
Crunch

Hey all,

I'm used to being able to lock down all of my hard drives with Windows 7's BitLocker drive encryption system. I know that there is TrueCrypt as well, but I actually liked BitLocker better.

What do you guys use for OS X? TrueCrypt also supports OS X, which is great, but I find the UI a bit disorganized. Is there anything else we can use for our Macs to encrypt and password-protect our data, including everything from individual files to the entire hard drive?

Thanks a lot! :)
 
FileVault. It doesn't let you encrypt the whole drive, only the user folder. However, on a Mac, most, if not all, important data is in this folder. It readily supports OS X as it is built-in.
 
PGP Whole Disk Encryption is the only product I know that would encrypt the whole system drive of Mac OS X.
 
FileVault and PGP whole disk are probably your two best options. FileVault as noted is only for your home folder which has all of your data leaving the OS untouched.

PGP encrypts the entire drive - I'm not sure how this would work with bootcamp though.
 
I use PGP (no bootcamp) and love it. Once the disk is encrypted, there's little thought to it. The only difference is you have to enter the pre-boot passcode to boot the computer.

Here's a KB article from PGP concerning bootcamp: https://pgp.custhelp.com/app/answers/detail/a_id/1697/~/using-boot-camp-with-pgp-wde


WinMagic's SecureDoc will also encrypt a Mac system partition. I tried this for about 2 months when PGP was bought by Symantec. I hated it. Unlike PGP, SecureDoc puts the laptop in hibernation mode and requires the boot password to wake up. Also, any USB/firewire disk that you encrypt uses the same passcode. Some may like that (meaning you don't have to enter the passcode for the external disk), but I prefer PGP's method where you can use different passcodes for different disks and that you must enter a passcode.

A third is PointSec/Checkpoint. I never tried this one.

I don't like FileVault. Time Machine won't back up a FileVault user directory unless you log in as a user that doesn't have FileVault - the FileVaulted directory will then be backed up in its encrypted form. PGP works with Time Machine with no problems.

The last time I used FileVault was in 10.4, so it could be different now, but it would want to do maintenance (shrink the image files as necessary) and it seems like it would always take forever. It would do this when you logged out and you were stuck in limbo while it was running (no shut down, no sleep - means you can't safely move it/put it in a bag and leave).

But FileVault is free. The commercial products are expensive mainly because they are geared to business needs and businesses have no problems overpaying for software.
 
Hey, thanks for all the replies! Great stuff. Alright, it looks like I should have been more specific. OS X's own FileVault won't do me much good for the encryption scenario that I need, but it's definitely good to know that it's there! I also like to use Time Machine, although SuperDuper and CCC seem more useful for the way I back up. I like Time Machine for the geek factor (I know, :rolleyes: I know lol) because let's face it, "entering" the Time Machine is something to behold and I only ever do so for its cool graphics. ;)

It sounds like PGP might just work best for me, because I want to lock down the entire content of several individual hard drives that I have, but not the system drive. If they all have to have the same password, that's no problem either. In fact, when I had them all "BitLocked" down in Windows 7, I actually used the same password for all of them. ;)

I also don't mind, and actually like the idea, of having to enter a pre-boot password each time for one of the encryption solutions mentioned here. I think that was PGP, too. I do have a BootCamp partition, but any limitation as to that won't get in the way either, because I also don't need it encrypted. For some or all of the stated reasons, TrueCrypt might still be a contender, too.

Just FYI, for those who want encryption of everything including the system drive in BootCamp/Windows 7, just boot into BootCamp directly and set up BitLocker (in Control Panel). It works great, although if you encrypt the system drive, be prepared for a slight loss in performance, but from an encryption standpoint, it is rock solid. I haven't tried it out on a Mac just yet but I don't see why it shouldn't work.

One more thing about FileVault: If I decide to use PGP, I can probably still use FileVault for the system drive, right? Maybe by that time, Time Machine's graphics will have become less important. lol...:apple:
 
PGP and CCC/SuperDuper! work fine together. You simply exclude PGPWDE01 and PGPWDE02 from the backup (these are files in the root directory of the drive).

All three WDE programs require a pre-boot password. The difference is that with PGP, if you close the laptop and open it, you do not have to enter the PGP password, just your normal Mac OS password if you set that up for the screen saver. With WinMagic's SecureDoc, you have to enter the pre-boot password every time you open the laptop, not just at boot. And since it's in hibernation rather than simply sleeping, it takes longer for it to wake with SecureDoc.

I have no idea how pointsec/checkpoint handles this.


Just for clarification, with external disks they (PGP and SecureDoc) work like this:

PGP - you can use your PGP keys, a standard password, or a combination of both. This allows you to share the drive without giving away your keys. Also, if it is a backup drive that contains your PGP keys, you don't want to USE your keys to lock it (recommendation from PGP). You can enable/disable the memory caching of your password - this will allow you to control whether or not you need to enter your password every time you plug in an encrypted drive or just once. And there are time limits you can set - for example, cache the password for 5 minutes, then require it again after that the next time it is needed. This does NOT mean you have to enter the password every 5 minutes with a drive already unlocked. This applies only to plugging in a drive. PGP gives you a number of options.

SecureDoc - you enter your password at the pre-boot prompt and that's it. From then on it is stored in cache (or at least the decipher key) and any drives you plug in that were encrypted on that system auto-mount with no prompt using your passcode/keys. You have no options to change this behavior. You can share the disk with other SecureDoc users by adding their keys to the encrypted drive.


One thing SecureDoc has over all the others - it's the only Mac OS WDE program that works directly with hardware encryption on Seagate drives that have hardware encryption. They apparently encrypt/decrypt much faster than typical software based encryption.

I know this is long, but I hope I've clarified some things.
 
SecureDoc does allow for different passcodes. An end user can use one passcode to encrypt their hard drive and another passcode to encrypt a USB thumb drive. SecureDoc makes use of a key file which is like a key chain with one or more encryption keys. This means that it is possible to encrypt a computer with one encryption key in the key file and encrypt a removable drive with a different encryption key. This allows you to have your computer encrypted with a unique encryption key and a separate encryption key to encrypt a removable drive. So, you could have a USB drive that is encrypted which others can gain access to without giving them access to the encryption key that protects your individual computer. This would be useful in a scenario where a department wants to have a shared USB pen drive for internal use.

Another popular functionality (which is currently available in SecureDoc for Mac) is to protect the USB pen drive with password only. While the protection level is diminished the advantage is no shared encryption key is required. So, attaching the USB pen drive which is password protected would prompt for a password. The computer’s hard drive then would be protected by key file and the USB can be protected by password only.
 
FileVault. It doesn't let you encrypt the whole drive, only the user folder. However, on a Mac, most, if not all important data is in this folder. It readily supports OS X as it is built-in.

Basically all your data except applications, but you can create an application folder in your home folder and run them from there no problem.

How safe is FileVault compared to TrueCrypt? Any information on that?

It's AES 256, just like TrueCrypt.

I use .sparsebundles for my sensitive data on external drives.
 
SecureDoc...sounds interesting. Does it and/or Apple's FileVault take several hours to encrypt the entire hard drive? Will it hurt system performance at all? If so, how bad is it? I mainly care about encrypting my external drives but ideally, I'd like to encrypt my main (internal) hard drive as well.

Thanks very much! :apple:
 
FileVault doesn't encrypt your entire boot disk, just your home folder.
I've been able to transfer from my encrypted FileVault to my encrypted external at 70MB/s, so really I'm running just a tad slower than my HDD's maximum performance.
 
....Just FYI, for those who want encryption of everything including the system drive in BootCamp/Windows 7, just boot into BootCamp directly and set up BitLocker (in Control Panel). It works great, although if you encrypt the system drive, be prepared for a slight loss in performance, but from an encryption standpoint, it is rock solid. I haven't tried it out on a Mac just yet but I don't see why it shouldn't work.
....

Hi Crunch,

I'm trying to bitlock the Windows 7 partition of my new MacBook Air (I use Boot Camp), but I can't get it to work. Since the MacBook Air doesn't have a TPM you need to use a USB drive, but when I try to turn encryption on and reboot it seems like the MacBook isn't seeing the USB drive.

Any suggestions? Thanks
 
Unfortunately, a TPM (Trusted Platform Module) v1.2 or higher is one requirement for BitLocker to work. I don't know of any Macs that have a TPM installed.

Wish I had better news. :rolleyes:
 
Sorry for digging up old threads, but I found this via Google and wanted to add in for anyone else that finds this post that you CAN use BitLocker WITHOUT TPM. You instead need an external hard drive or thumb drive attached during boot. You can get a very small and slim USB drive and leave it always plugged in if you have a laptop. Here is a link on how to enable BitLocker without TPM.
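
The TPM-less setup described in the post above, as an added example that is not part of the original thread: it sets the policy that allows BitLocker without a TPM, adds a USB startup key and a recovery password, and leaves the pre-encryption hardware test on. The drive letters `C:` and `E:` are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example, not from the thread. Assumed values: OS volume C:, USB stick at E:.
$osVolume = 'C:'
$usbKey   = 'E:'
$fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

if (-not (Test-Path "$usbKey\")) {
    throw "USB startup-key drive $usbKey not found"
}

# Registry form of the Group Policy setting
# "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" enabled.
# On a domain-joined machine, domain policy can overwrite these values.
if (-not (Test-Path $fve)) {
    New-Item -Path $fve -Force | Out-Null
}
New-ItemProperty -Path $fve -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null

# Add both protectors before encrypting: the startup key written to the
# USB stick, and a numerical recovery password for when the stick is lost.
manage-bde -protectors -add $osVolume -StartupKey $usbKey
if ($LASTEXITCODE -ne 0) { throw "Could not write the startup key to $usbKey" }

manage-bde -protectors -add $osVolume -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Could not add a recovery password" }

# -SkipHardwareTest is deliberately not passed: manage-bde then requires a
# reboot and only starts encrypting if the firmware could read the startup
# key from the USB stick at boot.
manage-bde -on $osVolume

# After the reboot, confirm the conversion state and the protectors in place.
manage-bde -status $osVolume
manage-bde -protectors -get $osVolume
```

If the machine cannot read the USB stick at boot, the hardware test fails and the volume stays unencrypted, which is the safe outcome. Store the recovery password that `manage-bde` prints somewhere other than the encrypted disk or the startup-key stick.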
 