PGP Whole Disk Encryption: Now for OS X
It’s all too often that laptops are stolen and data like company secrets and employee social security numbers is divulged to unauthorized sources. It’s not just that; there are a number of reasons why you might want to enforce the privacy of your digital documents. It might have something to do with the U.S. government’s recent publishing of its policy for seizing laptops at borders or maybe the FBI has knocked on your door once before (true story).
In case you’ve wondered what an FBI agent’s business card looks like.
I’m going to take a guess and say that most people have enough information on their hard drive, or accessible through their hard drive (ie, passwords that can be used elsewhere), for a computer-savvy criminal to easily steal their identity.
Taking out the human element, which is still a huge part of security if you’ve ever read Kevin Mitnick’s The Art of Deception, the chances of your identity being stolen from your stolen laptop can be significantly reduced with hard drive encryption. Apple’s built-in FileVault home folder encryption doesn’t count. If Apple built it, they can most likely give certain authorities backdoor access. Well I take that back, there’s no need, FileVault has already been cracked.
Enter PGP Whole Disk Encryption for OS X. The just released application encrypts your entire hard drive and has pre-boot authentication.
PGP Whole Disk Encryption locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system, and swap files. The data encryption software continuously safeguards data from unauthorized access, providing strong security for intellectual property, customer and partner data, and corporate brand equity.
I won’t go into the details until I test it out this weekend and report back. PGP WDE isn’t cheap and retails for $120 USD but if you like the idea of hard drive encryption and don’t mind if it doesn’t cover your entire OS drive, check out TrueCrypt.
Disclaimer: Everything has vulnerabilities, potentially even PGP WDE. I am not: a lawyer, a security expert. I am: 22.
What security precautions do you take with your precious data?
Great artcle. However, you imply that TrueCrypt cannot encrypt an entire drive. I don’t think this is correct. I’m pretty sure TrueCrypt offers the facility to encrypt an entire drive.
@n/a - I said it can’t encrypt the entire bootable OS drive (which I am only 90% sure about.. I looked into TrueCrypt and installed it but backed out when I didn’t think it could encrypt the entire host OS drive), but it can definitely encrypt entire volumes. Can anyone confirm?
I may be wrong, but it does look like TrueCrypt can encrypt the entire OS drive.
http://www.truecrypt.org/docs/?s=system-encryption
Tell me more about the FBI officer, lol. I download alot of things so I’m kinda worried now..
actually, truecrypt DOES do whole hard drive encryption now (fairly new feature with their latest releases) — http://www.bauer-power.net/2008/02/new-version-of-truecrypt-out-now-with.html
$120 if you’re a US resident; 141€ if you live in the EU. That’s ~$207, or a 72,5% increase.
Are we paying a fee for the guy that had to sit down and do the currency conversion?
Doesn’t matter if your hard drive is encrypted with something unbreakable if the NSA, FBI or whoever want access you have to legally give them access or you go to jail.
Good for keeping thieves out though
I use the luks encryption on linux, which is free.
@jrin - thanks for the confirmation!
@Jordan - it was something unrelated, he needed my help heh.
@jrin, @Ben: Ah, it’s only Windows for now. I was stuck in Apple-land.
Paul,
Do you really think it’s the NSA who cracked FileVault? :-)
I bet they did already, but they’d never publish details about it.
nsa.org is not NSA :)
I am using a trial version now. Looking forward to your results. I might be brave, and install it after making a clone of my HD.
@David - Not true. See: http://news.cnet.com/8301-13578_3-9834495-38.html
“A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase… …has a Fifth Amendment right not to turn over the passphrase to prosecutors”
I too have been looking for a good solution for HD encryption. Its really a travesty that there’s not a better solution out there for macs. Windows has a pretty good line up, like Point Sec, etc… but Macs have been totally lacking in this department.
I tried FileVault once more a month or so ago and its still a horrible solution. Beyond the annoyance of having your user folder as a disk image, there’s software problems as well (can’t run any of Adobe’s updaters comes to mind). Its just a hassle and it shouldn’t be.
I remember hearing about TrueCrypt and went to try it out but ended up with the same conclusion that you came to in that it can’t do it.
I had also remembered hearing about PHP over on Ars but when I went to their site, the UX was incredibly horrible and I couldn’t find any information on where to actually download or purchase the thing.
I’m VERY interested to hear your testing results. Specifically, I’d like to know how good of a job it does at providing a transparent experience (besides the boot password obviously).
@Yarin - good catch! I wasn’t paying enough attention, I’ve updated the post to reflect that.
Paul,
$83 is a little cheaper and includes WDE
http://na.store.pgp.com/desktop_pro.html
Paul
@Paul - yeah but that’s a subscription license for Windows. Not a perpetual license for WDE Mac. Mac pricing is different as it just came out, etc.
Sorry posted wrong URL
http://na.store.pgp.com/desktop_pro_mac.html
Still $83
Gotcha, I am cheap and stick with the Subscription License ;)
@ Matt, that sounds more like a test case than cold hard fact as there are a number of cases where the judge has made them turn over the key. Yet another shining example of how backwards america can be. If you don’t turn over the key here you face up to 2 years in prison. And from all the white papers i have read your senate or whatever are looking into similar as i type
Paul, I am interested as to why you do this yet use S3, various online services, google, bandwagon etc…. surely there is nothing on your lappy that couldn’t be found by dodgy people or the government online?
I hope you write a follow up soon as i have always been interested in PGP for email mainly but its always proved to be a pain in the rear
@David - Would you mind referencing these cases where a judge has forced someone to reveal their passphrase and violate the 5th amendment?
@Matt, I can’t find off hand at the moment, it was during a law module i did. However, you need to read the department of Justice website:
“In Doe v. United States, 489 U.S. 201 (1988), the Court held that an order compelling a person to execute a form consenting to disclosure of foreign bank accounts did not violate the Fifth Amendment because the form was not testimonial. The compelled disclosure of decryption information to a third party would not seem to be any more testimonial. Moreover, we doubt whether such a disclosure would be incriminating, because unless and until the encryption product is used in the commission of a crime, the key would pose no threat of incrimination against the user.”
http://www.usdoj.gov/criminal/cybercrime/cryptfaq.htm#1a
http://www.bizjournals.com/sanjose/stories/1996/12/30/daily12.html
There are ways round your 5th amendment ‘right’ and if the bill that is looking to be passed regarding this whole facade goes through then it will be very black and white like it is here
@matt, made a post but it hasn’t shown up for some reason!?
@David - was in the spam bin, just saved it.
btw @David in regards to the bizjournals article from 1996, it says companies of encryption technology might need to keep a copy for the encryption key on hand. The beauty of PGP WDE is that you create your own key. :-)
@Paul, maybe one of us has miss read. It said keys to their CODE not your encryption key. I was reading that encryption tech companies now had to effectively give their algorithm or code for the software to a third party company under gov regulations. Which then allows the gov access via the third party negating the 5th Amendment violation and allowing the gov agencies easy ways of cracking the encryption on a suspects HDD.
I am excited about this. I have used truecrypt on the windows side of things. It works wonderfully. Have been waiting for osX WDE for some time. It is primarily a savior if you lose or have your laptop ripped off, and peice of mind for the corporate-set.
I will test soon hopefully this weekend. My biggest concern is what the compatibility will be with superduper. It is such a great program. Especially when you run incremental updates, I had just done a superduper update. The next morning I woke up and my air freezed, and wouldn’t boot. After a new logic board and hard drive replacement, 4 days later I can have my own box back again. Superduper is the primary concern for me with WDE, and maybe how it works in dual-boot environments.
@David - Here’s the flaw in that: “The compelled disclosure of decryption information to a third party would not seem to be any more testimonial. Moreover, we doubt whether such a disclosure would be incriminating, because unless and until the encryption product is used in the commission of a crime, the key would pose no threat of incrimination against the user.”
Here’s why, what you posted was a response to a hypothetical plaintext regime in the FAQ section giving the DOJ’s opinion on several issues. “16. Would such a hypothetical mandatory plaintext recovery regime violate the Fifth Amendment’s prohibition against compulsory self-incrimination?”
Post hard, concrete case law, such as I posted initially. Like a judge’s decision. Not the opinion of an agency.
@Matt, I don’t think your grasping it. Your first quote shows IMO, that handing over an encryption key is not incriminating unless the encryption product has been used to cover up or protect a crime. In which case using your 5th Amendment right in such a case could be taken as an admission of guilt.
And you have been given a Judge’s decision can you not read? Doe vs the US:
http://supreme.justia.com/us/487/201/
I don’t have time to trawl the net looking for it all, i did this 4-5 years ago. - google it yourself. There are several notable examples of which Doe is one. Again, the one you initially quoted is a ‘test case’ at best. I presume i don’t need to explain what a test case is?
There appears to be no solid yes or no in America at the moment and it would appear that wether you go to jail or not for not disclosing the information depends very much on the particulars of the case, the judge you have or indeed the state.
As for your last comment - maybe i am wrong but i thought the Department of Justice was the ‘agency’ that over saw the legal proceedings etc in the US…. making their opinion a little more than an opinion i’d say.
Hi,
I don’t think that you can really prevent a government institution to get to your data – unless you are willing to sacrifice good usability. In other words, anybody who has enough money will attack the weakest spot, and I think there’s a lot that a government can legally do that I don’t want to be subjected to.
Just think of backing up. A hard disk crash is much more likely than somebody accessing your data. Backup up an encrypted volume takes a long time even if you only copy changed data since the backup program cannot distinguish between important and unnecessary (temporary or swap) data.
I use FileVault, and my goal is to protect my privacy from the prying eyes of a thief or a technician – try getting your data off your laptop when it’s broken.
@joey, there is a file that you must exclude when cloning a drive.
http://tinyurl.com/5s747r . I love SuperDuper, but will wait for others to test first.
Just to add, I use:
http://www.knoxformac.com/
I store files i wouldn’t want others getting to in a knox vault. When i want them it just mounts as an image. To be honest i couldn’t care less if the gov or police want access. As long as if my mac is lost or stolen then people who get their hands on it can’t access it….. that’s fine by me. I guess it is or is along of the lines of Apple’s Filevault….. but I don’t know many thieves that would care to try and break it. Also any machine i have is tracked by orbicules undercover. The only other thing i could implement (no idea how) is a remote ‘off swich’.
I do nothing what so ever. I have nothing on my laptop that has any great detail into who I am. I use gmail (web interface only) and make sure that it never keeps cookies. I keep no documents on here that make a fraudster into me. so..the only thing it could get is that I’m James Bayliss, and i use a macbook pro.
contacted the superduper folks. next version will be wde friendly…
>The next update will be supporting whole disk encryption.
–
>Dave Nanian
>Shirt Pocket
all is good. got the dual boot going with backtrack3 for some learning. Need to get wi-fi drivers next.
going to wait on wde til duper update is out.
@David your comments on this post remind me a lot of an xkcd comic. I really think you should check it out. http://xkcd.com/386/
Some Rumors say, that whole disk encryption, slows down your OS, is this true?
How’s your trial of PGP going? Thinking of installing it myself this weekend..
I installed it 3 days ago. It went very smooth. Install pgp desktop, dream up a long password, let it run for about 3 hours on my Air. Upon reboot you receive a new pgp splash screen. When you enter in your password it jumbles it up a bit so that it looks like there are more letters than are actually being input.
I haven’t really used the air in production this week, but it seems fine speed-wise. I am quite happy with it.
Looking forward to a new super-duper update.
Very smooth.
great article i use dekart but truecript will be better