Thursday, June 19, 2008
Full Disk Encryption for Mac OS X
Last month Check Point Software released their Pointsec full disk encryption product for the Mac. I believe this is the only FULL disk encryption product available for the Mac. Pointsec for Mac runs on OS X Leopard and Tiger. I've been teaching some classes around the state on how to install and administer Pointsec for PC, and since most of my students are university IT workers, I get a lot of questions about Pointsec for Mac. Up until now, I haven't been able to provide much in the way of answers. I should also mention that the product seems to be called Endpoint Security Full Disk Encryption for Mac.
Over the last week I have had the opportunity to use a MacBook. I actually ordered my own MacBook, but it hasn't arrived yet, so in the meantime I'm using a loaner. And since I don't need to worry about what kind of damage I do to a loaner computer, I put Pointsec for Mac on right away.
The installation was pretty straightforward. If you've installed Pointsec for PC, then installing Pointsec for Mac shouldn't be a problem for you. Just as with Pointsec for PC, you have to create two Pointsec administrator accounts, which are necessary if you want to remove Pointsec later. You also have to provide a path for writing your recovery file in case things go really bad on the machine. One thing that is different is the licensing. All the releases of Pointsec for PC that I've had the chance to use have used the same evaluation license key. And even though the key is good for ten licenses, there doesn't seem to be any checking to see if that key has been used elsewhere. I know this because in my classes I have all the students use the same license key and there has never been a problem. With Pointsec for Mac you have to get a license file from Check Point, and the evaluation key will expire in 30 days. I haven't tried using the same license key on multiple computers since I only have one MacBook.
Once the installation is complete, your computer will reboot and you'll be looking at a login screen for Pointsec. This is the Mac version of the Pre-Boot Environment in Pointsec for PC. Log in with one of the admin accounts you created during setup. One of the weird things that I've noticed is that there is a check box for Single Sign On which is disabled. That suggests that there is a way to enable Single Sign On in the management console, but I haven't found anything. So far, the only way to get Single Sign On that I can find is to have your MacBook auto login. That works fine for most people, but if the machine is shared by several people then this is not ideal.
When you get logged into your Mac, you'll see a new icon in the toolbar. You can click on that icon to get the encryption status or log into the Management Console and make changes to your setup. I'll cover the Management Console in a later post.
There are a couple of things that I want to mention about the installation. Based on my first impression of the software, it seems to make major changes to the EFI partition, possibly even completely replacing it. If you're using something like rEFIt to dual boot your Mac, you will find that it doesn't work anymore. I don't know if there is a way to fix it, but I'm pretty sure that there is no solution that is supported. The other thing I'd like to point out is that even though the software has many of the same features as Pointsec for PC, you can't use a Pointsec for PC installation profile to automate the installation of Pointsec. If you're going to be deploying this software alongside Pointsec for PC, then you're going to have to use a separate installation point.