[pcryan5]

I am interested in what folks are using to secure their local data. As FileVault seems to have a lot of detractors I've been playing around with this idea from Macworld Encrypt files for safety | Utilities | Macworld and a Lexar drive Lexar® JumpDrive® SAFE S3000 | Lexar. Both work well enough yet I am looking for a more seamless solution. Any suggestions?

With thanks
~P

[turtle777]

My recommendation: Tao Effect :: Espionage :: Secure Folder Encryption for Mac OS X

The programmer is a member of 'NN .

If you want a free, less automated solution, try TrueCrypt - Free Open-Source On-The-Fly Disk Encryption

-t

[ghporter]

It's important to first determine what sort of security you need for local data. Are you trying to protect your data from an external threat poking through the Internet into your computer? Are you trying to protect it from a housemate? Those two situations call for quite different approaches.

To protect data from external network threats, the easiest way is to simply not store it on the computer. Offline storage, whether an external hard drive or optical media, is perfect for protecting data from external threats because it is attached only when you want to use it.

On the other hand, protecting data from a person who has physical access to the hardware calls for strong encryption. Both Tao Effect's Espionage and TrueCrypt use solid, well vetted algorithms for their encryption systems-either would be more than adequate for this approach.

[pcryan5]

Originally Posted by ghporter 

It's important to first determine what sort of security you need for local data..

Thank you both for your replies. I wish to use this laptop for work data that is sensitive and cannot be stored outside of Canada.

So I am trying to protect myself from hackers or thieves if my laptop is stolen.

~P

[turtle777]

Go with Espionage.

-t

[ghporter]

Originally Posted by turtle777 

Go with Espionage.

-t

Seconded.

Extra advice: store your password/key/secret number/whatever securely. Depending on its format, you could have it written or saved on a USB thumb drive, but whatever it is you store it on, store that IN something really secure. Business information is really worth taking the time and going to the effort to protect yourself with secure OFFSITE storage-safe deposit boxes are perfect for this, but locked up somewhere-anywhere away from where you live is essential.

[turtle777]

Store it in your brain, Seriously.

If you write down your password somewhere, you might as well not have one.

-t

[tightsocks]

Do Apple's encrypted disk images (which the Espionage app uses) still protect the key with 3DES?
3DES is known to have an effective security equivalent to 112 or 80 bits depending on the implementation used.
What good is encrypting the data with 128 or 256 bit AES if the key can be discovered by breaking the weaker 3DES !

[turtle777]

Originally Posted by tightsocks 

Do Apple's encrypted disk images (which the Espionage app uses) still protect the key with 3DES?

Good question, I don't know.

Originally Posted by tightsocks 

3DES is known to have an effective security equivalent to 112 or 80 bits depending on the implementation used.
What good is encrypting the data with 128 or 256 bit AES if the key can be discovered by breaking the weaker 3DES !

I found a reference pertaining to FileVault being 112 bit, but not the 80 bit:
http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

For me personally, 112bit is plenty for now.

-t

[P]

Originally Posted by tightsocks 

Do Apple's encrypted disk images (which the Espionage app uses) still protect the key with 3DES?

As of 2007 (Tiger) it was. I'm trying to find any reference to if the file format changed, but I'm failing so far. There is no way to make a disk image in SL that is compatible with older versions, so most likely the file format has not changed. There is a possibility that the key format is different if you pick 256-bit AES, as that format was added with Leopard and after a presentation had shown the weaknesses of the old scheme, and it is beyond moronic to use slow 256-bit encryption and encrypt the keys with 3DES.

Originally Posted by tightsocks 

3DES is known to have an effective security equivalent to 112 or 80 bits depending on the implementation used.

Technically, 3DES is known to have an effective security of AT LEAST 112 bits when using proper key selection (or ~80 bits if you pick symmetric keys, but let's hope that Apple didn't do that). Research indicates that the effective strength is probably higher (I've seen 129 bits mentioned)

Originally Posted by tightsocks 

What good is encrypting the data with 128 or 256 bit AES if the key can be discovered by breaking the weaker 3DES !

Excellent question, but note that 3DES isn't necessarily weaker than 128-bit AES in practice. AES was developed because 3DES was slow - not because it was insecure. 3DES is older and has been received extensive testing over time, and while 192 and 256-bit AES should be stronger, 128-bit AES is probably of comparable strength to 3DES. It's still stupid to do it this way, because you double your attack surface (you're vulnerable to a flaw in either AES or 3DES) but it's probably not a huge risk for AES-128.

[tightsocks]

Originally Posted by pcryan5 

Thank you both for your replies. I wish to use this laptop for work data that is sensitive and cannot be stored outside of Canada.

So I am trying to protect myself from hackers or thieves if my laptop is stolen.

~P

Full disk encryption - to protect the entire volume on the laptop.
Only PGP offers this functionality on MacOS X.

For Win the free TrueCrypt can do FDE.

Rumor has it that Lion will have built-in FDE. Which actually could be a bad thing - if it ends of killing off the PGP FDE offering, while providing a potentially flawed crypto implementation.

Whatever option you choose be sure to use a password of at least 12 random characters.

[tightsocks]

Originally Posted by P 

There is no way to make a disk image in SL that is compatible with older versions, so most likely the file format has not changed.

Am I misreading this, or did you mean, 'there is no way to make an image in SL that is NOT compatible with older versions?'

[Johnno117]

Hi All,
New to the forums, but have been on MacNN for >10 yrs.
First off, having a copy of your pass-word/-phrase is the weak link, but it's so easy to forget if you don't use if for a month - just remember that.
Me, I'd use PGP or Espionage (I like the built-in backup options of Espionage), and I'd keep my backup in a good quality, fire-proof safe that is securely bolted to a concrete pad. I'd also keep my pass-word/-phrase in that safe, but etched into a piece of copper or stainless steel. Even if everything else in the safe is destroyed, the etched metal will be retrievable (and you still have your laptop).
If your information is very important, then replicate your backup (HD and etched metal) somewhere else, say a safety deposit box in a bank or another secure safe at work?
Why can't the data be stored outside Canada? If it is securely stored, it doesn't matter where it is! I ask because I have a lot of clients using JungleDisk secure backup on Amazon S3 servers - cheap storage accessible from everywhere, and if you store the data encrypted, it is never unencrypted except on your computer (i.e. in transit and stored) and Amazon does not have access to your password.
Just remember to have a secure copy of your pass-word/-phase and that someone else (trusted) knows how to access this in case you are no longer available.
Let us know what you decide.
Happy New Year to all by the way.
John Williams - SaferData

[ghporter]

Originally Posted by turtle777 

Store it in your brain, Seriously.

If you write down your password somewhere, you might as well not have one.

-t

A password that's something you can remember will not be strong enough to really protect against a brute-force attack. Having your password LOCKED UP PHYSICALLY, on the other hand, gives you access to the strongest types of passwords-very long, very complex, and utterly random.

I have my WiFi protected by 63-character WPA2 passwords. They are stored on a thumb drive that is locked up in a secure location, with a backup in another secure location offsite. I can't mis-type the password when entering it because I just copy and paste it, but I lock the thumb drive up as soon as I'm done with it, so it's secure.

[turtle777]

You guys are going for the complete overkill.

I have a 17 digits password (upper and lower caps, numbers, special characters).
I can type it in my sleep. I dare you to brute-force crack it.

-t

[pcryan5]

Originally Posted by Johnno117 

Why can't the data be stored outside Canada?

The industry I work in does not allow data to be stored in the USA owing to the Patriot Act which grants the US gov't the right request access to any data. To keep things simple our policy is "no data outside Canada". Simple eh?

[Doc Juansinn]

Hmm... a few interesting things going on here that I feel like adding to. I'm not specifically addressing these comments to the original poster, but simply as reality reminders for those who might want to store private/secret/illegal data on their laptop and, perhaps, travel with it.

A laptop isn't the most secure device to use for top-secret data. (Sorry, but it does sound a bit like "This must not fall in the hands of the enemy!) The first and most important defense will be physical custody of the laptop.

Secondly, if the contents of the laptop must not be seen by the U.S. government, then the laptop should never be brought into the U.S.A. The customs authorities have a right to inspect the contents of any device being brought across the border. If you have password protected anything, and refuse to supply the password(s), the device can be taken from you and sent off for a very through examination. I would imagine this being true for most countries.

Perhaps one of those briefcases with the built-in handcuff...

Hey, GH! 63-characters for your wi-fi? Really? Isn't something like brjóstsjúkdómur good enough?

[ghporter]

Originally Posted by turtle777 

You guys are going for the complete overkill.

I have a 17 digits password (upper and lower caps, numbers, special characters).
I can type it in my sleep. I dare you to brute-force crack it.

-t

Overkill is a good thing in security. 63 characters is not just "about 4 times as complex," it's many orders of magnitude as complex as a 17 character password. I sort of believe in the steamroller school of bug extermination when it comes to security. Occupational hazard when you're a corporate-level computer security officer (with an organization that really takes security seriously).

In any case, while a memorized password has many advantages, it is still subject to loss through forgetfulness, and unfortunately the possibility that your data may be needed when you are not available to provide the password. A securely stored password -that is accessible to well trusted individuals in case you're incapacitated- can't be forgotten.

[P]

Originally Posted by tightsocks 

Am I misreading this, or did you mean, 'there is no way to make an image in SL that is NOT compatible with older versions?'

No, I mean this: If Disk Utility changed the file format for encrypted disk images in 10.5, there ought to be a way to create files in the old format for compatibility reasons. There doesn't seem to be one (except if the new format is used automatically if you select AES-256), which is an indication that the format did not change, ie that the keys are still encrypted with 3DES.

[tightsocks]

Anyone have any hands on experience with PGP FDE on the Mac?
What is the backup/cloning scenario?

[BobinBob]

You can use Disk Utility for creating password protected images. Then you can send them or copy to your USb Flash Drive. You can look at this two posts about encryption with Disk Utility:

1.Encryption without 3d party apps

2.FileVault

[turtle777]

Originally Posted by tightsocks 

Anyone have any hands on experience with PGP FDE on the Mac?
What is the backup/cloning scenario?

I'm staying away from PGP.

It seems [from what I read in news] like it keeps breaking after OS X updates, it's not ver confidence inspiring.

-t

[Cold Warrior]

Originally Posted by turtle777 

My recommendation: Tao Effect :: Espionage :: Secure Folder Encryption for Mac OS X

The programmer is a member of 'NN .

If you want a free, less automated solution, try TrueCrypt - Free Open-Source On-The-Fly Disk Encryption

-t

Do you know if he's going to put this in the App Store? I'm hesitant to buy right now, but believe it's probably the best solution out there without going to full-disk encryption.

[pcryan5]

FWIW - Checkpoint sells full disk encryption (Full Disk Encryption | Check Point Software that is compatible with OSX.

Our company uses it for our Win devices. I'll try it out (after backing up my laptop 5 times..) and report back.

As far as bringing this device into the USA - I'll pass on that owing to the right of customs to demand our passwords. (FYI - this is medical info - nothing nefarious.)

P

[Cold Warrior]

I'm leery of software-based FDE. Would rather buy an SSD or HDD with it running in hardware.

[Waragainstsleep]

I looked into this recently for a government contractor. The only sufficiently certified FDE for Mac is actually Endpoint from Checkpoint. PGPs is not as highly certified. Plus I have very little faith in Symantec (who own PGP) at all these days but especially not for Macs ever since the debacle of Norton Systemworks doing more harm than good before they discontinued it.

Endpoint gives you a password prompt before you boot your machine.

[turtle777]

Originally Posted by Cold Warrior 

Do you know if he's going to put this in the App Store? I'm hesitant to buy right now, but believe it's probably the best solution out there without going to full-disk encryption.

No, I don't.

But why don't you shot itistoday a PM and ask him. He's the programmer of Espionage.

-t

[Mojo]

GoSecure goSecure - Secure, Easy-To-Use Mac Encryption Solution It has 128-bit and 256-bit AES options. $19.99.

I have been using it for a number of years after my previous favorite encryption program was not upgraded to work with Leopard. GoSecure is easy to use and I like being able to encrypt individual files and folders on the fly.

[turtle777]

Originally Posted by Mojo 

GoSecure goSecure - Secure, Easy-To-Use Mac Encryption Solution It has 128-bit and 256-bit AES options. $19.99.

Doesn't it essentially just create a encrypted DMG file ?

It looks far less sophisticated than Espionage.

-t

[Mojo]

Espionage actually creates an encrypted DMG. But unlike Disk Utility it merges the disk image and mount point into a "folder." This allows the user to perform actions that cannot be done with a regular DMG.

From what I have seen, GoSecure appears to use the same process, because the same kinds of operations are possible using GoSecure. One feature that GoSecure has that Espionage apparently does not have is the option to automatically securely delete data (7 and 35-pass wipe) after it is encrypted.

Why do you think that it is less sophisticated than Espionage? The only function Espionage has that GoSecure does not is "encryption-less protection" which is of dubious value. I would not pay an additional $20 for that feature...

The value of programs like Espionage and GoSecure is the ability to quickly and easily encrypt small amounts of data. Protocols that encrypt the entire boot disk and volumes are fine but slower and can be intimidating to non-techies. I have used these kinds of programs but it is simply more convenient to encrypt files and folders as needed. The encrypted data can then be easily transferred to other computers.

[turtle777]

Originally Posted by Mojo 

One feature that GoSecure has that Espionage apparently does not have is the option to automatically securely delete data (7 and 35-pass wipe) after it is encrypted.

That's nice and fine, but useless voodoo :-)

See here: http://forums.macnn.com/82/applicati...e/#post3783460

-t

[Mojo]

[QUOTE=turtle777;4043489]That's nice and fine, but useless voodoo :-)

I was merely noting a feature that is unique to GoSecure...

How many passes to use is obviously debatable. At least GoSecure offers the user a choice. Having the option to automatically wipe an encrypted file is a nice bit of added security, but it isn't essential IMO.

[CharlesS]

Originally Posted by Cold Warrior 

Do you know if he's going to put this in the App Store? I'm hesitant to buy right now, but believe it's probably the best solution out there without going to full-disk encryption.

It appears to require your administrator password to do its thing. That is one of the many things which are banned from the App Store, so I think it's safe to assume that this app will not appear there.

[turtle777]

Good point, Charles.

Apple really needs to rethink this policy or come up with some other solution.

-t

[tightsocks]

Originally Posted by pcryan5 

FWIW - Checkpoint sells full disk encryption (Full Disk Encryption | Check Point Software that is compatible with OSX.

Checkpoint is licensed for enterprise only.
No go for SOHO users.

[CharlesS]

Originally Posted by turtle777 

Good point, Charles.

Apple really needs to rethink this policy or come up with some other solution.

-t

The other solution is to use Kagi, eSellerate, or one of the various other third-party app stores which have been around for years/decades and which, contrary to popular belief around here, do handle things like VAT just fine.

[pcryan5]

Originally Posted by Mojo 

Why do you think that it is less sophisticated than Espionage?

I am interested in knowing as well.

As an aside - Macworld gives Espionage 3.5 stars and Knox 4 stars. Yet when you read the reviews - Espionage clearly seems to be the better more comprehensive product. I understand subjectively - which I guess is what accounts for this apparent (in my encryption novice eyes) discrepancy.

[Cold Warrior]

Originally Posted by CharlesS 

It appears to require your administrator password to do its thing. That is one of the many things which are banned from the App Store, so I think it's safe to assume that this app will not appear there.

Originally Posted by turtle777 

Good point, Charles.

Apple really needs to rethink this policy or come up with some other solution.

-t

Does it rely on the admin password or just the user's keychain/login password? For most Mac users, those are the same, but for non-priviledged users, they are different. I'm running Espionage now, installed it a few days ago (just a drag-drop really), and don't recall it needing admin privs.

[CharlesS]

It prompts for the admin password, sets up a launch daemon, the full 9 yards.

[pcryan5]

Originally Posted by Cold Warrior 

I'm running Espionage now

I am as well. Very pleased with Turtle's recommendation. Have my data, Devonthink, OmniFocus and Office 2011 data all encrypted easily. No noticeable performance hit.



~P

[pcryan5]

Originally Posted by pcryan5 

I am as well. Very pleased with Turtle's recommendation. Have my data, Devonthink, OmniFocus and Office 2011 data all encrypted easily. No noticeable performance hit.
~P

I spoke too soon perhaps. The one change in "performance" is since I encrypted my MS Outlook 2011 Data I've had to rebuild my mailbox 4 times. It's automated so it's not that big a deal other then delay. I'm going to stick with it and puzzle this one out.

[besson3c]

Turtle always seems to know about all of the various software solutions and offerings available for the Mac! Hip hip hooray for Turtle777!