Check Point Full Disk Encryption Software For Macs Released

[Wolfpup]

Truecrypt (free) allows creation of a shadow volume or a regular encrypted volume, but is really nothing more than (IMO) a re-implementation of the an encrypted disk image from Disk Utility.. albeit with a dizzying array of crypto algorithms.

But it doesn't support full-disk.

Are you sure Truecrypt doesn't support full disk encryption on OS X yet?

I've been using Truecrypt 5 for several months on Windows, and it's fantastic. I haven't had a single issue with it, and it's completely seamless. WAY more transparent (and secure) than file vault, and I can't notice any performance penalty at all for using it, and this is on an old single core Pentium 4 (Northwood 2.4GHz/533Mhz). Their code is REALLY efficient IMO.

It's also open source which is a plus, and it's free (although they accept donations!)

IMO once Truecrypt gets full disk encryption for OS X that's going to be the way to go. The only thing it has to do is run a single driver that's handling the encryption/decryption on the fly, and it's a really small file (that like I said, has no noticeable performance impact even on an old slow system).

Actually...technically there is one issue I have with it, but it's extremely minor (and wouldn't affect the OS X version). The pre-boot loader requires a PS/2 keyboard, which means I have to switch on the compatibility mode or whatever for my USB keyboard in the BIOS. Doesn't really affect anything, but it would be nice if they added direct support for USB keyboards (which a Mac version would HAVE to have).

GREAT program. Check out Steve Gibson's podcast on it (www.grc.com) from a month or two back. He had been using a closed source program until Truecrypt 5 came out. He's even more impressed with Truecrypt than he was with the closed source program (which he had raved about until then). It's REALLY well thought out, goes out of it's way both to be secure, and to prevent you from messing up your drive.

 

[ArthurDaley]

whole disk encryption seems to have to many problems, particularly on OS X as there is no backup and imaging solutions that would work with it.

so I've forgot about WDE on the Mac.

But even the container (virtual encrypted drive) thing is crap on the Mac because of the built in insistence of apps to place the files in the home folder.

Encryption seems to be a big failing point on the Mac.

 

[yellow]

Are you sure Truecrypt doesn't support full disk encryption on OS X yet?

They don't have a bootloader, so their full disk encryption amounts to nothing more then encrypting a non-boot volume (which I had troubles with) or the equivalent of an encrypted disk image, already built into OS X.

 

[Wolfpup]

whole disk encryption seems to have to many problems, particularly on OS X as there is no backup and imaging solutions that would work with it.

Once Truecrypt gets whole disc encryption going it shouldn't be an issue. It's seamless on Windows (even working with a hibernation file), and won't interfere with Time Machine at all (Time Machine won't even know it's there). From my experience the file vault thing is a much bigger pain than Truecrypt's whole disk encryption in every way (security, system resources, weirdness, etc.). In a way that's kind of ironic because whole disc encryption seems like it would be harder to pull off!

They don't have a bootloader, so their full disk encryption amounts to nothing more then encrypting a non-boot volume (which I had troubles with) or the equivalent of an encrypted disk image, already built into OS X.

Thanks for the info! Assuming they get it working the way it does on Windows, it's going to be the way to go. Really seamless. Really, really, REALLY neat for a laptop especially.

 

[ArthurDaley]

Really seamless. Really, really, REALLY neat for a laptop especially.

And how do you plan to do proper backups and disk imaging?

 

[Wolfpup]

And how do you plan to do proper backups and disk imaging?

I don't do disk imaging so I don't know if it would somehow affect it or not. It would have to be done from a functional OS running the driver (in other words, if it's done from inside OS X, it's not going to affect it at all).

Encryption isn't going to effect backups at all. The program doing the backups won't know or care that the drive is encrypted.

 

[ArthurDaley]

If you secure your machine via encryption does it not seem a bit odd then to then have unencrypted backups/images?

On the PC, imaging/backup software will give you passwords and/or encryption.

I bought Super Duper but it does not appear to have any form of password or encryption support. Before coming to the Mac I thought it was normal that backup/imaging software supports compression/encryption.

 

[Wolfpup]

If you secure your machine via encryption does it not seem a bit odd then to then have unencrypted backups/images?

On the PC, imaging/backup software will give you passwords and/or encryption.

I bought Super Duper but it does not appear to have any form of password or encryption support. Before coming to the Mac I thought it was normal that backup/imaging software supports compression/encryption.

It depends what you want the encryption for, how you do backups, etc. Someone might have the backups in a more secure location, so not care about encryption.

Or (in my case) I have Truecrypt encrypt my backup drive too, so it's never unencrypted while on disk. There's different ways to handle that depending on what your needs are. I probably would never use encryption built in to a backup program, since it's probably not as good as Truecrypt in a variety of ways, and would be redundant (at best). Personally I just let Truecrypt do it's thing.

 

[ArthurDaley]

If you don't mind me asking - what are you gaining using True Crypt - I've just moved over to the Mac and it seems to have build in capabilities to create encrypted volumes - and sparse ones that grow with size.

One thing that has made me cautious of encrypted containers is that I had a virtual volume on the PC with 20,000 photos. Something went wrong with the file handle for the encrypted container itself, chkdsk ran and began deleting the photos saying they were corrupt. It had removed 2000 before I managed to stop it. And trust it to happen in one of the few periods in my life where I had zero time to do backups for months.

So from my experience containers have danger. I read similar for the filevault, something goes wrong with it and everything is lost. But yet again, I'd rather have my photos in an encrypted container as i don't fancy ten years of personal (not that personal) photos being in someone else's hands.

The bigger concern are scanned bank instructions with signatures etc. and OS X seems a pain because unlike the PC it does not seem capable of being trained not to use home folders and seems to like to scatter personal details everywhere on disk.

WDE seems good but then I recall there was problems with master boot records getting corrupted etc.

 

[Wolfpup]

If you don't mind me asking - what are you gaining using True Crypt - I've just moved over to the Mac and it seems to have build in capabilities to create encrypted volumes - and sparse ones that grow with size.

One thing that has made me cautious of encrypted containers is that I had a virtual volume on the PC with 20,000 photos. Something went wrong with the file handle for the encrypted container itself, chkdsk ran and began deleting the photos saying they were corrupt. It had removed 2000 before I managed to stop it. And trust it to happen in one of the few periods in my life where I had zero time to do backups for months.

So from my experience containers have danger. I read similar for the filevault, something goes wrong with it and everything is lost. But yet again, I'd rather have my photos in an encrypted container as i don't fancy ten years of personal (not that personal) photos being in someone else's hands.

Yeah, Filevault is just a file that OS X mounts as your home directory. It's not completely secure for reasons people have mentioned, and it's just kind of a pain, and has performance issues, and personally I wouldn't really trust it.

Right now Truecrypt doesn't handle whole drive encryption on OS X (from what someone on this thread told me), but assuming they add that so it's like the PC version, it's a much better solution than something like file vault. Basically nothing's going to go wrong with it, and it even forces you to generate an emergency disc in case some other program mucks up your boot sector or boot loader or whatever. The only way you're going to lose data is if you forget your password. It's totally seamless (unlike filevault) and just not flaky at all. It's also much more secure as NOTHING is getting written unencrypted, and every part of it is really well thought out in terms of security-almost absurdly so. Check that podcast if you want a ton of info on it.

The bigger concern are scanned bank instructions with signatures etc. and OS X seems a pain because unlike the PC it does not seem capable of being trained not to use home folders and seems to like to scatter personal details everywhere on disk.

WDE seems good but then I recall there was problems with master boot records getting corrupted etc.

Yeah, programs throwing random temp files all over the place is one of the reasons filevault isn't completely secure.

Boot records would basically only get corrupted if some program is misbehaving and writing to the first track on the disk that shouldn't be-but even still there's no risk because at worst Truecrypt's emergency disc will let you fix the master boot record, or even do an emergency unencrypt from the disc (along with other options). There was an issue discovered with the first release of Truecrypt 5 when used with Adobe/Macromedia products. It turns out that Adobe/Macromedia was hiding DRM related "activation" info in the first track on the disk. It shouldn't have been-I mean that's incorrect behavior (Adobe just thinks it's an obscure place to hide it). Basically Truecrypt's bootloader would wipe out the Adobe info (which isn't supposed to be there), and then Adobe's "activation" would wipe out the Truecrypt boot loader. Truecrypt was able to rewrite their loader to take up less space so Adobe's DRM garbage would fit there too-they released an update almost immediately after it was found.

At any rate, that issue was fixed (and it was really an Adobe problem)-I have Adobe products on my system and have no issues. And at worst, you'd just boot from the emergency CD to repair the boot sector or decrypt the drive-and I forgot to mention that not only does Truecrypt force you to build a repair disc, they even check it before allowing encryption to continue. The whole program's just insanely well thought out like that. Steve Gibson's...well he's Steve Gibson, and like I said, HE'S blown away by it and switched to it from commercial products that he used to use.

I forget I even have it on this system anymore (aside from every once in a while I remember, and it's like "ha ha, good luck getting data off that" )

Hopefully they'll be able to do a Mac version with feature parity. The Mac version I think was only released at all with version 5, so it may yet be coming.

Besides whole disk encryption, it's got a bunch of other features, but that's the main thing I use (it's does allow you to create an encrypted file container sort of like OS X has built in, but personally I'd trust True Crypt to do it more, if I had any use for that).

 

[Don't panic]

If you don't mind me asking - what are you gaining using True Crypt - I've just moved over to the Mac and it seems to have build in capabilities to create encrypted volumes - and sparse ones that grow with size.

One thing that has made me cautious of encrypted containers is that I had a virtual volume on the PC with 20,000 photos. Something went wrong with the file handle for the encrypted container itself, chkdsk ran and began deleting the photos saying they were corrupt. It had removed 2000 before I managed to stop it. And trust it to happen in one of the few periods in my life where I had zero time to do backups for months.

So from my experience containers have danger. I read similar for the filevault, something goes wrong with it and everything is lost. But yet again, I'd rather have my photos in an encrypted container as i don't fancy ten years of personal (not that personal) photos being in someone else's hands.

The bigger concern are scanned bank instructions with signatures etc. and OS X seems a pain because unlike the PC it does not seem capable of being trained not to use home folders and seems to like to scatter personal details everywhere on disk.

WDE seems good but then I recall there was problems with master boot records getting corrupted etc.

this just happened to me (or something related) the boot.efi file cannot be found and the machine won't boot.
any suggestion on what to do?
is it possible to get rid of checkpoint endpoint altogether?

 

[yellow]

Kinda doubtful. There may be recovery discs/apps that are available from the manufacturer to allow a decryption of an encrypted volume, but if there isn't.. you're SOL.

 

[applesupergeek]

The problem with all encryptions is having to re-enter the password, when how often and how is the crux to me. Unless there's an intuitive way for this I am out.
I am planning to use file vault but I don't like having to input the password everytime (not the master one). A fingerprint reader should solve this, make it happen apple, please.

Full Disk Encryption works at the hard drive sector level, after the PBA passcode is entered at boot, the drive is fully unlocked. Because it works at the sector level it should not theoretically even be noticeable by the OS. Only when the drive is locked (i.e. mac shutdown) does the security/encryption come into effect.

That being said, despite what the Apple rep may say, none of these features are already in 'Leopard'. Leopard's file-vault is a piece of **** and causes all types of problems for users (e.g. time machine). It relies on a totally different type of implementation, essentially it just wraps the home user account in a encrypted container that is 'mounted' when you login. This limits a lot of functionality in OSX and for me and a lot of other people has been the cause of quite a few problems.

It will be interesting to see how effective Pointsec's implementation of WDE is. PGP offers WDE but not on the active boot partition, lol, which is just silly... what's the point then? Anyhow, eager to see this in action but if I recall Pointsec does not sell individual licenses to private individuals (at least not for the windows version I dont think..)?? .

What problems are you experiencing with it because I am planning to install it on my pbook 12" and I don't want to take a perfomance hit.

 

[Wolfpup]

I'm not sure if TrueCrypt can do full disk encryption under OS X or not. If it can, and it works, it's a fantastic program. I love it under Windows XP, but at least as of last year it's not REALLY compatible with 64-bit NT 6. Maybe it is now though... I hope, but I hate risking my data to try.

But XP it's rock solid, and I'd trust it more even than Microsoft or Apple's encryption (and heck, you could technically use both!)

 

[yellow]

I don't believe TC supports full-disk encryption yet. They've made excellent headway in supporting HFS+ though.

 

[infotechproximi]

Check Point Full Disk Encryption Software For Macs Released

hey,
"Enterprises and organisations have to secure 100 percent of their laptops and desktops to be fully protected," said Bob Egner vice president of product management at Check Point. "Check Point recognises that Mac OS has an important and growing place in the enterprise and is proud to offer enterprise customers endpoint solutions that cover all platforms and work in mixed environments."
____________________________________________________
Used Auto Parts | Used Car Parts

 

[mmulin]

hey,
"Enterprises and organisations have to secure 100 percent of their laptops and desktops to be fully protected," said Bob Egner vice president of product management at Check Point. "Check Point recognises that Mac OS has an important and growing place in the enterprise and is proud to offer enterprise customers endpoint solutions that cover all platforms and work in mixed environments."
____________________________________________________
Used Auto Parts | Used Car Parts

So, he better first gets his Checkpoint Client working for MacOSX 10.6 which we already waiting for over a year. While busy with that, he should make sure that the client actually is up-to-date with their Windows products - unlike the 10.5 version! And while he is doing that, he can also make sure it is a good MacOS citizen and not a badly ported resource hog - unlike the 10.5 version! ... want me to go on? This company only exists to make sure Windows keeps a stronghold in cooperate culture by sweet-talking clueless & afraid IT managers while steeling their budget money at the same visit. Conversely, it also seems to be a member of an association to lower expectation in customer support. Check out their dead forums.

Cheers