PGP Whole Disk Encryption

After my wife's iPhone was stolen I was thinking of installing PGP whole disk encryption on my MacBook Pro. PGP does not support Boot camp. Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion? Also how should I copy the Windows partition? If I was going to do this sort of thing on the Mac I'd use SuperDuper or Carbon Copy Cloner to copy the entire disk over to another disk.
thanks,
jeff

jevenson:
I need to understand this post clearly. Just so you and I are on the same page, I am going to make some assumptions. You plan to install PGP Whole Disk Encryption on your OS X side. I suspect that you want it to cover your Boot Camp partition upon which Windows XP resides.
> PGP does not support Boot camp.
I am assuming that by this you meant that should you install PGP on the OS X side then it would not cover the Windows side on a Boot Camp setup.
> Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion?
No, at present, I do not know of any way to actually move Windows from a Boot Camp partition to reside on the OS X partition and run as a virtual machine under Parallels or Fusion without performing a complete installation under Parallels/Fusion.
Now, having said that, there is another option for you. Parallels and Fusion both can use the Boot Camp partition with Windows as a virtual machine BUT without moving Windows on the OS X partition. It will run Windows as a virtual machine directly from the BC partition. So, you will be able to run OS X and Windows at the same time. What I am not sure of is this: if you have PGP installed on the OS X side, and since Parallels/Fusion runs from the OS X side, will it encrypt the Boot Camp/Windows when run under it?
Axel F.

Similar Messages

  • PGP Whole disk Encryption but for Windows Partition only ?

    Hi,
    Slightly unusual situation here. I want to use my MacBook Pro at work and home. OSX at home and XP at work. Now at work they have a strict policy of only allowing computers on the network with PGP Whole disk Encryption. I've looked into this and there doesn't appear to be a way of setting this up via bootcamp because PGP makes use of MBR which as far as I know bootcamp doesn't use and PGP themselves say bootcamp isn't supported.
    Looking around the web there are various articles about triple/quad booting Mac systems not using bootcamp but things such as Grub or rEFIt. I'm wondering if there is a way of using this boot technique but using the partition option when installing PGP for windows and only setting it up on the defined windows partition.
    Has anybody tried this or have alternatives ?
    Thanks in advance
    Steve

    Hi Steve:
    Windows has a boot manager built in. Windows can be installed on a logical NTFS partition, the boot manager can sit on a tiny fat or fat32 primary partition. I have used this arrangement on my PC's many times. I have not tried it on a Mac, but it should work. You will need to have some working knowledge of partitioning to pull it off.
    I don't know how PGP designed their software, but it should support this arrangement, unless they have some cheesy engineering design built into their software that would prevent it from working.
    The windows boot manager has been with NT from the beginning. It is not rocket science, NTLDR sits in the usual spot reserved for system boot files, the boot.ini file tells NTLDR what partition the /windows/system32/ntoskrnl.exe is on and NTLDR passes the ball to ntoskrnl and away she goes if everything is Kosher. Windows boot manager can boot other OS's as well.
    Be aware though that windows may assign a drive letter to the windows installation other than "c" (usually "d" or "f"). That doesn't keep anything from working though.
    Kj

  • PGP whole disk encryption and Snow Leopard

    I've got Leopard with PGP whole disk encryption on it but am having difficulties in installing SL as it wants to wipe the HD.

    Hi Thomas
    Sorry I was trying to save this as a post rather than a question but it hasn't seemed to save my edited message for some reason.
    PGP for me is better in that it encrypts the whole disk rather than just the user account. Using FileVault is really unfriendly with TimeMachine, it slows the computer down and for a lot of people you can't actually activate it if you don't have enough space remaining on your HD.
    PGP will encrypt your whole disk without slowing it down or taking up any additional space. It also works better than a firmware password that can be bypassed by resetting the PRAM.
    The problem with PGP is that in trying to install Snow Leopard the installer doesn't recognise the boot partition even once the encryption has been removed. This causes it to prompt the user to wipe the HD. Here's the solution I found after some pain I might add:
    1. Remove all the encryption from your HD and Time Machine.
    2. Back up!
    3. Start the Terminal from the Leopard Installer (Utilities->Terminal). This has to be done from the installation disk.
    4. Type diskutil list
    5. Identify your system disk. In most cases it is disk0s2
    6. There's a volume called "Boot OSX" on the next partition, probably disk0s3. If your system is different than disk0, then use that identifier in place of disk0 for the rest of these instructions.
    7. Type diskutil unmountdisk disk0
    8. Type gpt remove -i n disk0 where the n is the last number of the boot partition; for example, disk0s3 would be 3; you would type gpt remove -i 3 disk0
    9. Exit Terminal
    P.S. if you accidentally remove the wrong partition OSX won't start up but don't worry, run disk utility from the installation disk and create a new partition and restart. All your data will still be there!

  • Whole Disk Encryption

    I have a T510, Windows 7, 64-bit.  I recently used PGP Desktop 10.1.1 to encrypt the "C:\" partition only using the Windows P/W (in a domain).  After rebooting the PGP login page appeared as expected, accepted the login and would not start the O/S.  Re-imaging the HDD from backup failed to recover the system.  Those of you that are using PGP Desktop could you please share with me the steps/best-practice you are taking to encrypt the HDD?
    Also, do you still have to decrypt the HDD before performing backup/image of the HDD to be able to recover?
    Thanks,

    It's complicated. That vulnerability (which affects a number of encryption technologies) depends on the key being in memory which is used in many cases to prevent the user from having to enter two separate logins when they wake from sleep.  It is possible to configure FileVault in such a way that it's not an issue, but it's less convenient to use.
    FileVault has a setting, destroyfvkeyonstandby, which can alleviate this, but be aware that security is ALWAYS a tradeoff between "ultimate security" and usability.  In this case, I think the default case is reasonable and the exploit mentioned has too many requirements to be a real concern.
    To see all the details on FileVault 2, you can open a terminal window and type 'man fdesetup' and among it is this information on the FileVault key, etc:
      On supported hardware, fdesetup allows restart of a FileVault-enabled
         system without requiring unlock during the subsequent boot using the
         authrestart command. WARNING: FileVault protections are reduced during
         authenticated restarts. In particular, fdesetup deliberately stores at
         least one additional copy of a permanent FDE (full disk encryption)
         unlock key in both system memory and (on supported systems) the System
         Management Controller (SMC).  fdesetup must be run as root and itself
         prompts for a password to unlock the FileVault root volume.  Use pmset
         destroyfvkeyonstandby to prevent saving the key across standby modes.
         Once authrestart is authenticated, it launches reboot(8) and, upon successful
         unlock, the unlock key will be removed.  You can also use this as
         an option to the enable command if the system supports this feature.  The
         supportsauthrestart command will check the system to see if it supports
         this option.
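A way to check the setting discussed in this answer, as an added example that is not part of the original post or of Apple's tooling: power settings can differ between battery and AC, so the script reports `destroyfvkeyonstandby` per profile. The function names and the sample text are constructed for illustration; the input is assumed to follow the layout of `pmset -g custom`.

```shell
#!/bin/sh
# Added example: report, for each power profile, whether the FileVault key
# is destroyed when the Mac enters standby.
# Input: text laid out like `pmset -g custom` output (assumption).
# SAMPLE_PMSET is constructed for illustration, not captured output.

SAMPLE_PMSET='Battery Power:
 lidwake              1
 hibernatemode        3
 DestroyFVKeyOnStandby 1
AC Power:
 lidwake              1
 hibernatemode        3
'

# fv_standby_report: read pmset-style text on stdin and print one line per
# power profile: "<profile>: destroyed" or "<profile>: retained".
fv_standby_report() {
    awk '
        function emit() {
            # An absent key counts as "retained": the man page text quoted
            # above implies the key is kept unless this setting is enabled.
            printf "%s: %s\n", profile, (value == "1" ? "destroyed" : "retained")
        }
        # Profile headers start in column 1 and end with a colon.
        /^[A-Za-z].*:[ \t]*$/ {
            if (profile != "") emit()
            profile = $0
            sub(/:[ \t]*$/, "", profile)
            value = ""
            next
        }
        # Setting lines are indented "name value" pairs. Compare the key
        # case-insensitively so either capitalisation is accepted.
        profile != "" && tolower($1) == "destroyfvkeyonstandby" { value = $2 }
        END { if (profile != "") emit() }
    '
}

# fv_standby_ok: succeed only if at least one profile was parsed and no
# profile keeps the key across standby.
fv_standby_ok() {
    report=$(fv_standby_report)
    case "$report" in
        ''|*': retained'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on the constructed sample. On a Mac, pipe `pmset -g custom` in instead.
printf '%s' "$SAMPLE_PMSET" | fv_standby_report
if printf '%s' "$SAMPLE_PMSET" | fv_standby_ok; then
    echo "key is destroyed on standby in every profile"
else
    echo "a profile keeps the key; to change it: sudo pmset -a destroyfvkeyonstandby 1"
fi
```

In the sample, the setting is present only under battery power, which is the case a single-profile check would miss.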

  • Whole disk encryption with boot camp?

    I'm a network administrator and have been dedicated Windows until now.  We are just about to receive our first Mac Air 13" in the office and are trying to work out how we can keep our security policy intact whilst giving the flexibility of using Windows.
    Pretty sure we want to do boot camp so the user can decide which OS they want to go into and not have any performance issues.
    Do you know of any products that will encrypt the entire hard disk without giving booting issues?
    Alternatively, if these products break booting they would have to log in to the Mac OS and then run a virtual machine (think it's called Parallels).  Is there a noticeable performance hit on this?
    Thanks in advance - this is very new territory for a long term windows fan boy
    Adam

    The encryption is dependent on the OS version. To my knowledge there is no way to Encrypt the Whole Drive with any one piece of software and then install both OS X and Windows on that drive. For the encryption to work it has to work with the OS installed. So you have OS X and then use Boot Camp to install Windows. Then use FileVault in OS X and whatever encryption system you want for the Windows partition/install.
    I could be completely mistaken.

  • I am getting "this disk cannot be used to startup" when trying to upgrade to Lion.  I do have whole disk encryption software on the MACBOOK AIR

    After downloading the LION OSX upgrade I am getting an error "This disk cannot be used for startup". I can't go any further.  I am using checkpoint fulldisk encryption software on the MACAIR.

    You've answered your own question. 
    Lion will not install on a disk with 3rd-party encryption.

  • Full disk encryption for the Mac ?

    I desperately require a security measure against data compromise in the event of a physical theft of one of my Macs.
    Is there some full disk encryption solution, similar to the TrueCrypt solution for Windows, that can work with a Mac? (TrueCrypt works on Mac but not its feature of full disk encryption)
    Any other ideas on reinforcing security in such physical theft incidents?
    Thanks!

    Visited http://www.macintouch.com/
    PGP Corporation is now shipping PGP Desktop 9.9 for Mac OS X, a major update of the encryption software. Highlights of this release include full support for pre-boot authentication, full support for external drives (including the sharing of Whole Disk Encrypted thumb drives between Mac and Windows clients), use of the FIPS 140-2 validated PGP SDK for cryptographic operations,
    http://www.pgp.com/

  • Hard disk encryption/Using mac in NHS?

    Hi,
    Does anyone have any experience using a mac (legally) in the NHS? I have been in touch with the IT dept at the Trust I work in, and have been told "they don't support macs". Apparently whole disk encryption is required. It seems the McAfee encryption software that the NHS uses does not work on macs. I have tried to find mac encryption software on the CESG and under the Common Criteria to argue my case, but haven't been successful. Surely it's possible to encrypt a mac and use in the NHS (I don't even need to connect to the network, just work with the odd bit of patient information)????? I'm sure there must be other mac users who have experienced similar problems, but haven't been able to find any entries in the forums - apologies if I have missed the blindingly obvious.
    Any advice gratefully received!

    Thank you for your responses. Unfortunately the Mac disk utility is not sufficient, as it is not whole disk encryption. I have looked at PGP and truecrypt, which I'm sure would do the job, but I have been told "no, get a windows-based computer". I have contacted the CESG, which advises on such matters, but apparently they don't have any Mac approved software either, and can't advise on an appropriate level of security. This is apparently up to the individual trust, who need to do an impact assessment (but it is clearly much easier just to say no!)....If anyone has had any luck getting their Mac approved for hospital use, I'd be interested to hear. Surely someone in the world's third largest employer uses a Mac at work

  • Disk Encryption

    The company that I work for is requiring that we encrypt our computers. I'm currently running Parallels with XP Pro (all of our software is proprietary and will only run in windoze) so I can run all of our software inside of my superior Mac. The requirements for the encryption are as follow...
    - 256 bit encryption
    - The tool must prevent unauthorized access to the master boot sector, and to the Windows and Novell network logins
    - The tool must provide secure delete functionality for all unused space on the hard drive
    - 100% of all data files (including temporary files, hibernation files and scraps/fragments) must be encrypted by the tool
    - Partial hard drive or file level encryption is not acceptable
    Since it requires the entire disk to be encrypted I figure that I can not use File Vault. Does anyone out there know of a program that will cover all of these requirements so the bigwigs in our home office are happy? Thanks.

    The setup you're describing is just not simple enough to cleanly fit their requirements. If you can find out what they're "really looking for" you can almost certainly satisfy their requirements.
    The common solutions for Windows add custom software to the (non-OS) software that boots the machine. Afaik, nothing like this exists that will then continue to boot the machine via Mac OS. So in the end, it comes down to whether or not their policy allows you to bring non-work files (e.g. Mac OS) to work without encrypting them. Here are two hypothetical approaches for if they do allow that or not, respectively:
    -Show them Windows running in a virtual machine which has its runtime ram, captured session ram, boot record, and entire virtual drive encrypted in their entirety (via filevault & XP software). Promise them that all work-related files will remain on the 'Windows side'. If you'll allow me a little digression, this option will almost certainly not satisfy them, as I can gather from the requirements that they [are not hipster linux-geeks sitting in a dark server room in the basement, but are likely, rather, operating under management with a foundation of extreme paranoia because of an article someone read somewhere and] have adopted a sweeping "default-deny" policy, i.e. "our way or the highway".
    -Move the Mac OS off of the internal drive completely and use BootCamp. Mac OS is just fine booting from an external/pocket FireWire drive that you can, in a very real sense, think of as a separate machine. When they boot your MacBook [Pro] they will see, in every way, an intel notebook running XP and SafeGuard, BitLocker (or whatever other XP, whole-disk-encryption solution your coworkers are using).
    Keep us posted. Good luck.
    Joel
    p.s. I haven't actually done any of the above (other than run Mac OS from an external drive so that the internal could have no Mac OS installed at all, just XP --works great).
    Mac: Pretty much one of everything Apple sells   Mac OS X (10.4.9)  

  • Anyone using SecureDoc Full-Disk Encryption for Mac from WinMagic?

    Currently I am using Mac OS X v10.5 on a MBP and want to upgrade to Snow Leopard. I use PGP full disk encryption.
    I do not want to wait anymore for PGP v10 before I can upgrade to Snow Leopard. In my search for a replacement for PGP I found SecureDoc Full-Disk Encryption for Mac from WinMagic.
    https://www.winmagic.com/products/full-disk-encryption-for-mac
    They claim to be Snow Leopard compatible
    https://www.winmagic.com/kw/download.php?url=/datasheets/securedocmac_brochure20090925a.pdf
    I have two questions:
    1) Does anyone have experience with SecureDoc Full-Disk Encryption for Mac from WinMagic?
    2) Where can I buy one? PGP has a store where I ordered my copy of the software. But I can't find a store anywhere for SecureDoc. With some trouble I found a reseller in the Netherlands, but they don't reply to any questions.

    I am currently testing a trial license from Checkpoint Full Disk Encryption.
    http://www.checkpoint.com/products/datasecurity/pc/index.html
    The company where I work is a Checkpoint reseller, and normally only has dealings with other companies, not end users. But we arranged a trial license and I can buy a single user license Checkpoint Full Disk Encryption if the test proves Checkpoint Full Disk Encryption is a good solution.
    I created a bootable usb disk with Snow Leopard on it. But I was unable to install FDE on it. After reboot I only get a blank screen, that's it. Probably it isn't supported to boot from a full disk encrypted removable drive, I can understand that.
    I can't create a virtual Snow Leopard machine (legal reasons) to test it on. And all FDE solutions I found aren't compatible with Mac Server, which is a shame because you can virtualize Mac Server legally.
    So now I am planning to change the hard-disk of my MBP this evening with another hard-disk to test Checkpoint FDE there. I don't want to upgrade my current Leopard installation to Snow Leopard only to discover it doesn't work as expected. I could of course use my current installation and when it doesn't work rollback to a timemachine backup, but before that I have to decrypt my disk and uninstall PGP which will take 1-2 days, and encrypt again when the test is over. Not practical.
    I will let you know how the test with Checkpoint Full Disk Encryption went!

  • My time machine 3 TB HD was encryption enabled and it took forever.  I tried reformatting, it is online, but, get this Partition map repair failed while adjusting structures to fit current whole disk size.  Any comments appreciated.

    My time machine 3 TB HD was encryption enabled and it took forever.  I tried reformatting, it is online, but, get this Partition map repair failed while adjusting structures to fit current whole disk size.  Any comments appreciated.

    This issue has been in discussion (actively) since last August here:
    https://discussions.apple.com/thread/4218970?start=0&tstart=0
    After months and months of new reports, it's pretty clear that this is an Apple Mountain Lion problem and one that Apple needs to address.  As one frustrated user noted:
    >>There is no consistent solution for a user.  Apple has to supply it.  All you can do is submit a bug report to
    >> http://www.apple.com/feedback    
    Please, if you are encountering this problem you will save yourself a lot of wasted time and energy simply by joining me and others in asking Apple to fix this problem: Make a bug report.
    Thanks!

  • Winmagic Securedoc and New Macbook Pro for Full Disk Encryption (FDE)

    Hi, I wonder if anyone had any experience with this. I've installed a seagate Momentus FDE drive (...421 series) on my new macbook pro and tried installing Winmagic securedoc to manage full disk encryption. It seems that despite all their recommendations re: hibernatemode and lidwake and sleep vs hibernation, the MBP crashes when I close the lid and then awaken it (by opening and pressing the power button). It cannot be awakened via an external keyboard either. Note that both hibernate and sleep work fine without securedoc. As securedoc appears to be the only viable FDE solution, I'd really like to get it working. Has anyone had any luck getting it to work with the new MBPs?

    PGP is another alternative as I have used it for the past few years on all of my Macbook Pros. I also own SecureDoc but have not installed it on the new Macbook yet.
    I do know that PGP disables hibernate during the install as it can cause problems.

  • Questions before whole disk encryption (dmcrypt+LUKS)

    I am intending to encrypt my two internal laptop drives. That means a 128GB SSD (partitions: Arch, swap, Windows7) and 750GB HDD with most of the data (two partitions: data, and system backup).
    I intend to do it using dm-crypt + LUKS (my understanding is that's the best method for the job), and I am going to do it in-place, which means on existing system/data, using this ingenious script: http://www.johannes-bauer.com/linux/luksipc/
    However, I have some questions that I was unable to find answers to:
    1. I am going to encrypt entire SSD. I know that SSDs work better if they have manual overprovisioning left so that TRIM may work properly, extending the life and performance of the SSD.
    For this reason, right now on my 128GB SSD (Samsung 830) I have 12GB of unpartitioned space left.
    But if I encrypt the entire drive, then even if the unpartitioned space is still there when I run gparted from within the encrypted system, will the TRIM mechanism still see it as unpartitioned, or will see the whole disk as partitioned and occupied due to full disk encryption?
    2. If I get it right, I need a separate boot partition, and leave it unencrypted. So I will put it somewhere on that SSD. But if I intend to do dm-crypt+LUKS  block device encryption, doesn't it mean that it will encrypt everything on that SSD? If so, then should I go around it?
    3. I am not clear on the process itself, and wiki does not say anything about it. I think I need some kind of key file to access encrypted partitions. But when in the process and how am I supposed to generate it? And what to do with it so that system remains bootable from syslinux? wiki.archlinux.org/index.php/Disk_Encryption is very rich in theoretical information, but I found nothing about the encrypting process itself.
    4. As I mentioned, the SSD contains also a small Windows partition for dual boot. Do I need to take some extra steps to ensure it runs, or will it work as long as the Arch boot work?
    Does anyone know answers to (any of) those questions?

    @Lockheed SSDs do not interpret the disk table as far as I know, therefore they do not make a distinction between "unpartitioned space" and "partitioned, but unwritten space". The involved layers for a LUKS-encrypted partition are:
    +----------+------------------+------------------------------------+
    | ext4     | /dev/mapper/Arch | mount with "discard" (default)     |
    +----------+------------------+------------------------------------+
    | LUKS     | /dev/sda1        | cryptsetup --allow-discards option |
    +----------+------------------+------------------------------------+
    | physical |                  | disk needs TRIM support            |
    +----------+------------------+------------------------------------+
    When a filesystem is mounted, you can use fstrim / to TRIM free space. To TRIM a whole drive (e.g. just before reinstalling when you have a backup on a secondary disk), you can use blkdiscard /dev/sda.
    (2) "block device" likely refers to the model where data is read/written in blocks rather than per byte ("character device" such as /dev/null). Encryption is also done per block, not per byte. If you write a file of 1 byte, then the encryption would still touch the whole block size which is more than 1 byte (typically a power of 2, e.g. 512 kiB).
    (3) with LUKS you can have multiple key slots. Knowing one of them does not give any knowledge over the other key slots. Keep all keys secret, only one is needed to access your data... By the way, while I used a key file to migrate my old data to the new encrypted partition, I already had a passphrase in a key slot. The keyfile was just occupying another key slot. At boot, the keyfile would be used to unlock the device, but in case of emergency I could use the passphrase instead.
    (4) if you are not going to need it, then just wipe it completely (possibly after making a backup, just in case.). If you ever need Windows, use it in a virtual machine. As ball said, LUKS is incompatible with MSWIN.
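The layer table in this answer can be checked from the block-device side. The script below is an added example, not part of the original post: it reads text in the layout of `lsblk --list --noheadings --output NAME,TYPE,DISC-GRAN,DISC-MAX` and names the layer at which discard requests stop. The function names and sample lines are constructed, with device names taken from the table above.

```shell
#!/bin/sh
# Added example: find the layer at which TRIM/discard requests stop.
# Input: text laid out like the output of
#   lsblk --list --noheadings --output NAME,TYPE,DISC-GRAN,DISC-MAX
# The samples are constructed; names follow the table in the answer.

# LUKS mapping opened without --allow-discards: the crypt layer shows 0B.
SAMPLE_NO_DISCARD='sda   disk  512B 2G
sda1  part  512B 2G
Arch  crypt 0B   0B'

# Same stack with discards allowed on the mapping.
SAMPLE_DISCARD='sda   disk  512B 2G
sda1  part  512B 2G
Arch  crypt 512B 2G'

# discard_blocked_layers: print "NAME TYPE" for every device that reports
# a discard granularity or maximum of zero (0B, or 0 with --bytes).
discard_blocked_layers() {
    awk 'NF >= 4 && ($3 ~ /^0B?$/ || $4 ~ /^0B?$/) { print $1, $2 }'
}

# trim_diagnosis: print one verdict for the whole stack.
#   disk-no-trim       the physical disk itself does not support discard
#   luks-discards-off  disk supports it, but the dm-crypt mapping drops it
#   no-luks-layer      nothing of TYPE crypt was listed
#   ok                 discards pass from the mapping down to the disk
#   no-input           nothing parseable was read
trim_diagnosis() {
    awk '
        NF >= 4 {
            seen = 1
            blocked = ($3 ~ /^0B?$/ || $4 ~ /^0B?$/)
            if ($2 == "disk"  && blocked) disk_blocked = 1
            if ($2 == "crypt" && blocked) crypt_blocked = 1
            if ($2 == "crypt") has_crypt = 1
        }
        END {
            if (!seen)              print "no-input"
            else if (disk_blocked)  print "disk-no-trim"
            else if (crypt_blocked) print "luks-discards-off"
            else if (!has_crypt)    print "no-luks-layer"
            else                    print "ok"
        }'
}

# Demo on the constructed samples. A verdict of "ok" covers the block
# layers only; the filesystem still has to issue discards (mount option
# or fstrim) for anything to reach the disk.
printf '%s\n' "$SAMPLE_NO_DISCARD" | trim_diagnosis
printf '%s\n' "$SAMPLE_DISCARD" | trim_diagnosis
```

Passing discards through dm-crypt lets anyone who can read the raw device see which blocks are unused, a trade-off the cryptsetup documentation warns about for `--allow-discards`.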

  • External Disk Encryption

    Just formatted a new external 2TB drive
    Plan to copy content to it from several smaller older drives.
    I've just enabled disk encryption.
    I assume it will only start to encrypt stuff as I add it and not encrypt the whole empty drive ?
    AC

    Decided it was a bad idea and that it was probably trying to encrypt the whole disk as there was steady stream of disk activity listed in Activity Monitor.
    Ejected the disk which I could not then access without repairing, and eventually repartitioned unencrypted.
    Looks like I'll revert to using encrypted sparsebundles which are quick, expandable and will also give a degree of backwards compatibility.
    AC

  • HP Protecttools - Disk Encryption - How do I recover a hardrive that no longer boots

    I have an HP Laptop that has the HP Protecttools Disk encryption enabled, but will not boot. I need to pull information off of the drive for the employee who owns the laptop and I am unable to because of the encryption. I know you can use the key that is generated during the encryption process to unencrypt the drive at the first login screen, however because the drive is not booting I do not get that screen. Is there any utility I can run from a CD/DVD to unencrypt the drive from a command line using the encryption key?

    Hello Charon.  I understand you need to decrypt a drive for a computer that cannot boot.
    What problem is causing the drive to be unable to boot?
    Which notebook are you working with?  Please use this document to locate the product number and use that to identify the notebook.
    Since HP Protect Tool is generally used in an Enterprise environment you may also want to post your question to HP's Business Boards.  Here is a direct link.
    I hope you have a great day!
