Re: Self-encrypting hard drives for Macintosh

["Flynn, Gary - flynngn" <flynngn () JMU EDU>]

Thanks, Rich. Do you know if the drives can be used without an enterprise
management package like WinMagic? Just to get us started in a few select
areas.

The drives are part of our campus standard Dell laptop package for Windows
and we just tested the desktop version thinking we'd make them part of our
standard desktop package too. We'd heard they were supported on Macintosh
but never talked to anyone that had actually made it work. I'd like to see
all storage manufacturers include the feature making all our lives easier
and data more secure.





From:  Rich Graves <rgraves () CARLETON EDU>
Reply-To:  The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date:  Fri, 4 Mar 2011 08:10:43 -0600
To:  <SECURITY () LISTSERV EDUCAUSE EDU>
Subject:  Re: [SECURITY] Self-encrypting hard drives for Macintosh

> > > Has anyone used the Seagate self-encrypting hard drives in Macintosh
> > computers? 
>
> Only in test/eval, with WinMagic.
>
> The hardest part is physically replacing the drive. The MacBook designers
> didn't make it easy.
>
> You install MacOS (and BootCamp/Windows 7) as usual. The self-encrypting
> drives always encrypt, but the encryption key defaults to unsealed. You then
> install the WinMagic pre-boot environment, reboot a couple times, and it's
> done. Nothing changes on the disk platters themselves, but the security chip
> requires some form(s) of external authentication in order to release the
> encryption key.
>
> This might change in version 5, but as of WinMagic 4 last October, no WinMagic
> software is installed within the BootCamp partition(s). Thus single-logon and
> phone-home only function when booted in MacOS. To boot into Windows, you enter
> your password at the WinMagic pre-boot prompt and hit F12 (I think) instead of
> Enter. Weird, but people could get used to it. Once the pre-boot environment
> convinces the self-encrypting drive to unseal, you don't need any software.
>
> Other considerations: Hard drive spin-down must be disabled in MacOS and
> Windows power management because it can cause the hard drive to re-seal. Both
> OSes must be configured to hibernate, rather than sleep, but that's been
> recommended by all FDE vendors since cond-boot attacks were published.
>
> Because of the reduced time to deploy (no wait for encryption!), the reduced
> time to wipe/recycle (just change the key!), and operating system
> transparency, I like the idea of self-encrypting drives a lot, especially for
> dual-boot Macs and any loaner-pool machine.
> -- 
> Rich Graves http://claimid.com/rcgraves
> Carleton.edu Sr UNIX and Security Admin
> CMC135: 507-222-7079 Cell: 952-292-6529


-- 
Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: