Welcome to the MacNN Forums.


Encrypted disk images, disk copy or pgp disk?
Fresh-Faced Recruit
Join Date: Sep 2002
Location: New York
Apr 20, 2003, 07:48 AM
 
Does anyone have any information on how PGP Disk compares to Disk Copy's built-in encryption? I have a PB 12" and I would like to encrypt most of my text archives. Is there a "real" difference in terms of added security between Disk Copy's 128 bit AES and PGP Disk's 128 bit CASTS v. 256 bit AES algorithm? Are there reliability issues, i.e., have people experienced corruption of images? Can I mount a PGP Disk on a PC? Is there a good source for this kind of information?
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 20, 2003, 08:49 PM
 
My understanding is that AES-128 is pretty good, too ( http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html ) as long as you use a good password. I've only used Disk Copy's encrypted disk image.

Since I keep my Microsoft Entourage mail database on an encrypted disk image, and since Entourage is almost always open when I'm logged in, I was a little concerned about how susceptible the image might be to corruption if there was a system failure. Luckily, OS X doesn't have many system failures. In the case of the one crash I've had with Entourage and the mail database disk image open, there was no corruption of the disk image after the reboot. I refuse to challenge the fates by writing "I've never had a disk image become corrupted," but it's true.

As far as I know, Disk Copy's encrypted images can only be used on another OS X system. Therefore, I do have to keep in mind that in the event of a system failure, my backups can only be used on another OS X system. Obviously PGP Disk would be a big plus in this regard IF it was interchangeable. Oddly, the PGP FAQ is silent on that.

The other factor you might consider is access speed. Disk Copy's encrypted disk images are reasonably fast, such that for "normal" documents you won't really notice that they're on encrypted images at all. However, they're not sufficiently fast on my PowerBook 500 to handle a QuickTime movie. You might check on how performant the PGP disk image is.
     
Professional Poster
Join Date: Jan 2001
Location: Between Sydney and Melbourne
Apr 20, 2003, 11:04 PM
 
Originally posted by drhfk:
Does anyone have any information on how PGP Disk compares to Disk Copy's built-in encryption? I have a PB 12" and I would like to encrypt most of my text archives. Is there a "real" difference in terms of added security between Disk Copy's 128 bit AES and PGP Disk's 128 bit CASTS v. 256 bit AES algorithm? Are there reliability issues, i.e., have people experienced corruption of images? Can I mount a PGP Disk on a PC? Is there a good source for this kind of information?

I use a Disk Copy encrypted image; this is the best way I have found to keep things secure. You should bear in mind that if you add the password to your keychain, security is greatly diminished.

You just double click the .img file, enter your password and it mounts on the desktop.
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 21, 2003, 10:41 AM
 
Originally posted by moonmonkey:
if you add the password to your keychain, security is greatly diminished.
I'm curious why you feel this way. The keychain is AES-128 encrypted as well. Unless you leave your Mac logged in, or have a poor keychain password or share it with others, it shouldn't be a major risk to keychain the image password. And if you don't keychain the password, you end up having to keep a record of it someplace even less secure, like little scraps of paper. Forgetting the password to an encrypted image is a disaster: the data is unrecoverable without the key. (Leaving the Mac logged in would be just like leaving the encrypted image mounted.)
     
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Apr 22, 2003, 07:30 AM
 
Originally posted by car1son:
I'm curious why you feel this way. The keychain is AES-128 encrypted as well. Unless you leave your Mac logged in, or have a poor keychain password or share it with others, it shouldn't be a major risk to keychain the image password. And if you don't keychain the password, you end up having to keep a record of it someplace even less secure, like little scraps of paper. Forgetting the password to an encrypted image is a disaster: the data is unrecoverable without the key. (Leaving the Mac logged in would be just like leaving the encrypted image mounted.)
I think if you put it in the default keychain that opens on login, you are restricted to an 8 character password for the keychain, i.e. the login password. So even though you can use a long passphrase on the disk image, in reality the protection is your login password. Passphrases are useful if you have stray bits of poetry or prose rattling around in your head; something like

wetakeitasself-evidentthatallmenarebornequal

is a nice long passphrase. A pain to type in too often though.

Michael
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 22, 2003, 08:54 PM
 
Originally posted by mmurray:
I think if you put it in the default keychain that opens on login, you are restricted to an 8 character password for the keychain, i.e. the login password.
Actually, you can use >8 characters (I do, in fact.) It ends up behaving like this: I can log in as long as I type the first 8 characters correctly; if I type the whole password (which I usually do) then the keychain opens, too. If I don't type the whole thing, then the keychain doesn't open at login (and things start whining at me to open it.)
     
Forum Regular
Join Date: Nov 2001
Apr 22, 2003, 08:59 PM
 
The PGP disks are interchangeable. I have PGP disks on my Mac that I have moved over to the PC without a problem. I use nothing but PGP disks and love them. In fact our team in the office uses them quite a bit, as most things we have are encrypted using that technology.

If you have more questions let me know and I will answer them if I can.
     
Clinically Insane
Join Date: Nov 1999
Apr 22, 2003, 09:03 PM
 
DiskCopy uses the AES algorithm, which has been endorsed by the NSA. That fact alone is considered by many to be reason enough not to trust it. I would go with PGPDisk myself, if only for that reason, except for things which aren't really all that security-critical in the first place.

Putting passwords in the Keychain actually is a security risk, because even if someone can't actually get at your passwords, if the Keychain is automatically inputting them for you then The Bad Guy doesn't need to get at your passwords anyway. Just getting to your machine will be enough. That's a separate issue entirely from encryption.

My point: don't put anything in the Keychain, or in an encrypted disk image, that you couldn't live with being hacked. For really important stuff, there are better solutions.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
drhfk  (op)
Fresh-Faced Recruit
Join Date: Sep 2002
Location: New York
Apr 22, 2003, 09:19 PM
 
Millennium - What better solutions are there?
     
Professional Poster
Join Date: Jan 2001
Location: Between Sydney and Melbourne
Apr 22, 2003, 09:54 PM
 
Originally posted by car1son:
I'm curious why you feel this way. The keychain is AES-128 encrypted as well. Unless you leave your Mac logged in, or have a poor keychain password or share it with others, it shouldn't be a major risk to keychain the image password. And if you don't keychain the password, you end up having to keep a record of it someplace even less secure, like little scraps of paper. Forgetting the password to an encrypted image is a disaster: the data is unrecoverable without the key. (Leaving the Mac logged in would be just like leaving the encrypted image mounted.)

It's less secure because, when you are browsing the web with Safari, you need to pretty much keep your keychain open to browse secure sites; also, when you log in, your keychain is usually unlocked.

My keychain is open most of the time when I am at my computer, so the encrypted disk is accessible to anyone using my computer before the keychain automatically locks. Obviously I could lock it manually, but if I had 8 pre-release screenshots of OSX 10.3, I would not want to put the password on the keychain, just in case Apple Legal broke into my home when I was on the toilet and double clicked the file.
     
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Apr 22, 2003, 10:27 PM
 
Originally posted by drhfk:
Millennium - What better solutions are there?
I am told that steganography is supposed to be better but I don't know anything much about it. It somehow hides your information in another file or on your hard disk in a way that's `random' so you cannot even tell there is an encrypted file hiding there. There are situations where having it known that you have a lot of encrypted stuff is a problem.

If you search steganography on google lots of stuff comes up.

Michael
     
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Apr 22, 2003, 10:28 PM
 
Originally posted by car1son:
Actually, you can use >8 characters (I do, in fact.) It ends up behaving like this: I can log in as long as I type the first 8 characters correctly; if I type the whole password (which I usually do) then the keychain opens, too. If I don't type the whole thing, then the keychain doesn't open at login (and things start whining at me to open it.)
Thanks carlson, I didn't know it worked like that. I had set up a separate keychain for my encrypted disk images that wasn't the default one.

Michael
     
Forum Regular
Join Date: Mar 2001
Apr 23, 2003, 06:08 AM
 
So how does one go about making their entire home directory encrypted? Or just their Entourage Mail directory?

thanks!

rick
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 23, 2003, 08:41 AM
 
Originally posted by infowarrior:
So how does one go about making their entire home directory encrypted? Or just their Entourage Mail directory?
Pretty easy to do Entourage.
Make an encrypted disk image large enough to hold twice your Microsoft User Data folder. (Allows for expansion and performing a database compact operation every now and then). Mount your new image. Put an alias in your Documents folder to the Microsoft User Data folder on the encrypted image (alias named Microsoft User Data.)

You may find this image mounts on login (as the Calendar appointment/event notification process, "Microsoft Database Demon", starts at login.)

Remember to back up your .dmg file, just as you would your old mail data.
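
The image-creation steps from the post above as a shell sketch (an added example, not part of the original post). It assumes the `hdiutil` and `ditto` command-line tools of a current Mac OS X release; `SRC`, `IMG` and `VOL` are hypothetical names, and the Finder alias step is still done by hand.

```shell
#!/bin/sh
# Added example: build an encrypted image sized at twice a data folder, copy the folder in.
# Assumptions: hdiutil and ditto are available; SRC, IMG and VOL are hypothetical names.
SRC="${SRC:-$HOME/Documents/Microsoft User Data}"
IMG="${IMG:-$HOME/MailData.dmg}"
VOL="${VOL:-MailData}"

# Twice the folder's current size in whole megabytes, rounded down after padding.
image_size_mb() {
    kb=$(du -sk "$1" | awk '{print $1}')
    echo $(( (kb * 2 + 1023) / 1024 ))
}

make_encrypted_copy() {
    mb=$(image_size_mb "$SRC") || return 1
    # Floor of 10 MB so a near-empty folder still yields a usable HFS+ volume.
    [ "$mb" -lt 10 ] && mb=10
    # hdiutil prompts for the image passphrase here and again on attach.
    hdiutil create -size "${mb}m" -encryption AES-128 -fs HFS+ \
        -volname "$VOL" "$IMG" || return 1
    hdiutil attach "$IMG" || return 1
    # ditto keeps resource forks and metadata when copying onto the mounted image.
    ditto "$SRC" "/Volumes/$VOL/$(basename "$SRC")" || return 1
    echo "Copied to /Volumes/$VOL. Check the copy, then replace the original"
    echo "folder with a Finder alias to it, and back up $IMG."
}

# Only act where hdiutil and the source folder both exist.
if command -v hdiutil >/dev/null 2>&1 && [ -d "$SRC" ]; then
    make_encrypted_copy
fi
```

The original folder is left in place until the copy has been checked, so the unencrypted data is still on disk until you remove it yourself.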
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 23, 2003, 08:52 AM
 
Originally posted by Millennium:
Putting passwords in the Keychain actually is a security risk, because even if someone can't actually get at your passwords, if the Keychain is automatically inputting them for you then The Bad Guy doesn't need to get at your passwords anyway.
Well, this depends on how pervasively you use encrypted images. I even keep my Entourage database encrypted, as well as almost all my work files. So, when I leave the machine unattended, I can either:
- Unmount all disk images, which means closing open documents from those images, quitting Entourage and turning off its appointment notification. (And remembering to re-enable appointments when I get back, etc.)
- or, logout.

I find logging out when I leave the machine to be a simpler and more comprehensive approach. (It's also ingrained from years of practice at work.)

If I only used encrypted images for a few occasionally-accessed files, I might find it more convenient to work the other way.
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 23, 2003, 08:54 AM
 
duplicate post. sorry
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Apr 23, 2003, 09:03 AM
 
Originally posted by infowarrior:
So how does one go about making their entire home directory encrypted?
By the way, I don't think you can encrypt the entire home directory. There's stuff in your Library that gets used during the login itself.

Also, I prefer to have separate encrypted images for different types of data and different projects, to minimize the incremental backup process. (If you update ANY file in an encrypted image, since the image is a single file, you need to back up the whole image. Or, you could back up the unencrypted files from the image, which would leave the backup data unprotected but make it easier to recover on a non-OSX system.)
     
Forum Regular
Join Date: Nov 2001
Apr 23, 2003, 12:50 PM
 
That is why I use pgpdisk. I created a pgpdisk of about 700 megs (or bigger if you have a DVD burner) and placed all my documents there. For those of you that have never used it, basically it creates a file of whatever size you specified that, when you double click on it, asks for your passphrase and mounts the disk on your desktop. I place all my documents in there and set PGP Disk to unmount after 5 minutes of inactivity, so if I leave or something it closes it out.

It makes backups easier, as all I have to do is back up that file or burn it to CD or DVD. I cannot verify if you can do this on the free version of PGP as I have a paid version.
     
Dedicated MacNNer
Join Date: Dec 2002
Location: someplace
Apr 23, 2003, 04:13 PM
 
http://www.pgp.com/products/freeware.html
PGP Freeware product capabilities:

* Does not include PGP Disk
* Does not include automatic encryption of email file attachments
* Does not provide plug-in integration with Outlook, Outlook Express, or other email applications on any platform
* Does not operate with PGP Admin or other PGP deployment tools
It costs $$ to get those capabilities. Apple's solution (while more cumbersome) is free. With a little sweat & scripting, you can achieve the same results as PGP.
     
Forum Regular
Join Date: Mar 2001
Apr 25, 2003, 05:58 AM
 
The encrypted directory thing was a snap to create and use!

many thanks

rick
     
Grizzled Veteran
Join Date: May 2002
Location: UK
Apr 25, 2003, 07:23 AM
 
Disk Copy encrypted images are fast enough for my Ti800 to play QuickTime off; I just thought I'd add that.
     
   