Whole Disk Encryption

I have a T510, Windows 7, 64-bit.  I recently used PGP Desktop 10.1.1 to encrypt the "C:\" partition only using the Windows P/W (in a domain).  After rebooting, the PGP login page appeared as expected, accepted the login and would not start the O/S.  Re-imaging the HDD from backup failed to recover the system.  Those of you that are using PGP Desktop, could you please share with me the steps/best-practice you are taking to encrypt the HDD?
Also, do you still have to decrypt the HDD before performing backup/image of the HDD to be able to recover?
Thanks,

It's complicated. That vulnerability (which affects a number of encryption technologies) depends on the key being in memory, which is used in many cases to prevent the user from having to enter two separate logins when they wake from sleep.  It is possible to configure FileVault in such a way that it's not an issue, but it's less convenient to use.
FileVault has a setting, destroyfvkeyonstandby, which can alleviate this, but be aware that security is ALWAYS a tradeoff between "ultimate security" and usability.  In this case, I think the default case is reasonable and the exploit mentioned has too many requirements to be a real concern.
To see all the details on FileVault 2, you can open a terminal window and type 'man fdesetup' and among it is this information on the FileVault key, etc:
     On supported hardware, fdesetup allows restart of a FileVault-enabled
     system without requiring unlock during the subsequent boot using the
     authrestart command. WARNING: FileVault protections are reduced during
     authenticated restarts. In particular, fdesetup deliberately stores at
     least one additional copy of a permanent FDE (full disk encryption)
     unlock key in both system memory and (on supported systems) the System
     Management Controller (SMC).  fdesetup must be run as root and itself
     prompts for a password to unlock the FileVault root volume.  Use pmset
     destroyfvkeyonstandby to prevent saving the key across standby modes.
     Once authrestart is authenticated, it launches reboot(8) and, upon
     successful unlock, the unlock key will be removed.  You can also use this as
     an option to the enable command if the system supports this feature.  The
     supportsauthrestart command will check the system to see if it supports
     this option.
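
One way to audit the setting named in the reply above, as an added example that is not part of the original post. It parses text in the layout of `pmset -g` (both samples are constructed and their exact layout is an assumption) and also reports hibernatemode, which goes beyond what the post covers.

```shell
#!/bin/sh
# Added example (not from the thread): audit the standby key setting.
# Both samples are constructed; they imitate the layout of `pmset -g`.
SAMPLE_DEFAULT='System-wide power settings:
 DestroyFVKeyOnStandby    0
Currently in use:
 standby              1
 hibernatemode        3
 sleep                10'

SAMPLE_HARDENED='System-wide power settings:
 DestroyFVKeyOnStandby    1
Currently in use:
 standby              1
 hibernatemode        25
 sleep                10'

# pmset_value KEY: read `pmset -g` text on stdin and print KEY's value.
# Matching is case-insensitive, so it works whether or not the input
# capitalises the key the way the samples do.
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# fv_standby_audit: read `pmset -g` text on stdin, print a one-line verdict.
#   key-destroyed  the FileVault key is dropped when the Mac enters standby
#   key-retained   the key is kept in memory across standby
#   unknown        the setting was not present in the input
# hibernatemode is printed for context only: pmset(1) documents mode 25 as
# hibernating to disk and removing power from memory.
fv_standby_audit() {
    settings=$(cat)
    destroy=$(printf '%s\n' "$settings" | pmset_value destroyfvkeyonstandby)
    hib=$(printf '%s\n' "$settings" | pmset_value hibernatemode)
    case "$destroy" in
        1) verdict=key-destroyed ;;
        0) verdict=key-retained ;;
        *) verdict=unknown ;;
    esac
    echo "$verdict hibernatemode=${hib:-unset}"
}

# On a Mac:   pmset -g | fv_standby_audit
# To change:  sudo pmset -a destroyfvkeyonstandby 1
echo "default sample:  $(printf '%s\n' "$SAMPLE_DEFAULT" | fv_standby_audit)"
echo "hardened sample: $(printf '%s\n' "$SAMPLE_HARDENED" | fv_standby_audit)"
```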

Similar Messages

  • PGP Whole disk Encryption but for Windows Partition only ?

    Hi,
    Slightly unusual situation here. I want to use my MacBook Pro at work and home. OSX at home and XP at work. Now at work they have a strict policy of only allowing computers on the network with PGP Whole disk Encryption. I've looked into this and there doesn't appear to be a way of setting this up via bootcamp because PGP makes use of MBR which as far as I know bootcamp doesn't use and PGP themselves say bootcamp isn't supported.
    Looking around the web there are various articles about triple/quad booting Mac systems not using bootcamp but things such as Grub or rEFIt. I'm wondering if there is a way of using this boot technique but using the partition option when installing PGP for windows and only setting it up on the defined windows partition.
    Has anybody tried this or have alternatives ?
    Thanks in advance
    Steve

    Hi Steve:
    Windows has a boot manager built in. Windows can be installed on a logical NTFS partition, the boot
    manager can sit on a tiny fat or fat32 primary partition. I have used this arrangement on my PC's
    many times. I have not tried it on a Mac, but it should work. You will need to have some working
    knowledge of partitioning to pull it off.
    I don't know how PGP designed their software, but it should support this arrangement, unless they
    have some cheesy engineering design built into their software that would prevent it from working.
    The windows boot manager has been with NT from the beginning. It is not rocket science, NTLDR
    sits in the usual spot reserved for system boot files, the boot ini file tells NTLDR what partition
    the /windows/system32/ntoskrnl.exe is on and NTLDR passes the ball to ntoskrnl and away
    she goes if everything is Kosher. Windows boot manager can boot other OS's as well.
    Be aware though that windows may assign a drive letter to the windows installation other than
    "c" (usually "d" or "f"). That doesn't keep anything from working though.
    Kj

  • PGP Whole Disk Encryption

    After my wife's iphone was stolen I was thinking of installing PGP whole disk encryption on my Macbook pro. PGP does not support Boot camp. Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion? Also how should I copy the windows partition? If I was going to do this sort of thing on the mac I'd use SuperDuper or Carbon Copy Cloner to copy the entire disk over to another disk.
    thanks,
    jeff

    jevenson:
    I need to understand this post clearly. Just so you and I are on the same page, I am going to make some assumptions. You plan to install PGP Whole Disk Encryption on your OSx side. I suspect that you want it to cover your boot camp partition upon which Windows XP resides.
    PGP does not support Boot camp.
    I am assuming that by this you meant that should you install PGP on the OSx side then it would not cover the Windows side on a boot camp setup.
    Is there a way for me to take my install of Windows XP and transfer that to Parallels? In other words take the entire partition and copy it into the Virtual Machine on Parallels or Fusion?
    No, at present, I do not know of any way to actually move Windows from a boot camp partition to reside on the OSx partition and run as a virtual machine under parallels or fusion without performing a complete installation under parallels/fusion.
    Now, having said that, there is another option for you. Parallels and Fusion both can use the boot camp partition with Windows as a virtual machine BUT without moving windows on the OSx partition. It will run Windows as a virtual machine directly from the BC partition. So, you will be able to run OSx and Windows at the same time. What I am not sure is that if you have PGP installed on the OSx side and since parallels/fusion runs from the OSx side then will it encrypt the boot camp/windows when run under it?
    Axel F.

  • PGP whole disk encryption and Snow Leopard

    I've got Leopard with PGP whole disk encryption on it but am having difficulties in installing SL as it wants to wipe the HD.

    Hi Thomas
    Sorry I was trying to save this as a post rather than a question but it hasn't seemed to save my edited message for some reason.
    PGP for me is better in that it encrypts the whole disk rather than just the user account. Using FileVault is really unfriendly with Time Machine, it slows the computer down and for a lot of people you can't actually activate it if you don't have enough space remaining on your HD.
    PGP will encrypt your whole disk without slowing it down or taking up any additional space. It also works better than a firmware password that can be bypassed by resetting the PRAM.
    The problem with PGP is that in trying to install Snow Leopard the installer doesn't recognise the boot partition even once the encryption has been removed. This causes it to prompt the user to wipe the HD. Here's the solution I found after some pain I might add:
    Remove all the encryption from your HD and Time Machine.
    Back up!
    Start the Terminal from the Leopard Installer (Utilities->Terminal). This has to be done from the installation disk.
    Type diskutil list
    Identify your system disk. In most cases it is disk0s2
    There's a volume called "Boot OSX" on the next partition, probably disk0s3. If your system is different than disk0, then use that identifier in place of disk0 for the rest of these instructions.
    Type diskutil unmountdisk disk0
    Type gpt remove -i n disk0 where the n is the last number of the boot partition; for example, disk0s3 would be 3; you would type gpt remove -i 3 disk0
    Exit Terminal
    P.S. If you accidentally remove the wrong partition OSX won't start up but don't worry, run disk utility from the installation disk and create a new partition and restart. All your data will still be there!

  • Whole disk encryption with boot camp?

    I'm a network administrator and have been dedicated Windows until now.  We are just about to receive our first Mac Air 13" in the office and trying to work out how we can keep our security policy intact whilst giving the flexibility of using Windows.
    Pretty sure we want to do boot camp so the user can decide which OS they want to go into and not have any performance issues.
    Do you know of any products that will encrypt the entire hard disk without giving booting issues?
    Alternatively, if these products break booting they would have to log in to the Mac OS and then run a virtual machine (think it's called Parallels).  Is there a noticeable performance hit on this?
    Thanks in advance - this is very new territory for a long term windows fan boy
    Adam

    The encryption is dependent on the OS version. To my knowledge there is no way to Encrypt the Whole Drive with any one piece of software and then install both OS X and Windows on that drive. For the encryption to work it has to work with the OS installed. So you have OS X and then use Boot Camp to install Windows. Then use FileVault in OS X and whatever encryption system you want for the Windows partition/install.
    I could be completely mistaken.

  • I am getting "this disk cannot be used to startup" when trying to upgrade to Lion.  I do have whole disk encryption software on the MACBOOK AIR

    After downloading the LION OSX upgrade I am getting an error "This disk cannot be used for startup". I can't go any further.  I am using checkpoint fulldisk encryption software on the MACAIR.

    You've answered your own question. 
    Lion will not install on a disk with 3rd-party encryption.

  • Full disk encryption for the Mac ?

    I desperately require a security measure against data compromise in the event of a physical theft of one of my Macs.
    Is there some full disk encryption solution, similar to the TrueCrypt solution for Windows, that can work with a Mac? (TrueCrypt works on Mac but not its feature of full disk encryption)
    Any other ideas on reinforcing security in such physical theft incidents?
    Thanks!

    Visited http://www.macintouch.com/
    PGP Corporation is now shipping PGP Desktop 9.9 for Mac OS X, a major update of the encryption software. Highlights of this release include full support for pre-boot authentication, full support for external drives (including the sharing of Whole Disk Encrypted thumb drives between Mac and Windows clients), use of the FIPS 140-2 validated PGP SDK for cryptographic operations,
    http://www.pgp.com/

  • Disk Encryption

    The company that I work for is requiring that we encrypt our computers. I'm currently running Parallels with XP Pro (all of our software is proprietary and will only run in windoze) so I can run all of our software inside of my superior Mac. The requirements for the encryption are as follows...
    - 256 bit encryption
    - The tool must prevent unauthorized access to the master boot sector, and to the Windows and Novell network logins
    - The tool must provide secure delete functionality for all unused space on the hard drive
    - 100% of all data files (including temporary files, hibernation files and scraps/fragments) must be encrypted by the tool
    - Partial hard drive or file level encryption is not acceptable
    Since it requires the entire disk to be encrypted I figure that I can not use File Vault. Does anyone out there know of a program that will cover all of these requirements so the bigwigs in our home office are happy? Thanks.

    The setup you're describing is just not simple enough to cleanly fit their requirements. If you can find out what they're "really looking for" you can almost certainly satisfy their requirements.
    The common solutions for Windows add custom software to the (non-OS) software that boots the machine. Afaik, nothing like this exists that will then continue to boot the machine via Mac OS. So in the end, it comes down to whether or not their policy allows you to bring non-work files (e.g. Mac OS) to work without encrypting them. Here are two hypothetical approaches for if they do allow that or not, respectively:
    -Show them Windows running in a virtual machine which has its runtime ram, captured session ram, boot record, and entire virtual drive encrypted in their entirety (via filevault & XP software). Promise them that all work-related files will remain on the 'Windows side'. If you'll allow me a little digression, this option will almost certainly not satisfy them, as I can gather from the requirements that they [are not hipster linux-geeks sitting in a dark server room in the basement, but are likely, rather, operating under management with a foundation of extreme paranoia because of an article someone read somewhere and] have adopted a sweeping "default-deny" policy, i.e. "our way or the highway".
    -Move the Mac OS off of the internal drive completely and use BootCamp. Mac OS is just fine booting from an external/pocket FireWire drive that you can, in a very real sense, think of as a separate machine. When they boot your MacBook [Pro] they will see, in every way, an intel notebook running XP and SafeGuard, BitLocker (or whatever other XP, whole-disk-encryption solution your coworkers are using).
    Keep us posted. Good luck.
    Joel
    p.s. I haven't actually done any of the above (other than run Mac OS from an external drive so that the internal could have no Mac OS installed at all, just XP --works great).

  • Hard disk encryption/Using mac in NHS?

    Hi,
    Does anyone have any experience using a mac (legally) in the NHS? I have been in touch with the IT dept at the Trust I work in, and have been told "they don't support macs". Apparently whole disk encryption is required. It seems the McAfee encryption software that the NHS uses does not work on macs. I have tried to find mac encryption software on the CESG and under the Common Criteria to argue my case, but haven't been successful. Surely it's possible to encrypt a mac and use in the NHS (I don't even need to connect to the network, just work with the odd bit of patient information)????? I'm sure there must be other mac users who have experienced similar problems, but haven't been able to find any entries in the forums - apologies if I have missed the blindingly obvious.
    Any advice gratefully received!

    Thank you for your responses. Unfortunately the Mac disk utility is not sufficient, as it is not whole disk encryption. I have looked at PGP and truecrypt, which I'm sure would do the job, but I have been told "no, get a windows-based computer". I have contacted the CESG, which advises on such matters, but apparently they don't have any Mac approved software either, and can't advise on an appropriate level of security. This is apparently up to the individual trust, who need to do an impact assessment (but it is clearly much easier just to say no!)....If anyone has had any luck getting their Mac approved for hospital use, I'd be interested to hear. Surely someone in the world's third largest employer uses a Mac at work

  • My time machine 3 TB HD was encryption enabled and it took forever.  I tried reformatting, it is online, but, get this: Partition map repair failed while adjusting structures to fit current whole disk size.  Any comments appreciated.

    My time machine 3 TB HD was encryption enabled and it took forever.  I tried reformatting, it is online, but, get this: Partition map repair failed while adjusting structures to fit current whole disk size.  Any comments appreciated.

    This issue has been in discussion (actively) since last August here:
    https://discussions.apple.com/thread/4218970?start=0&tstart=0
    After months and months of new reports, it's pretty clear that this is an Apple Mountain Lion problem and one that Apple needs to address.  As one frustrated user noted:
    >>There is no consistent solution for a user.  Apple has to supply it.  All you can do is submit a bug report to
    >> http://www.apple.com/feedback
    Please, if you are encountering this problem you will save yourself a lot of wasted time and energy simply by joining me and others in asking Apple to fix this problem: Make a bug report.
    Thanks!

  • Questions before whole disk encryption (dmcrypt+LUKS)

    I am intending to encrypt my two internal laptop drives. That means a 128GB SSD (partitions: Arch, swap, Windows7) and 750GB HDD with most of the data (two partitions: data, and system backup).
    I intend to do it using dm-crypt + LUKS (my understanding is that's the best method for the job), and I am going to do it in-place, which means on existing system/data, using this ingenious script: http://www.johannes-bauer.com/linux/luksipc/
    However, I have some questions that I was unable to find answers to:
    1. I am going to encrypt entire SSD. I know that SSDs work better if they have manual overprovisioning left so that TRIM may work properly, extending the life and performance of the SSD.
    For this reason, right now on my 128GB SSD (Samsung 830) I have 12GB of unpartitioned space left.
    But if I encrypt the entire drive, then even if the unpartitioned space is still there when I run gparted from within the encrypted system, will the TRIM mechanism still see it as unpartitioned, or will it see the whole disk as partitioned and occupied due to full disk encryption?
    2. If I get it right, I need a separate boot partition, and leave it unencrypted. So I will put it somewhere on that SSD. But if I intend to do dm-crypt+LUKS block device encryption, doesn't it mean that it will encrypt everything on that SSD? If so, then should I go around it?
    3. I am not clear on the process itself, and wiki does not say anything about it. I think I need some kind of key file to access encrypted partitions. But when in the process and how am I supposed to generate it? And what to do with it so that system remains bootable from syslinux? wiki.archlinux.org/index.php/Disk_Encryption is very rich in theoretical information, but I found nothing about the encrypting process itself.
    4. As I mentioned, the SSD contains also a small Windows partition for dual boot. Do I need to take some extra steps to ensure it runs, or will it work as long as the Arch boot works?
    Does anyone know answers to (any of) those questions?

    @Lockheed SSDs do not interpret the disk table as far as I know, therefore it does not make a distinction between "unpartitioned space" and "partitioned, but unwritten space". The involved layers for a LUKS-encrypted partition are:
    +----------+------------------+-----------------------------------+
    | ext4     | /dev/mapper/Arch | mount with "discard" (default)    |
    +----------+------------------+-----------------------------------+
    | LUKS     | /dev/sda1        | cryptsetup --allow-discard option |
    +----------+------------------+-----------------------------------+
    | physical |                  | disk needs TRIM support           |
    +----------+------------------+-----------------------------------+
    When a filesystem is mounted, you can use fstrim / to TRIM free space. To TRIM a whole drive (e.g. just before reinstalling when you have a backup on a secondary disk), you can use blkdiscard /dev/sda.
    (2) "block device" likely refers to the model where data is read/written in blocks rather than per byte ("character device" such as /dev/null). Encryption is also done per block, not per byte. If you write a file of 1 byte, then the encryption would still touch the whole block size which is more than 1 byte (typically a power of 2, e.g. 512 kiB).
    (3) with LUKS you can have multiple key slots. Knowing one of them does not give any knowledge over the other key slots. Keep all keys secret, only one is needed to access your data... By the way, while I used a key file to migrate my old data to the new encrypted partition, I already had a passphrase in a key slot. The keyfile was just occupying another key slot. At boot, the keyfile would be used to unlock the device, but in case of emergency I could use the passphrase instead.
    (4) if you are not going to need it, then just wipe it completely (possibly after making a backup, just in case). If you ever need Windows, use it in a virtual machine. As ball said, LUKS is incompatible with MSWIN.
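
A way to check the three layers from the table in the reply above end to end, as an added example that is not part of the original post. It reads text in the shape printed by `lsblk`, `dmsetup table` and `/proc/mounts` (all samples are constructed) and reuses the reply's names `/dev/sda` and `/dev/mapper/Arch`; the cryptsetup option is spelled `--allow-discards`.

```shell
#!/bin/sh
# Added example (not from the thread): find where TRIM stops on a LUKS stack.
# Every sample string below is constructed for illustration.

# Physical layer: `lsblk -dn -o NAME,DISC-GRAN,DISC-MAX /dev/sda`
LSBLK_SSD='sda 512B 2G'
LSBLK_HDD='sdb 0B 0B'

# dm-crypt layer: `dmsetup table Arch` (the key is printed as zeros
# unless --showkeys is given)
DM_WITH='0 234436608 crypt aes-xts-plain64 0000000000000000 0 8:1 4096 1 allow_discards'
DM_WITHOUT='0 234436608 crypt aes-xts-plain64 0000000000000000 0 8:1 4096'

# Filesystem layer: the volume's line from /proc/mounts
MNT_DISCARD='/dev/mapper/Arch / ext4 rw,relatime,discard 0 0'
MNT_PLAIN='/dev/mapper/Arch / ext4 rw,relatime 0 0'

# A DISC-MAX of 0B means the device accepts no discard requests.
disk_has_trim() {
    printf '%s\n' "$1" |
        awk 'NR == 1 { ok = ($3 != "" && $3 != "0B") } END { exit ok ? 0 : 1 }'
}

# A crypt target forwards discards only when allow_discards is among its
# optional parameters (set by opening with --allow-discards).
dmcrypt_allows_discards() {
    printf '%s\n' "$1" |
        awk '$3 == "crypt" { for (i = 4; i <= NF; i++) if ($i == "allow_discards") ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# The mount options are the fourth field, comma separated.
mount_has_discard() {
    printf '%s\n' "$1" |
        awk '{ n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "discard") ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# trim_chain LSBLK_LINE DM_TABLE_LINE MOUNT_LINE
# Prints the first layer that blocks TRIM, or how TRIM reaches the disk:
#   blocked:disk | blocked:dm-crypt | online-discard | fstrim-only
trim_chain() {
    if ! disk_has_trim "$1"; then echo "blocked:disk"; return 1; fi
    if ! dmcrypt_allows_discards "$2"; then echo "blocked:dm-crypt"; return 1; fi
    if mount_has_discard "$3"; then
        echo "online-discard"   # the filesystem issues discards as it frees blocks
    else
        echo "fstrim-only"      # lower layers pass discards; run fstrim manually
    fi
}

# Live use (as root):
#   trim_chain "$(lsblk -dn -o NAME,DISC-GRAN,DISC-MAX /dev/sda)" \
#              "$(dmsetup table Arch)" \
#              "$(grep '^/dev/mapper/Arch ' /proc/mounts)"
echo "SSD, discards allowed, plain mount: $(trim_chain "$LSBLK_SSD" "$DM_WITH" "$MNT_PLAIN")"
echo "SSD, discards not allowed:          $(trim_chain "$LSBLK_SSD" "$DM_WITHOUT" "$MNT_DISCARD")"
```

The cryptsetup manual warns that passing discards through dm-crypt reveals which blocks of the encrypted device are unused, so a `blocked:dm-crypt` result can be a deliberate choice rather than a misconfiguration.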

  • External Disk Encryption

    Just formatted a new external 2TB drive
    Plan to copy content to it from several smaller older drives.
    I've just enabled disk encryption.
    I assume it will only start to encrypt stuff as I add it and not encrypt the whole empty drive ?
    AC

    Decided it was a bad idea and that it was probably trying to encrypt the whole disk as there was steady stream of disk activity listed in Activity Monitor.
    Ejected the disk which I could not then access without repairing, and eventually repartitioned unencrypted.
    Looks like I'll revert to using encrypted sparsebundles which are quick, expandable and will also give a degree of backwards compatibility.
    AC

  • HP Protecttools - Disk Encryption - How do I recover a hardrive that no longer boots

    I have an HP Laptop that has the HP Protecttools Disk encryption enabled, but will not boot. I need to pull information off of the drive for the employee who owns the laptop and I am unable to because of the encryption. I know you can use the key that is generated during the encryption process to unencrypt the drive at the first login screen, however because the drive is not booting I do not get that screen. Is there any utility I can run from a CD/DVD to unencrypt the drive from a command line using the encryption key?

    Hello Charon.  I understand you need to decrypt a drive for a computer that cannot boot.
    What problem is causing the drive to be unable to boot?
    Which notebook are you working with?  Please use this document to locate the product number and use that to identify the notebook.
    Since HP Protect Tool is generally used in an Enterprise environment you may also want to post your question to HP's Business Boards.  Here is a direct link.
    I hope you have a great day!

  • Bit locker security issues (easy to crack) disk encryption?

    Bit locker security issues (easy to crack) disk encryption?
    Problem 1: When the PC run I think it's too easy to get malicious users (with usb pendrive) or spyware to get the encryption key (fast and easy)
    youtube.com/watch?v=0npTlOq6q_0
    Problem 2: not resistant with bruteforce attacks
    youtube.com/watch?v=zvaJxnvbGic
    Problem 3: not resistant with boot hacking
    I'm using DriveCrypt plus pack and searched security issues in bit locker. The bit locker allow you the bruteforce/dic attack easy. I think it would be much safer 1. (I think the keys stored somewhere that is easily read) 2. Do not just be enough password
    need a password+file combination to decrypt the disk. DriveCrypt plus pack use a file+password combination if you know the password but you won't have the file you can not decrypt the disk (protect with bruteforce attack). On system boot protected bruteforce
    attack you can crash the (boot). If the boot system crash you can not decrypt the disk just the password you need the file+password combination plus to decrypt it. I am not a programmer but I see the BitLocker (easy security catches to crack the disk encryption). I'm
    tested DriveCrypt and I can not get the key that easy (Problem 1). I have not tested it in greater depth just trying to (catches to crack software encryption).

    Where is your question, sir?
    If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
    "Problem 3" is not clear, please describe what scenario you are talking about.

  • Cisco Agent Desktop / Supervisor Desktop Issue with Full Disk Encryption

    Has anyone had any issues related to running Cisco Agent Desktop or Cisco Supervisor Desktop on a machine running full disk encryption?  Our desktop team installed full disk encryption software from Check Point, and it seems to be causing some issues with call monitoring, screen pops via workflow and connectivity to the UCCX server.  It's not affecting every machine (that we know of), but the fix for us right now is to provide a desktop without the encryption software.  I'm just wondering if this is related to us, or if there is any supporting documentation out there?
    Any help is appreciated.

    CAD for IPCCX v4 does not support windows 7. See compatibility matrix:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_compatibility/matrix/crscomtx.pdf
    In my experience if you already have CAD installed and you upgrade the OS (without a fresh rebuild) CAD will work - but it is NOT supported. You should test this though.
    You will not be able to install the older version of CAD on windows 7, the installer will give you errors.
    Brian
