from any of the encrypted drives). PGP is very good at providing data scrambling and unscrambling without interfering with the user, which is pretty much what you want from an encryption product. You can even use your Mac normally while the initial encryption is running, as PGP is smart enough to know what disk sectors are already encrypted and which ones are not, allowing the system to work normally during the whole process. You will probably notice a very high loss of performance during the initial encryption process because the hard drive will be in really heavy usage (after all, PGP has to read and rewrite the entire disk surface).

From an enterprise IT standpoint, PGP has another advantage in that the company also provides server-based management tools to manage the encryption policies of your PGP-encrypted machines. Don't want your users to be able to turn off their encryption? PGP's management tools can provide that ability. Want to be able to show your auditors how many encrypted Macs you have, what's encrypted, and the last time they talked to the management server? PGP's management tools can provide that too. Your user forgot their password for unlocking PGP's encryption? PGP's management tools can provide a one-time password that acts as a recovery key which you can give to the user to unlock their encryption when they've forgotten their own PGP password, even if the user is off the network and frantically calling you just prior to that important presentation that they're giving 3000 miles away from the home office.

The main downside to PGP is that Boot Camp does not currently work in combination with an PGP-encrypted boot drive. If you need to run Windows on your PGP-encrypted Mac, I suggest using software like Paralllels or VMWare.

You can download an evaluation copy of PGP from the PGP website at http://www.pgp.com/desktoptrial/index.htmldownloads/

Checkpoint's Full Disk Encryption for Mac OS X is similar to PGP's overall design when it comes to whole disk encryption for Macs, though Checkpoint's solution is for the Intel Macs only and does not support Power PC Macs. Like PGP, Checkpoint's encryption is pretty good at scrambling and unscrambling your data in a transparent fashion, and also allows the Mac to be used normally during the encryption process.

Where Checkpoint fell short in my testing has been in the area of enterprise IT management, with the biggest problem being the issue of recovery keys. Unlike PGP, which offers the option of having the recovery key be generated and managed by a management server, Checkpoint's recovery key is generated by the Checkpoint software on the Mac itself. The problem then is that the recovery key then needs to be copied off of the computer and stored somewhere else. The Checkpoint-generated recovery key also periodically updates (usually, this is triggered by the Mac changing its hostname or some other similar global variable) so you need to also make sure that the copy of the recovery key you have is the latest one or you may not be able to use the key to recover your encrypted data.

For more information about Checkpoint's Full Disk Encryption for Mac OS X, you can go to http://www.checkpoint.com/products/datasecurity/pc/index.html

Protect your encrypted data - Back up

Protecting your data with encryption is a great way to guard it, but does require you to remember yet another crucial password, and losing the key is like losing the combination to an unbreakable safe. What's the best way to protect your data against this? Backups, backups, backups. Make a regular backup of your encrypted data to somewhere you know is safe. As mentioned earlier, Time Machine can back up your FileVault-encrypted home folder when you log out and you can use other backup tools to back up your data once you've unlocked the encryption and logged in to your account. One consideration to keep in mind is that there's usually no point in encrypting the files on your Mac if you've got an un-encrypted copy of your files in a place where the backups can be compromised easily.

Conclusion

Encryption is an important method of protecting your data. As we've seen, most methods can be transparent to the user. Depending on your needs, the Macintosh platform offers several different styles of encryption. From the built-in, disk-imaged-based home-directory-only FileVault to several vendors offering driver-level full disk encryption, you can choose how bullet-proof you need the protection to be.


Rich Trouton is a Macintosh sysadmin with over ten years of experience, both in the enterprise space and in the small business space. He lives in Maryland and is currently providing Macintosh support for an unnamed government agency.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

SteerMouse 5.1 - Powerful third-party mo...
SteerMouse is an advanced driver for USB and Bluetooth mice. It also supports Apple Mighty Mouse very well. SteerMouse can assign various functions to buttons that Apple's software does not allow,... Read more
File Juicer 4.57 - $18.00
File Juicer is a drag-and-drop can opener and data archaeologist. Its specialty is to find and extract images, video, audio, or text from files which are hard to open in other ways. In computer... Read more
1Password 6.7 - Powerful password manage...
1Password is a password manager that uniquely brings you both security and convenience. It is the only program that provides anti-phishing protection and goes beyond password management by adding Web... Read more
CleanMyMac 3.8.1 - $39.95
CleanMyMac makes space for the things you love. Sporting a range of ingenious new features, CleanMyMac lets you safely and intelligently scan and clean your entire system, delete large, unused files... Read more
Monolingual 1.7.8 - Remove unwanted OS X...
Monolingual is a program for removing unnecesary language resources from OS X, in order to reclaim several hundred megabytes of disk space. If you use your computer in only one (human) language, you... Read more
Lyn 1.8.9 - Lightweight image browser an...
Lyn is a fast, lightweight image browser and viewer designed for photographers, graphic artists, and Web designers. Featuring an extremely versatile and aesthetically pleasing interface, it delivers... Read more
Tweetbot 2.5 - Popular Twitter client.
Tweetbot is a full-featured OS X Twitter client with a lot of personality. Whether it's the meticulously-crafted interface, sounds and animation, or features like multiple timelines and column views... Read more
BusyCal 3.1.7 - Powerful calendar app wi...
BusyCal is an award-winning desktop calendar that combines personal productivity features for individuals with powerful calendar sharing capabilities for families and workgroups. Its unique features... Read more
Adium 1.5.10.3 - Popular instant messagi...
Adium is a fast and free instant messaging client which supports AIM, ICQ, Jabber, MSN, Yahoo!, Google Talk, Yahoo! Japan, Bonjour, Gadu-Gadu, Novell Groupwise, SIP/SIMPLE (Text), and Lotus Sametime... Read more
Adium 1.5.10.3 - Popular instant messagi...
Adium is a fast and free instant messaging client which supports AIM, ICQ, Jabber, MSN, Yahoo!, Google Talk, Yahoo! Japan, Bonjour, Gadu-Gadu, Novell Groupwise, SIP/SIMPLE (Text), and Lotus Sametime... Read more

Latest Forum Discussions

See All

Sudoku Sweeper (Games)
Sudoku Sweeper 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: A minimalist mashup of Minesweeper and Sudoku. Logic puzzle perfection. Every row, column and zone contains a bomb and one of... | Read more »
Under Leaves (Games)
Under Leaves 1.0.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0.0 (iTunes) Description: Journey into the forest, the jungle or the depths of the deep blue sea. Find chestnuts for the pigs, a caterpillar for the... | Read more »
Ninja Pizza Girl (Games)
Ninja Pizza Girl 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: In the not-so-distant future, rampart traffic congestion has resulted in only one way to deliver pizzas across town in thirty... | Read more »
SCRAP (Games)
SCRAP 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: That day, for no apparent reason, SCRAP decided to wake up and run. He had to, because his activation was a mistake the "Factory" could... | Read more »
The Bunker (Games)
The Bunker 1.1 Device: iOS Universal Category: Games Price: $3.99, Version: 1.1 (iTunes) Description: The critically acclaimed console hit "The Bunker" comes to iOS, The groundbreaking live-action thriller adventure set in a real... | Read more »
Die With Glory (Games)
Die With Glory 1.2.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.2.0 (iTunes) Description: Die with Glory is an epic adventure game where your goal is to die in glorious fashion. You must help Sigurd, a brave old... | Read more »
Get Ike in the new Fire Emblem: Heroes u...
One of the most popular Fire Emblem characters is finally available in a new update to Nintendo'sFire Emblem: Heroes. [Read more] | Read more »
Die With Glory in a new viking adventure...
If you're a fan of classic adventure games you'll do well to pick upDie With Glory, the gorgeous new title from Cloud Castle inc. Die With Glory updatesthe gameplay of the same kind of adventure classics such asMonkey Island for modern, mobile... | Read more »
Get up to speed with everything you need...
In case you haven’t heard, MU Origin just got a colossal new update with new all-server events, battle modes, and systems making their way to the land of MU. Here’s a handy guide to everything you need to know about the latest content. [Read... | Read more »
Minimalist puzzle game, Cuts, free on iO...
If you're looking for a gorgeous puzzle experience on iOS devices, developer Gamebra.in's aesthetically interesting puzzler, Cuts, is discounted to free on the iOS App Store right now. [Read more] | Read more »

Price Scanner via MacPrices.net

Digital Paper Tablet Offers Distraction Free...
I typically spend 8-10 hours a day gazing at the screens in my laptops and iPad, as tools of my livelihood, I don’t as a rule use electronic devices for pleasure reading. I subscribe to a daily... Read more
“Today at Apple” Bringing New Educational Ses...
Apple has announced plans to launch dozens of new educational sessions next month in all 495 Apple Stores ranging in topics from photo and video to music, coding, art and design, and more. The hands-... Read more
Smart Finance Free Comprehensive Personal Fin...
Moscow-based indie developer, Alexander Survillo has announced the release and immediate availability of Smart Finance: Personal Finance, Budget & Money 1.1.4, an update to his comprehensive... Read more
12-inch 1.1GHz Retina MacBooks on sale for $1...
B&H has 12″ 1.1GHz Retina MacBooks on sale for $100 off MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: - 12″ 1.1GHz Space Gray Retina MacBook: $1199.99 $100 off MSRP - 12... Read more
13-inch 2.7GHz Retina MacBook Pro on sale for...
B&H Photo has the 13″ 2.7GHz Retina MacBook Pro on sale for $130 off MSRP. Shipping is free, and B&H charges NY & NJ tax only: - 13″ 2.7GHz/128GB Retina MacBook Pro (MF839LL/A): $1169 $... Read more
15-inch 2.2GHz Retina MacBook Pros available...
B&H Photo has the 15″ 2.2GHz Retina MacBook Pro available for $200 off MSRP including free shipping plus NY & NJ sales tax only: - 15″ 2.2GHz Retina MacBook Pro (MJLQ2LL/A): $1799.99 $200 off... Read more
13-inch Touch Bar MacBook Pros on sale for up...
B&H Photo has the 2016 Apple 13″ Touch Bar MacBook Pros in stock today for up to $150 off MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: - 13″ 2.9GHz/512GB Touch Bar... Read more
Apple refurbished Apple TVs available for up...
Apple has Certified Refurbished 32GB and 64GB Apple TVs available for up to $30 off the cost of new models. Apple’s standard one-year warranty is included with each model, and shipping is free: -... Read more
12-inch 1.2GHz Retina MacBooks on sale for up...
B&H has 12″ 1.2GHz Retina MacBooks on sale for up to $160 off MSRP. Shipping is free, and B&H charges NY sales tax only: - 12″ 1.2GHz Space Gray Retina MacBook: $1439.99 $160 off MSRP - 12″ 1... Read more
HyperX Ships Pulsefire FPS Gaming Mouse, Winn...
Your reporter is a longtime fan of gaming mice for general purpose coomnputing use, finding them typically superior in comfort and performance. HyperX, a division of Kingston Technology Company, Inc... Read more

Jobs Board

*Apple* Mac Computer Technician - GeekHampto...
…complex computer issues over the phone and in person? GeekHampton, Long Island's Apple Premium Service Provider, is looking for you! Come work with our crew Read more
Product Manager, *Apple* Platforms - Viacom...
…Product Manager to drive the execution of its iOS and AppleTV experiences. The Apple Platform Product Manager will be a leader in our Agile/Scrum environment and Read more
Geek Squad *Apple* Master Consultation Agen...
**500662BR** **Job Title:** Geek Squad Apple Master Consultation Agent **Location Number:** 000286-Canton-Store **Job Description:** **What does a Geek Squad Read more
*Apple* Mobile Master - Best Buy (United Sta...
**500710BR** **Job Title:** Apple Mobile Master **Location Number:** 000279-North Olmsted-Store **Job Description:** **What does a Best Buy Apple Mobile Master Read more
*Apple* Engineering Specialist - CSRA (Unite...
Apple Engineering Specialist All times are in Eastern Daylight Time Requisition ID Job Locations US DC Washington DC Posted Date Category Engineering Sciences Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.