Educause Security Discussion mailing list archives

Re: Self-encrypting hard drives for Macintosh


From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 4 Mar 2011 08:10:43 -0600

> Has anyone used the Seagate self-encrypting hard drives in Macintosh computers?

Only in test/eval, with WinMagic. 

The hardest part is physically replacing the drive. The MacBook designers didn't make it easy. 

You install MacOS (and BootCamp/Windows 7) as usual. The self-encrypting drives always encrypt, but the encryption key 
defaults to unsealed. You then install the WinMagic pre-boot environment, reboot a couple times, and it's done. Nothing 
changes on the disk platters themselves, but the security chip requires some form(s) of external authentication in 
order to release the encryption key. 

This might change in version 5, but as of WinMagic 4 last October, no WinMagic software is installed within the 
BootCamp partition(s). Thus single-logon and phone-home only function when booted in MacOS. To boot into Windows, you 
enter your password at the WinMagic pre-boot prompt and hit F12 (I think) instead of Enter. Weird, but people could get 
used to it. Once the pre-boot environment convinces the self-encrypting drive to unseal, you don't need any software. 

Other considerations: Hard drive spin-down must be disabled in MacOS and Windows power management because it can cause 
the hard drive to re-seal. Both OSes must be configured to hibernate, rather than sleep, but that's been recommended by 
all FDE vendors since cold-boot attacks were published. 

Because of the reduced time to deploy (no wait for encryption!), the reduced time to wipe/recycle (just change the 
key!), and operating system transparency, I like the idea of self-encrypting drives a lot, especially for dual-boot 
Macs and any loaner-pool machine. 
-- 
Rich Graves http://claimid.com/rcgraves 
Carleton.edu Sr UNIX and Security Admin 
CMC135: 507-222-7079 Cell: 952-292-6529 
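A way to audit the power-management requirement from the message above (disk spin-down off, hibernate rather than sleep) on the macOS side; this is an added example, not part of the original thread or of WinMagic's tooling. It assumes `pmset -g custom`-style output on stdin and treats `hibernatemode 25` as the "hibernate, not sleep" setting; the sample output is constructed.

```shell
#!/bin/sh
# Audit macOS power settings for a self-encrypting-drive (SED) deployment:
# disk spin-down must be off (spin-down can re-seal the drive) and the
# machine must hibernate rather than sleep (RAM powered off, no cold-boot
# exposure of the key). Constructed sample in the shape of `pmset -g custom`.
SAMPLE_PMSET='Battery Power:
 disksleep            10
 hibernatemode        3
 sleep                10
AC Power:
 disksleep            0
 hibernatemode        25
 sleep                30'

# pm_value SECTION KEY  -- print KEY's value within SECTION of pmset output
# read from stdin (section headers start in column 1, keys are indented).
pm_value() {
    awk -v sec="$1" -v key="$2" '
        /^[^ ]/ { insec = ($0 == (sec ":")); next }
        insec && $1 == key { print $2; exit }'
}

# sed_pm_check  -- read pmset-style output on stdin; print one line per
# finding; return 0 only when both power profiles are configured safely.
sed_pm_check() {
    input=$(cat)
    status=0
    for sec in "Battery Power" "AC Power"; do
        ds=$(printf '%s\n' "$input" | pm_value "$sec" disksleep)
        hm=$(printf '%s\n' "$input" | pm_value "$sec" hibernatemode)
        if [ "${ds:-missing}" != 0 ]; then
            echo "$sec: disksleep=$ds (want 0: spin-down can re-seal the drive)"
            status=1
        fi
        # hibernatemode 25 writes RAM to disk and powers it off; modes 0 and 3
        # keep RAM powered, which is what cold-boot attacks rely on (assumed).
        if [ "${hm:-missing}" != 25 ]; then
            echo "$sec: hibernatemode=$hm (want 25: hibernate, not sleep)"
            status=1
        fi
    done
    return $status
}

# Remediation on a real Mac (needs root), shown but not run here:
#   pmset -a disksleep 0 ; pmset -a hibernatemode 25
```

Run it on a live system with `pmset -g custom | sh -c '. ./sedcheck.sh; sed_pm_check'`; the Windows side is handled separately in power management, as the message notes.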
