Disk encryption question
I encrypted my boot disk when I installed Mountain Lion, however, when the machine boots up, it prompts for three options: the option to enter the disk password, the option for my general user account to login, and the option for a guest account to login.
The first time OS X booted after setup, it worked as I expected; that is, it prompted for the disk password before prompting for user login.
I'm asking because it seems pointless to encrypt the disk if someone can simply attempt log on as a Guest User, for example.
The "Guest User" is a pseudo-account created by "Find My Mac" that actually boots from the Recovery partition. Safari is the only application available. The primary boot volume remains locked. The idea is that a thief will be tempted to surf the web, giving you time to locate him and fast-rope through the window from a black helicopter to recover your property.
Similar Messages
-
T61 full disk encryption question
I have T61 laptop model 6464 4YU
Can I use full disk encryption if I upgrade my hard drive or I have to by a laptop model that support FDE.
There is a lack of information about FDE. I only found FAQ on Lenovo web site.
I have called Lenovo support, but rep. could give me a clear answer.
ThanksYour T61 supports FDE - see here, here, here, and here.
Don -
File Vault Disk encryption questions
I want to enable filevault 2. I read that with filevault 2 I no longer need to log out for time machine backups to work hourly. Will I need to enable the encrypt disk feature in time machine in order for my backup to be encrypted also? Or do I just encrypt my whole drive with filevault and let time machine back it up as normal.
You need to enable the encrypt disk feature in TImeMachine if you want your backup also encrypted. FileVault only encrypts your local drive when you enable it. TimeMachine backups are completely separate from FileVault.
-
HP Protecttools - Disk Encryption - How do I recover a hardrive that no longer boots
I have an HP Laptop that has the HP Protecttools Disk encryption enabled, but will not boot. I need to pull information off of the drive for the employee who owns the laptop and I am unable to becasue of the encryption. I know you can use the key that is generated during the encryption process to unencrypt the drive at the first login screen, however because the drive is not booting I do not get that screen. Is there any utility I can run from a CD/DVD to unencrypt the drive from a command line using the encryption key?
Hello Charon. I understand you need to decrypt a drive for a computer that cannot boot.
What problem is causing the drive to be unable to boot?
Which notebook are you working with? Please use this document to locate the product number and use that to identify the notebook.
Since HP Protect Tool is generally used in an Enterprise environment you may also want to post your question to HP's Business Boards. Here is a direct link.
I hope you have a great day!
Please click the white star under my name to give me Kudos as a way to say "Thanks!"
Click the "Accept as Solution" button if I resolve your issue. -
Bit locker security issues (easy to crack) disk encryption?
Bit locker security issues (easy to crack) disk encryption?
Problem 1: When the PC run I think its too easy to get malicious users (with usb pendrive) or spyware to get the encryption key (fast and easy)
youtube.com/watch?v=0npTlOq6q_0
Problem2:not resistant with bruteforce attacks
youtube.com/watch?v=zvaJxnvbGic
Problem 3: not resistant with boot hacking
Im using DriveCrypt plus pack and searched security issues in bit locker.The bit locker allow you the bruteforce/dic attack easy.I think It would be much safer 1. (I think the keys stored somewhere that is easily read) 2. Do not just be enough password
need a password+file combination to decrypt the disk. DriveCrypt plus pack use a file+password combination if you know the password but you wont have the file you can not decrypt the disk (protect with bruteforce attack).On system boot protected bruteforce
attak you can crash the (boot).If the boot system crash you can not decrypt the disk just the password you need the file+password combination plus to decrypt it. I am not a programmer but I see the BitLocker ( easy security catches to crack the disk encryption).Im
tested DriveCrypt and I can not get the key that easy (Problem 1). I have not tested it in greater depth just trying to (catches to crack software encryption).Where is your question, sir?
If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
"Problem 3" is not clear, please describe what scenario you are talking about. -
Need clarifications on disk encryption
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Could you please clarify the following questions on disk encryption?
Whenever we enable/disable disk encryption, we are deleting all the cached data.
1. Why are we deleting all the DRE cache, when we enable/disable disk encryption? Instead we should encrypt/decrypt the data with the key that we got from CM. If we delete all the DRE cache, then we will lose the compression that we got from the DRE cache.
2. How can I verify that the files in the disk are encrypted, after disk encryption is enabled?Hi Thenna,
The partitions we encrypt are some of the largest on the system. We wouldn't have enough disk space to have two copies (encrypted & decrypted) of those paritions.
For verification, you would have to remove the disk drives and mount them on another Linux-based system. We don't provide a way to browse the cache contents.
Regards,
Zach -
How to disable user for disk encryption unlock
When I add an account that user is added to the list of enabled users when first booting a disk protected with Filevault2. I only want the master password to unlock disk encryption. I don't want to list admin or standard accounts. Is this possible?
This sounds like two different questions:
1. I only want the master password to unlock disk encryption.
This isn't possible to my knowledge.
2. I don't want the EFI bootloader to list all accounts upon first powering up the machine
Despite many customers' pleas, Apple has not changed the 'list all usernames' feature on first boot... however, waking from sleep, logging out or fast user switching to honor this request (when set in System Preferences). There are several discussion forums previously attempting to solve this issue, but no concrete solution yet. -
Anyone using SecureDoc Full-Disk Encryption for Mac from WinMagic?
Currently I am using Mac OS X v10.5 on a MBP and want to upgrade to Snow Leopard. I use PGP full disk encryption.
I do not want to wait anymore for PGP v10 before I can upgrade to Snow Leopard. In my search for a replacement for PGP I found SecureDoc Full-Disk Encryption for Mac from WinMagic.
https://www.winmagic.com/products/full-disk-encryption-for-mac
They claim to be Snow Leopard compatible
https://www.winmagic.com/kw/download.php?url=/datasheets/securedocmac_brochure20090925a.pdf
I have two questions:
1) Does anyone have experience with SecureDoc Full-Disk Encryption for Mac from WinMagic?
2) Where can I buy one? PGP has a store where I ordered my copy of the software. But I can't find a store anywhere for SecureDoc. With some trouble I found a reseller in the Netherlands, but they don't reply to any questions.I am currently testing a trial license from Checkpoint Full Disk Encryption.
http://www.checkpoint.com/products/datasecurity/pc/index.html
The company where I work is a Checkpoint reseller, and normally only has dealings with other companies, not end users. But we arranged a trial license and I can buy a single user license Checkpoint Full Disk Encryption if the test proves Checkpoint Full Disk Encryption is a good solution.
I created a bootable usb disk with Snow Lepoard on it. But I was unable to install FDE on it. After reboot I only get a blank screen, that's it. Probably it isn't supported to boot from a full disk encrypted removable drive, I can understand that.
I can't create a virtual Snow Leopard machine (legal reasons) to test it on. And all FDE solutions I found aren't compatible with Mac Server, which is a shame because you can virtualize Mac Server legally.
So now I am planning to change the hard-disk of my MBP this evening with another hard-disk to test Checkpoint FDE there. I don't want to upgrade my current Leopard installation to Snow Leopard only to discover it doesn't work as expected. I could of-course use my current installation and when it doesn't work rollback to a timemachine backup, but before that I have to decrypt my disk and uninstall PGP witch will take 1-2 days, and encrypt again when the test is over. Not pratical.
I will let you know how the test with Checkpoint Full Disk Encryption went! -
T440 SSD Samsung mz7te256hmhp-000L7 disk encryption
Does anyone knoiw hou to confirm that that my lenovo t440 with a Samsung ssd PM851 (mz7te256hmhp-000L7) support hardware based full disk encryption.I cant find anything in the BIOS about disk encryption, only a disk password option.How can a i be sure that the encryption is supported and if setting the disk password in the BIOS in enough?
I have finally gotten an answer from Samsung regarding encryption. Sounds like hardware FDE is only supported on the OEM version, not on the consumer version:
My Question:
Does the SSD 830 (Notebook 256G version: MZ-7PC256N) support Full Disk Encryption (FDE) with a password through the BIOS? I read on the web that your enterprise version of this product does support FDE, but it's not clear whether or not that is also supported on the consumer version.
Their Response:
Dear Customer...The retail market 830 series SSD does not natively support FDE. Only OEM version of the unit have the encryption placed. Samsung recommends the use of programs to encrypt the data on the drive... Thank You for choosing Samsung. -
Can host hacker break into guest that uses full disk encryption?
I know it is unlikely but let us say host has got owned, ie a hacker has managed to break into the host.
How would they go about breaking into a linux VM that uses full disk encryption?
They can't mess with the .vmdk without damaging it - it is encrypted by the guest.
They can't use vmrun because they do not know the guest passwords.
They can't attach to processes in the guest with debugging tools because they cannot see individual guest processes.
What can they do? And crucially, what can I do as a countermeasure?What really matters is WHERE you do the encryption. If the encryption is too low, data in the guest appears unencrypted. If it is in the guest, then the keys live in the guest and since SGX is not around at the moment, keys are somewhere in guest memory even for a little bit of time.
So the real question is what are you trying to achieve?
If you are trying to meet encryption at rest requirements then it makes no difference where you encrypt as the data on the disk will be encrypted and without the key no one can decrypt it. Now if you have keys generated within a VM without using DRNGD or some other high quatlity randomness source, then your keys could be predictable and you need to guard against making it easy for a brute force attack.
If you need to encrypt data in motion?
Then you need to consider how the VM is protected itself, how an application interacts with data to determine during 'motion' if someone should not be accessing the data even though they are already supposedly allowed to do so. Keys are in memory, so therefore you need to guard memory access for those keys to only the application in question. This is the hard part, and requires you to think seriously about logging, key management, etc.
So really what are you trying to achieve?
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast -
CheckPoint Endpoint full disk encryption
My previous employer mandated CheckPoint Endpoint full disk encryption on every machine accessing their intranet. Since I have not worked there for two years, their IT group refuses to support my MB air. I am trying to update my OS, but Endpoint will not allow this. I like the encryption, but if I had to choose, I would pick an updated OS. Does anyone know how to do this?
Back up all data to at least two different storage devices, if you haven't already done so. One backup is not enough to be safe. The backups can be made with Time Machine or with Disk Utility. Preferably both.
Erase and install OS X. This operation will destroy all data on the startup volume, so you had be better be sure of the backups. If you upgraded from an older version of OS X, you'll need the Apple ID and password that you used, so make a note of those before you begin.
When you restart, you'll be prompted to go through the initial setup process in Setup Assistant. That’s when you transfer the data from a backup.
Select only users and Computer & Network Settings in the Setup Assistant dialog—not Applications or Other files and folders. Don't transfer the Guest account, if it was enabled.
After that, check the App Store for updates and install the third-party software you need.
Before installing any software, ask yourself the question: "Am I sure I know how to uninstall this without having to wipe the volume again?" If the answer is "no," stop.
Never install any third-party software unless you know how to uninstall it. -
Hi,
I have confidential material on my laptop, a T61 i bought 2 years ago. Can I set the computer so that it is suspended when I close the top, yet I still need to put in my personal password to resume? I'd hate to have to reboot every time just to protect against the danger to the data.
And a related question: I have read about FDE (full disk encryption), but I can't really tell if the Hitachi 250 gig drive I ordered from Lenovo 2 years ago has it. Tech support was no help, and Hitachi web site didn't mention it (Hitachi hts5425k9sa00), but I gather that Lenovo does have FDE on all its drives for some time. So what does the password do to protect your data if it is not an FDE drive? Anyone go an idea?
Thanks,
woody
Solved!
Go to Solution.i think the major difference is that the FDE method is implementated at hardware level, and the other is done through software level. Apparently the seagate FDE does not suffer any performance hits, while i would imagine the software level encryption would cause a slight difference in speed. (But i am not 100% sure on this).
http://en.wikipedia.org/wiki/Full_disk_encryption
have a read of this article.
Regards,
Jin Li
May this year, be the year of 'DO'!
I am a volunteer, and not a paid staff of Lenovo or Microsoft -
X220 with Samsung SSD 830: Success? Full Disk Encryption (FDE)?
1. Have any of you tried installing a Samsung SSD 830 Series drive in the X220, and if so can you recommend or dis-recommend?
2. Can anyone definitively verify whether or not the SSD 830 drives support full disk encryption? I see conflicting information about that on the internet...
Thank you.I have finally gotten an answer from Samsung regarding encryption. Sounds like hardware FDE is only supported on the OEM version, not on the consumer version:
My Question:
Does the SSD 830 (Notebook 256G version: MZ-7PC256N) support Full Disk Encryption (FDE) with a password through the BIOS? I read on the web that your enterprise version of this product does support FDE, but it's not clear whether or not that is also supported on the consumer version.
Their Response:
Dear Customer...The retail market 830 series SSD does not natively support FDE. Only OEM version of the unit have the encryption placed. Samsung recommends the use of programs to encrypt the data on the drive... Thank You for choosing Samsung. -
PGP whole disk encryption and Snow Leopard
I've got Leopard with PGP whole disk encryption on it but am having difficulties in installing SL as it want to wipe the HD.
Hi Thomas
Sorry I was trying to save this as a post rather than a question but it hasn't seemed to save my edited message for some reason.
PGP for me is better in that it encrypts the whole disk rather than just the user account. Using FileValut is really unfriendly with TimeMachine, it slows the computer down and for a lot of people you can't actually activate it if you don't have enough space remaining on your HD.
PGP will encrypt your whole disk without slowing it down or taking up any additional space. It also works better than a firmware password that can be bypassed by resetting the PRAM.
The problem with PGP is that in trying to install Snow Leopard the installer doesn't recognise the boot partition even once the encryption has been removed. This causes it to prompt the user to wipe the HD. Here's the solution I found after some pain I might add:
Remove all the encryption from your HD and Time Machine.
Back up!
Start the Terminal from the Leopard Installer (Utilities->Terminal). This has to be done from the installation disk.
Type diskutil list
Identify your system disk. In most cases it is disk0s2
There's a volume called "Boot OSX" on the next partition, probably disk0s3. If your system is different than disk0, then use that identifier in place of disk0 for the rest of these instructions.
Type diskutil unmountdisk disk0
Type gpt remove -i n disk0 where the n is the last number of the boot partition; for example, disk0s3 would be 3; you would type gpt remove -i 3 disk0
Exit Terminal
P.S. if you accidentally remove the wrong partition OSX wont start up but don't worry, run disk utility from the installation disk and create a new partition and restart. All your data will still be there! -
Cisco Agent Desktop / Supervisor Desktop Issue with Full Disk Encryption
Has anyone had any issues related to running Cisco Agent Desktop or Cisco Supervisor Desktop on a machine running full disk encryption? Our desktop team installed full disk encryption software from Check Point, and it seams to be causing some issues with call monitoring, screen pops via workflow and connectivity to the UCCX server. It's not effecting every machine (that we know of), but the fix for us right now is to provide a desktop without the encryption software. I'm just wondering if this is related to us, or if there is any supporting documentation out there?
Any help is apprecicated.CAD for IPCCX v4 does not support windows 7. See compatibility matrix:
http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_compatibility/matrix/crscomtx.pdf
In my experience if you already have CAD installed and you upgrade the OS (without a fresh rebuild) CAD will work - but it is NOT supported. You should test this though.
You will not be able to install the older version of CAD on windows 7, the installer will give you errors.
Brian
please rate helpful posts
Maybe you are looking for
-
OIA 11gR1 + OIM 9.1.0.2 (BP12) Websphere class not found error user import
Hi All, I am integrating OIA (11gr1) with OIM 9.1.0.2 (BP12) patch and have followed the steps mentioned in the Sys Integration. However when importing users from OIM, the following error is thrown - OIM is on Websphere, OIA is on Tomcat - Thanks for
-
well this morning my ipad was disabled now i cant get i from unlocking so i need help unlocking my ipad
-
Problem while doing bdc for fv60
Hi frends, I got problem while doing BDC for fv60 tcode.i have given header items: vendor number invoice date posting date amount item data: g/l acc no: 100000 amount 1000 whatever these are all given in recording in recording after all giving thi
-
Every time I update firefox it will only run updater.exe when I try to restart
every time I update firefox it will only run updater.exe when I select firefox to run. The only way around this that I have found so far is to do a fresh install of firefox.
-
104-unsupported wireless network device detected - yet replaced with like for like card!
Hi, I am repairing a friends laptop where their wireless is no longer working. I ordered a new card on ebay which is the same model Broadcom BCM4311KFBG however I still get the above message. How is it not accepting this card? Surely it's in the whit