Skip to main content

You Can Steal My Laptop But You Can't Steal My Data - FDE for OS X

posted onMarch 2, 2009
by hitbsecnews

By: L33tdawg

"Moron leaves laptop in strip club - 400 gazillion records lost" - "Travellers warned that laptops may be seized and examined at random" - Seems like not a day goes by when you either read about someone losing a laptop that had some super-top-secret-information-that-shouldn't-have-been-on-there-in-the-first-place or you hear about how the government has increasing powers to basically do whatever they want to you when crossing International borders including examining the contents on your laptop or seizing it indefinitely.

For me it's more a worry of having my laptop stolen than being stopped at some random airport and having my laptop seized for 'examination'. It's with that in mind that I went about looking for a proper disk encryption solution for OS X - don't get me wrong, the built in File Vault encryption in OS X is certainly fine for creating encrypted file containers (say to store your documents or financial information) or to encrypt your Home directory, it however doesn't support encrypting your ENTIRE hard drive. In short, its just not good and a less than ideal solution; besides, I've heard numerous horror stories about File Vaults gone wild and users ending up losing their entire Home Directory - basically everything important.

Up until recently though, there hasn't been a Full Disk Encryption solution for OS X - The guys from the free and open source TruCrypt project have been promising to have FDE coming for OS X 'soonish' (they've had this capability for Windows for a couple of versions already). The only available solutions for Mac users at the moment are both commercial - the first, Checkpoint's FDE for OS X and the second, PGP's FDE for OS X. I took a brief look at the installation documentation for the Checkpoint product however it seemed to cater more towards the enterprise market with its need for a central key server to store and manage keys should a user forget his/her pass. In short, it was just overkill for my needs.

PGP's offering on the other hand seemed to do precisely what I needed and then some - basically Full DIsk Encryption with on-boot passphrase protection in addition to providing PGP Mail and Document encrypting functionalities as well. At USD169, the price point is also not too much to swallow; at least for the average business user - I doubt most home users would have a need for FDE - (FileVault and a combination of encrypted DMGs should suffice to keep your porn collection 'safe').

Installation and Setup

Getting PGP FDE installed is not as difficult as one might imagine - You basically grab the installation packages from the PGP website, fill-in the purchase order forms and wait for your activation key to be sent to you. I did the installation on a Santa Rosa Macbook Pro 15.4" 2.4Ghz with 4GB of RAM - the machine has the stock standard 160GB 5400 RPM hard drive that shipped with it.


Fig 1: The main installation package


Fig 2: Welcome to PGP Installer

One of the first things you’ll need to do is to create your own PGP key – prior to installing PGP FDE, I was using GPG (GnuPG) together with Enigmail for Thunderbird. As such, I didn’t really need the PGP Mail functionality nor the drag and drop file encryption. That being said, I saw no way to import my GPG key into the installer in order to not have to create a new key.


Fig 3: Keyring Selection


Fig 4: Key Creation Summary

All I wanted from PGP was really an truly just the Full Disk Encryption portion of things, so submitting the key is I guess not really mandatory and you can choose to skip the key submission step (Fig 5)


Fig 5: Key Submission


Fig 6: The main PGP Desktop window


Fig 7: The main PGP Desktop window showing the PGP Disk option


Fig 8: Once you’ve selected the drive you want to encrypt and chosen your options (I left mine as default), the encryption process will begin and you can resume working while PGP does its thing in the background (Fig 9).


Fig 9


Fig 10: Drive encryption in progress. The time remaining count was pretty accurate and in the end the entire encryption process of my 160GB drive took just under 6 hours.


Figure 11: All done.

Performance and Real World Use

Although you don’t need to reboot after the encryption process is completed, I chose to do so anyway – the first thing you’ll be greeted with after the boot up chime is the PGP window asking you for the master password.

Once the system has booted up (this took marginally longer than usual – an increase of about 30 to 45 seconds) you’ll notice pretty much NOTHING that tells you the system has been encrypted. The machine performs exactly the same way and on my MBP, the responsiveness felt exactly the same as it did before. There was definitely not any noticeable slowdown either in launching applications or searching for documents or performing other disk intensive tasks.

One thing I did notice is that my system RAM started getting used up a lot quicker than it used to. Prior to FDE, post boot up, I’d have about 3GB of RAM free. This has now dropped to about 2GB. The other issue you’ll notice is with regards to page ins / page outs and swap used – they’re going to really grow quite large. Over the past 3 months, I’ve seen times when page ins/page outs has hit over 1.5 million and the swap has grown to 3GB. On average however (I reboot my machine perhaps once a week at most), the swap stays around the 2GB mark with page ins / page outs hovering between a 100,000 and 300,000.

In terms of actual performance numbers – a quick run through with XBench shows an overall Disk rating of 23.24 – this is more or less comparable to the performance numbers we saw from the 2.0GHz Black Macbook with 2GB of RAM and 120GB HDD we tested against when we did the Santa Rosa review. The MBP scored 39.35 in the original test and it only had 2GB of RAM at the time. As such, the current score of 23.24 WITH 4GB of RAM would be considered quite a large drop if you’re looking at only the numbers. For me though; a system that FEELS fast is definitely more important than one that scores high on benchmarks. ;)

Should you get it?

This depends entirely on what value you put on the security and privacy of information on your laptop. I personally feel USD169 is not really a lot to pay for the peace of mind that having a fully encrypted drive gives me.

References

PGP
http://www.pgp.com/products/wholediskencryption/

Enigmail
http://enigmail.mozdev.org/

GnuPG
http://www.gnupg.org/

TruCrypt
http://www.truecrypt.org/

HITB: Review of the new Santa Rosa Macbook Pro
http://hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=23547

Source

Tags

Articles

You May Also Like

Recent News

Friday, November 29th

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th