- Encrypting in general
- You are protecting privacy of the information.
- All kinds of tools to simply hide files and folders. Basically running ‘chflags hidden <path to file or folder>’
- Encrypted container - Adam uses; but if you use Time Machine it will see the one (possibly big) file as changed and back up the entire thing again. This was the issue with the old FileVault v1 "full drive" encryption, which was really just the home folder for each user: the file was open at the time and Time Machine would hate it.
- Knox, Agilebits
- Full disc - George uses
- Cross platform may or may not be an issue.
- Security vs convenience
- Why do it?
- Just your data? Or are you custodian for others?
- Do you handle medical information (HIPAA) ?
- Do you handle US Federally funded research (FISMA) ?
- If you attend or work for an EDU, search Google: encryption site:stanford.edu
- Or call your information security group
- Risks of doing it?
- Loss of encryption key
- Even on a personal home machine, you need to escrow the key/password for your loved ones
- Disk/Container level corruption could render all of encrypted volume unreadable
- Crossing country borders
- Might be illegal in your home country
- If you use full disk encryption you will not be able to locate your stolen laptop: phone-home apps and mechanisms don’t usually work before someone signs in.
- BACKUP BACKUP BACKUP
- Non Apple products: (If you are on 10.6 or older)
- TrueCrypt - $FREE
- Free and open source but well established and maintained
- Cross platform
- Hidden volumes
- Password vs. key support; the key can be a trigger file
- PGP (Symantec - Drive Encryption) - $110 USD
- Commercial, enterprise management
- Otherwise has generally been getting worse year after year
- Cross platform maintenance getting worse
- George doesn’t consider this suitable for one off home users of OSX
- McAfee Endpoint Encryption - approx $80 USD
- Commercial, enterprise management
- George has no experience with this product
- FileVault 2 (OS X 10.7, 10.8) - $FREE in the OS
- Full disc encryption - a core storage volume
- Internal drive, Time Machine drive and normal use external drives
- George does it on work and personal
- Adam does not do FDE but sticks with encrypted disc image containers
- Key escrow
- Three security questions, screenshot and put in your 1Password
- Screenshot and put in your 1Password
- Note: for external drives these are independent passwords and are not covered by your key escrowed with Apple, so you need to record them somewhere safe.
- Takes a good bit of time to encrypt or decrypt, but fine once done.
- Most users will not notice an appreciable performance issue
- The frustrating issues (mostly gui)
- No progress indicator?!? really?
- On positive side I have not had any issues with resumption.
- diskutil cs list
- In one test I did not see a status till it had gotten a minute or two into the process and into the core storage system type
- Don’t care about decrypting, just want to nuke the drive?
- *** warning terminal and dangerous ***
- diskutil list
- diskutil eraseDisk HFS+ New disk2
- The buggy gui issues
- Had a disk that had previously been encrypted, would show on right click “Encrypting...” grayed out. But cs list showed nothing needing to be done. I had to use the eraseDisk to nuke the drive and start over.
- When decrypting/encrypting and right click: state is confused
Example: When encrypting and right click: I see “Decrypting....” When the drive came back on change from old partition type to core storage type.
+-> Logical Volume Family 2B1DE245-1D97-4492-AABD-AF120C1F8592
Encryption Status: Unlocked
Encryption Type: AES-XTS
Conversion Status: Converting
Conversion Direction: forward
Has Encrypted Extents: Yes
Fully Secure: No
Passphrase Required: Yes
+-> Logical Volume 64D3EA23-6E58-4C87-8FD9-FF46BE1502C3
Size (Total): 3320795136 B (3.3 GB)
Size (Converted): 379584512 B (379.6 MB)
Revertible: Yes (unlock and decryption required)
LV Name: New
Volume Name: New
Content Hint: Apple_HFSX
- In Disk Utility, hold Option while clicking File. The options won’t become selectable if Option is pressed after File is clicked; you have to do Alt-File at the same time. But options like turning off encryption do not seem to work.
- Report bugs at www.apple.com/feedback, or file a Radar bug report if you have a developer account
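
The notes above complain that the GUI has no progress indicator and fall back to `diskutil cs list`. As an added example (not from the original notes), this shell function turns that listing into a percentage per logical volume; the names `cs_progress` and `sample_listing` are made up here, and it assumes the field names and ordering shown in the listing above.

```shell
#!/bin/sh
# Added example (not from the original notes): report FileVault 2 / CoreStorage
# conversion progress from `diskutil cs list` text read on stdin.
# Assumption: field names and ordering match the listing shown on this page.

cs_progress() {
    awk '
    { sub(/^[ |]+/, "") }                 # drop tree-drawing indentation, if any
    $1 == "+->" && $2 == "Logical" && $3 == "Volume" {
        if ($4 == "Family") { status = "unknown"; dir = "unknown" }
        else                { lv = $4; total = 0 }
        next
    }
    /^Conversion Status:/    { status = $3; next }
    /^Conversion Direction:/ { dir = $3; next }
    /^Size \(Total\):/       { total = $3 + 0; next }
    /^Size \(Converted\):/   {
        # A non-numeric value or a zero total means no percentage can be given.
        if ($3 ~ /^[0-9]+$/ && total > 0)
            printf "%s %s %s %.1f%%\n", lv, status, dir, 100 * $3 / total
        else
            printf "%s %s %s n/a\n", lv, status, dir
    }'
}

# Sample input: the listing from this page, embedded so the script runs offline.
sample_listing() {
    cat <<'EOF'
+-> Logical Volume Family 2B1DE245-1D97-4492-AABD-AF120C1F8592
Encryption Status: Unlocked
Encryption Type: AES-XTS
Conversion Status: Converting
Conversion Direction: forward
Has Encrypted Extents: Yes
Fully Secure: No
Passphrase Required: Yes
+-> Logical Volume 64D3EA23-6E58-4C87-8FD9-FF46BE1502C3
Size (Total): 3320795136 B (3.3 GB)
Size (Converted): 379584512 B (379.6 MB)
Revertible: Yes (unlock and decryption required)
EOF
}

sample_listing | cs_progress
# On a Mac, feed it the live listing instead: diskutil cs list | cs_progress
```

"Fully Secure: No" in the listing stays that way until the conversion finishes, so a drive unplugged or stolen mid-conversion still holds unencrypted extents.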