I like to lock down the computers I work with. Having worked in IT security for 10 years, that has become almost second nature to me. So when I had a Linux laptop as my main workstation, I installed full disk encryption using loop-AES and migrated to dm-crypt when it became available. Then I moved jobs and received a brand new Windows XP laptop, without any encryption software on it. So I installed Ubuntu with dm-crypt. (I later switched back to Debian because – at the time at least – I found Ubuntu was missing a lot of the security tools I needed.) Unfortunately my new employer had many internal systems based on Microsoft Sharepoint that worked a lot better with Internet Explorer than they did with Firefox. So I started using Windows XP with TrueCrypt. TrueCrypt did not support full disk encryption at the time, but I learned that both the hard drive and laptop BIOS supported an ATA password. I figured if I put all my data on a TrueCrypt drive, and the OS (which might include some cached sensitive data) would not be easily accessible without a password, that would have to do.
Fast forward a few years and I am now a contractor/freelance consultant. Being very busy working for clients, setting up my company, doing acquisition, I wanted a fast laptop that just worked. Although I love to tinker, with Linux I was doing it a little too much before I got it right. After a cost/benefit analysis I decided on an Apple MacBook Pro. I absolutely love my MacBook and OS X. It’s very intuitive but it’s still Unix under the hood, so you can open a terminal any time you like. However, I was quite surprised to learn that security-wise I was taking a step back.
There is no full disk encryption in OS X. Of course there is FileVault, which encrypts a user’s home directory; that is nice but just not enough. To make matters worse, MacBooks don’t have a BIOS but instead use the Extensible Firmware Interface (EFI). In itself this is not so bad, as the EFI seems to be a modern replacement for a BIOS. However, it seems the Apple implementation is lacking basic security features. There is no boot password. Instead there is a firmware password that prevents changes to EFI and various things like booting from alternate media such as a DVD. It does not require the password to be entered for the normal boot from HDD though. And even if it did, my data would not be protected much since EFI does not support an ATA password either. Simply attaching the hard disk from a MacBook to another computer would reveal all the data anyway.
To summarize:
- No full disk encryption built into OS X 10.6
- No boot password possible on MacBooks / EFI
- No ATA password support on MacBooks / EFI
I might one day buy a commercial OS X full disk encryption solution like Sophos SafeGuard or Pointsec, but in 2010 I really expect basic data loss prevention to come out of the box for mobile devices. Maybe OS X 10.7 will bring us more security.