Sophos SafeGuard Disk Encryption for Mac offers full-disk encryption (FDE) for
the Mac, with protection at boot time from unauthorized access. FDE scrambles
the entire contents of a disk drive, rendering it ostensibly unrecoverable
without access to the long encryption key used, or a shorter account passphrase
that unlocks that key.
FDE makes your data secure when someone gains unauthorized
physical access to it while your computer is shut down. If a computer with an
FDE-protected drive is booted and running, the data is still susceptible to
various forms of extraction using forensic tools, even if there's a password
lock enabled in OS X. But when the computer is shut down, it's as close to Fort
Knox as one could hope.
With Lion, you have the option to use the built-in FileVault 2 FDE that
replaces the directory-only encryption provided in the original FileVault
system introduced in OS X 10.3 Panther. FileVault 2 works quite well, is
integrated into system accounts and system boot time, and relies on AppleCare
support as an optional backstop to help with extreme cases in which an account
password fails or is forgotten and a separate emergency recovery key has been
lost.
SafeGuard, compatible with Lion in version 5.5, has to scale a
mountain to convince users to purchase a feature that's otherwise built into
the OS. A third-party encryption tool has to do the job right, but also have
features or options that set it apart from FileVault 2. (SafeGuard provides a
separate installer for Mac OS X 10.5 and 10.6. If you upgrade from Snow Leopard
to Lion, it is vitally important to follow Sophos's instructions. An upcoming
SafeGuard 6.0 release will work on 10.5 through 10.7, however, according to
Sophos.)
Sophos requires that you create unique accounts, separate from Mac OS X, including at least one administrative account.
SafeGuard doesn't quite get there. There are enough rough edges
and confusing bits to keep it well short of the ease with which Apple
enables FileVault 2, which makes SafeGuard hard to recommend highly. Sophos
could sand down the interface and documentation friction, while adding a couple
of compelling features. However, SafeGuard is a good choice for anyone who
prefers not to rely on Apple for their encryption needs for whatever reason.
Using SafeGuard
Sophos relies on its own user accounts set up as User and Admin
categories, which means extra account management instead of using Mac OS X
authentication. This is clearly required because at startup time SafeGuard has
to rely only on what its own system can manage—it can't access Mac OS X or accounts. We
can’t ding the product for that, but it's more complicated than Apple's
integrated ability.
You set up at least one Admin account to start encrypting the
drive with a single click. There's an option to use Fast Mode, which has no
explanation in the program or documentation as to what "fast" means.
I had to query the company, which explained that with Fast Mode disabled, disk
encryption takes a back seat to whatever the user is doing. In Fast Mode,
encryption consumes all available computational power, which might slow down
other activities.
Admin accounts can enable and disable encryption on partitions,
and create and delete regular users. A User can log in at startup. User
accounts can be backed up with a third form of account, Recovery. These are
one-time-use logins assigned to specific User accounts, and they are meant to
help in case you forget or lose the password for a User account.
Sophos could provide a more sensible handholding walkthrough
here. It should have the option of an assistant that guides you through
creating an Admin user, and gives you the opportunity to create a regular User
and one or more Recovery accounts. Instead, I had to stumble through the
documentation to figure out the precise relationship.
Any FDE system needs to offer tools to help you when things go
awry, as normal disk utilities won't work. Sophos includes options in its
program's Users tab in a gear pop-up menu, but they're rather hard to parse
there and in longer explanations in the documentation. I sorted it out, but I
don't expect that even an advanced user will find the explanation
straightforward.
Sophos has three recovery options, but it's really two ways to
make bootable media, with a third menu item to export your encryption and
authentication data. You can either create a generic bootable image without
your login bits (which lets you separately attach your authentication data), or
you can create one that's bootable and has the necessary credentials for the
specific computer from which the disk was exported.
What Sophos doesn't explain is that you need to take the disk
image and create a bootable volume from it. This is trivial in Disk Utility.
Drag the disk image into Disk Utility, where it shows up in the bottom of the
list at left. Insert some kind of media, such as a USB thumb drive, that you're
willing to erase one or more partitions of. Select the disk image icon, and
then drag the partition of the drive you're using into the Destination field.
Click Restore. This creates an EFI-formatted bootable drive you can select at
startup time by holding down the Option key. Would that these instructions
(with some screen captures and more detail) were in the manual.
Sophos has its own EFI-based boot process that lets you enter a user or
administrator account to start up Mac OS X. Only the keyboard works; mice and
trackpads are unavailable.
I tested booting from a recovery image and
performing various recovery operations, and they worked just fine. As with the
rest of SafeGuard, the actual function is there, masked by an unpolished
interface. You can decrypt a drive quite simply, too. While logged in as an
administrator, click Decrypt.
Limitations
SafeGuard also warns you in the documentation against backing up
certain files in Time Machine, but doesn't provide a tool to exclude those
automatically. SafeGuard can't encrypt external drives. And it requires the use
of the keyboard in its boot manager, which makes it feel a bit more like using
a newer PC BIOS
than a Mac. Ostensibly, they didn't want to include mouse and trackpad drivers.
SafeGuard makes it simple to encrypt or decrypt an entire drive.
The only compelling reason to choose SafeGuard
over FileVault 2 relates to boot-drive partitions. FileVault 2 only works on a
Mac OS X boot volume in which the Lion Recovery partition is installed and
working. You cannot use a custom partition scheme, and users have reported all
sorts of problems if they've messed with Lion partitions. SafeGuard doesn't
have this problem. You can encrypt any number of partitions on the boot drive,
and a Lion Recovery partition isn't a requirement.