Encryption for the masses
Kelly Martin, 2006-03-21

File and disk encryption needs to be simple and easy if it's going to be used. This article looks at Apple's FileVault and takes a sneak peek at what's coming in Windows Vista.

A few weeks ago there was a knock at my door, and my new MacBook Pro laptop had arrived. I was very excited, because it's one of the first of the new Intel-based dual core systems available. Yes, it's fast. Fast enough to give me visions of OS X native apps running alongside both Windows Vista and Fedora Core inside two virtual machines. It would make for a nice, highly portable security lab to test all three major operating systems. Today it might be a pipe dream, but the day is coming and it's not that far off. The hardware is available, now Apple users need the software - here's hoping that VMware is released for Intel-based OS X one day soon.

I'm somewhat paranoid about security, like many of our readers, but I'm generally much more worried about what happens if my new laptop is stolen. Or, someone otherwise gets physical access to my machine. I know many people who've had their laptop stolen from their car, and others who have had a laptop bag mysteriously disappear from under them in the chaos of an airport. With a little power to spare, I thought I'd take some of Apple's built-in security features for a test drive. Part of it was prompted by some early hardware glitches in my new machine, requiring me to send it in for service - but unfortunately, I had just migrated all my sensitive data, which was now at risk. This was a great opportunity to take a second look at FileVault, and disk encryption in general as it makes its way to the masses.

Making encryption easy

I've had the opportunity to use FileVault, Apple's secure encryption technology for a user's files and folders. It uses AES-128 encryption, the U.S. government security standard approved by NIST that is generally believed to be quite secure. FileVault encrypts a user's entire home directory, settings and all data. The end result is transparent to the user. It's not even a new technology at all; it's been available for a number of years (since 2003) and in fact I've used it off-and-on in the past. Part of its appeal today is that it's a mature, reliable technology, and that laptops (regardless of your OS of choice) are now faster with big enough drives that encryption on a large scale will have no noticeable performance impact.

I'll put speculation aside and summarize why I like this technology: it's simple and easy, plus it's fully integrated into the OS - just as full disk volume encryption in Windows Vista will be, when it's made available. This, along with some recent high profile data breaches involving laptops with unencrypted data, means large scale data encryption on desktops and laptops warrants another look.

There have been 3rd party options for strong encryption for a long time, and they're quite useful. Some might be considered enterprise-class as well. But I've always been pretty nervous about using 3rd party additions to encrypt large amounts of data found in tens of thousands of files that are used every day. Maybe it's because I have an idea of all the things that can go wrong, and I believe this type of offering needs to be deeply integrated into the OS. If it isn't completely seamless for the user, most people simply won't use the technology. Or they'll have problems.


I did quite a bit of reading up on Apple's FileVault before ever letting it touch my data in such a fundamental way. What first brought me to use it is the fact that it's not a new technology, and it's pretty reliable because it's been integrated with OS X for years. I used it previously on an old Powerbook G4 and it worked fine, but with some disk space issues and a bit of a performance impact on that slower machine, it didn't seem useful for day-to-day use. Laptops are notorious for having small hard drives, and limited free space doesn't mix well with encryption technologies when your data is at stake.

FileVault is surprisingly simple and straightforward. On a working OS X system, you just turn it on and the rest of the process of converting your data is automatic. It took about two hours to encrypt 60 gig of data, and afterward I did not notice any impact on system performance. There are no options for selecting individual files or folders, however - the encryption is either on or off for an entire home directory. But that's fine with me. I'd rather have all my data encrypted anyway, making it much harder for someone to find the really important data buried among all my MP3s, application data, videos and documents. A small encrypted folder, on the other hand, makes it a little easier for someone with physical access to your machine to home in on the important stuff. Having all your data encrypted in a seamless fashion, and integrated at the OS-level, can be quite comforting indeed - especially if your laptop is ever stolen. Let's just hope you have a backup.

Making encryption easy to use is the real key (no pun intended). Otherwise, as we've seen with most PKI technologies over the years, it won't get used. In typical Apple fashion, all FileVault settings are configured on a single page, and also include other important options you will want to set as well - such as requiring a password to exit the screensaver, requiring a password when emerging from sleep, and disabling automatic login. There is also the Secure Delete option for wiping files securely, and the ability to encrypt virtual memory as well. Very simple and refined.

Comparable Windows options

Mac users like to note that FileVault has been out since 2003, which helps make it secure and solid. This is true. But in fact, Windows has had file and folder encryption for even longer. Since Windows 2000, NTFS has had the Encrypting File System (EFS) which allows users to selectively encrypt files and folders - thereby providing much more granularity than Apple's FileVault option. EFS was enhanced for Windows XP and 2003, but it's still not an ideal solution. Many people simply don't use it, and there's no option today for automatically encrypting an entire disk volume or home directory.

With Windows Vista now in beta testing, there is some renewed excitement related to EFS in the Windows world, in the form of BitLocker - which will allow an entire disk volume to be encrypted. This is an excellent enhancement, and in fact Microsoft's offering appears to go much further than FileVault in its variety of options, such as the ability to use key pairings instead of just passwords. I just hope they keep it simple for the 95% of the people who need it that way.

Although this new encryption will require a system with a TPM (Trusted Platform Module) chipset, it appears it might only be available in the Enterprise and Ultimate editions of Vista. With these limitations aside, it's now approaching the point where enterprise customers and normal users will be able to encrypt their disk volumes in a very simple way. And in a way that's integrated into the OS, which I feel is quite important. We'll have to see how the final versions of Vista are configured, and what features are added or removed, but at this point it looks like most home users might be out of luck.

Story continued on Page 2 

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.