  1. #1

    FN-GM's Avatar

    Mac OS X 10.7 - Encryption with bootcamp

    Hi,

    I am reinstalling Mac OS X on my laptop. I am just wondering how the full disk encryption works on Lion & Bootcamp? I plan to upgrade when 10.7 comes out. I can't decide whether to do a Bootcamp install or just create a virtual machine so I know the Windows side will be encrypted.

    Thanks

  2. #2


    The following website explains the encryption process in Lion really well...

    http://macosrumors.com/2011/02/27/fu...n-macosx-lion/

    The second from last screenshot implies the NTFS formatted BootCamp partition would remain unencrypted due to FileVault only supporting HFS-based file-systems. Therefore, you are probably better off setting up Windows in a VM.

    FileVault has been overhauled in OS X 10.7 and now encrypts the whole disk instead of just the home directory. Everything is secured in the background while you work using XTS-AES 128 data encryption at the disk level. FileVault can also encrypt external drives and provides the ability to wipe all the data from your Mac. Users that enable drive encryption will only be able to access the drive’s contents with their login password or a recovery key provided by the system. The latter apparently can be stored on Apple’s servers just in case you lose it. (Source)

    Another option would be to replace the drive in your laptop with an SSD which does FDE.

    SandForce introduced full disk encryption starting in 2010 with its SF-1200/SF-1500 controllers. On SandForce drives all data written to NAND is stored in an encrypted form. This encryption only protects you if someone manages to desolder the NAND from your SSD and probes it directly. If you want your drive to remain for your eyes only you'll need to set an ATA password, which on PCs is forced by setting a BIOS password. Do this on a SandForce drive and try to move it to another machine and you'll be faced with an unreadable drive. Your data is already encrypted at line speed and it's only accessible via the ATA password you set.

    Intel's SSD 320 enables a similar encryption engine. By default all writes the controller commits to NAND are encrypted using AES-128. The encryption process happens in realtime and doesn't pose a bottleneck to the SSD's performance.

    The 320 ships with a 128-bit AES key from the factory, however a new key is randomly generated every time you secure erase the drive. To further secure the drive the BIOS/ATA password method I described above works as well.

    A side effect of having all data encrypted on the NAND is that secure erases happen much quicker. You can secure erase a SF drive in under 3 seconds as the controller just throws away the encryption key and generates a new one. Intel's SSD 320 takes a bit longer but it's still very quick at roughly 30 seconds to complete a secure erase on a 300GB drive. Intel is likely also just deleting the encryption key and generating a new one. Without the encryption key, the data stored in the NAND array is meaningless. (Source)

  3. Thanks to Arthur from:

    FN-GM (10th April 2011)
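
A check for the point made in the post above, that FileVault in Lion leaves the NTFS Boot Camp partition unencrypted. This is an added example, not part of the original thread: it parses `diskutil list` output and reports data partitions that sit outside a CoreStorage container. It assumes Lion-era FileVault 2, where the encrypted Mac volume appears as `Apple_CoreStorage`; the sample listing and the `audit` function are constructed for illustration.

```python
import re

# Constructed `diskutil list` output (not captured from a real machine):
# Lion with FileVault 2 enabled plus a Boot Camp partition.
SAMPLE = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         399.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:       Microsoft Basic Data BOOTCAMP                99.7 GB    disk0s4
"""

# "<n>: <type and name> <size> <identifier>"; type/name may contain spaces.
ROW = re.compile(
    r"^\s*\d+:\s+(?P<kind>.*?)\s+\*?(?P<size>[\d.]+ [KMGT]?B)"
    r"\s+(?P<ident>disk\d+(?:s\d+)?)\s*$"
)
# Rows that carry no user data: the partition map, EFI and the recovery helper.
NON_DATA = ("GUID_partition_scheme", "EFI", "Apple_Boot")
CONTAINER = "Apple_CoreStorage"


def audit(listing):
    """Split partitions into CoreStorage containers and data partitions outside them."""
    report = {"corestorage": [], "outside_filevault": []}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # device path, column header, blank line
        kind, ident = m.group("kind"), m.group("ident")
        if kind.startswith(CONTAINER):
            # Still confirm the encryption state with `diskutil cs list`.
            report["corestorage"].append(ident)
        elif not kind.startswith(NON_DATA):
            report["outside_filevault"].append((ident, kind, m.group("size")))
    return report


if __name__ == "__main__":
    for ident, kind, size in audit(SAMPLE)["outside_filevault"]:
        print(f"{ident}: {kind} ({size}) is not covered by FileVault")
```

A partition listed under `outside_filevault` needs its own protection (a VM image stored on the encrypted Mac volume, or a separate Windows-side tool); a CoreStorage container only shows that FileVault could be in use, so its encryption state still has to be confirmed.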

  4. #3

    SYNACK's Avatar
    If the bootcamp setup still uses the Windows 7 system partition you should still be able to use BitLocker to encrypt it separately.

  5. Thanks to SYNACK from:

    FN-GM (10th April 2011)

  6. #4

    mac_shinobi's Avatar
    When is it expected to launch and approx how much will it cost to upgrade to Lion?

  7. #5


    Quote Originally Posted by SYNACK View Post
    If the bootcamp setup still uses the Windows 7 system partition you should still be able to use bitlocker to encrypt it separately.
    I was going to suggest BitLocker, but Macs do not have a TPM chip from what I can tell so you would have to use a USB flash drive to store the startup key.

    Quote Originally Posted by mac_shinobi View Post
    When is it expected to launch and approx how much will it cost to upgrade to Lion?
    My guess would be June and £79 / $129.

  8. #6

    FN-GM's Avatar
    Quote Originally Posted by Arthur View Post
    I was going to suggest BitLocker, but Macs do not have a TPM chip from what I can tell so you would have to use a USB flash drive to store the startup key.
    I would rather not use a USB to be honest, if I forget it when I am out and about I will be stuck. Can you set BitLocker to ask for a boot password like TrueCrypt does?

    Another point is I have just set up my Mac OS side and if I want to use TrueCrypt the drive will not be set up properly. Can you think of a way around this without deleting my Mac install please?

    Thanks

  9. #7


    Quote Originally Posted by FN-GM View Post
    I would rather not use a USB to be honest, if I forget it when I am out and about I will be stuck.
    I agree about the additional hassle, although I suppose you could get one of those tiny USB flash drives which can be attached to a keyring? e.g. Super Talent Pico C, LaCie MosKeyto etc.

    Quote Originally Posted by FN-GM View Post
    Can you set BitLocker to ask for a boot password like truecrypt does?
    Unfortunately not. It's either flash drive or TPM.

    Quote Originally Posted by FN-GM View Post
    Another point is I have just setup my Mac OS side and if I want to use TrueCrypt the drive will not be setup properly. Can you think of a way around this without deleting my Mac install please?
    According to the TrueCrypt docs, full disk encryption is only supported on Windows OSs. There are alternatives such as PGP Whole Disk Encryption for the Mac, but considering how close Lion is to being released I would wait for the upgraded FileVault personally.

  10. #8

    FN-GM's Avatar
    According to the TrueCrypt docs, full disk encryption is only supported on Windows OSs. There are alternatives such as PGP Whole Disk Encryption for the Mac, but considering how close Lion is to being released I would wait for the upgraded FileVault personally.
    Sorry, I should have worded that better.

    I was talking about using TrueCrypt for the Windows partition only. But that would mean rearranging my partitions. How can I do this without losing the data please? I plan to use Lion to encrypt the Mac side.

    Thanks

  11. #9


    Quote Originally Posted by FN-GM View Post
    How can I do this without losing the data please?
    Due to the way TrueCrypt works, encrypting the Windows partition is a time-consuming process because it involves deleting every partition on your HDD. Since you mentioned you wish to keep your existing Mac OS X install you would need to use a program such as Carbon Copy Cloner to create a bootable backup on an external HDD. The instructions below are for XP, but Windows 7 should be more or less the same.

    Unfortunately encrypting Windows' boot partition doesn't work with Bootcamp, because truecrypt expects the Windows partition to be the first on the hard disk. Bootcamp however wants the Windows partition to be the last one on the disk.
    The solution is simply based on the fact that you don't need Bootcamp at all to run Windows on any Intel Mac. There's an easy way to avoid Bootcamp if you know what to do. I won't elaborate into great detail about the particular steps as they are rather mundane.

    What you want to do is put your existing (or a fresh one) Windows on the first partition of your hard disk and place everything else behind it. You can as well have a triple boot with Windows first, Linux as second choice and Mac OS as third. So we are rebuilding our partition layout and once XP is running off the first partition, we let TrueCrypt do the rest.

    The only thing you need is an external hard disk (for storing the backups), a Windows XP CD (for re-partitioning) and -- if you want a Linux as well -- a bootable Linux Distribution CD/DVD.

    Here's the bullet list:

    • If you still need Mac OS on the internal harddisk: back up your Mac OS as a bootable copy on the external harddisk (with Carbon Copy Cloner, SuperDuper or whatever pleases you)
    • Back up your Windows with WinClone on the external disk
    • Boot off the Windows CD
    • Delete every partition on the disk with the windows installer
    • Create a new partition large enough for your windows installation
    • Leave some of the disk free after the windows partition if you still want Mac OS
    • Let the installer format the partition
    • In case you don't have a Windows installation yet, let the installer do its work until he's finished
    • Reboot and start Mac OS off the external disk
    • If you already had a windows installation: restore the Windows Backup onto the new partition
    • Create a Mac OS partition. You have to do this by command line via diskutil
    • Restore Mac OS on this partition

    We're almost done. But as the partition scheme has changed, XP's boot.ini doesn't reflect the actual partition numbering. Let's fix this:

    • Boot off the Windows CD again, go into rescue mode
    • Execute "fixboot"
    (Source)
    PGP WDE is easier to setup and doesn't involve any data loss on the Mac side, but you wouldn't be able to use Lion's FileVault then.

    1. Partition the disk using Boot Camp Utility.
    2. Install PGP Desktop (don't encrypt the drive).
    3. Use Boot Camp Utility to install Windows.
    4. Install PGP Desktop in Windows (don't encrypt the drive)
    5. Reboot into Mac OS and encrypt the drive there - both OS X and Windows partitions should now be encrypted.
    Last edited by Arthur; 10th April 2011 at 03:06 PM. Reason: Spelling

  12. #10

    FN-GM's Avatar
    Thanks. Can you use the image facility in Disk Utility please?

    Sorry about the daft question, I am not a Mac expert.

    Thanks

  13. #11


    Disk Utility is fine. There are actually two different ways you can run it: from within OS X itself or by booting from your installation DVD and running Disk Utility from the Utilities menu.

  14. Thanks to Arthur from:

    FN-GM (10th April 2011)
