Check Point Full Disk Encryption Software For Macs Released

[MacRumors]

Check Point has released a version of Check Point Full Disk Encryption for the Mac (via MacDailyNews). With the release, Check Point is the industry’s first full-disk encryption solution with pre-boot authentication to support the Mac OS.

"Enterprises and organizations have to secure 100 percent of their laptops and desktops to be fully protected," said Bob Egner vice president of product management at Check Point. "Check Point recognizes that Mac OS has an important and growing place in the enterprise and is proud to offer enterprise customers endpoint solutions that cover all platforms and work in mixed environments."

"We're delighted that Mac users in industries like government and healthcare who value high-quality encryption technologies have a strong solution that supports Leopard, the world's most advanced operating system," said Ron Okamoto, Apple's vice president of Worldwide Developer Relations. "Leopard is Apple's most secure OS release ever, and Check Point's encryption solution nicely complements features already present in Mac OS X."

Check Point supports Mac OS 10.4.5 Tiger through Mac OS 10.5.x Leopard in addition to Windows and Linux. Pricing starts at $120 for 1-99 users.

Many large corporations and governments have been deploying full-disk encryption solutions on portable computers, especially after high-profile laptop thefts. The lack of full-disk encryption has been cited as one reason why more enterprises are not adopting Macs.

See Also: PGP Full Disk Encryption In Development (via CNet)

Article Link

 

[Doctor Q]

How does full-disk encryption work? How transparent to the user is it?

Is it compatible with all software, including disk utility programs, search tools, virus scanners, etc? When you back up your files, are they encrypted too (there are pros and cons either way)? Will it break when the next O.S. upgrade comes out? What's the risk that a glitch will cause you to lose access to the whole disk?

 

[Particular]

Full Disk Encryption works at the hard drive sector level, after the PBA passcode is entered at boot, the drive is fully unlocked. Because it works at the sector level it should not theoretically even be noticeable by the OS. Only when the drive is locked (i.e. mac shutdown) does the security/encryption come into effect.

That being said, despite what the Apple rep may say, none of these features are already in 'Leopard'. Leopard's file-vault is a piece of **** and causes all types of problems for users (e.g. time machine). It relies on a totally different type of implementation, essentially it just wraps the home user account in a encrypted container that is 'mounted' when you login. This limits a lot of functionality in OSX and for me and a lot of other people has been the cause of quite a few problems.

It will be interesting to see how effective Pointsec's implementation of WDE is. PGP offers WDE but not on the active boot partition, lol, which is just silly... what's the point then? Anyhow, eager to see this in action but if I recall Pointsec does not sell individual licenses to private individuals (at least not for the windows version I dont think..)?? .

 

[longofest]

How does full-disk encryption work? How transparent to the user is it?

Is it compatible with all software, including disk utility programs, search tools, virus scanners, etc? When you back up your files, are they encrypted too (there are pros and cons either way)? Will it break when the next O.S. upgrade comes out? What's the risk that a glitch will cause you to lose access to the whole disk?

Here's the wikipedia page on Full Disk Encryption. To put it in mac terms, its FileVault but for your entire hard disk. This means you have to enter a key in order to

I believe a kernel extension provides real-time encryption/decryption of the file system. This may be done via the CPU, or sometimes it can use the TPM module. I'm not sure what Check Point uses. Don't know about effects on disk utilities, and I'd imagine that OS updates would need to be verified for impacts before being applied, but that's true of any software. A well-organized enterprise has a division that tests updates before distributing it to the rest of the enterprise.

Full Disk Encryption works at the hard drive sector level, after the PBA passcode is entered at boot, the drive is fully unlocked. Because it works at the sector level it should not theoretically even be noticeable by the OS. Only when the drive is locked (i.e. mac shutdown) does the security/encryption come into effect.

Are you sure that's true? I'm under the impression it is accomplished via realtime encryption.

 

[yellow]

I think Q's questions were more in the rhetorical vein..

But anyway, I'm encouraged by this and am quite interested to test it out, as soon as someone coughs up the cash around here.

They say their product integrates with AD.. I wonder if they include the Mac product in that?

 

[MarkW19]

Could this be used as an alternative to FileVault, for just an individual consumer (and work in the same transparent way as FV)?

 

[yellow]

Could this be used as an alternative to FileVault, for just an individual consumer (and work in the same transparent way as FV)?

I believe that's the point.. the problem with FV is that it only encrypts the user's home drive but a user isn't restricted form saving data anywhere they want. FV is a nice start, but really not adequate for most security requirements at the enterprise level.

This software does a full disk encryption with a bootloader, meaning when you start up your Mac, you have to enter a valid username/password (or valid key/ID via physical token) to decrypt the entire drive and then have it boot into OS X.

EDIT: I don't want to register for the datasheet.. if anyone does, can they post it here as an attachment (assuming it's not too large)? I'm curious what cryptos they support.

 

[MarkW19]

I believe that's the point.. the problem with FV is that it only encrypts the user's home drive but a user isn't restricted form saving data anywhere they want. FV is a nice start, but really not adequate for most security requirements at the enterprise level.

This software does a full disk encryption with a bootloader, meaning when you start up your Mac, you have to enter a valid username/password (or valid key/ID via physical token) to decrypt the entire drive and then have it boot into OS X.

EDIT: I don't want to register for the datasheet.. if anyone does, can they post it here as an attachment (assuming it's not too large)? I'm curious what cryptos they support.

Cool. I've had problems with FV too.

Just onto Checkpoint support - apparently they don't do a single-user version, lowest is 25 user. Hmm. Wonder if there are any other options out there?

 

[yellow]

Nothing for full disk.

Truecrypt (free) allows creation of a shadow volume or a regular encrypted volume, but is really nothing more than (IMO) a re-implementation of the an encrypted disk image from Disk Utility.. albeit with a dizzying array of crypto algorithms.

But it doesn't support full-disk.

And PGP is working on it.


Regardless, I'm happy to see this out. IMO, this shows that there will be progress in Mac OS X moving into the enterprise level.

 

[MarkW19]

Nothing for full disk.

Truecrypt (free) allows creation of a shadow volume or a regular encrypted volume, but is really nothing more than (IMO) a re-implementation of the an encrypted disk image from Disk Utility.. albeit with a dizzying array of crypto algorithms.

But it doesn't support full-disk.

And PGP is working on it.


Regardless, I'm happy to see this out. IMO, this shows that there will be progress in Mac OS X moving into the enterprise level.

Cool, thanks. I'll keep an eye on PGP too.

I'd be willing to pay £60 ($120) to get my disk properly encrypted, even if it meant 24 licences go to waste!

 

[yellow]

I think it's $120 PER SEAT, up to 99 users, and then the price drops to $90 per seat, up to 4999 user.

Kinda pricy.. but then, I expect they're hoping that institutions will pay if they need and want it.. and they have no competition currently.

 

[33scottie33]

I like the idea of FDE, but not sure I want to implement it yet. Currently, I'm using Undercover to protect and track my MAC in case it's stolen. With FDE, no tracking programs would run until you authenticate.

If I were a large business, I would not care. I would just replace the stolen MAC, but since I'm small, I'd rather use FV with Undercover, to increase my chances of getting my Mac back.

 

[voodooatl]

AES 256bit, its much faster than file vault. One of the points to remember is that is is also designed to be managed centrally unlike some personal products.

 

[yellow]

If I were a large business, I would not care. I would just replace the stolen MAC

Well, it's not a physical theft deterrant.. it's a physcial data protection.
The real use is in protecting data, be it state secrets, intellectual property, or HIPAA protected info..

 

[voodooatl]

Sometimes the data is worth far more than the laptop, just ask companies like TJMaxx

 

[33scottie33]

Well, it's not a physical theft deterrant.. it's a physcial data protection.
The real use is in protecting data, be it state secrets, intellectual property, or HIPAA protected info..

IMO, TDE is somewhat of a joke. I worked on a project to secure 2K laptops with TDE for the government. Really all they wanted was to be able to tell upper management that the drive was encrypted when it was stolen to avoid bad press.

Actually, if a thief really wanted to unencrypt the drive, all he would have to do is use some good social engineering to get the master password. FV and Undercover work the best because you encrypt what you need to encrypt and have a very high chance of getting the laptop recovered. With FDE, you have a sense of security, but really cannot be sure.

At the end of the day, I would rather be able to say that the FV protected laptop was recovered in two weeks. Instead of saying that the FDE protected latop was stolen and we will never know for sure if it was compromised.

Sometimes the data is worth far more than the laptop, just ask companies like TJMaxx

Again, FV protects the data that needs to be protected. Your emails, documents, etc.

 

[Queso]

PointSec for Mac! Another reason used to keep Macs out of the enterprise market has just disappeared. One of my clients is going to love this. They have PointSec on all their Windows machines, are pretty much a Checkpoint shop for their security stuff, and have a sizeable pocket of Mac users that need securing.

It also appears from the Checkpoint website as if your purchased seat licenses can be used on any platform. They are going to jump at this

 

[voodooatl]

FV is slow, and how do you know the users put sensitive data in he right location? No, its far better to encrypt the whole desk and be done with it.

Also if you solution has a master key you need a new solution, please don't assume there is a master key.

 

[Lumi]

This is a good start, but what I'm waiting for is a hardware based solution for this like a Stonewood Flagstone, the problem with software encryption is that it requires an overhead on the CPU, which is not good if you happen to run VM's or other highly disk intensive applications like me.

Most of these FDE products virtualise the disk from the operating system, the operating system effectively thinks it's sitting in a VM, with the Encryption software acting as the "Host", if you get more disk activity created by the OS, then the amount of work the hosting encryption software is doing increases. Move this process into hardware and the OS is not affected, a chip takes over from the encryption / decryption and the OS thinks that the encrypted disk is just another normal disk.

The reason these hardware products will not work AFAIAA is that they work with BIOS and the Mac uses EFI, at some point these disks will start to support EFI, but probably not until Windows starts using EFI instead of BIOS... At the moment, the market is not there for these hardware companies to create EFI versions of their products.

 

[Diode]

Just a note that is $199 per user for 1-99 users ... not $199 for 99 licenses.

 

[33scottie33]

FV is slow, and how do you know the users put sensitive data in he right location? No, its far better to encrypt the whole desk and be done with it.

Also if you solution has a master key you need a new solution, please don't assume there is a master key.

I can tell that you have never implemented this in an enterprise environment.

The Admin(s) have to give each user access to unencrypt their own laptop. So at a minimum, two users are assigned to each laptop. In a large environment, there are multiple Admins managing FDE. So, if you social engineer the password.

Although FV is slow, the chance of disk corruption is far less than FDE. I'm sure that the majority that have had to work with FDE in the real world are not big fans of it. At least not with Macs. For very sensitive data, you not only want want encryption, but you want the laptop back in you possession as soon as possible.

 

[yellow]

The Admin(s) have to give each user access to unencrypt their own laptop. So at a minimum, two users are assigned to each laptop. In a large environment, there are multiple Admins managing FDE. So, if you social engineer the password.

I'm not user you can accurately use this as an aregument against FDE, as FV is subject to the same limitations. However, if this FDE is any good, it should allow for key distribution that would make social engineering a much more difficult process.

 

[voodooatl]

Yes social engineering should be difficult as two admin accounts are required. I have deployed to many many large enterprises BTW.

Actually FDE is done with a filter driver, providing encryption on the fly. The device isn't abstracted from the OS. In fact it looks like a disk to anything running in the OS after the user has authenticated. FDE can make loosing a laptop like loosing cash, not like loosing our wallet. I have used it on windows in a large enterprise and appreciated not loosing my customers credit card data when a user actually check their laptop at an airport (it never made it to the destination)

 

[ArthurDaley]

New H/drive from Hitachi (Travelstar 7K320)

So far I've not found a good encryption solution for the Mac.

So I'm rather excited about a new drive coming onto the market; 7200 speed, 320 gig, low power and encrypted at the hardware level.

See: http://gizmodo.com/387878/hitachis-25+inch-hdd-does-7200rpm-speeds-with-5400rpm-power

From a quick scan of the Hitachi site the model number we want is: HTS723280L9SA61

I see the BDE (hardware encrypted) model runs at 1.5 Gb/s whereas the same version without encryption runs at 3.0 Gb/s. I wonder if we can notice that difference in any significant way?

 

[jf8]

Most of these FDE products virtualise the disk from the operating system, the operating system effectively thinks it's sitting in a VM, with the Encryption software acting as the "Host", if you get more disk activity created by the OS, then the amount of work the hosting encryption software is doing increases. Move this process into hardware and the OS is not affected, a chip takes over from the encryption / decryption and the OS thinks that the encrypted disk is just another normal disk.

The OS is not virtualized in any way. On a Windows system, the pre-boot authentication software will load the encryption key (which is encrypted with the user's password) and provide BIOS hard drive emulation. Then, control will be handed over to the Windows bootloader, which will load the kernel & drivers through the BIOS. One of these drivers will be the encryption driver - something sort of like a filter sitting between the filesystem drivers and the hardware drivers. All HD reads/writes will go through this driver before touching the drive; the OS itself is not virtualized in any way. The BIOS hard drive emulation is only used before Windows starts the kernel (which happens shortly after the Windows boot progress screen loads.)

In my experience, the impact on system performance is negligible once the initial encryption is performed, using PGP.

Actually, if a thief really wanted to unencrypt the drive, all he would have to do is use some good social engineering to get the master password. FV and Undercover work the best because you encrypt what you need to encrypt and have a very high chance of getting the laptop recovered. With FDE, you have a sense of security, but really cannot be sure.

These are problems of a bad implementation of full-disk encryption. A decent implementation will have no master password whatsoever. Without the end user's password, only system-specific recovery passwords can be generated. Unless your support staff would hand these out every time some random guy calls in and asks for one, this problem does would not exist.

The Admin(s) have to give each user access to unencrypt their own laptop. So at a minimum, two users are assigned to each laptop. In a large environment, there are multiple Admins managing FDE. So, if you social engineer the password.

Enterprise hard disk encryption software is smarter. In an enterprise environment with a registration server set up, PGP allows end users to self-register (no admin intervention necessary). Only one user is able to use the laptop. The encryption key is stored in encrypted form on the server. In event of an issue (if the OS won't boot or the user forgot his/her password), a recovery code can be generated by administrators by following a process that will create audit records.

PGP also does not give any user information at its login screen - there is only a password prompt. So, if a laptop was stolen, the thief would need to identify the user some other way to even figure out who to try to social engineer.

Although FV is slow, the chance of disk corruption is far less than FDE. I'm sure that the majority that have had to work with FDE in the real world are not big fans of it. At least not with Macs. For very sensitive data, you not only want want encryption, but you want the laptop back in you possession as soon as possible.

What exactly is the risk of disk corruption by using FDE?