Educause Security Discussion mailing list archives
Re: Self-encrypting hard drives for Macintosh
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 4 Mar 2011 14:20:05 +0000
Thanks, Rich. Do you know if the drives can be used without an enterprise management package like WinMagic? Just to get us started in a few select areas.

The drives are part of our campus standard Dell laptop package for Windows and we just tested the desktop version thinking we'd make them part of our standard desktop package too. We'd heard they were supported on Macintosh but never talked to anyone that had actually made it work.

I'd like to see all storage manufacturers include the feature making all our lives easier and data more secure.

From: Rich Graves <rgraves () CARLETON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Fri, 4 Mar 2011 08:10:43 -0600
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Self-encrypting hard drives for Macintosh
Has anyone used the Seagate self-encrypting hard drives in Macintosh computers?

Only in test/eval, with WinMagic.

The hardest part is physically replacing the drive. The MacBook designers didn't make it easy.

You install MacOS (and BootCamp/Windows 7) as usual. The self-encrypting drives always encrypt, but the encryption key defaults to unsealed. You then install the WinMagic pre-boot environment, reboot a couple times, and it's done. Nothing changes on the disk platters themselves, but the security chip requires some form(s) of external authentication in order to release the encryption key.

This might change in version 5, but as of WinMagic 4 last October, no WinMagic software is installed within the BootCamp partition(s). Thus single-logon and phone-home only function when booted in MacOS. To boot into Windows, you enter your password at the WinMagic pre-boot prompt and hit F12 (I think) instead of Enter. Weird, but people could get used to it. Once the pre-boot environment convinces the self-encrypting drive to unseal, you don't need any software.

Other considerations: Hard drive spin-down must be disabled in MacOS and Windows power management because it can cause the hard drive to re-seal. Both OSes must be configured to hibernate, rather than sleep, but that's been recommended by all FDE vendors since cold-boot attacks were published.

Because of the reduced time to deploy (no wait for encryption!), the reduced time to wipe/recycle (just change the key!), and operating system transparency, I like the idea of self-encrypting drives a lot, especially for dual-boot Macs and any loaner-pool machine.

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
--
Gary Flynn
Security Engineer
James Madison University
Current thread:
- Self-encrypting hard drives for Macintosh Flynn, Gary - flynngn (Mar 04)
- Re: Self-encrypting hard drives for Macintosh Rich Graves (Mar 04)
- Re: Self-encrypting hard drives for Macintosh Flynn, Gary - flynngn (Mar 04)
- Re: Self-encrypting hard drives for Macintosh Rich Graves (Mar 04)
- Re: Self-encrypting hard drives for Macintosh Flynn, Gary - flynngn (Mar 04)
- Re: Self-encrypting hard drives for Macintosh Rich Graves (Mar 04)