Need clarifications on disk encryption

Could you please clarify the following questions on disk encryption?
Whenever we enable/disable disk encryption, we are deleting all the cached data.
1. Why are we deleting all the DRE cache when we enable/disable disk encryption? Instead we should encrypt/decrypt the data with the key that we got from CM. If we delete all the DRE cache, then we will lose the compression that we got from the DRE cache.
2. How can I verify that the files on the disk are encrypted after disk encryption is enabled?

Hi Thenna,
The partitions we encrypt are some of the largest on the system.  We wouldn't have enough disk space to have two copies (encrypted & decrypted) of those partitions.
For verification, you would have to remove the disk drives and mount them on another Linux-based system.  We don't provide a way to browse the cache contents.
Regards,
Zach
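
One way to carry out the check described in the reply above once the drive is attached to another Linux system, as an added example that is not from the original thread or the product: it scans a raw partition image for well-known plaintext filesystem signatures and measures per-block Shannon entropy. The function names, the 7.5-bit threshold, the placeholder device name and the sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096
# Well-known plaintext filesystem signatures: (byte offset, magic, name).
PLAINTEXT_MAGICS = [
    (1080, b"\x53\xef", "ext2/3/4"),  # s_magic 0xEF53, superblock starts at 1024
    (3, b"NTFS    ", "NTFS"),         # OEM ID in the boot sector
    (0, b"XFSB", "XFS"),
]


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: about 8 for ciphertext, far less for text."""
    n = len(block)
    return sum(-c / n * math.log2(c / n) for c in Counter(block).values())


def scan(volume: bytes, threshold: float = 7.5) -> dict:
    """Classify a raw partition image by signature and per-block entropy."""
    signature = next((name for off, magic, name in PLAINTEXT_MAGICS
                      if volume[off:off + len(magic)] == magic), None)
    count = len(volume) // BLOCK
    low = [i for i in range(count)
           if entropy(volume[i * BLOCK:(i + 1) * BLOCK]) < threshold]
    if signature:
        verdict = "plaintext filesystem signature found"
    elif low:
        verdict = "low-entropy blocks: plaintext or never-written space"
    else:
        verdict = "consistent with encryption"
    return {"signature": signature, "blocks": count,
            "low_entropy_blocks": low, "verdict": verdict}


def constructed_ciphertext(n: int) -> bytes:
    """Constructed stand-in for an encrypted partition (SHA-256 in counter mode)."""
    chunks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]


def constructed_plaintext(n: int) -> bytes:
    """Constructed stand-in for an unencrypted ext4 partition holding cached text."""
    line = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    data = bytearray((line * (n // len(line) + 1))[:n])
    data[1080:1082] = b"\x53\xef"
    return bytes(data)


def constructed_partial(n: int) -> bytes:
    """Constructed: ciphertext with block 3 zeroed, as on a partly written disk."""
    data = bytearray(constructed_ciphertext(n))
    data[3 * BLOCK:4 * BLOCK] = bytes(BLOCK)
    return bytes(data)


if __name__ == "__main__":
    # For a real check, read from the attached device instead, e.g.
    # open("/dev/sdX2", "rb").read(64 * BLOCK)  (placeholder device name).
    for label, image in [("encrypted", constructed_ciphertext(8 * BLOCK)),
                         ("plaintext", constructed_plaintext(8 * BLOCK)),
                         ("partial", constructed_partial(8 * BLOCK))]:
        result = scan(image)
        print(label, result["signature"], result["low_entropy_blocks"], result["verdict"])
```

Compressed data also scores close to 8 bits per byte, so a clean result shows the absence of readable plaintext rather than proving that a particular cipher or key is in use.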

Similar Messages

  • Need 256 Bit AES Full Disk Encryption for a Mac.  The other discussions regarding this issue are very old.  Does anyone have any current advice regarding encryption software?

    Does anyone have any advice regarding 256 bit full disk encryption software for Macs?  The other discussions on the topic are years old, so I would like some current input.  Thanks for your help in advance.

    Depending on your Mac, you might not want to upgrade to OS X 10.7 or 10.8 as it will not run the PowerPC based software you're currently using, costing a bundle to replace it all; also they will slow down your machine if it's not a more recent issue. You don't want to upgrade OS X without AppleCare defending your possibly bricked logicboard, that's for sure.
    Filevault encrypts the boot drive, however in doing so makes it near impossible to fix if you have a software issue and need to recover files directly or by using specialty software. Also it robs the machine of performance even more than the Lions do. So you will really need a SSD to work best with 10.7/10.8 and Filevault, then it has to be freshly installed. Filevault needs 50% free space on the boot drive, then it's going to write to the slower 50% half of the hard drive where performance is terrible compared to the first 50%.
    Also Filevault is cracked under certain conditions, and if someone gets their hands on the machine (like the law) and knows what they are doing.
    If you take your Filevaulted machine to Apple to fix, they are going to require the password to fix the machine obviously.
    Software based encryption is vulnerable, you might want to instead place your sensitive data on external self-encrypting hardware that doesn't rely upon software or computer hacks/bypasses (like freezing the RAM) to get to it.
    http://www.datalocker.com/products/datalocker-dl3.html
    Iron Keys for portable USB self encryption, both work with any computer, so you're not locked into one platform.
    With the sensitive data off the computer and on an external device, there is the option of removing, hiding and securing the device. If used with a computer that's never connected to the Internet, it's safe from snoopers, except from a surveillance van parked outside your door.

  • Do I need to set up anything for a hard drive with built-in disk encryption?

    I have a new lenovo x61 that has a hard drive with built in disk encryption.
    Do I need to activate the built-in encryption or is it automatic?
    Message Edited by Joshx61 on 12-20-2007 06:46 PM

    Re: link posted by RealBlackStuff - that article from 2006 is not talking about the drives with built-in full-disk encryption that are now an option on some thinkpads.
    Here's an article about the drives from when Hitachi (and Seagate) launched them just a few months ago:
    http://www.infoworld.com/article/07/08/30/35TC-drive-encryption_1.html
    Unfortunately, it doesn't provide as many details on the devices as I would like but it's a decent overview. (I still wish Lenovo would better document how to use the device and exactly what it protects against.)
    Message Edited by Joshx61 on 12-31-2007 09:48 AM

  • HP Protecttools - Disk Encryption - How do I recover a hard drive that no longer boots

    I have an HP Laptop that has the HP Protecttools Disk encryption enabled, but will not boot. I need to pull information off of the drive for the employee who owns the laptop and I am unable to because of the encryption. I know you can use the key that is generated during the encryption process to unencrypt the drive at the first login screen, however because the drive is not booting I do not get that screen. Is there any utility I can run from a CD/DVD to unencrypt the drive from a command line using the encryption key?

    Hello Charon.  I understand you need to decrypt a drive for a computer that cannot boot.
    What problem is causing the drive to be unable to boot?
    Which notebook are you working with?  Please use this document to locate the product number and use that to identify the notebook.
    Since HP Protect Tool is generally used in an Enterprise environment you may also want to post your question to HP's Business Boards.  Here is a direct link.
    I hope you have a great day!

  • Bit locker security issues (easy to crack) disk encryption?

    Problem 1: When the PC is running, I think it's too easy for malicious users (with a USB pen drive) or spyware to get the encryption key (fast and easy)
    youtube.com/watch?v=0npTlOq6q_0
    Problem 2: not resistant to brute-force attacks
    youtube.com/watch?v=zvaJxnvbGic
    Problem 3: not resistant to boot hacking
    I'm using DriveCrypt Plus Pack and searched for security issues in BitLocker. BitLocker allows the brute-force/dictionary attack easily. I think it would be much safer: 1. (I think the keys are stored somewhere that is easily read) 2. A password alone should not be enough; you need a password+file combination to decrypt the disk. DriveCrypt Plus Pack uses a file+password combination: if you know the password but you don't have the file, you cannot decrypt the disk (protection against brute-force attack). On system boot, to protect against a brute-force attack, you can crash the boot. If the boot system crashes, you cannot decrypt the disk with just the password; you need the file+password combination to decrypt it. I am not a programmer but I see that BitLocker has easy security catches to crack the disk encryption. I tested DriveCrypt and I cannot get the key that easily (Problem 1). I have not tested it in greater depth, just trying to find catches to crack software encryption.

    Where is your question, sir?
    If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
    "Problem 3" is not clear, please describe what scenario you are talking about.

  • PGP Whole disk Encryption but for Windows Partition only ?

    Hi,
    Slightly unusual situation here. I want to use my MacBook Pro at work and home. OSX at home and XP at work. Now at work they have a strict policy of only allowing computers on the network with PGP Whole disk Encryption. I've looked into this and there doesn't appear to be a way of setting this up via bootcamp because PGP makes use of MBR which as far as I know bootcamp doesn't use and PGP themselves say bootcamp isn't supported.
    Looking around the web there are various articles about triple/quad booting Mac systems not using bootcamp but things such as Grub or reFIT. I'm wondering if there is a way of using this boot technique but using the partition option when installing PGP for windows and only setting it up on the defined windows partition.
    Has anybody tried this or have alternatives ?
    Thanks in advance
    Steve

    Hi Steve:
    Windows has a boot manager built in. Windows can be installed on a logical NTFS partition, the boot
    manager can sit on a tiny fat or fat32 primary partition. I have used this arrangement on my PC's
    many times. I have not tried it on a Mac, but it should work. You will need to have some working
    knowledge of partitioning to pull it off.
    I don't know how PGP designed their software, but it should support this arrangement, unless they
    have some cheesy engineering design built into their software that would prevent it from working.
    The windows boot manager has been with NT from the beginning. It is not rocket science, NTLDR
    sits in the usual spot reserved for system boot files, the boot ini file tells NTLDR what partition
    the /windows/system32/ntoskrnl.exe is on and NTLDR passes the ball to ntoskrnl and away
    she goes if everything is Kosher. Windows boot manager can boot other OS's as well.
    Be aware though that windows may assign a drive letter to the windows installation other than
    "c" (usually "d" or "f"). That doesn't keep anything from working though.
    Kj

  • The best disk encryption tool

    Hi,
    I was wondering what is your opinion on the issue which disk encryption tool is the best. I personally prefer encfs. Which one do you use/prefer and why?

    mdv wrote:Hi,
    I was wondering what is your opinion on the issue which disk encryption tool is the best. I personally prefer encfs. Which one do you use/prefer and why?
    I like encfs too.  Very easy to use, I can do it  on a directory-by-directory basis as needed, and I don't need to mess with pre-allocating loopback files and making sure that they're big enough to hold all the data.
    P.S.  Check out the "encfssh" script in that package.  I sent that in to the author and he added it to the package.  (Credit where credit is due:  the script is adapted from the original cfssh script from the old cfs package.)

  • Disk Encryption password prompt

    I have 2 macbook Pro Retina machines, Identical. One for work and a personal one.
    Disk encryption is on for both machines.
    My work machine just logs me in no problem.
    My personal machine asks me for a disk encryption password every boot, then the login password. I can't find the setting to turn off the disk encryption password prompt.
    What did I do differently?

    So I solved it for myself.
    Seems I had encrypted the disk using DU from the pre-boot environment, therefore the encryption had occurred without my user account holding the "keys" to the encryption. The end result is that a password is needed for both my account and the encryption separately.
    I turned off FileVault as root from the command line and re-enabled it as my user. Problem solved.

  • PGP Whole Disk Encryption

    After my wife's iphone was stolen I was thinking of installing PGP whole disk encryption on my Macbook pro. PGP does not support Boot camp. Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion? Also how should I copy the windows partition, if I was going to do this sort of thing on the mac I'd use super super or carbon copy cloner to copy the entire disk over to another disk.
    thanks,
    jeff

    jevenson:
    I need to understand this post clearly. Just so you and I are on the same page, I am going to make some assumptions. You plan to install PGP Whole Disk Encryption on your OSx side. I suspect that you want it to cover your boot camp partition upon which Windows XP resides.
    PGP does not support Boot camp.
    I am assuming that by this you meant that should you install PGP on the OSx side then it would not cover the Windows side on a boot camp setup.
    Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion?
    No, at present, I do not know of any way to actually move Windows from a boot camp partition to reside on the OSx partition and run as a virtual machine under parallels or fusion without performing a complete installation under parallels/fusion.
    Now, having said that, there is another option for you. Parallels and Fusion both can use the boot camp partition with Windows as a virtual machine BUT without moving windows on the OSx partition. It will run WIndows as a virtual machine directly from the BC partition. So, you will be able to run OSx and Windows at the same time. What I am not sure is that if you have PGP installed on the OSx side and since parallels/fusion runs from the OSx side then will it encrypt the boot camp/windows when run under it?
    Axel F.

  • Can host hacker break into guest that uses full disk encryption?

    I know it is unlikely but let us say host has got owned, ie a hacker has managed to break into the host.
    How would they go about breaking into a linux VM that uses full disk encryption?
    They can't mess with the .vmdk without damaging it - it is encrypted by the guest.
    They can't use vmrun because they do not know the guest passwords.
    They can't attach to processes in the guest with debugging tools because they cannot see individual guest processes.
    What can they do?  And crucially, what can I do as a countermeasure?

    What really matters is WHERE you do the encryption. If the encryption is too low, data in the guest appears unencrypted. If it is in the guest, then the keys live in the guest and since SGX is not around at the moment, keys are somewhere in guest memory even for a little bit of time.
    So the real question is what are you trying to achieve?
    If you are trying to meet encryption at rest requirements then it makes no difference where you encrypt as the data on the disk will be encrypted and without the key no one can decrypt it. Now if you have keys generated within a VM without using DRNGD or some other high quality randomness source, then your keys could be predictable and you need to guard against making it easy for a brute force attack.
    If you need to encrypt data in motion?
    Then you need to consider how the VM is protected itself, how an application interacts with data to determine during 'motion' if someone should not be accessing the data even though they are already supposedly allowed to do so. Keys are in memory, so therefore you need to guard memory access for those keys to only the application in question. This is the hard part, and requires you to think seriously about logging, key management, etc.
    So really what are you trying to achieve?
    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009-2015
    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

  • CheckPoint Endpoint full disk encryption

    My previous employer mandated CheckPoint Endpoint full disk encryption on every machine accessing their intranet. Since I have not worked there for two years, their IT group refuses to support my MB air. I am trying to update my OS, but Endpoint will not allow this. I like the encryption, but if I had to choose, I would pick an updated OS. Does anyone know how to do this?

    Back up all data to at least two different storage devices, if you haven't already done so. One backup is not enough to be safe. The backups can be made with Time Machine or with Disk Utility. Preferably both.
    Erase and install OS X. This operation will destroy all data on the startup volume, so you had better be sure of the backups. If you upgraded from an older version of OS X, you'll need the Apple ID and password that you used, so make a note of those before you begin.
    When you restart, you'll be prompted to go through the initial setup process in Setup Assistant. That’s when you transfer the data from a backup.
    Select only users and Computer & Network Settings in the Setup Assistant dialog—not Applications or Other files and folders. Don't transfer the Guest account, if it was enabled.
    After that, check the App Store for updates and install the third-party software you need.
    Before installing any software, ask yourself the question: "Am I sure I know how to uninstall this without having to wipe the volume again?" If the answer is "no," stop.
    Never install any third-party software unless you know how to uninstall it.

  • [SOLVED] full disk encryption

    Hi,
    I have bought myself a new laptop and I want to install Arch with full disk encryption on it. I tried to do the installation in a virtual machine to see how it works. I have followed the wiki (installation guide and LUKS).
    my setup:
    /dev/sda1 unencrypted /boot    /dev/sda2 encrypted /     /dev/sda5 encrypted /home      /dev/sda6  encrypted swap
    mkinitcpio.conf: HOOKS="base udev autodetect pata scsi  sata encrypt filesystems usbinput fsck"
    syslinux.cfg: APPEND cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot ro
    fstab: /dev/mapper/cryptroot    /     ext4    rw,relatime,data=ordered      0  2
    after reboot i got these messages: scrot
    Any idea what have I forgot or did wrong?
    Thanks
    Last edited by tlamer (2012-11-13 13:06:28)

    Lero wrote:
    I'm no expert on those things, although i have to ask if you did use LVM along with LUKS ?
    According to wiki https://wiki.archlinux.org/index.php/Dm … _LVM_setup for volume to mount early in boot process you have to add "lvm2" hook in mkinitcpio.conf.
    You need to add lvm2 only if you use LVM on LUKS or vice versa. I did not use LVM, so it wasn't necessary for me...
    Anyway... this thread won't be much use... can I delete it?
    Last edited by tlamer (2012-11-13 13:08:57)

  • Hard disk encryption/Using mac in NHS?

    Hi,
    Does anyone have any experience using a mac (legally) in the NHS? I have been in touch with the IT dept at the Trust I work in, and have been told "they don't support macs". Apparently whole disk encryption is required. It seems the McAfee encryption software that the NHS uses does not work on macs. I have tried to find mac encryption software on the CESG and under the Common Criteria to argue my case, but haven't been successful. Surely it's possible to encrypt a mac and use in the NHS (I don't even need to connect to the network, just work with the odd bit of patient information)????? I'm sure there must be other mac users who have experienced similar problems, but haven't been able to find any entries in the forums - apologies if I have missed the blindingly obvious.
    Any advice gratefully received!

    Thank you for your responses. Unfortunately the Mac disk utility is not sufficient, as it is not whole disk encryption. I have looked at PGP and truecrypt, which I'm sure would do the job, but I have been told "no, get a windows-based computer". I have contacted the CESG, which advises on such matters, but apparently they don't have any Mac approved software either, and can't advise on an appropriate level of security. This is apparently up to the individual trust, who need to do an impact assessment (but it is clearly much easier just to say no!)....If anyone has had any luck getting their Mac approved for hospital use, I'd be interested to hear. Surely someone in the world's third largest employer uses a Mac at work

  • File Vault Disk encryption questions

    I want to enable filevault 2. I read that with filevault 2 I no longer need to log out for time machine backups to work hourly. Will I need to enable the encrypt disk feature in time machine in order for my backup to be encrypted also? Or do I just encrypt my whole drive with filevault and let time machine back it up as normal.

    You need to enable the encrypt disk feature in TimeMachine if you want your backup also encrypted.  FileVault only encrypts your local drive when you enable it.  TimeMachine backups are completely separate from FileVault.

  • Power failure during full disk encryption

    I enabled the full disk encryption and during the encryption process I had a power failure.  Now my mac boots up, asks me for my login and password and then hangs in the apple logo and runs the processor and fans at full power.
    I am assuming that it may be finishing the encryption but I have left it on for several hours and it just stays in the same screen.  I am running a 2008 Macbook Pro with a 2.8 dual core processor, 6MB ram and 750GB HD.
    Does anyone know if it will eventually come back to life or should I be looking into rebuilding the drive?
    Thank you,
    -Matt

    For MisterFlo and others interested I'll elaborate a bit more, it was late when I posted..
    The Equium A300 was a Vista SP1 WinRE setup which requires the latest huge WAIK download you've mentioned (which supports Vista SP1 and Server 2008) plus also a Vista SP1 DVD or source files to create the ERD.
    For the original Vista RE setups you will need the older WAIK (which is a paltry 800Mb) and likely the previous 2007 Optimization Park for the pre SP1 ERD plus of course a Vista source.
    One final tip - don't boot off the HDD to try the repair until all the files are substituted and the permissions for the files you've replaced are fixed and the BCD else it's almost certain you'll get a 0xc000000f error - "the boot selection failed because a required device is inaccessible"
