Last week I boasted about the release of PGP Whole Disk Encryption for Mac OS X and how it is definitely something to consider if data privacy is of utmost importance to you. By encrypting my hard drive, I am able to keep all of my data safe from physical disk access and other such tampering. Since publishing that post I have installed and been using PGP WDE on my MacBook Air for about a week.
Installation and Configuration
Setting up PGP WDE had quite a few steps but was a pretty smooth process overall. After installing the actual PGP Desktop application, I was led through creating and publishing a PGP key. When that was done, it was time to embark on the task of actually encrypting my hard drive.
“PGP Whole Disk provides the next level of security and convenience by encrypting your entire disk. The encryption process can be lengthy, however PGP desktop runs in the background. You may also pause and resume the process at your convenience.”
All I had to do was select my hard drive and provide a passphrase, and it began encrypting. As the snippet above explained, PGP WDE encrypts in the background, unlike Apple’s FileVault, which locks you out for hours while it encrypts. The entire encryption process took about 2.5 hours on my 1.6GHz MacBook Air, which had 55GB of data in use.
In Pictures: PGP WDE Setup

Setup PGP Keyring

Create New PGP Key

PGP Key Settings – Expert

PGP Key Support Settings

PGP Key Passphrase

PGP Key Creation

PGP Key Creation Summary

Publish PGP Key

Disk Encryption Main Page

PGP Encrypt Whole Disk

PGP Whole Disk Encryption – Add User

PGP Whole Disk Encryption Process

PGP Whole Disk Encryption Complete
Performance
The first question I get asked when people find out that my hard drive is encrypted is how the performance of my computer is affected with the constant encryption/decryption process going on in the background. I’m pleased to report that I have not experienced any negative, discernible performance issues. It feels exactly the same as before I installed PGP WDE.
Likewise, PGP WDE has not affected my workflow at all. No PGP application needs to be open during normal use. From the in-OS standpoint, you would never know that the hard drive was encrypted. It’s when you turn on the computer that you’re faced with a pre-boot authentication screen.

Pre-boot Authentication
In addition to the PGP key created during setup, a passphrase protects the computer at login. That being said, it’s important to pick a lengthy password with lots of entropy. For example, to take full advantage of AES 256-bit encryption you must supply a 64-character passphrase. Otherwise, the passphrase will be the weak link in your hard drive’s security, not the PGP keypair. Unfortunately, two-factor authentication, such as having the passphrase and a smart card/USB token, is not supported in WDE for OS X.
Additional OS X Security
My only complaint with PGP WDE is that passphrase authentication is not activated when waking the computer from sleep. That means that my laptop is most vulnerable when waking from sleep. Granted, it is still protected by OS X’s own password system.

OS X Login Keychain Settings
That’s why I changed my login keychain settings to lock when sleeping. That means that even if someone gains access to the system, they will not be able to use any applications that rely on login and password info stored in the OS X login keychain. That includes applications like Adium and Transmit.
More Security Paranoia
A common attack to gain access to encrypted hard drives is the cold boot attack, where an attacker exploits a hardware vulnerability in RAM to find encryption keys and then uses those keys to decrypt the hard drive. I contacted PGP about this possibility and they told me that “it is stored on the MBR encrypted with AES-256.”
With PGP WDE, your encrypted hard drive is safe from cold boot attacks, but that doesn’t mean someone can’t find other data in your memory, if your memory is removable. PGP WDE’s pre-boot authentication will prevent someone from rebooting your machine into a live, lightweight Linux distro (such as BackTrack, Auditor, PHLAK and Knoppix-STD) that leaves most of the memory footprint undisturbed and would make data recovery from your memory a reality. The MacBook Air has soldered-in RAM chips: horrible from an expansion standpoint, but great from a security standpoint.

Me with a 185 liter dewar of liquid nitrogen.
With soldered-in RAM, people won’t be able to cool your memory with liquid nitrogen (as above) to retain data longer, remove it from your pre-boot authentication-secured system, put it in their computer and copy the contents of the memory before it heats up and flips all the bits. That’s just a long way of me saying that the MacBook Air is fairly secure from the hardware perspective. Even more so if you have a Solid State Drive in it. I digress, but SSDs are notoriously bad when it comes to data recovery; that is, bad for you if you legitimately want to recover your data, but good for you when your computer is in the hands of attackers.
“The algorithms which map addresses to physical media locations vary from manufacturer to manufacturer – and in many cases – like the formula for making Coke or Pepsi – the details are closely guarded commercial secrets.”
Source: Data Recovery from Flash SSDs?

RAM chilled with any coolant, such as liquid nitrogen, retains data much longer and makes it easy for cold boot attackers to copy the contents of the RAM for snooping. Without cooling, RAM forgets data within 2 minutes.
For general protection from cold boot attacks, I recommend turning off your computer when you are in situations where it is possible for someone to gain physical access to your machine, in addition to setting your Mac to hibernate mode 0.
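The two settings described above (login keychain locked on sleep, hibernate mode 0) can be checked from Terminal. The script below is an added example, not part of the original post; the sample outputs are constructed, and the output formats of pmset and security are assumed as noted in the comments.

```sh
#!/bin/sh
# Added example: audit the two OS X settings this article recommends.
# Assumed output formats (samples below are constructed, not captured):
#   pmset -g                        ->  " hibernatemode        0"
#   security show-keychain-info KC  ->  'Keychain "<path>" lock-on-sleep timeout=300s'

# Print the hibernatemode value from `pmset -g` text on stdin; fail if absent.
hibernate_mode() {
    awk '$1 == "hibernatemode" { print $2; found = 1 } END { exit(found ? 0 : 1) }'
}

# Succeed only if `security show-keychain-info` text on stdin reports lock-on-sleep.
keychain_locks_on_sleep() {
    grep -q '^Keychain ".*" lock-on-sleep'
}

# audit PMSET_TEXT KEYCHAIN_TEXT: print one PASS/FAIL line per check and
# return the number of failed checks.
audit() {
    failures=0
    mode=$(printf '%s\n' "$1" | hibernate_mode) || mode=unknown
    if [ "$mode" = "0" ]; then
        echo "PASS hibernatemode=0"
    else
        echo "FAIL hibernatemode=$mode (fix: sudo pmset -a hibernatemode 0)"
        failures=$((failures + 1))
    fi
    if printf '%s\n' "$2" | keychain_locks_on_sleep; then
        echo "PASS login keychain locks on sleep"
    else
        echo "FAIL login keychain stays unlocked on sleep (fix: security set-keychain-settings -l login.keychain)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed samples: one machine left unconfigured, one set up as in the article.
SAMPLE_PMSET_DEFAULT=' sleep                10
 hibernatemode        3
 displaysleep         5'
SAMPLE_PMSET_HARDENED=' sleep                10
 hibernatemode        0
 displaysleep         5'
SAMPLE_KC_DEFAULT='Keychain "/Users/example/Library/Keychains/login.keychain" no-timeout'
SAMPLE_KC_HARDENED='Keychain "/Users/example/Library/Keychains/login.keychain" lock-on-sleep no-timeout'

# On a Mac, audit the live settings; elsewhere only the functions are defined.
if command -v pmset >/dev/null 2>&1 && command -v security >/dev/null 2>&1; then
    audit "$(pmset -g)" "$(security show-keychain-info login.keychain 2>&1)" || true
fi
```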
Other PGP Desktop Features
In addition to whole disk encryption, PGP Desktop provides a slew of security-oriented features. Notable features include encrypted zip files, secure email and AIM messaging and my favorite, PGP Shred. PGP Shred securely deletes anything you want and depending on your settings, can exceed the Department of Defense’s 5220.22-M media sanitization requirements, also known as NISPOM. It’s not as entertaining as popping CDs in the microwave when the Feds are knocking, but it gets the job done.
Speaking of the Feds, the Federal Trade Commission recently launched OnGuard Online, a site providing consumers tips on protecting themselves from online fraud and securing computers.
Thoughts
PGP Desktop’s support for Whole Disk Encryption for Mac OS X is a user-friendly security sidekick. It does not involve changing the way one works with their computer nor does it affect performance. (By the way, PGP WDE does not work with BootCamp). While WDE for OS X does not yet support enterprise-level security in the form of two-factor authentication, it is still highly effective in promoting data security. PGP WDE receives 10 out of 10 Stammys.
Disclaimer: My reference to the United States government as the “Feds” is entirely tongue-in-cheek and pop culture based, not intended to be derogatory or negative in any way, shape or form. Don’t sue me, I’m not Jon Lech Johansen (the guy who cracked DVD CSS and whose blog was once entitled “So Sue Me”).
Is PGP WDE right for you? How do you keep your data secure?
Update 12-3-08: After having used PGP WDE on a faster computer with an SSD, I began to notice that with WDE enabled, the reads and writes were considerably slower. So I ran a few benchmarks and discovered that this was in fact the case – up to 4 times slower.
91 comments
One thing I’ve noticed about PGP related products going back about 10 years is how notoriously difficult they are to manage for the end user. I noted your screenshots included Expert Mode.
Is there a Wizard happy mode for end users as well?
Also, does the PGP product allow you to store PGP protected files if you enable .Mac/MobileMe storage elsewhere or place files on a foreign system or a USB key or does it require a NetShare license?
@Jay – yeah it is definitely geared more towards the active, tech-savvy user but there is a fairly simple non-expert mode. The expert mode was just for creating the PGP key. Other than that it was pretty good at being easy to understand. They’ve made a change in product design and seem to be designing less for the IT guy at the enterprise company that will install the software and have moved more to the mainstream consumer.
As for PGP protected archives, you can store them anywhere. It’s just that you will need PGP Desktop and the copy of your PGP keypair, and know your passphrase associated with your keypair to access and unarchive it. NetShare is a Windows-only solution aimed at the enterprise and teams, I wouldn’t expect a consumer like myself to even consider it. As for your private PGP key, I think you might have to keep a copy of that on your USB stick if another computer that has PGP Desktop on it doesn’t have your full key credentials yet. Not 100% on that.. will let you know what happens if I ever run into that situation.
Great post but I have one question – what about the backing up of your data? Can you back up an encrypted drive and then restore at a later point? I use SuperDuper for backing up my laptop and desktop and I couldn’t use PGP WDE if it got in the way of backing up my data.
@Ian – I believe someone in the comments of this post said that a new version of SuperDuper that is PGP WDE friendly is being developed now.
@Paul – Thanks for the link. The developer of SuperDuper said WDE would be supported in the next version. I’ll wait until then before using PGP WDE.
@Paul – I forgot to mention it but your coverage is timely. Autoboot and copy thumb drives and tools of opportunity are very real.
It seems like only a short time ago that Clear® (Verified Identity Pass, Inc.) had one of their laptops enter a wormhole and emerge a short time later. I have no clue what they may or may not have on their laptops for protection or encryption but the handling of the laptop or any smart device seems to be a weak link these days.
One area of concern with the bloom of data sync across an array of devices in people’s pockets and bags is the lack of uniform data protection — standards isn’t the word but a near apathy on the part of device and operating systems creators for these devices. Things like CSI sticks and other Paraben tools making their way into the general kit of those that desire them is only a matter of time.
What do you use to protect your pocket devices?
@Paul, I’d now like to see a post on using PGP for encrypting emails and how you fare with that and sending to people who don’t use PGP etc etc
@Jay – for mobile phone security, I am waiting to beta test an application made by a security co in California that encrypts data and if your phone is stolen, it can tell you where it is. :-)
@David – thanks for the suggestion!
That mobile security tool, I don’t suppose they’re going to have an iPhone version? :)
@Damien – last I checked it was already in the works. :-)
Stammy, good to hear. That has appeared to be a dark underbelly of the iPhone world, it seems that neither Apple nor AT&T are willing to do anything if your phone is stolen. This service could help stem this problem.
The iPhone 3G has a password protected screen lock that will delete all data after a certain number of failed attempts to unlock it.
Thanks for the review Paul … I was really looking forward to it and wasn’t disappointed. I’m hoping they provide you with a free license or something for the review since I’ll for sure be purchasing a copy based on it.
Thanks!
Just encrypted my Macbook Pro after reading this review. 68gb of Data and so far I have to agree with you Paul there is no noticeable performance difference. Even in Aperture where I have thousands of photos I can’t see any difference. I guess I’ll see over time but so far so good!
The application is very easy to use and I love the simplistic interface.
Jack.
Very nice post, Paul. This has sparked my interest to look into personal encryption a bit more. Thanks!
How do you recover from an MBR corruption? Whether from an OS update or other factor. Since your Private PGP key is stored encrypted on the MBR, how would you recover from something like this and not lose access to your encrypted drive data?
@Nick – Well you can always backup your PGP keyring. I encrypted it with a different PGP key and put it on my S3 account.
As for MBR corruption – well that’s a big if. I’ve never dealt with any hard drive corruption in my 15+ years of computing. However, just like all the other big ifs, just keep backups and you’ll be fine. :-P
Paul,
Backing up your PGP keyring will *not* help you recover your WDE encrypted drive should you forget the passphrase.
WDE uses a symmetric key for the AES-256 cipher which is used to encrypt the whole disk, not the PGP private key.
The Universal Server provides Whole Disk Recovery Tokens (WDRT’s) which make recovering a lost passphrase no problem. However, if you are running standalone, use caution!
Yeah I got that, perhaps it didn’t seem that way how I worded it. You always need your passphrase!
OK, so apart from the initial encryption time, why would I want to use this instead of FileVault?
@Ted – FileVault only encrypts the home dir. PGP WDE, as the name implies, encrypts the _entire_ hard drive. And it’s with your own PGP key, not whatever Apple wants.
From wikipedia:
so do you need to type in a 64 character length password every time you turn on your MacBook ? I assume you’d need to write this down somewhere, and need to have it with you all the time if you’re out and about with the computer?
@P – the absolute last thing you want to do is write down your password. While a 64-char password with lots of entropy provides the best protection, you don’t need to do that. You can get away with a shorter password and still attain somewhere around 80% of the strength of that larger password assuming you keep it lively with different punctuation, capitalization, symbols and the like.
Yes, it does ask for that password on every boot though. Just make it personally meaningful, perhaps a sentence transformed to increase entropy. If you really, really want to keep a written password around for emergencies, as in you totally forget your password, you might be okay putting it in a bank safe-deposit box. Just keep in mind that it is safe from everyone except the government, which can likely gain access to that safe-deposit box if need be. That’s why it’s good to keep it only in memory. The government won’t be able to make you divulge that information under the 5th amendment.. ideally.
Hey Paul,
Great write up. Made me decide to purchase this for my new MacBook.
I started messing around with WDE for an external drive. I’ve never done WDE for the actual OS drive even on Windows. I have moved my PGP key folders to an Ironkey flash drive for some added bonus. I now have to plug in the Ironkey to access my external which is great.
My question is can the PGP WDE on the OS drive work the same way. When the laptop boots and prompts for my passphrase, can I lock it down to where it will only work if my Ironkey is plugged in?
I’ve been searching the interwebs for this answer with no definitive on the subject. I have backups (TimeCapsule + CloneDrive) but I don’t want to go through a restore if that doesn’t work.
Just looking for the answer before I do WDE on the OS drive.
Thanks in advance!
Charlie, unfortunately I don’t think that feature is available in the Mac version at this point. We’re always working to bring the features of all platforms into alignment, but from a prioritization perspective it would be great if you could file a feature request here: http://www.pgp.com/products/feature_request_form.html
Great read Dan, like you, I’m a very paranoid person about things like this.
He should come out with an iPhone version for the app store. Not sure if that would fly with Apple’s rules or not, if it would have to run in the background!
Going to give it a try today, thanks again!
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
WTF, $119 is he crazy. Thanks but no thanks I’ll stick to my encrypted disk images on Leopard!
P.S. He should offer a free trial so I can {k} it, LOL:)
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
Thanks for the linkage Dan. I had heard PGP was working on WDE for quite a while and when it finally came out I decided to give it a try. After having close friends have their laptops stolen and worry about having their identity stolen from all the personal information and saved emails on their computer, I had no problem spending the $120.
@ DOC – there is a cheaper $83 version for a 1 year license, as opposed to the $120’s perpetual license. Also by the way, there is a 30-day trial with PGP WDE. If you’re a security nut, I highly recommend giving it a shot.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
Paul — thanks for the great review.
Do you know if PGP whole disk encryption (pre-boot) works on software RAID volumes in Mac OS X?
Paul, thanks for the review of PGP WDE for Mac!
I had nothing to do with the Mac version (I’m more on the business side), but I’m very glad you’re having a great experience with it. I’ve heard a number of long-time PGP Mac users say that this is the most solid version of PGP for Mac they’ve ever seen.
You may be interested in knowing that your review got circulated pretty widely in the company, so a lot of PGPers will be reading it. Thought I’d let you know.
On the question about MBR corruption, we do provide a variety of recovery mechanisms. They’re listed in a technote on our support site (https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=1018). I’m not a Mac user, but mounting the disk and repairing it remotely via target disk mode seems pretty cool. Oh, and backups are good too…
This product would be very cool if you could install your copy of pgp wde on a second computer at home. Because if you encrypt an external usb drive, you can only read it from the one and only computer that runs pgp wde. This is kind of impractical if you want to protect data from your laptop to your desktop. I once was robbed at home and they took my mac mini (server) with all its data. I had a backup but I still am worried about its data in the wild.
The best would be a solution licensed not per seat but per user.
Does pre-authentication come after the dong, grey apple and spinning wheel, or before?
Thank you for the review.
PGP WDE is a must for any Mac user who travels internationally, I’ve had my old PC taken in the back room by customs several times in the past (NZ, FR, UK) but I used SecureDoc by Winmagic and they always came out of the back room with a bit of anger in their eyes.
SecureDoc says their WDE for mac will be in beta by Oct but I’m satisfied with the PGP product, I’m heading off Monday for a trip to Europe so now the French won’t be able to read my hard drive.
@Int Traveller, won’t work in the UK. We will just throw you in jail if you won’t unlock it when requested :P
Just to let others know, I’ve found no performance hit on VMWare fusion using PGP WDE unlike Apple’s FileVault which seems to cripple booting a VM.
Thanks for the great review by the way.
I also tried this on my air and macbook pro when it was released. I will probably end up buying the WDE license but I haven’t as of yet.
Q. So on the air you’re saying that if you try to boot from a DVD/CD in the Air CD drive that you’ll need to pass the WDE pre-auth first? I like that idea a lot.
Also, I initially had some problems installing it on my Air. Errors during the drive encryption so I reinstalled OSX from scratch and then it was able to encrypt the drive. The support in the forums is very good and they were doing their very best to help me to avoid me having to reinstall OSX to encrypt my drive.
So under their source code program they make the source available?
How does this work with Time Machine for backing up data?
It does work with Time Machine. Here’s a good thread on the topic that includes info from one of the developers:
http://forum.pgp.com/pgp/board/message?board.id=WDEforMAC&thread.id=99
Hi,
What license do you have? I have PGP Desktop Home 9.9. I have the menu option for WDE but when I click on it I am asked for a License number. I enter my number but nothing happens. Do you know if WDE is not included in Desktop Home?
Unfortunately, PGP Desktop Home doesn’t include WDE.
You can find a feature comparison of the various products here:
http://na.store.pgp.com/NA_featurecomparison.html
Interesting review – thanks.
You mentioned WDE doesn’t allow two-factor encryption. Say I only used PGP for Mac to make a PGPZip or PGP section on my hard drive, would it then work with a token of some kind? (In other words, if my use is not whole-disk-encryption, is the two-factor component of PGP Professional usable on a Mac?)
Thanks and all the best!
Jay
I’m not a Mac user, but just took a quick look through the release notes and docs. It’s a bit unclear because the docs don’t say explicitly that hardware tokens are *not* supported, but it also doesn’t say they are.
I’ll check further, and maybe get this clarified a bit in the docs.
@Paul, some questions:
1. Have you tried encrypting an external drive yet?
2. Is it only usable on the Mac that created it? Would seem dodgy that if your Mac was stolen the contents of that drive were un-unlockable forever.
3. If it’s not, would I need to have a license and PGP installed on another machine to access it? i.e. created on my home Mac but I want it accessible on a work PC.
4. Have you tried email encryption yet? If so, how do people who don’t use PGP find receiving your email?
Don’t recommend flipping your MacBook into a ‘boot in safe mode’ using any utilities like Onyx. If you do, it spins and then the automatic timer in PGP WDE kicks in and reboots the machine. Better start using TimeMachine if you use PGP WDE!
I just bought a new iMac and a West Digital 500GB ext hd. I want to encrypt the ext hd using PGP WDE, which I’ve just installed and configured on the new Mac.
When I get to the point of choosing ‘Encrypt a Disk’ the only drive PGP sees is the Mac internal drive. The West Digital however is mounted and quite usable, and I’ve put a few folders in there so there is a little data on it.
Any tips here?
Thanks
I just connected a Western Digital (WD) Passport 500GB FireWire 800 / USB and am having the same issue: PGP cannot see it.
Is PGP limited to being able to encrypt only smaller than 500GB?
Digging thru this a little:
http://forum.pgp.com/pgp/board/message?board.id=WDEforMAC&thread.id=271
indicates that the partition format is the key… It must not be the Apple partition map but rather a GUID or a Master Boot Record partition.
@steve: You may want to head over to the support forum for WDE for Mac: http://forum.pgp.com/pgp/board?board.id=WDEforMAC
Duane, one of the lead engineers for the product, is very active there both answering questions and getting feedback.
Have any Mac users used this product with the PGP “Universal” Policy server? Supposedly it handles updates, policy and certificate distribution.
I work for a very small consulting firm (~10 employees) and we will likely be using PGP Professional on all our MacBook Pro’s — we are trying to figure out what advantages we get from the central policy appliance and if it even makes sense for a company our size.
Thanks for the informative review, I will opt for WDE as well. Any idea when the next release of WDE for Mac is around? I like this kind of software having at least one or more revisions under its belt. Any rough estimates?
Is a trial version available?
And why can’t I get the USD pricing for this application? I don’t see why I should pay about 50 percent more just because I live in Switzerland …
I’m posting this in the hopes that someone from PGP will actually read it …
I have found it *literally* impossible to try to find someone to take my money for PGP Professional (OS X) and Universal Server.
I own a small consulting company with 10 mobile MacBook Pro using consultants who travel nationally and internationally. We want to deploy WDE on all our laptops and I want to purchase Universal Server so I can audit the state of our corporate laptops.
I’ve been ignored by the PGP online sales contact form and I’ve also been ignored by both of the “PGP Silver” reseller/VAR companies I’ve contacted. At least the resellers bothered to respond (they just fail to deliver quotes and pricing).
Looks like PGP and the Resellers (a) don’t like small companies or (b) don’t like Apple-based small companies.
Can anyone here recommend a reseller who will actually take my money? Can someone let PGP sales know how difficult it actually is for small market firms to actually make sales contacts?
Thanks!
-Chris
email: chris@bioteam.net
Chris, I’ve forwarded your message on to a rep in the area and hope someone will be in contact with you soon. Sorry for the trouble in trying to get a hold of someone — I’ve also forwarded a link to this message to the person that runs our channel program in case he’d like to dig in and understand why our partners weren’t as responsive as they should be.
Bryan
@Paul/Bryan, I have a couple of questions for you as I’m trying to determine if PGP WDE is right for me. I use ChronoSync to b/u my Mac Pro to an external USB drive, and mirror documents between my Macbook Air and my Mac Pro
1) If PGP WDE were used on my Macbook Air and Mac Pro, can I still mount the Air from my Mac Pro and be able to read its contents (assuming both computers were logged in/passed the pre-boot auth)?
2) Can I encrypt my external USB drive and still continue to use ChronoSync to b/u files from my Mac Pro to it?
3) If my external USB drive is encrypted and I have to re-install OSX on my Mac Pro, can I (and how can I) access the external drive?
Thanks!
I’m not a Mac user, so I can’t give you specific answers. I’ll do my best though. You may want to try the peer-to-peer support forum at http://forum.pgp.com/pgp/board?board.id=WDEforMAC. Though it’s not official support, Duane, one of the lead developers, posts there a *lot*.
Anyway, here goes:
> 1) If PGP WDE were used on my Macbook Air and Mac Pro, can I still
> mount the Air from my Mac Pro and be able to read its contents
> (assuming both computers were logged in/passed the pre-boot auth)?
I’m assuming the Mac works like Windows (if not better) when mounting remote volumes. As long as your Air is turned on with the OS loaded (which means you’ve passed the pre-boot auth) you should be able to read its contents.
Alternatively, PGP WDE for Mac supports target disk mode — if that’s what you were getting at.
> 2) Can I encrypt my external USB drive and still continue to use
> ChronoSync to b/u files from my Mac Pro to it?
I’m not familiar with ChronoSync…….OK, I’ll just stop writing now. :-)
I searched the PGP forum since I seemed to remember a question about it, and see that it was asked by someone named “Mhaddy” — have you heard of this person? ;-)
Glad to see you found the answers there, and I also see that Duane did answer you too.
For reference for others interested in the answers, Mhaddy’s thread is here:
http://pgp.lithium.com/pgp/board/message?board.id=WDEforMAC&message.id=387#M387
## Summary: Apple owners in biz environments should strongly consider Universal Server as well as PGP WDE via PGP Desktop client software …
###
Just wanted to update my experience after posting earlier in this thread about being unable to find someone to sell my small business PGP WDE products along with Universal Server.
PGP found me via this post and hooked me up with a great reseller and I was able to deploy both WDE and Universal Server.
One thing I do want to mention to people reading this thread – you may want to strongly consider checking out a price quote for PGP Universal Server. This is the product that lets you do centralized deployment on Apple systems. We bought it for two main reasons — (a) the ability to “prove” the encryption status of our laptop drives and (b) the ability to generate and use disk recovery tokens for cases where employees lose access to their passphrases.
Since PGP Desktop for Mac does not have the same sort of recovery-disk feature that the PC systems do, I think deploying WDE on Apple OS X without recovery tokens and additional decryption keys (ADK) is fairly risky. Given the way the law is going in my state (Massachusetts) there is a significant tangible benefit to the reporting tools that allow us to prove that our mobile platforms are in encrypted state should any go missing or stolen.
The smallest Universal Server license chunk is 10-seats and we needed less than that but still decided to make the purchase. Admittedly Universal Server is “overkill” for us as we only need a small subset of the features. That said though — the total cost was not unreasonable given the benefits and I’m glad we went that route rather than purchasing the 6-8 individual PGP Desktop licenses we were considering.
We only licensed WDE and Universal Server – no messaging products at all. I’m almost done being the sole corporate test case (having taken the encrypted laptop on three biz trips so far) and we’ll be rolling it out to all staff next month.
-Chris
chris@bioteam.net
You left me in a lurch when you said that PGP WDE is not usable with Boot Camp. I would have to sacrifice either the convenience of Boot Camp which enables me to use my Windows apps or forego PGP WDE in favor of what-I-don’t-know.
Could you advise?
Unless you need native device drivers ie. you’re gaming or something you can get by with Virtual Box, VMWare Fusion or Parallels.
And Sun’s VirtualBox is free… Saw the performance at MacWorld, impressive. It can pass the OpenGL calls from Windows apps directly thru to the Mac OS X graphics subsystem, bypassing any Windows VM inefficiencies.
http://www.virtualbox.org/wiki/Downloads
Sorry for leaving you in a lurch. As the other posters say, you may want to consider alternatives to Boot Camp. Our (many) Mac users use Parallels and VMware all the time.
Our devs do understand the desire for Boot Camp though.
More from author
@mhaddy (I tried posting this as a reply, but it didn’t get posted — sorry in advance if this is a double-post):
I can’t give you specific answers since I’m not a Mac user, but I’ll do my best. You may want to try the peer-to-peer support forum at http://forum.pgp.com/pgp/board?board.id=WDEforMAC. Though it’s not official support, Duane, one of the lead developers, posts there a *lot*.
Anyway, here goes:
> 1) If PGP WDE were used on my Macbook Air and Mac Pro, can I still
> mount the Air from my Mac Pro and be able to read its contents
> (assuming both computers were logged in/passed the pre-boot auth)?
I’m assuming the Mac works like Windows (if not better) when mounting remote volumes. As long as your Air is turned on with the OS loaded (which means you’ve passed the pre-boot auth) you should be able to read its contents.
Alternatively, PGP WDE for Mac supports target disk mode — if that’s what you were getting at.
> 2) Can I encrypt my external USB drive and still continue to use
> ChronoSync to b/u files from my Mac Pro to it?
I’m not familiar with ChronoSync…….OK, I’ll just stop writing now. :-)
I searched the PGP forum since I seemed to remember a question about it, and see that it was asked by someone named “Mhaddy” — have you heard of this person? ;-)
Glad to see you found the answers there, and I also see that Duane did answer you too.
For reference for others interested in the answers, Mhaddy’s thread is here:
http://pgp.lithium.com/pgp/board/message?board.id=WDEforMAC&message.id=387#M387
@Robert, Wm., Bryan and Paul: Many thanks for this info! Now, all I need to do is to choose among VirtualBox, Parallels and VMware. Choices, choices!
I’ve recently been reading about VirtualBox and its ability to use vmdk and conflicting reports in terms of compatibility with VMware Fusion. So has anybody tried XP from VMware Fusion and got their image working with VirtualBox? Presumably a “reactivation” is required as the hardware profile would be seen to change.
Oh, and for backup, I use Amazon S3 with full private key encryption. Pretty cheap and I can access my data anywhere thanks to JungleDisk.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
@Ian
Sorry for your Mom’s loss, good luck!
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
My suggestion is to have a TrueCrypt volume (synced to the cloud with Dropbox) that you encrypt using a file (stored on a pen drive and backed up somewhere safe) and a long passphrase.
Then store all data, application settings etc. on the TrueCrypt volume (not sure how easy this is on a Mac, I am mostly a Windows/Ubuntu/BSD user), and religiously run or schedule a secure delete program to clean up everything outside the TrueCrypt volume.
This way your Mac is completely secure if nicked, and all your data is securely synced to the cloud and other computers, win win!
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
I use Drobos for in-home backups.
I use Zenfolio and Amazon S3 to back up all of my photos.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
The problem with solutions like TrueCrypt or File Vault is that while they look like a normal file system while you’re using them, they’re actually a big single blob of encrypted binary when you’re not using them. This makes them a complete fail for incremental encrypted backups. My home directory is normally between 20-30 gigabytes. Not like I can send that up to the cloud every day.
So, you either have a big encrypted volume OR you have easy backups. I restrain my paranoia and run an unencrypted file system with certain sensitive things encrypted on an as-needed basis. This allows for easy incremental backups to disk with Super Duper, and to the cloud as well.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
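An added illustration of the trade-off described in the comment above (example code, not from the commenter or from TrueCrypt or FileVault): a constructed 1 MiB container is encrypted sector by sector with AES-256-XTS, one sector is rewritten, and the bytes a file-granular backup must resend are compared with what a chunk-granular comparison would send. The 4 KiB sector size, 64 KiB chunk size and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

const SECTOR = 4096;      // encryption data unit (assumed)
const BAND = 64 * 1024;   // backup chunk size (assumed): 16 sectors

// Encrypt one sector with AES-256-XTS; the tweak is the sector number,
// so the same plaintext encrypts differently at different positions.
function encryptSector(key, index, plain) {
  const tweak = Buffer.alloc(16);
  tweak.writeUInt32LE(index, 0);
  const c = crypto.createCipheriv('aes-256-xts', key, tweak);
  return Buffer.concat([c.update(plain), c.final()]);
}

// The container file as it sits on the host file system: ciphertext only.
function buildContainer(key, plainSectors) {
  return Buffer.concat(plainSectors.map((p, i) => encryptSector(key, i, p)));
}

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// File-granular backup: the container is one file, so any change resends it all.
function fileLevelUpload(prev, next) {
  return sha256(prev) === sha256(next) ? 0 : next.length;
}

// Chunk-granular backup: hash fixed-size bands and resend only those that differ.
function bandLevelUpload(prev, next) {
  let bytes = 0;
  for (let off = 0; off < next.length; off += BAND) {
    const before = prev.subarray(off, off + BAND);
    const after = next.subarray(off, off + BAND);
    if (sha256(before) !== sha256(after)) bytes += after.length;
  }
  return bytes;
}

// Constructed scenario: 256 sectors, then one small edit landing in sector 37.
function demo() {
  const key = crypto.randomBytes(64); // XTS uses two 256-bit keys
  const sectors = Array.from({ length: 256 }, (_, i) => Buffer.alloc(SECTOR, i & 0xff));
  const before = buildContainer(key, sectors);
  sectors[37] = Buffer.alloc(SECTOR, 0xee);
  const after = buildContainer(key, sectors);
  return {
    containerBytes: after.length,
    fileLevel: fileLevelUpload(before, after),
    bandLevel: bandLevelUpload(before, after),
  };
}

console.log(demo());
```

A backup tool that only compares whole files pays the full container size for every edit, which is the cost the comment describes.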
I have been thinking lately about doing two partitions, an OS partition and a personal data partition. The problem with this is that I use Windows, and of course all the data that programs save (profiles and the like, which can contain important data) gets stored to the OS partition. A workaround for this is downloading portable applications; these are made to store your information in the same folder they’re installed in, and ensure that they will be encrypted with the personal data partition.
Another option is to get a large enough USB flash drive, and either keep it in your shirt pocket, or hook it to your key chain or phone, or maybe store it in your wallet. If it doesn’t have a hole for a key chain, open up the device if possible, make a note on the outside where the internal components end, put it back together, and drill a hole. Then store all the information you want to keep safe on that drive alone (I again suggest getting portable applications, but I’m not sure how a Mac would deal with these), then if you want you can encrypt that with your favorite encryption software.
The last option I’ll suggest is to write your own operating system and then write all the programs for it, then only you would know how to get to your files! (I kid I kid)
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
Ian… I feel so bad for your Mom. I’m so sorry.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
I do keep my personal data on a partition. I keep my keepass file in the cloud and can access it from my phone or pc. I keep a copy of my bookmarks in the cloud and in Foxmarks (latest version is awesome).
A BIOS password will stop almost everyone from getting in to a laptop. But that scares me. It would make your laptop worthless to thieves though.
I tried encrypting my data partition, but forgot to write down the password. I finally remembered it, but no longer encrypt anything. I leave the bulk of my files on my home PC (Ubuntu) and put what I need on a 16g flash drive (have lost those as well). I am moving and syncing personal stuff to the cloud. When out and about I usually have an old laptop with a 12″ screen for work.
I never use remember me or my password on any computer. Never type in passwords in a public wireless network (such a hassle).
My best security technique is that I live 15 miles from the nearest stoplight and it is 80 miles to the next one after that. No one locks their car, keys are often in the ignition or on the floor. I have to convince customers to encrypt their wireless networks as they feel it would be ok if someone used their network.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
As far as encryption goes, I don’t do any of that. I tried it a few times, and it was good, while it lasted, but it wasn’t practical.
As a safety means, I have my data stored over various HDs (no RAID): one HD for the OS (Vista Ultimate), one HD for recorded TV/movies, one HD for music, one for photos. I’m very paranoid about losing data.
As far as backing it up after that, the OS I don’t care too much about, TV I care a lot about because I have whole series I’ve recorded, music is eh, most of it I can rerip, or redownload from iTunes. Photos I care the most about, those are on a DVD backup, once a month.
I’m also trying to set up an off-site backup between me and my friend. Between the both of us we have plenty of computers to spare, we just need to figure out the easiest way to implement it. (I also don’t like to pay for services).
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
I believe the online storage solution Wuala is solving many issues that have been discussed above. Thought the hint could be helpful to enrich this discussion.
Wuala is a Java desktop client (no installation required) which encrypts files on your computer employing the 128 bit AES algorithm upon insertion. The files will then be sliced into fragments and distributed around the P2P network. Since privacy was a major concern when designing Wuala, neither the password nor the encryption key ever leave the computer. Only an encrypted encryption key will be stored in the network to enable global file access. This gives the advantage of good privacy while it also means that the only key to your data is your password, which we will never be able to recover in case of loss. I believe that we are the only one or at least among the very few personal online storage providers who grant this level of privacy (who can’t access your personal data), hence providing a unique level of data security.
Before working at Wuala, I liked Dominik Grolimund’s (CEO and Co-Founder of Wuala) speech at the Google Tech Talks to get a basic understanding of the technology, which I recommend to the interested parties, too. Then there are also some scientific publications further explaining our security and encryption mechanisms.
Disclaimer: I work at Wuala.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
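A sketch of the scheme the comment above describes, as an added example that is not Wuala's code: a random 128-bit AES key encrypts the file on the client, and only a copy of that key wrapped under a password-derived key is stored with the ciphertext. The scrypt parameters, GCM mode, record layout and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed KDF cost parameters; the page does not say how keys are derived.
const KDF = { N: 16384, r: 8, p: 1 };

// AES-128-GCM seal: returns iv || tag || ciphertext.
function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv);
  c.setAAD(Buffer.from(label));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key is wrong or the blob was modified.
function unseal(key, blob, label) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Wrap the file key under a key-encryption key derived from the password.
function wrapKey(password, fileKey) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 16, KDF);
  return { salt: salt.toString('hex'), wrappedKey: seal(kek, fileKey, 'key').toString('hex') };
}

function unwrapKey(password, record) {
  const kek = crypto.scryptSync(password, Buffer.from(record.salt, 'hex'), 16, KDF);
  return unseal(kek, Buffer.from(record.wrappedKey, 'hex'), 'key');
}

// Runs on the client. The returned record is all the storage network ever holds:
// a salt, the wrapped key and the ciphertext. No password, no plaintext key.
function encryptForUpload(password, fileBytes) {
  const fileKey = crypto.randomBytes(16); // random 128-bit data key
  const data = seal(fileKey, fileBytes, 'data').toString('hex');
  return { ...wrapKey(password, fileKey), data };
}

function decryptFromDownload(password, record) {
  const fileKey = unwrapKey(password, record);
  return unseal(fileKey, Buffer.from(record.data, 'hex'), 'data');
}

// A password change re-wraps the 16-byte key; the bulk ciphertext is untouched.
function changePassword(oldPassword, newPassword, record) {
  const fileKey = unwrapKey(oldPassword, record);
  return { ...wrapKey(newPassword, fileKey), data: record.data };
}
```

Without the password there is nothing in the stored record that recovers the file key, which is why a lost password cannot be reset by the provider.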
@Bryan from PGP
I am so stoked that I received a response from you — it is very much appreciated and is a credit to the customer service of your company. It’s nice to see down-to-earth PR people! Anyhow, yes, you have answered my questions (as had Duane at the forum link you provided) and PGP WDE for OSX is definitely something that I will be looking to invest in in the future. I am curious to see what advancements Snow Leopard makes in the way of security and encryption and will probably make a decision sometime after that is released.
Hey, Mhaddy, I’m just glad to help.
Hopefully it’s also nice to see down-to-earth business development people though, since I’m actually not in PR :-). Yes, I actually just do this in my spare time, it’s not part of my job — though our PR person is pretty nice too…
Good luck in your endeavors.
Bryan
Has anybody here tried to use their Yubikey to authenticate with PGP WDE?
I back up nightly to an external HD (using Time Machine) and sync my contacts and calendars using MobileMe. If both my laptop and my external HD are stolen, I’m screwed as far as data loss goes, but if just one is lost I can retrieve everything. If I were more serious I would have a second external HD and backup daily at work.
So I’m a bit confused: is it that easy to hack a good-quality user account login password? How many thieves have such expertise? Do we really need to be so worried?
Eric
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
I believe anyone can overwrite your user password with the Mac install CD.
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
cat,
I knew that without a firmware password anyone can boot up from the Mac install CD, but does that give access to password-protected user accounts? I thought that a thief’s usual course of action at that point would be to erase the entire disk and then either use or re-sell the laptop. Am I mistaken?
This comment was originally posted on UNEASYsilence (http://uneasysilence.com/)
Does anybody know if PGP have addressed the performance issues that were observed earlier in this thread?
Unfortunately not, PGP WDE still slows down hard drive performance:
http://www.macmacken.com/2009/02/17/pgp-whole-disk-encryption-vs-systemleistung/
The problem is, however, not PGP WDE-specific, all WDE applications suffer from performance issues.
Regarding the slowdown of hard disk performance: Does anyone know whether PGP WDE or FileVault fare better in this?
I’m using FileVault right now, and the slowdown of my MBP w/ 4GB RAM is almost unbearable.
(Mathew Summerfield hinted at it, but only for starting VMs.)
A few comments on performance:
1. The “performance issues that were observed earlier in this thread” (Robert Nicholson) were referring to SSD drives, not traditional drives. Looking at prior comments on performance, everyone had mentioned seeing no degradation in typical usage vs. an unencrypted disk (see Paul’s bolded observation under Performance in the review, and comments by “Jack” and “Mathew Summerfield” above).
2. The graphs shown by MacMacken were generated using synthetic benchmarks, not typical user tasks. For example, the website for Xbench, the benchmark used by MacMacken, calls out these disk tests:
* Sequential
  o Uncached Write
  o Uncached Read
* Random
  o Uncached Write
  o Uncached Read
Needless to say, uncached reads and writes are not normal for everyday use (perhaps for transactional systems that can’t rely on write-behind caches in case of power outage, but that’s not the target market for WDE). This is fairly typical of hard disk speed benchmarks, and is why they’re a poor indicator for post-encryption performance.
Oftentimes, synthetic tests are used to maximally exercise the underlying hardware to highlight even slight performance differences. This requires maximizing disk throughput to near-spec levels, something that doesn’t occur when (for example) saving a large file or opening an application. Typically, the OS leaves plenty of time for the crypto step to be interleaved with disk access without a perceived performance penalty.
But, as these tests increase arbitrary read/write speed, CPU time available for decryption decreases. As a result, the synthetically tested disk performance declines due to the added crypto step — but again, this is not representative of real-world use. In normal use, intelligent caching, OS housekeeping chores, and processing of read data by the calling application keep disks from operating anywhere near their spec speed, leaving the CPU ample time to perform the encrypt/decrypt step on the fly.
In short, take synthetic disk benchmarks with a grain of salt, and don’t use them as a sole indicator of WDE performance. Just because Xbench shows a 50% throughput hit doesn’t mean your Excel spreadsheet goes from opening in 10 seconds to 20 seconds. Is there a performance hit? Sure, probably. But a performance hit that only shows on a stopwatch (say, from 10 seconds to 11 seconds) is less relevant compared to the increased security and peace of mind you get from a fully encrypted computer.
Disclaimer: yes, I work for PGP.
There’s a performance hit for sure, not just probably. It’s not dramatic in everyday use; however, it’s noticeable, especially on notebooks with slower hard drives and of course for any data-intensive application such as backup, media library etc.
… the difference in performance is definitely larger but I agree nevertheless with your conclusion: PGP WDE is a convenient and hassle-free way to data security, and that’s most important; the performance hit is tolerable if security through full disk encryption is seen as necessary.
@Bryan from PGP
Thank you for your comment. I’m not a hardware specialist, but that makes sense.
That brings up another question, though: Why does FileVault slow down my computer? What are the differences in how FileVault works and how PGP WDE works that make FileVault slow the computer down tremendously, while PGP WDE leaves it unaffected?
@Sebastian:
PGP WDE doesn’t leave your computer performance unaffected, the only question is whether the performance hit is noticeable in your everyday use.
PGP Desktop including PGP WDE is available as a trial version. Why don’t you just install PGP WDE on your system and see if it works for you? The slowdown caused by PGP WDE won’t be worse than with FileVault and the usage is much more convenient. I haven’t had a single usage issue with PGP WDE so far and I’m willing to accept the performance hit since I put priority on secure data storage on my notebook.
I noticed that Bryan from PGP doesn’t elaborate on the SSD criticism, and since I have an X-25M in my machine like Paul, I’d like to know whether I’m taking a bigger hit relative to the hit I take on a “traditional” hard drive than when using an SSD with WDE.
I’ve read a lot about the pros and cons of SSDs, one major con that they all seem to carry is poor multi-tasking. Full blown read or write alone speeds are generally faster on SSDs, but at the same time generally much worse. So I, not that my opinion matters, would assume that the on-the-fly reading and writing of the encrypted volume severely zaps the volume, more so than on a traditional HDD.
The section about the cold boot attack is completely wrong. PGP Whole Disk Encryption, and all other types of disk encryption, are vulnerable to it. When you turn off a computer, the RAM fades, but not instantly. If you make the RAM physically really cold first, it fades even slower, sometimes taking hours before the information is gone.
The encryption key “is stored on the MBR encrypted with AES-256”, but it’s also stored in plaintext (not encrypted at all) in RAM after you type in the pre-boot authentication password to decrypt it. There’s no way around doing on-the-fly disk encryption without storing the keys in plaintext in RAM.
The cold boot attack is when you take a computer that’s running, shut off the power (don’t shut down, just unplug it/remove the battery), cool off the RAM, stick the RAM in a new computer, and grab the plaintext encryption keys before they fade.
The good news is this isn’t much of a threat. People have written papers on it and done proof-of-concepts, but I don’t think it’s really widely used. It’s kind of hard to pull off, you need to have the software to grab the keys ready (as far as I know none has been published), and you need to be really sure you know what you’re doing so you don’t break the computer. Also, if this is just someone stealing a laptop with an encrypted disk and a locked screen, the attacker doesn’t have any way to know whether or not the disk is encrypted, so they’ll likely try rebooting before they try to cold boot attack, which will make it fail.
One can go back and forth on FileVault and WDE, but I for one am extremely happy I found WDE. For me, there were other issues that annoyed me about filevault and now they are all gone.
1. FileVault has a bug where your default settings are lost after every reboot (10.5.6/7) but with WDE this is no longer an issue. If you use Thunderbird, Firefox, or Adium as default, it would always revert.
2. Adobe CS3 would not update correctly when using an account with FileVault enabled. I would have to log out just to do an update.
3. (Built-in) Apache did not work with FileVault due to permissions and symbolic links.
4. No lag on shut down or log out for recovering space.
5. Time Machine works like it is supposed to, and you can encrypt your backup drive. Not having to attach to the dmg just to recover a config file is nice.
6. VMware performance is noticeably faster; it was crawling when the VM was inside of FileVault (I had too many DBs/code I needed to protect).
7. Now I can use XAMPP/postgresql without worrying which DB is protected or PHP code with DB passwords are able to be stolen because they are not in the FileVault.
There are workarounds, but now I don’t have to worry about any of them and I am very happy.
noz
I have been considering getting this for some time, but have yet to do so because of my worry about performance with video editing (which I do a lot of). I usually just use Apple’s built-in Disk Utility for encrypting particularly sensitive files. Here is a little video tutorial on my blog on how to use Disk Utility for encryption of smaller groups of files.