Whole Disk Encryption, and Why Mac OS X 10.6.5 Broke PGP WDE
On 10 November 2010, Apple released Mac OS X 10.6.5, an important update full of bug fixes and security patches. But for users of Symantec’s PGP WDE (Whole Disk Encryption) product, updating their Macs had disastrous consequences: they were completely unable to boot their systems. Reports started appearing in the PGP WDE support forums, and this was quickly confirmed by TidBITS Senior Editor Joe Kissell—not through intrepid investigative reporting, but by being locked out of his own laptop after trying to upgrade.
This isn’t the first time PGP WDE users have struggled with Mac OS X upgrades, and to understand why, it’s worth taking a moment to talk about how disk encryption works.
And for any of you who are locked out of your PGP WDE-encrypted drive, the good news is that your data is safe, and PGP issued recovery software and instructions on 12 November 2010. For those PGP WDE users who haven’t yet upgraded to Mac OS X 10.6.5, Symantec also posted instructions on the same page about how to upgrade safely using the latest version of PGP WDE (10.0.2).
How Full Disk Encryption Works — Disk encryption is the single most important security control for anyone with sensitive data on a laptop. Without it, if your laptop is lost or stolen, anyone with a modicum of knowledge can easily access your data. Circumventing passwords isn’t all that difficult on any operating system, and Mac OS X is no exception.
One option for Mac users is to use Apple’s built-in FileVault technology, which encrypts your home folder. FileVault is extremely secure, but it can make managing backups difficult. For example, if you use FileVault, Time Machine will back up your home folder files only when you log out of your account (unless you are one of the rare few storing your backups on a Mac running Mac OS X Server). FileVault also protects only your home folder, which may not be sufficient for everyone.
Finally, as I documented in “The Ghost in My FileVault” (13 September 2007), like any encryption, FileVault can be persnickety at times and can lock you out of all or some of your data. (Since your whole home folder lives inside one encrypted disk image, a small amount of corruption in that image can make far more than one file unreadable.)
Another option is called Whole Disk Encryption (WDE) or Full Disk Encryption (FDE). Unlike FileVault, which stores your data in an encrypted disk image, WDE products encrypt nearly the entire contents of your drive at the disk sector level. WDE products are powerful, since they encrypt everything, and by encrypting at such a low level all your backups work normally.
This is so effective that when I’m advising large enterprises on how to protect their mobile workers, I always tell them their most important security control is to deploy WDE on all portable systems (and to encrypt smartphones and iPads, but that’s an article for another day).
Note that Symantec’s PGP WDE is currently one of only two WDE products sold directly to Mac consumers; the other is WinMagic’s SecureDoc, and I know of two additional products for corporate users.
WDE works by integrating with the firmware on your Mac so that when you boot your computer you enter an unencrypted “pre-boot” environment. This is nothing more than a small, tightly controlled operating system whose sole job is to ask you for your password, use it to unlock the disk’s encryption key, and then hand off to your normal operating system, which lives in an encrypted partition and is decrypted sector by sector as it is read. (Joe Kissell discusses more about how WDE works in “Securing Your Disks with PGP Whole Disk Encryption,” 31 October 2008.)
That’s why, for those of you using PGP WDE, when you turn on your Mac you see the PGP prompt… which looks nothing like Mac OS X. Entering your password there is what enables the pre-boot environment to recover the protected encryption key that unlocks the rest of your system and then load Mac OS X. Note that the key which actually encrypts the disk is separate from your password: the password only unlocks that key, which is why you can change your password without re-encrypting the whole drive.
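To make the pre-boot unlock step concrete, here is an added illustration (not code from the article, and not PGP’s or Symantec’s implementation) of the two-level key hierarchy a pre-boot prompt sits in front of: a random data-encryption key (DEK) protects the sectors, and the password only derives a key-encryption key (KEK) that unwraps the DEK. Real products use AES (typically AES-XTS for sectors); to stay standard-library-only, this model substitutes an HMAC-SHA256 keystream with an HMAC tag, which is an assumption for illustration, not a recommended cipher. The passwords and sector contents are constructed test values.

```python
# Added illustration, not code from the article or from PGP/Symantec: the two-level
# key hierarchy behind a pre-boot password prompt. The disk is encrypted with a
# random data-encryption key (DEK) that is never derived from the password; the
# password only derives a key-encryption key (KEK) that unwraps the DEK.
# Real WDE products use AES (typically AES-XTS for sectors). This stand-in uses an
# HMAC-SHA256 keystream plus an HMAC tag so it runs with the standard library only;
# it is an assumption for illustration. Reusing a sector's keystream on rewrite would
# leak data, which is exactly why products use a tweakable block mode instead.
import hashlib
import hmac
import os
from typing import Dict, Optional

SECTOR = 512          # bytes per sector, as on the drive
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune to the hardware


def derive_kek(password: str, salt: bytes) -> bytes:
    """Stretch the pre-boot password into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under the KEK: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor(dek, _keystream(kek, nonce, len(dek)))
    tag = hmac.new(kek, b"wrap" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; None means wrong password or a damaged header."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(kek, nonce, len(ct)))


class EncryptedVolume:
    """A volume header (salt + wrapped DEK) plus sectors encrypted under the DEK."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        dek = os.urandom(32)                      # random; independent of the password
        self.wrapped_dek = wrap(derive_kek(password, self.salt), dek)
        self.sectors: Dict[int, bytes] = {}

    def unlock(self, password: str) -> Optional[bytes]:
        """What the pre-boot prompt does: derive the KEK and unwrap the DEK."""
        return unwrap(derive_kek(password, self.salt), self.wrapped_dek)

    def write_sector(self, dek: bytes, lba: int, data: bytes) -> None:
        if len(data) != SECTOR:
            raise ValueError("sector must be exactly %d bytes" % SECTOR)
        # The sector number acts as the tweak, so identical plaintext in two
        # sectors produces different ciphertext.
        self.sectors[lba] = _xor(data, _keystream(dek, lba.to_bytes(16, "big"), SECTOR))

    def read_sector(self, dek: bytes, lba: int) -> bytes:
        return _xor(self.sectors[lba], _keystream(dek, lba.to_bytes(16, "big"), SECTOR))

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the same DEK under a new KEK; not a single sector is touched."""
        dek = self.unlock(old)
        if dek is None:
            return False
        self.salt = os.urandom(16)
        self.wrapped_dek = wrap(derive_kek(new, self.salt), dek)
        return True


if __name__ == "__main__":
    # Constructed demo values, not taken from any real system.
    vol = EncryptedVolume("correct horse battery")
    dek = vol.unlock("correct horse battery")
    vol.write_sector(dek, 7, b"A" * SECTOR)
    print("wrong password unlocks:", vol.unlock("hunter2") is not None)   # False
    vol.change_password("correct horse battery", "new passphrase")
    print("sector 7 after password change:", vol.read_sector(vol.unlock("new passphrase"), 7)[:4])  # b'AAAA'
```

Two properties matter for the article’s story. A wrong password fails the tag check and yields no key at all, rather than decrypting the disk to garbage, so the pre-boot prompt can refuse cleanly. And the only thing the pre-boot code needs to do its job is the small header holding the salt and wrapped DEK plus the code that reads it; if an update removes the hook that loads that code (as described below for boot.efi), the sectors are still intact and still encrypted, which is why the recovery tools could restore access without decrypting anything.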
Why OS Updates Break WDE — When a minor software update affects only the main operating system, it shouldn’t cause any problems for WDE products. The issue is usually seen with major updates, which may change how the operating system loads, or how it interacts with the firmware that, among other things, lets the computer’s hardware see storage devices and load the operating system code. That boot path is exactly the layer a pre-boot environment hooks into.
That’s the reason I no longer use PGP WDE, even though I had initially switched to it after my problems with FileVault. When Mac OS X 10.6 was released, PGP (which wasn’t yet owned by Symantec) warned all users that the product was not compatible with the changes in the operating system and the Mac firmware (EFI, the Extensible Firmware Interface). Since I needed to write about 10.6, I had to upgrade, so I decrypted my system and removed PGP WDE. Around the same time I also bought a spiffy new Mac Pro, thus relegating my laptop to a secondary system. Since I wasn’t worried about backing it up, I switched back to FileVault. (PGP eventually provided Snow Leopard compatibility; see “PGP Whole Disk Encryption and PGP Desktop Professional 10.0,” 14 May 2010.)
In its knowledgebase post, Symantec states that it tested PGP WDE with all development versions of Mac OS X 10.6.5 without problems, but that the shipping version of the update overwrote one of the changes PGP WDE makes to the boot.efi file used to load the operating system. With that change gone, the pre-boot environment never loads, so there is no password prompt and no way to unlock the encrypted system partition; the Mac simply fails to boot.
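The failure above is detectable before the reboot that locks you out: if you fingerprint the boot files your WDE product patches before running an update and compare afterward, an overwritten boot.efi shows up as “changed” while the running system is still usable. The following is an added example (not the article’s, and not Symantec’s repair tool); the boot.efi path is the one the article names, and the baseline file location, the scratch-directory demo and its file contents are constructed assumptions for illustration.

```python
# Added example, not from the article or from Symantec's knowledgebase post: snapshot
# the boot files a WDE product patches before an OS update, then compare afterward so
# an overwrite is caught while the system is still running, not after a failed boot.
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, Iterable, Optional

# The file the article says PGP WDE patches. Add any other loader files your product
# touches (an assumption: check the vendor's documentation for the full list).
BOOT_FILES = ["/System/Library/CoreServices/boot.efi"]
BASELINE_PATH = "/var/db/wde-boot-baseline.json"   # assumed location, pick your own


def sha256_file(path: str) -> Optional[str]:
    """Hex SHA-256 of a file, or None if it is absent."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint(paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Snapshot of path -> digest for every file in the list."""
    return {p: sha256_file(p) for p in paths}


def save_baseline(paths: Iterable[str], baseline_path: str) -> Dict[str, Optional[str]]:
    """Record the state after the WDE product is installed and before an OS update."""
    snap = fingerprint(paths)
    with open(baseline_path, "w") as fh:
        json.dump(snap, fh, indent=2)
    return snap


def load_baseline(baseline_path: str) -> Dict[str, Optional[str]]:
    with open(baseline_path) as fh:
        return json.load(fh)


def verify(baseline: Dict[str, Optional[str]],
           current: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each baselined file as 'unchanged', 'changed' or 'missing'."""
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new == old:
            report[path] = "unchanged"
        elif new is None:
            report[path] = "missing"
        else:
            report[path] = "changed"
    return report


def safe_to_reboot(report: Dict[str, str]) -> bool:
    """Only reboot into the pre-boot environment if nothing the product patched moved."""
    return all(state == "unchanged" for state in report.values())


def demo() -> Dict[str, str]:
    """Replay the 10.6.5 scenario in a scratch directory with constructed file contents."""
    workdir = tempfile.mkdtemp()
    try:
        fake_boot = os.path.join(workdir, "boot.efi")
        baseline_file = os.path.join(workdir, "baseline.json")
        results = {}
        with open(fake_boot, "wb") as fh:      # loader as patched by the WDE installer
            fh.write(b"boot.efi with WDE pre-boot hook")
        save_baseline([fake_boot], baseline_file)
        results["before_update"] = verify(load_baseline(baseline_file), fingerprint([fake_boot]))[fake_boot]
        with open(fake_boot, "wb") as fh:      # the update overwrites it with a stock copy
            fh.write(b"stock boot.efi from the update")
        results["after_update"] = verify(load_baseline(baseline_file), fingerprint([fake_boot]))[fake_boot]
        os.remove(fake_boot)
        results["after_removal"] = verify(load_baseline(baseline_file), fingerprint([fake_boot]))[fake_boot]
        return results
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # {'before_update': 'unchanged', 'after_update': 'changed', 'after_removal': 'missing'}
    print(demo())
```

In real use you would call save_baseline(BOOT_FILES, BASELINE_PATH) once the WDE product is installed and working, then after an update run verify(load_baseline(BASELINE_PATH), fingerprint(BOOT_FILES)) before rebooting; a “changed” or “missing” boot.efi means the vendor’s repair step has to run first. The check only helps for products that modify boot.efi, and it reports that the file moved, not whether the new copy still carries the pre-boot hook, so treat any change as a stop signal rather than trying to judge it.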
Joe Kissell solved the problem by booting his laptop from an unencrypted external drive that also had PGP WDE installed, and then decrypting his main drive with that version of PGP. You might have such a setup if part of your backup plan includes a bootable duplicate, as most experts (including Joe) recommend.
Symantec’s solution is a bootable disk containing a version of PGP WDE designed specifically to recover from this problem. Instead of decrypting the drive (and thus removing its protection), once the password is entered it unlocks the drive and restores the boot files PGP WDE needs, so the system boots normally again.
If Symantec’s statement is true, this means Apple modified the release version of the update without giving developers the chance to evaluate the changes and update their products. Apple has done this in the past, which can lead to a variety of frustrating software issues. It’s one of the common criticisms from enterprise users who have to support hundreds or thousands of systems and, often, custom software. If the update was in the development pre-releases, then Symantec is at fault. Either way, this was a completely preventable problem.
Should You Encrypt Your Disk? — I still highly recommend encryption for anyone worried about losing a laptop and thus exposing its information. A whole disk encryption product offers the best security, and easiest backups, but since this software isn’t provided by Apple, there is a greater chance of upgrade issues. You might also encrypt a desktop if you’re worried about theft.
FileVault is also very secure, and if you are comfortable with altering your backup strategy to account for its limitations, it has the added advantage of being free and completely supported by Apple. It also allows you to encrypt only your own files if you share a system with another user.
Either way, keeping current backups is absolutely essential, and I recommend having at least one good backup of important data (especially sentimental items like photos) that you can access even if your encryption breaks. A great option is to use a backup service like CrashPlan that backs up your data to a remote drive or location, and encrypts it in an entirely different way (for more about CrashPlan, see “CrashPlan: Backups Revisited,” 26 February 2007 and “CrashPlan Adds Direct-to-Disk Backups,” 15 December 2008).
Any developer with access to the old 10.6.5 seeds could go back and readily verify the veracity of PGP's claim (that all intermediate seeds were tested). Basically anyone who downloaded a 10.6.5 seed in the last couple weeks of the pre-release test cycle could just install it, add PGP WDE, and see if it works.
WinMagic's SecureDoc for Mac (SDM) does not alter the boot.efi file. I confirmed this after updating to 10.6.5 on a couple of Macs, both with and without SDM loaded. The boot.efi file was identical on both Macs. SDM does provide pre-boot authentication, but it changes the firmware instead of messing around with the boot.efi file, something I can't believe anyone would be allowed to do.
I'm using CrashPlan. If I encrypt my disk, or portions of it, will CrashPlan see the encrypted portion as a single file and have to back up all of that file when any part of it is changed?
It will work as normal if you encrypt the whole disk - I use CrashPlan + PGP WDE with no issues.
Whole Disk Encryption is transparent to all software, including even the OS, once it's running. As far as all the software above WDE is concerned, the files are unencrypted and on a normal HD. This is why Time Machine is actually more compatible with WDE than with FileVault (not requiring a log out to work).
(Exception: SuperDuper has to ignore a couple of files, which it does automatically, and you'll need PGP and your password to restore from a SuperDuper image.)
Re "portions of it", I have not done partition level encryption, though it should work the same. The other option is individual file encryption and encrypted disk images, which are obviously not transparent.
It really is a tremendous product. I have not noticed any disk slow down, even. (I have no connections to or favors from PGP Corp, by the way.)
Thanks, Ryan. Just the info and advice I needed.
I don't believe this is an issue with PGP not testing updates. Nor do I think this is the result of a last-minute change to the seed by Apple. I believe this has to do with applying beta updates from the downloadable files versus applying the updates via Software Update.
PGP claims to include checks for changes to boot.efi and subsequent repair mechanisms. But when a user upgrades the base OS using Software Update, it is applied after most of the shutdown procedure has been executed, and these checks and fixes are no longer running.
This is why the downloadable combo updater, which is run in a normal user session before shutdown, doesn't fail.
It appears there needs to be a way for Apple to see if boot.efi has been changed by a third party and put on the brakes.
I don't know of a way to test a beta seed from Apple using the Software Update Server process.
PGP for Mac OS X is a complete turd anyway. In the past I spent around 300 euros on some license renewals. It was buggy as hell; I remember random behavior when using PGP keyservers. Things like: it failed to retrieve a key. Deleting and recreating the key server configuration made it work a couple of times, then it started failing again...
This kind of glitch is a sign of extremely poor programming practice.
Regarding Time Machine and FileVault, yes, it forces you to log off from your account in order to make backups possible. But that's a good side effect. Disk encryption is less effective when you just lock the screen and leave your user logged on. As for the evil maid attack, both systems (FV and PGP WDE) seem to me to be similarly vulnerable.
So, risk? With poorly written software, indeed. And of course the "hacky" approach makes it riskier.
I honestly have to question the sanity of anyone using any Symantec product on a Mac. Has history taught you nothing?
It's not like you don't have file vault built in already!
Obviously the Mac is an afterthought when you are M$'s most trusted virus partner.
Not to defend Symantec, but they just bought PGP very recently, so I'm not sure much can be laid at their feet right at the moment. It's more likely that things were discombobulated by the acquisition, if anything.
> and to encrypt smartphones and iPads,
> but that’s an article for another day
Okay, Rich - I'm waiting... :-)
(PS Thanks for this one.)