If you have read my previous review of Apple’s FileVault 2, thank you.
This article is an updated version of my Lion FileVault 2 review to include a comparison of Sophos Disk Encryption for Macs. Enjoy.
History has shown that some things Apple does, Microsoft does later. I don’t want to distract you with the details so when you are done reading this blog posting, fire up your favorite search engine and hunt on ‘Microsoft copies Apple’. Enjoy!
This doesn’t hold true when it comes to Full Disk Encryption (FDE). BitLocker made its debut with Vista in January of 2007. A mere 4 and a half years later we have FileVault 2 (FV2) with FDE support for Apple’s Mac OS X. Yippee!
Being the data protection junkie I am, as soon as possible, I upgraded to OS X 10.7 Lion to encrypt my MacBook Pro.
Sophos is also able to encrypt Mac computers at the sector level. As a comparison, I also encrypted the same MacBook Pro using Sophos Disk Encryption (SDE) for Mac version 5.55 on OS X Lion.
This way, from a hardware perspective, everything is equal.
The objective was to give FV2 a test drive, see how it feels as well as share my data findings and opinion when compared to SDE for Mac version 5.55.
Keeping with the Apple theme, I’ve rated my observations with either CRISPY or ROTTEN based on my opinion of the finding. Personally, my favorite apple is a cool crisp Senshu in mid-September. Yum!
MacBook Pro 13-inch
Released: Early 2011
1 Processor: 2.7 GHz Intel Core i7
Total number of cores: 2
Memory: 4 GB 1333 MHz DDR3 both slots used
Storage: 500 GB SATA drive ST9500325ASG 5400 rpm
Format: Mac OS Extended (Journaled)
The Act of Encryption
FV2: Apple has a very useful article (HT4790) on how to get your FileVault 2 FDE on. My advice is to read through the article first before giving it a try to ensure there are no surprises on your system.
I found the article easy to follow and salacious enough to satisfy my technical curiosities. A great example is the first sentence of the article which states that FileVault 2 is using XTS-AES 128-bit encryption.
If you’re a crypto junkie or learning to be one, you can get your fix with this great Wikipedia page on Disk encryption theory where you will learn about cipher block chaining (CBC) and Xor-Encrypt-Xor (XEX).
If acronyms such as XTS and AES make your eyes glaze over, then keep reading because article HT4790 softens up the crypto-speak to be helpful enough for home users or IT pros without a cryptography background.
SDE: Sophos provides the standard Apple Disk Image (.dmg) file which contains a Readme.html and a package (.pkg) file.
The pkg file can be used for a manual installation or can be distributed for large scale deployments using tools such as JAMF’s Casper.
For enterprises, there are several command line (CLI) options available for the deployment. Not in scope of this article. Point being, you can really customize the heck out of your install.
Comparative: I looked for ways to deploy FV2 and SDE in an enterprise and found that JAMF can be used for both, but SDE offers many more options through the CLI, such as adding users to the pre-boot environment, generating recovery keys and controlling the encryption state. CRISPY for SDE.
With my 500 GB SATA drive and minimal usage during initial encryption, it took roughly 7 hours at a rate of 1.19 GB/minute. This was nice and CRISPY for FV2. Keep in mind that’s 128-bit crypto.
Under the same usage conditions, SDE took 12 hours and 26 minutes at a rate of 0.67 GB/minute. While SDE’s initial encryption time is longer, the ability to pause and resume the act of encryption as often as you like makes up for it.
As you can see, doubling the key length makes initial encryption take longer, but you get twice the key strength in return.
I performed a couple additional tests in the area of the encryption resiliency.
About 5 minutes after the initial encryption process began I restarted the MacBook Pro. I did the same thing during the decryption process for both technologies.
I was very happy to see my MacBook Pro come back to life and not turn into a half-encrypted Franken-brick. CRISPY to both FV2 and SDE.
Another cool feature I find with very few encryption products is the ability to pause, resume and/or revert the initial encryption process, either manually or from a script.
FV2: I was happy to see that after enabling FV2, I was also able to revert/disable FV2 in mid-encryption, but only once.
SDE: SDE has the same ability to begin encryption and while partially through, then decrypt. Where SDE comes ahead is you can stop decryption before completion and even go back and forth again as often as you like.
While I still don’t have a use case to turn it on and off multiple times, it goes to show that there was a lot of thought in SDE’s design.
Comparative: When someone decides to jump into the FDE pool and forgot to back up with Time Machine beforehand, having an exit strategy is a relief.
It’s always good to back up before you encrypt your drive; you can never be too cautious.
I give them both a CRISPY for being able to back out of initial encryption, but SDE gets a double-byte CRUNCH for adding the extra features to pause and resume.
Performance is generally a top priority for the majority of Mac users. When your time is spent manipulating images, recording/editing audio, compiling iOS apps and/or rendering video, speed and available resources counts.
That’s generally why you got a Mac to begin with.
Updated: After having completed this article I decrypted my drive because the performance hit was too great to bear. Whenever I launched and used GIMP, and even when using Finder, I got the rainbow wheel of patience.
A big thanks to AnandTech who put in a great effort to analyze performance with FileVault 2 enabled on an SSD (Solid State Drive). After analyzing various I/O intensive operations, including but not limited to, random read/writes and sequential read/writes at varying file access sizes, they wrote, “Overall the hit on pure I/O performance is in the 20 – 30% range.” ROTTEN
This level of analysis is still pending with SDE. If AnandTech desires to execute the same performance analysis on SDE, please contact me directly for assistance.
I decided to do some tests of my own around boot times. After all, part of the pleasure I get from my MacBook Pro is how well it performs when opening and closing the lid.
It’s important to keep in mind that when you add drive encryption, for best protection you want to shut down. No more sleep mode for me.
*Boot times were recorded using an iPhone 3Gs Clock app with stopwatch feature. Keeping things level on the Apple technology playing field.
To make the data easier to read, I used a matrix.
FileVault 2 Boot Times Matrix
| FV2 State | Encryption State | Boot type | Time to (in seconds) |
FV2 State means if FileVault 2 was enabled or not
POA means Power-On Authentication
Time To POA means the time it took to get to POA for authentication
Time To Login means the time elapsed after POA to get to a Mac OS X login prompt
Time to Usable means until Mac OS X 10.7 was usable. To keep things fair, I used a script that Automator launched at boot. When the called application presented a password prompt Mac OS was considered to be usable.
Total = POA + Login + Usable
Increase means the time added to the overall boot process
The average of three boot attempts is the value presented in each matrix. As you can see, the average boot time with no encryption took just under 59 seconds. This number is subtracted from the Total boot times recorded to get the Increase in boot times.
After initial encryption completes, the overall boot time increase for FV2 is 34.93 seconds.
Some people may argue this with me, but considering that Apple controls the operating system and the source code, this is pretty ROTTEN.
Sophos Disk Encryption for Mac Boot Times Matrix
| SDE State | Encryption State | Boot type | Time to (in seconds) |
Performing the same tests, under the same conditions, after initial encryption completes the overall boot time increase for SDE is 18.53 seconds.
If boot times are a top concern for your organization, this is going to definitely be CRISPY for you.
Comparative Boot Times Matrix
| Technology | Encryption State | Time to (in seconds) |
The net result is that when a MacBook Pro released early 2011 starts from a cold boot with encryption, you should expect to see SDE perform 16.4 seconds faster than FV2.
Keep in mind that different models with different drive speeds, processor speeds and RAM will yield different results.
Recovery is a hugely important capability with *any* encryption solution. It’s a horrible feeling when your data looks like it’s lost.
It’s even worse when you could have avoided it if using encryption and you lost your recovery key.
FV2: During the FV2 activation process, you will be presented with a recovery key. That key can either be stored with Apple or with yourself.
If stored with Apple, you will be asked to answer three security questions to encrypt the recovery key. Apple is quite clear that if you forget your answers, they are not responsible for recovering your key.
I actually like this feature for non-technical home users that are good at remembering their security question and answers. CRISPY
If you choose not to store the recovery key with Apple, then put that 24-character alphanumeric string someplace safe, and not on the same computer you encrypted.
Perhaps in the cloud?
Let’s say that for some reason you later need to change that recovery key; Apple provides that capability.
In order to change the recovery key you will need to fully decrypt your drive and then fully encrypt it again. We already know that encryption takes 7 hours, so changing the recovery key will take roughly 14 hours. ROTTEN
For more information on OS X Lion Recovery, Apple wrote a really detailed and understandable article HT4718. In the event you only have one computer, my advice is to print it out today and file it.
You never know.
SDE: Password recovery keys are generated with SDE either in the GUI or the CLI, and doing so doesn’t require changing the encryption state.
This is especially handy for small to medium organizations or large enterprises that want to automate generating recovery keys centrally.
In the event of boot failure, SDE has a pre-boot environment that can be used to authenticate to and used to recover encrypted data. CRISPY
Comparative: As critical as data and password recovery is for encrypted disks, Apple still has much growth in this area.
SDE provides a few methods for data and password recovery which is essential in the event one method isn’t successful.
Let’s face it. I can’t think of anyone who would volunteer to tell the CEO of their company that the encryption is the reason the family vacation photos are lost forever.
It’s one thing to say you’re encrypted, it’s another to prove it.
FV2: As of this posting I couldn’t find a method for centralized reporting without scripting.
If someone out there really needs reporting, I found that the command diskutil cs list will provide the status of the CoreStorage logical volume groups.
Grepping the command’s output, redirecting it to a text file and massaging it to meet your needs is plausible. The raw output on my MacBook Pro looked like this:
David-Schwartzbergs-MacBook-Pro:~ IluvNakeSec$ diskutil cs list
CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 31D7AED9-6AE4-44B2-80A5-2CBE0E7AA4E6
Name: Macintosh HD
Free Space: 0 B (0 B)
+- Logical Volume Family A88A8F6F-AABC-4ADA-853E-7F1FC3F3D71D
Encryption Status: Unlocked
Encryption Type: AES-XTS
Encryption Context: Present
Conversion Status: Complete
Has Encrypted Extents: Yes
Conversion Direction: -none-
+-> Logical Volume 34FB0CAC-800D-4222-9030-178AE32765B3
Size (Total): 498929332224 B (498.9 GB)
Size (Converted): -none-
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
Volume Name: Macintosh HD
Content Hint: Apple_HFS
The line above which reads “Revertible: Yes (unlock and decryption required)” is the indicator that FV2 is enabled.
While I like using command line and grepping, it goes against Apple’s history of technology being easy and just working. ROTTEN
SDE: Out of the box, SDE isn’t much better when it comes to reporting.
It’s better because the sgadmin command will yield the encryption status:
Volume info :
| Index | Name | UUID | State | Encrypted | Capacity |
| 0 | Macintosh HD | 5BE8216E-AF64-40B0-AA89-09FE5069EFC3 | Partially encrypted | 58.30 % | 300.1 GB |
| 1 | Data | D761FC9C-FB4C-42F2-9C7C-0BCCAC523013 | Encrypted | 100.00 % | 199.5 GB |
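One way to do that massaging without grepping by hand, as an added example that is not from the original post or from either vendor: a small Python parser that reads the diskutil cs list tree and sgadmin’s Volume info table (both samples are constructed from the abridged listings above) and reduces each volume to a uniform encrypted / encrypting / not encrypted status. Reading the Revertible line as the FV2 indicator follows the review; the function names are my own.

```python
import re

# Sample outputs, constructed from the abridged listings shown in the review.
DISKUTIL_CS_LIST = """\
CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 31D7AED9-6AE4-44B2-80A5-2CBE0E7AA4E6
    Name: Macintosh HD
    +- Logical Volume Family A88A8F6F-AABC-4ADA-853E-7F1FC3F3D71D
        Encryption Status: Unlocked
        Encryption Type: AES-XTS
        Conversion Status: Complete
        Has Encrypted Extents: Yes
        +-> Logical Volume 34FB0CAC-800D-4222-9030-178AE32765B3
            Revertible: Yes (unlock and decryption required)
            LV Name: Macintosh HD
"""
SGADMIN_VOLUME_INFO = """\
Volume info :
| Index | Name | UUID | State | Encrypted | Capacity |
| 0 | Macintosh HD | 5BE8216E-AF64-40B0-AA89-09FE5069EFC3 | Partially encrypted | 58.30 % | 300.1 GB |
| 1 | Data | D761FC9C-FB4C-42F2-9C7C-0BCCAC523013 | Encrypted | 100.00 % | 199.5 GB |
"""
UUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"

def parse_diskutil_cs(text):
    """One dict per Logical Volume Family, holding its 'Key: Value' lines (nested LV lines are folded in)."""
    families, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("+-> ")      # drop the tree-drawing prefix
        fam = re.match(rf"Logical Volume Family ({UUID})", line)
        if fam:
            current = {"family": fam.group(1)}
            families.append(current)
        elif current is None:
            continue                           # group-level lines: not needed
        elif (lv := re.match(rf"Logical Volume ({UUID})", line)):
            current["lv"] = lv.group(1)
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return families

def fv2_status(family):
    """AES-XTS plus the 'unlock and decryption required' Revertible line means FV2 is on;
    a Conversion Status other than Complete means initial encryption is still running."""
    if family.get("Encryption Type") != "AES-XTS":
        return "not encrypted"
    if "decryption required" not in family.get("Revertible", ""):
        return "not encrypted"
    return "encrypted" if family.get("Conversion Status") == "Complete" else "encrypting"

def parse_sgadmin_volumes(text):
    """Rows of sgadmin's pipe-delimited table as dicts; Encrypted becomes a float percentage."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in text.splitlines() if ln.lstrip().startswith("|")]
    header, body = rows[0], rows[1:]
    volumes = []
    for cells in body:
        rec = dict(zip(header, cells))
        rec["Encrypted"] = float(rec["Encrypted"].rstrip("% "))
        volumes.append(rec)
    return volumes

def encryption_report(diskutil_text=DISKUTIL_CS_LIST, sgadmin_text=SGADMIN_VOLUME_INFO):
    """Uniform (tool, volume name, status) rows from both tools' output."""
    rows = [("FV2", f.get("LV Name", f["family"]), fv2_status(f))
            for f in parse_diskutil_cs(diskutil_text)]
    for v in parse_sgadmin_volumes(sgadmin_text):
        rows.append(("SDE", v["Name"], "encrypted" if v["Encrypted"] >= 100 else "encrypting"))
    return rows
```

Feed it the real command output instead of the samples and the same report rows come back for a fleet of machines.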
If the CLI gets you down and you really want something more 21st century, JAMF’s Recon Suite will provide reports in different formats, including PDF.
When I last checked, Recon does support reporting for FileVault (notice the ‘2’ is missing). If you decide to use FV2 with Recon, I couldn’t find anything on their Support site so please contact JAMF directly to confirm supportability.
Comparative: Both SDE and FV2 fare about the same in the reporting category. The extra nudge forward goes to SDE for having better CLI options to provide encryption status without the need to grep the heck out of ASCII scrolling across Terminal.
I was also able to find logs (Yes, LOGS!) of when SDE started and completed initial encryption (/var/logs/secure.log is your friend).
In an effort to reduce the length of this review (yeah I know, too late) I put down some additional thoughts covering other categories.
Security – A company called Passware has a product named Passware Kit Forensics v11 (cost $995) which analyzes a Mac’s live memory via FireWire even if the computer is locked or sleeping. It can even extract passwords in the Mac’s keychain password store; regardless of strength and with FV2 enabled. ROTTEN
As noted above, the defense is to turn off the computer when not in use, which Naked Security recommends.
Software Updates such as security updates and patches to Mac OS X are supported by both encryption solutions which is always CRISPY.
BootCamp support for FileVault 2 is available but according to a forum posting at Notebook Review there are some steps necessary before encryption on the Windows partition.
There are additional conversations happening on the BootCamp + FV2 topic in the Apple Support Communities.
SDE supports BootCamp, see article 112825 for details on setting it up.
Network User support for FileVault 2 is currently not available. In order to get a network user to access a locked FV2 drive, a local user needs to login first to unlock the disk. This is explained in Apple article HT4652.
Non-boot volumes can only be encrypted with FV2 using the diskutil cs 'disk' -password 'password' command. The only documentation I found for additional internal volumes pointed to using Terminal.
SDE is able to encrypt additional volumes from the GUI or the CLI during deployment.
Updated: Thanks to a reader who reminded me about making a mention of how to add multiple users to the FV2 pre-boot authentication. User Provisioning is a big part of deploying any encryption solution.
FileVault 2 leverages the native user accounts to the operating system, which is cool.
Nonetheless, in order to add multiple users to the FV2 pre-boot authentication, the user needs to physically be there to enter their password. If they are not present during initial setup, then another user who can unlock the drive needs to later add that tardy user when present, assuming they can also change the FV2 settings in System Preferences. ROTTEN
SDE pre-boot users (one or more) can be added in the GUI or via the CLI during deployment without the user’s attendance as a requirement.
In summary, Apple has joined the ranks of Microsoft by providing native operating system full disk encryption to the consumer market.
Congratulations for your hard work and efforts!
OS X 10.7 Lion FileVault 2 has some great features: initial encryption speed, an easy key recovery method for home users, the ability to reboot during the encryption or decryption process, and the option to change your mind if you started encrypting before your Time Machine backup or just chicken out.
FileVault 2 clearly falls into the shadows of Apple’s position of not catering to the corporate marketplace.
Which is fine because that is Apple’s choice and the majority of their customers love them for that philosophy.
For home users and small business owners with the need for encryption, paying $29.99 to upgrade to OS X 10.7 Lion is a steal.
To any organization looking at FV2 with the need for central management, network user support, central deployment, centralized reporting, high performance and strong security, I offer a word of caution.
There are third party commercial alternatives which will meet your needs such as Sophos Disk Encryption.
For an interactive review of FileVault 2 between Chester Wisniewski and myself, plug into the Chet Chat 69 podcast.
Until next time, keep it safe and secure online.
There was interesting news that week, especially the capture of Topiary from Lulz Security. Chet went through the news headlines and then moved on to interview me on my initial impressions of Mac OS X 10.7 Lion’s FileVault 2.
FileVault 2 is partition-level encryption which replaces the previous version’s file-level encryption. My advice is to listen to the podcast first, and if the interview strikes a chord with you, then read my blog posting here at DSPN for more details.
Until next time, stay safe and secure online.
On July 5th, I posted a blog titled “Can simple Google searches reveal your secrets?” at Naked Security touching on how security information is available on public servers which are getting crawled by Google. This is not a jab at Google, but more of an awareness blog of how good security solutions can be compromised with bad security practices.
My recommendation is to revisit your security practices with a new pair of eyes. Hopefully you will gain from it.
I hope you enjoy the blog posting and please comment either here at DSPN or Naked Security. If you make a reasonable comment which invokes the need for me to reply, I will make every attempt to engage you in a conversation.
Until next time, keep it safe and secure online.
Sophos is a Platinum Sponsor at the SC Magazine Congress in Toronto, Canada. I’ll be attending and looking forward to speaking with people on June 14th and 15th during the SC Congress. Come by the booth to talk security or attend our session on “Where’s your data?”
For my impressions of the conference, please see my guest blog posting at Sophos Naked Security.
When I first heard that Thessa’s birthday party in Germany had grown to a head count of 1,500, it reminded me that I forgot to go. Her birthday party was actually not intended to be so large, and only 10% of the positive respondents to her Facebook event crashed the party. It’s apparent that this was evidence of poor privacy settings. Both parties are at fault here: Facebook for having too loose a set of default settings, and Thessa for not changing those settings. Wait, she’s a teenager, so should she be exempt from fault? It might be a gray area for some, but not me. At what age does the hall pass go away when it comes to being safe and secure online?
The coming of age in this information privacy era is up to the individual. Once that individual is able to go online and read well enough to understand that there are privacy settings, the hall pass goes away. Smaller children using a computer at home still need to rely on their parents to protect them and educate them about better online etiquette and safe computing. The parents should be changing the less fun sections of their favorite social media web sites to protect their children. In case you are having trouble getting through the techno-babble and computerese, I provided some basic steps on how to be safer online with Facebook.
Keep in mind that these instructions may change the next time Facebook relaunches their interface.
1. In the upper right hand corner of Facebook there is the Account drop-down menu you see here. After the menu appears, click on the ‘Privacy Settings’ menu option.
2. The ‘Privacy Settings’ menu option will take you to a page to choose your privacy settings. As you can see in my example, the dots are almost all to the right. To achieve this, click the ‘Customize settings’ link that you see in the red triangle.
3. The ‘Customize settings’ link will take you to a page that is much longer than shown here. This is the important part, where you will need to go through each setting to restrict who can see what information about you. Please do this with your children, of any age, to protect them.
As for Thessa, when I heard she fled her own party, I wondered if she was heading to the Hamburg-Bramfeld Costco to get more chips. Those chaps look hungry.
From the hhs.gov website:
“As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary:”
While searching for statistics on data breaches, I stumbled upon the U.S. Department of Health and Human Services web page for Breaches Affecting 500 or More Individuals. As of this posting there are 288 recorded incidents of unprotected health information leaking since September 9th, 2009. I like how the HHS offers to save the entire data set in CSV and XML formats for personal consumption. For example, this gives you the ability to sum the ‘Individuals Affected’ column to put things in perspective.
In an effort to keep things straight in my head, it made sense to create a timeline of the Sony data breaches (and near data breaches) which were reported either by Sony or by the individuals themselves. This chronology is primarily the attacks which resulted in data loss pieced together by different news sources and not any of the other events in the timeline, such as PSN coming back online. If you find something that’s in need of being updated, please send me an email through this blog.
Hopefully Sony will get their security straightened out in time before the next attack occurs.
| # | Date | Sony Business Unit | Attributed to |
(Row numbers and dates for the first entries did not survive extraction; only the business units and two attributions remain.)
| | | Sony PlayStation Network/Qriocity | |
| | | Sony Online Entertainment | |
| | | Sony Electronics, Inc. | |
| | | Sony Electronics, Inc. | |
| | | Sony PlayStation Network/Qriocity | |
| | | Sony Music Indonesia (defaced) | k4L0ng666 |
| | | Sony BMG Greece | b4d_vipera |
| 9 | May 23rd | Sony Music Japan | LulzSec |
| 10 | May 24th | Sony Ericsson | |
| 11 | June 2nd | Sony Pictures | |
| 12 | June 3rd | Sony Europe | |
| 13 | June 5th | Sony Pictures Russia | |
| 14 | June 6th | Sony CED Network | LulzSec |
| 15 | June 6th | Sony BMG Music NA | LulzSec |
| 16 | June 8th | Sony BMG Music Portugal | |
| 17 | June 8th | The Sony Marketing Co. | |
| 18 | June 19th | Sony Pictures France | |