Full disk encryption coming in Lion?

Discussion in 'Mac OS X Lion (10.7)' started by Jethryn Freyman, Dec 27, 2010.

  1. macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #1
    From here:

    http://www.tuaw.com/2010/11/15/why-10-6-5-and-symantecs-pgp-whole-disk-encryption-didnt-get-a/

    ... and the full email with headers:

     
  2. macrumors 65816

    Joined:
    Jan 9, 2007
    #2
    Now THAT would be a feature that'd get me excited over lion.
     
  3. thread starter macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #3
    Yes, I hate having to rely on PGP. It's a good product but I'd rather something more Apple-like. For example, the 10.6.5 update just broke PGP because it changed the boot.efi file that PGP used; this problem rendered Macs using PGP unbootable. Having a nice shiny Apple solution would hopefully be a way of avoiding problems like this in the future.
     
  4. macrumors 6502a

    jayhawk11

    Joined:
    Oct 19, 2007
    #4
  5. Jethryn Freyman, Feb 28, 2011
    Last edited by a moderator: Mar 1, 2011

    thread starter macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #5
    HAH! Confirmed!

    http://macosrumors.com/2011/02/27/full-system-encryption-macosx-lion/

    Anybody know any of the technical details?

    I'm assuming it will use 256 bit AES. I'd also like to have the ability to NOT set a "safety net" password, and to use a separate password for booting and for login (beware keyloggers!)
    ---

    OK, apparently it uses 128 bit AES in the XTS mode of operation. Not sure why they used 128 bit when every other product uses 256 bit though. It's not like the performance hit from moving to full 256 bit encryption is significant, given the fact that you're already encrypting the whole disk.

    Overall, good on Apple for doing it, I'll use it, at least now I won't have to worry about compatibility problems with PGP.
     
  6. macrumors 601

    Mr. Retrofire

    Joined:
    Mar 2, 2010
    Location:
    www.emiliana.cl
    #6
    AES-256 has more rounds, and is therefore slower than AES-128, even in hardware implementations, such as AES-NI. In mobile applications AES-256 needs more battery power than AES-128. AES-128 is also stronger than AES-256 and AES-192. And btw, a strong key (a passphrase) is equally important.
     
  7. macrumors 65816

    frunkis54

    Joined:
    Apr 2, 2009
    #7
    I know we're gonna see topic after topic about people forgetting their password and being locked out of their computer, trying to figure out a workaround :eek:
     
  8. macrumors 601

    Mr. Retrofire

    Joined:
    Mar 2, 2010
    Location:
    www.emiliana.cl
    #8
    Save the recovery key on a USB-drive! Problem solved.
     
  9. macrumors 65816

    frunkis54

    Joined:
    Apr 2, 2009
    #9
    Yes, I understand that...

    But I guarantee maybe a few months after release there will be multiple people trying to find workarounds because they don't remember the password or the recovery key.
     
  10. macrumors 68000

    Joined:
    Jan 27, 2007
    #10
    No need. Lion Full Disk Encryption provides you with a recovery token and allows you to send it to Apple for safe keeping.
     
  11. macrumors 65816

    frunkis54

    Joined:
    Apr 2, 2009
    #11
    Really?

    I didn't see anything like that. All I saw was before you turn it on it pretty much says do not lose either code or you're screwed.
     
  12. Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    Whakatane, New Zealand
    #12
    It's true. Apparently you need to set up some security questions with Apple and they'll only give you the token back if you get them all right.
     
  13. macrumors 65816

    frunkis54

    Joined:
    Apr 2, 2009
    #13
    My bad, I stopped where it shows the key. If only I had hit continue I would have seen that :)
     
  14. macrumors regular

    Joined:
    Oct 21, 2007
    #14
    Hmm...so I am going to encrypt that which I don't want others to see and send the key off to a third-party...


     
  15. Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    Whakatane, New Zealand
    #15
    Then don't send the key. Are you seriously complaining about having an option? :eek:
     
  16. walshlink, Mar 2, 2011
    Last edited: Mar 2, 2011

    macrumors regular

    Joined:
    Oct 21, 2007
    #16
    No...that was a comment. Actually it was more of a rhetorical question with a dash of sarcasm.

    I don't like people who misconstrue comments (or rhetorical questions) for complaints...NOW I am complaining.

     
  17. thread starter macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #17
    I think it's good that Apple has at least made full disk encryption ACCESSIBLE to Mac users and easy to use, just like Time Machine did for backups. Yes, it comes at a cost (i.e. using the user account password as the encryption password), but I guess this was their trade off between security and actually getting people to use it.

    I don't see why Apple couldn't at least have it as an OPTION to set your own password, though.

    Let's see what the final release of Lion brings.
     
  18. macrumors member

    Joined:
    Dec 17, 2009
    Location:
    in a bit register, everywhere
    #18
    I'd hope that this was an optional item.

    I fully disk encrypt my Linux laptop disks with a passphrase and generate a filekey but never give it to an unknown third party.
     
  19. thread starter macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #19
    Yep, you get the option to choose if you want it sent to Apple.
     
  20. macrumors 68030

    MattInOz

    Joined:
    Jan 19, 2006
    Location:
    Sydney
    #20
    Which User password and what if you have multiple users?
    So could you create an Admin user when you first configure the machine.
    Enable Disk encryption in that user, then once it's up and running import your Main user profile which could then have a different password.
     
  21. macrumors 6502a

    Joined:
    Feb 27, 2011
    Location:
    UK
    #21
    Like MattInOz I too would like to know how this works on a Mac with multiple user accounts. Also, is the use of a guest account impossible with whole disk encryption? Have Apple completely scrapped per-account encryption or have they left it as an option?
     
  22. macrumors newbie

    Joined:
    Aug 31, 2007
    #22
    Further, does data pushed to Time Machine / Time Capsule remain encrypted (even optionally?) or will you have to choose between having automated, continuous backups or having your data secure?

    Given Apple's market share (by no means negligible) and user demographic (much of the top 10% of users when ranked by $$ spent), it seems like they'd be in a perfect position to provide the first widespread use of real data security for the general public. I sure hope they follow up their initial release with a complete, full-featured selection of cryptographic features.

    They could also anoint a few multi-factor authentication solution vendors (or provide their own). It seems like there's a great opportunity to bring real, powerful encryption to the consumer, making it something you expect from the average joe and not simply an indicator that you're a very persistent geek. Seems like something Apple's well-suited for while being a great marketing differentiator when it comes to selling people on your particular 'cloud' services / storage - powerful, pervasive, open and tested encryption would make MobileMe much more attractive to me.
     
  23. macrumors regular

    Joined:
    Feb 13, 2011
    #23
    If a court subpoenaed Apple to decrypt someone's hard disk drive do you think Apple would be able to do it, bypassing the user's password?
     
  24. thread starter macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #24
    I don't have Lion, but I've been following this pretty close.

    I think there is an option to allow other user accounts (i.e. their passwords) to also decrypt the disk. That's what I hear, not sure how it works, might be wrong...

    Doubt it, disk encryption requests a password on booting, from there it's basically transparent.

    Haven't seen per-account encryption in any screenshots.

    You can now encrypt whole disks with Disk Utility. And when choosing a Time Machine disk, you have the option to encrypt it.

    Definitely, just like they did with Time Machine.

    This is my hope too, specifically, them allowing you to use whatever password you like for encryption, rather than doing it with your login password. Full disk encryption passwords are supposed to be LONG and complex, do you really want to be typing that in all the time when you're logged in just to authorise an app's installation? Also it makes it more vulnerable to keyloggers running on the OS and so forth.

    No, the encryption algorithm (AES) is totally secure when paired with a strong password. Of course, if you check the option to send the recovery key to Apple, it could probably be subpoenaed.
     
  25. macrumors newbie

    Joined:
    Jul 23, 2011
    #25
    Also, I wouldn't trust Apple to not have another way in.
     
