#fail

If you have an unencrypted folder you can get data off in two ways. using the MacOS CD and reset the Root password which enables you to get into ANY account, or put the Mac in Target mode, hook it up to any mac, linux (or windows with the drivers) and just pull files right off.

Most thief’s will just erase or just pawn the system. I don’t think that is the point with most people who encrypt.

Take my situation. I am a developer who at any given point has over 4 databases on my system which hold very critical information, Credit Card Numbers, Passwords, Addresses, Health information. I can’t risk even the remote chance that my laptop gets stolen and the thief is good enough to get the databases off. (Remember there are a lot of hackers (black hats of course) that buy used systems in hopes someone left information on the computer)
Encryption is not for everyone. A gamer may not need it, grandma might not need it, but for some, it is critical to have some barrier against most black hats.

That’s interesting, for me it was the other way round. FileVault made my computer absolutely unusable when there were two or more processes accessing the hard disk.

With PGP WDE on a current 13″ MBP and my old MBP 15″ I have not experienced any major slowdowns. The only times when there is massive load on the CPU is a) the encryption process and b) when PGP crashes.

I’m very happy so far, and I if it weren’t for PGP’s issues with SSDs I would have upgraded to one of the new Intel ones already.

This is NOT a winner product. As a computer scientist, I can tell you that on-the-fly decryption of this nature should be roughly O(1)…. meaning almost zero performance impact. This seems like they did a bad job optimizing this thing.

1. Filevault has a bug where your default settings are lost after every reboot (10.5.6/7) but with WDE this is no longer an issue. If you use thunderbird,firefox, or adium as default, it was always revert.
2. Adobe CS3 would not update correctly when using an account with Filevault enabled. I would have to log out just to do an update.
3. (built in)Apache did not work with Filevault due to permissions and symbolic links
4. No lag on shut down or log out for recovering space
5. Time Machine works like it is supposed to, and you can encrypt your backup drive. Not having to attach to the dmg just to recover a config file is nice.
6. VMWare performance is noticeable faster, it was crawling when the VM was inside of Filevault (I had too many DB’s/code I needed to protect)
7. Now I can use XAMPP/postgresql without worrying which DB is protected or PHP code with DB passwords are able to be stolen because they are not in the filevault.
There are work arounds, but now I don’t have to worry about any of them and I am very happy.

noz

The encryption key “is stored on the MBR encrypted with AES-256″, but it’s also stored in plaintext (not encrypted at all) in RAM after you type in the pre-boot authentication password to decrypt it. There’s no way around doing on-the-fly disk encryption without storing the keys in plaintext in RAM.

The cold boot attack is when you take a computer that’s running, shut off the power (don’t shut down, just unplug it/remove the battery), cool off the RAM, stick the RAM in a new computer, and grab the plaintext encryption keys before that fade.

The good news is this isn’t much of a threat. People have written papers on it and done proof-of-concepts, but I don’t think it’s really widely used. It’s kind of hard to pull off, you need to have the software to grab the keys ready (as far as I know none has been published), and you need to be really sure you know what you’re doing so you don’t break the computer. Also, if this is just someone stealing a laptop with an encrypted disk and a locked screen, the attacker doesn’t have any way to know whether or not the disk is encrypted, so they’ll likely try rebooting before they try to cold boot attack, which will make it fail.

Great write up. Made me decide to purchase this for my new MacBook.

I started messing around with WDE for an external drive. I’ve never done WDE for the actual OS drive even on Windows. I have moved my PGP key folders to an Ironkey flash drive for some added bonus. I know have to plug-in the iron key to access my external which is great.

My question is can the PGP WDE on the OS drive work the same way. When the laptop boots and prompts for my passphrase, can I lock it down to where it will only work if my Ironkey is plugged in?

I’ve been searching the interwebs for this answer with no definitive on the subject. I have backups (TimeCapsule + CloneDrive) but I don’t want to go through a restore if that doesn’t work.

Just looking for the answer before I do WDE on the OS drive.

Thanks in advance!

PGP WDE doesn’t leave your computer performance unaffected, the only question is whether the performance hit is noticeable in your everyday use.

PGP Desktop including PGP WDE is available as a trial version. Why don’t you just install PGP WDE on your system and see if it works for you? The slow down caused by PGP WDE won’t be worse than with FileVault and the usage is much more convenient. I haven’t had a single usage issue with PGP WDE so far and I’m willing to accept the performance hit since I put priority on secure data storage on my notebook.

Thank you for your comment. I’m not a hardware specialist, but that makes sense.

That brings up another question, though: Why does FileVault slow down my computer? What are the differences in how FileVault works and how PGP WDE works that make FileVault slow the computer down tremendously, while PGP WDE leaves it unaffected?

Is there a performance hit? Sure, probably.

There’s a performance hit for sure, not just probably. It’s not dramatic in everyday use, however, it’s noticeable, especially on notebooks with slower hard drives and of course for any data-intensive application such as backup, media library etc.

But a performance hit that only shows on a stopwatch (say, from 10 seconds to 11 seconds) is less relevant compared to the increased security and peace of mind you get from a fully encrypted computer.

… the difference in performance is definitely larger but I agree nevertheless with your conclusion: PGP WDE is a convenient and hassle-free way to data security, that’s most important, the performance hit is tolerable if security through full disk encryption is seen as necessary.

2. The graphs shown by MacMacken were generated using synthetic benchmarks, not typical user tasks. For example, the website for Xbench, the benchmark used by MacMacken, calls out these disk tests:

* Sequential
o Uncached Write
o Uncached Read

* Random
o Uncached Write
o Uncached Read

Needless to say, uncached reads and writes are not normal for everyday use (perhaps for transactional systems that can’t rely on write-behind caches in case of power outage, but that’s not the target market for WDE). This is fairly typical of hard disk speed benchmarks, and is why they’re a poor indicator for post-encryption performance.

Often times, synthetic tests are used to maximally exercise the underlying hardware to highlight even slight performance differences. This requires maximizing disc throughput to near-spec levels, something that doesn’t occur when (for example) saving a large file or opening an application. Typically, the OS leaves plenty of time for the crypto step to be interleaved with disk access without a perceived performance penalty.

But, as these tests increase arbitrary read/write speed, CPU time available for decryption decreases. As a result, the synthetically tested disk performance declines due to the added crypto step — but again, this is not representative of real-world use. In normal use, intelligent caching, OS housekeeping chores, and processing of read data by the calling application keep disks from operating anywhere near their spec speed, leaving the CPU ample time to perform the encrypt/decrypt step on the fly.

In short, take synthetic disk benchmarks with a grain of salt, and don’t use them as a sole indicator of WDE performance. Just because Xbench shows a 50% throughput hit doesn’t mean your Excel spreadsheet goes from opening in 10 seconds to 20 seconds. Is there a performance hit? Sure, probably. But a performance hit that only shows on a stopwatch (say, from 10 seconds to 11 seconds) is less relevant compared to the increased security and peace of mind you get from a fully encrypted computer.

Disclaimer: yes, I work for PGP.

I’m using FileVault right now, and the slow down of my MBP w/ 4GB RAM is almost unbearable.

(Mathew Summerfield hinted at it, but only for starting VMs.)

Does anybody know if PGP have addressed the performance issues that were observed earlier in this thread?

Unfortunately not, PGP WDE still slows down hard drive performance:

http://www.macmacken.com/2009/02/17/pgp-whole-disk-encryption-vs-systemleistung/

The problem is, however, not PGP WDE-specific, all WDE applications suffer from performance issues.

Backing up your PGP keyring will *not* help you recover your WDE encrypted drive should you forget the passphrase.

WDE uses a symmetric key for the AES-256 cipher which is used to encrypt the whole disk, not the PGP private key.

The Universal Server provides Whole Disk Recovery Tokens (WDRT’s) which make recovering a lost passphrase no problem. However, if you are running standalone, use caution!

Hopefully it’s also nice to see down-to-earth business development people though, since I’m actually not in PR :-). Yes, I actually just do this in my spare time, it’s not part of my job — though our PR person is pretty nice too…

Good luck in your endeavors.

Bryan