# 256 Bit Whole Disk Encryption



## jaredbkt (Oct 31, 2006)

My office requires that by the end of the year everyone install disk encryption software that is 256 Bit. I am having trouble finding that for the Mac. Does anyone have some good suggestions?

PGP doesn't support boot volumes so that won't work.

Thanks for any help!


Jared


----------



## ScottW (Oct 31, 2006)

Jared, 

Did they tell you the exact requirements? Do you need the whole disk and all contents to be encrypted, or just the ability to have virtual disk images that you can store data on that are mountable?

Your options will vary greatly depending on the requirements. If you could provide some insight and what Mac you have, that would help too.

Thanks.


----------



## jaredbkt (Oct 31, 2006)

Thanks for your help. This is from the memo:

* 256 bit encryption
* must prevent unauthorized access to the master boot record or to the Windows and Novell network logins
* must provide a secure delete function for all unused space on the HD
* 100% of all data files must be encrypted
* partial hard drive or file level encryption is not acceptable

As you can see they want heavy duty stuff. I work in financial services so it's understandable.

Any ideas?


----------



## ScottW (Oct 31, 2006)

Well, I suppose if I had re-read your subject line, you mentioned WHOLE disk encryption. In that case, I'd skip the software method (slow) and go with hardware (fast). Replace your hard drive with an encrypted drive.

This place sells encrypted drives, external, internal 3.5 and 2.5 with a variety of encryption options, whether it be password only or require a usb key, satisfying the "something you have" part of a 2-factor authentication required for best practice.

I also saw a blurb in the last day or so about Seagate offering an encrypted disk as well, but I know nothing about it. Plausible deniability.

Scott


----------



## ScottW (Oct 31, 2006)

FileVault would probably satisfy them as well - as long as you store all your data files in your home directory. The bad thing about what they are requesting is really kinda silly. Meaning, they don't know what they are requesting.

"100% of All data files". Every file stores data. What type of data files? I assume business data, but what about other data files?

"Secure Delete Function". What level of Secure Delete? BTW - Mac OS X supports this as well, in varying degrees of security levels from weakest to strongest.

"Windows" logins would be stored in your Keychain file on your Mac, so that would be encrypted.

Then there is the last one, "partial hard drive or file level encryption is not acceptable". Then why do I need secure delete if the entire drive is encrypted? Why do I need to be concerned that 100% of all data files are encrypted, when the whole disk is?

Based on the last * you have..., aside from the first *, everything else is moot. Tell them to fork over money for encrypted drives. IT support just went out the window BTW.


----------



## jaredbkt (Oct 31, 2006)

I know it's retarded. Our IT guy at the office said that the "home office" doesn't know what they're asking for. As you can imagine, I am the only Mac user in the office. Even the Windows users have to fork over $100 for the software the company is recommending but I have to do some extra leg work.

I'm on a MacBook so a software solution would be best. I would love to use File Vault but they want 256 and FV is only 128.


----------



## ScottW (Nov 1, 2006)

One viable option could be to partition your drive. Set up the minimum amount you need for booting, then use PGP Whole Disk Encrypt to encrypt the other partition. But, in all honesty, that is what FileVault would accomplish.

Hmmmmm.... there are no solutions BTW for the Mac... aside from replacing your internal drive with an encrypted drive, but 256-bit is a little silly. RocSafe only supports up to 192 if necessary.

What I can tell you is that what the Home Office wants to accomplish is this: they want to ensure that if a laptop is stolen, no matter what state the computer was found in, nothing can be extracted from it.

FileVault will accomplish this goal, assuming you store your data files pertaining to the business in your home directory.

Honestly, I would push back. Say, you know, I have a Mac with all this wonderful encryption built into the operating system. It would accomplish the same thing. I will erase my free space religiously. Life will be grand. I bet they will think "OMG - He has a Mac?" and will either be hard-nosed about it or go, "Okay".


----------



## g/re/p (Nov 1, 2006)

If the computers are owned and maintained by the company, it should be
their responsibility to implement the new requirements.


----------



## jaredbkt (Nov 1, 2006)

Good point but they are not. Everyone owns their own machine. They are not company computers, so to say.


----------



## g/re/p (Nov 1, 2006)

Ok - then my next step would be to research the subject in depth
and use any applicable information I could find to show the "home
office" that they are clueless and that it is impossible to do exactly
as they require - i.e. they will need to lower the standards somewhat.


----------



## Jonsun (Feb 6, 2007)

FileVault is NOT sufficient in my opinion. There is no way to guarantee that all sensitive files will only reside in the user's folder. Any poorly written app could write some data elsewhere on the disk. Whole disk encryption ensures that any data on the system is protected from unintentional recovery in the event of a system loss.

Additionally, some people may want to use BootCamp to allow running Windows XP. While there are a plethora of whole disk encryption options for Windows, these can't be used on an Intel Mac.

I've contacted WinMagic (makers of SecureDoc for Windows) and they've indicated they are looking at releasing a product for Macs. A key to products like SecureDoc is that they can be centrally managed with recovery keys, so an IT staff can support users: key to this working in a business environment. Should anyone hear of anything sooner, please post it here.

Thanks.


----------



## ScottW (Feb 6, 2007)

You're right. However, software solutions slow down your overall experience. The best bet is to get a Rocport drive, which has encryption at the hardware level. Install one of those in your systems and you're off. The level of encryption may not be that high, but it does support two-factor authentication (something you have, something you know) and quite honestly, no one is going to be able to get your data off.

Scott


----------



## Jonsun (Feb 6, 2007)

I have a query with Rocstor to ensure they work with MacBooks and to get an idea of the cost. However, it's not a solution that can be easily centrally managed (as far as I can tell).

I've run SecureDoc on Windows XP on a Celeron M laptop and, even running VMware, it's still a very usable system. While on-the-fly encryption will definitely have an impact on performance, it's still a desirable feature, at least in some cases, and is something that I hope gets addressed for Mac.


----------



## ScottW (Feb 6, 2007)

TrueCrypt I have liked on Windows and Linux. It is free and offers the full range of options. It would be nice if they would come out with a Mac version, then you'd have everything.

PGP offers whole disk encryption and is a nice cross-platform solution. If you were to partition your drive, you could put the boot/startup stuff on the boot partition, and then encrypt the other partition in whole and put your applications and home directories on that. But, not 100% like using other available software solutions or hardware solutions as you mention.


----------

