
sparkie7

Original poster
I have been out of the loop on this topic for a while. But since I'm moving some of my equipment into a shared open space studio..

what is the best method to secure the data on my drives from being copied?

- there is a password protection feature on mac OS to access the drive. but this can be gotten around by starting up from an external drive then one can clone the internal drives and pick the data out.

- is there some software i can erase and format the drives with that will be secure and not be bypassed as above?

- is there a hardware security like a USB dongle/stick disk that can be used as a physical key?

i'm all ears..
 
there is a password protection feature on mac OS to access the drive. but this can be gotten around by starting up from an external drive then one can clone the internal drives and pick the data out.

Apparently FileVault 2 is good, and as it encrypts the data there is almost no chance of anyone being able to crack it. I think it only works on the boot drive though (?) and of course if you lose your master password you're screwed.
 
I'm only on OS X 10.6.8, so only have FileVault 1. Do I have to format with any special settings using Disk Utility or can I turn it 'on' and 'off' at will?

Does it slow the whole system down with its encryption? ie. Hard drive and CPU usage, is it noticeable?

Would like to hear from users.. Any other options?
 
Another option would be to use TrueCrypt (free) & create an encrypted vault on the shared drive. That would be pretty secure ...
 
just found this:

http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/

"In a statement (PDF) issued this morning, password recovery company Passware has claimed that it can fully decrypt a FileVault-encrypted Mac disk within an hour."

"Passware has been actively tackling various encryption technologies such as BitLocker, TrueCrypt, and FileVault, and says its latest Passware Kit Forensic 11.3 software can extract encryption keys for all of these technologies. In addition to extracting FileVault keys, Passware can also extract passwords from encrypted keychain files and recover log-in passwords for user accounts."

Yipes
 
I think this is more about sensible practice rather than fiddling with third party apps. The studios I frequent are places I trust, with people who (I'm pretty sure) would not attempt to steal from me.

Having said that, I adopt a best practice attitude when there. I don't leave my MBP or MBA unattended, I use password protection on the screen. I have yet to be hacked, stolen from or otherwise suffered theft in any way.

Common sense is your best friend in situations like this.
 
"In a statement (PDF) issued this morning, password recovery company Passware has claimed that it can fully decrypt a FileVault-encrypted Mac disk within an hour."

The article does not mention the essential prerequisites of the hack which are direct access to the machine in an ON state with a $1000 application. It needs access to the keys stored in RAM, and cannot work via network access. No solution is fail safe, but all reports I have seen on FileVault 2 are positive.
 
hmm.. yeah.. definitely by-passable

i'm starting to think an encrypted folder or volume is the way to go. can Truecrypt encrypt an entire partition?
 
hmm.. yeah.. definitely by-passable

i'm starting to think an encrypted folder or volume is the way to go. can Truecrypt encrypt an entire partition?
Even if it can, keep in mind that software implementations cannot secure the MBR, which leaves a potential "hole" that can allow data to be extracted. So it's a bit more secure.

If you're paranoid, then you'll want to investigate hardware solutions (256bit), as the 40bit variants can be cracked via brute force.

I'm not sure of your specific situation, so take a look at Wiki's Full Disk Encryption page for further information, and see which method is suitable to your usage.
 
Master Boot Record.

The MBR launches first (where the beginning of the bootloader is located, which points to the GPT). Once in the GPT, the rest of the boot process is completed and OS X is up and running.

Since you're interested in software encryption tools for OS X, it would be worth checking them out to see if the GPT is actually encrypted/unencrypted, or has holes that can be cracked under certain conditions if it is encrypted.
 
thanks. i'm wondering if i should have all my data on a pocket external like my Mini G-Drive. when i'm not in the studio i dismount and take it with me. still need something more portable. maybe a 32GB memory stick?
 
thanks. i'm wondering if i should have all my data on a pocket external like my Mini G-Drive. when i'm not in the studio i dismount and take it with me. still need something more portable. maybe a 32GB memory stick?
There are external HDDs that do this as well if you need more capacity and/or speed than a USB stick can provide (uses a USB stick-type device with the external drive).

Addonics offers such products (go for 256bit capable if you go this route).
 
thanks Nanofrog. i found this:

http://www.addonics.com/products/cpd256u.php

pity it's not firewire. but i like the cipher key, like the hardware dongle i mentioned in my earlier post. now imagine if  had these keys for the Mac Pro, iMacs, MBA's and MBP's.. why not? data is the most important thing, and it should be kept secure
 
thanks Nanofrog. i found this:

http://www.addonics.com/products/cpd256u.php

pity it's not firewire. but i like the cipher key, like the hardware dongle i mentioned in my earlier post. now imagine if  had these keys for the Mac Pro, iMacs, MBA's and MBP's.. why not? data is the most important thing, and it should be kept secure
What you want exists. For example, Wiebe Tech offers one with USB, eSATA, and FW800 ($199 for the empty enclosure and your drive of choice).

For another FW800 alternative, take a look at this.

Please realize, this is just entry level (single disk). Scalable solutions exist as well, so if you need it, it actually does exist. Imation would be a place to start if you need something like this (scalable example).
 
I use PGP to encrypt and protect a disk that houses my financial data. It's not free and it's not all that simple to get set up, but it ensures encryption of the data on the disk.

It's not clear if you want every file encrypted so each time you access it you must supply a password (not what PGP does) or simply want the disk encrypted so that you must supply the public portion of the key to mount and decrypt the disk/data (what PGP does).
 
What you want exists. For example, Wiebe Tech offers one with USB, eSATA, and FW800 ($199 for the empty enclosure and your drive of choice).

For another FW800 alternative, take a look at this.

Please realize, this is just entry level (single disk). Scalable solutions exist as well, so if you need it, it actually does exist. Imation would be a place to start if you need something like this (scalable example).

thanks again Nano. will look at these

none out yet with thunderbolt + key?

----------

I use PGP to encrypt and protect a disk that houses my financial data. It's not free and it's not all that simple to get set up, but it ensures encryption of the data on the disk.

It's not clear if you want every file encrypted so each time you access it you must supply a password (not what PGP does) or simply want the disk encrypted so that you must supply the public portion of the key to mount and decrypt the disk/data (what PGP does).


i need the data to be 110% secure. this includes the system/apps/data - the whole shebang. why isn't there a hardware key that enables/disables an entire mac and its drives+data?

it would get around having to 'encrypt on the fly' etc where it potentially affects performance.
 
none out yet with thunderbolt + key?
Not that I'm aware of (or actually expect as TB is still too new ATM).

why isn't there a hardware key that enables/disables an entire mac and its drives+data?
You could look into a biometric device as a means of accessing your computer rather than just password protection, and shift your storage to hardware encrypted enclosures.

The reason for this is that I'm not aware of any HDDs that include the encryption chip directly on the HDD's drive controller board (no 3rd party device needed). So the encryption chip is installed on a 3rd party device that connects between the disk and the system (bridge device).

Now there are such things as HW encryption HDD controller cards (HDD controller + HW encryption chip that connects between the computer and internal HDDs), but I don't know if any support OS X (the encryption HW doesn't need drivers, but the SATA controller does). Another note is that the controllers I can recall are all IDE (example), not SATA. Might be worth searching though.

Had Apple utilized a TPM slot, you'd have that capability (why TPM was created, as businesses need system level security of this nature), but AFAIK, I don't recall seeing one on any board photos here in MR, nor any mention of one existing. :rolleyes: :(
 
Thanks Nanofrog. Never thought of that, are there biometric devices actually available and affordable? If so, know of any/recommendations perhaps. Thank you :)
 
Thanks Nanofrog. Never thought of that, are there biometric devices actually available and affordable? If so, know of any/recommendations perhaps. Thank you :)
Take a look here (should get you started).

You may need a version with the SDK in order to write your own code though, so this will take some research on your end.

Good luck. :)
 
Apparently FileVault 2 is good, and as it encrypts the data there is almost no chance of anyone being able to crack it. I think it only works on the boot drive though (?) and of course if you lose your master password you're screwed.

Has anyone found a way to make it encrypt more than just the boot drive? Especially since for those of us that have separate boot drives, user accounts, externals, etc, the boot drive has the least amount of important personal files that need encrypting ...
 
just found this:

http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/

"In a statement (PDF) issued this morning, password recovery company Passware has claimed that it can fully decrypt a FileVault-encrypted Mac disk within an hour."

"Passware has been actively tackling various encryption technologies such as BitLocker, TrueCrypt, and FileVault, and says its latest Passware Kit Forensic 11.3 software can extract encryption keys for all of these technologies. In addition to extracting FileVault keys, Passware can also extract passwords from encrypted keychain files and recover log-in passwords for user accounts."

Yipes

Read Passware's documentation. Regarding Truecrypt... unless the Passware user has physical access to the machine with the encrypted volume mounted, the software performs a brute-force attack.

http://www.lostpassword.com/hdd-decryption.htm

The best evidence for the security of Truecrypt is Daniel Dantas:

http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
 