Educause Security Discussion mailing list archives

Re: Mac encryption?


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 13 Nov 2009 10:01:47 -0700

 The Mac version of Checkpoint's product is also feature limited compared to the PC version. That said, it is a capable 
product with a good feature set (e.g. still allows single sign on, which is a major feature). 

 FWIW, while the Checkpoint product works reasonably well for us, the management interface of the software is rather 
clumsy. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Lococo
Sent: Friday, November 13, 2009 9:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mac encryption?

Harvard Townsend wrote:
We're using PGP Whole Disk Encryption for Macs and Windows and have been 
very satisfied, except they do not yet support Snow Leopard. They do 
support Windows 7, though.

We're evaluating PGP as well, and while it works ok I thought it worth 
mentioning that PGP on the Mac seems like a bit of a second class 
citizen when compared to PGP on Windows, at least when you're using it 
in conjunction with a managed PGP server.  For example:

* If you use Guarded Key Mode, the Mac client cannot automatically 
download the GKM keys during enrollment of a new machine (the Windows 
client can).  Instead you have to manually load the keys from some other 
source.
* Mac clients fail to complete the "Key Reconstruction" process using 
the 5 recovery questions.  They give an error which falsely claims that 
the questions were answered incorrectly.  If you forget your passphrase 
or your keyfiles become lost/corrupted, you'll have to recover them from 
a PC and manually transfer them to your Mac.
* You can't change or update your 5 Key Reconstruction questions on a 
Mac.  If you want to update your security questions, you must do so from 
a PC.
* The Whole Disk Encryption boot prompt for Mac clients does not display 
the site-specific "additional text" often used to point folks to the 
helpdesk in the event of problems.
* Finally, as others have noted, Snow Leopard support has lagged Windows 
7 support considerably.  Whereas it seems like PGP fairly consistently 
tries to release PGP compatibility updates in advance of retail 
availability of Windows OS updates, you're likely to be stuck holding 
your Mac clients back pending the availability of a compatibility update.

I haven't used Checkpoint and can't speak to whether they do any better, 
but while PGP is certainly functional on a Mac, it is fairly rough around 
the edges.  I find this to be in stark contrast to the Windows version 
which I've found to be quite solid and bug-free.

Thanks,
Mike Lococo
