Off Topic - self encrypting drives

jonscott
New Contributor

I've begun a little searching for info on the use of self-encrypting drives in Macs, as we have a looming encryption need coming up. We're looking at the usual FDE products (Sophos, Credant, CheckPoint, others?, Lion + FileVault), but curious about hardware-based too. Is anyone doing this, or has tried?

I found a few discussions on the subject from gov folks, but not much else yet. It also seems there may be concerns with replacing HDDs in certain iMac models, due to heat sensors built into the drives.

It would be cool to do SED SSDs, but not sure how do-able that is either at the moment. Thanks in advance for anyone's hard won experience!

Jon


rmanly
Contributor III

The HDD sensors are thermistors that are affixed on or near the drives with tape, sticky-backed foam strips, or occasionally a plastic clip that is glued to the back of the drive. EDIT: they are easily transferred to a new drive.

As for the rest I have no idea, except that I know this exists and may help you if you decide to go the FileVault 2 route.

http://google-opensource.blogspot.com/2012/02/cauliflower-vest-end-to-end-os-x.html

nkalister
Valued Contributor

The only OS X encryption package that even claims to be able to work with self-encrypting drives is WinMagic - it's supposed to work with any Opal-compliant drive.
That's the only option, though. And WinMagic is pretty... interesting to work with. I wouldn't recommend it.

jonscott
New Contributor

Thanks for the ideas. It'll be interesting to see where this ends up...

@rmanly, I'm not a certified tech, but I had heard the newer iMac models (since mid-2011?) shipped with Apple-specific HDDs (sensor built into the drive somehow) and couldn't be replaced with 3rd-party drives without manually adding an older thermistor like you mentioned. Does anyone know more about this? If true, it seems a pretty crappy way to go, but not necessarily surprising, I guess.
Just found this, by the way: http://gigaom.com/apple/imac-drives-not-meant-to-be-replaced-and-i-hate-it/ :(

As for FileVault 2, I haven't tried Cauliflower Vest yet but have been reading a bit. That may help.

It would be nice to have something that's cross-platform too, but I'm not holding my breath...

nkalister
Valued Contributor

The only problem with Cauliflower Vest is that you're putting your decryption keys into a Google App Engine database, which Google could conceivably access. I'm very interested in CV, but I can't go into production with it depending on Google's backend. Greg Neagle is working on a stand-alone Python server that would replace the Google backend, so I'm hoping he gets that out the door soon!

rmanly
Contributor III

OOOOOOhhhhhh yea. I do remember reading something about that back when it first hit!

I just checked online and Apple still hasn't done a good job of updating this info across the board in GSX. :(

Here is the blurb from the iMac training.

Temperature Sensors for Hard Drives

When replacing hard drives in Intel-based iMac computers, transfer hard drive temp sensors from the defective hard drive to the replacement drive. Use the double stick tape included with the replacement drive to attach the sensor.

And here is the new Service Guide text for the newest iMacs.

Note: Unlike previous iMac models, there is no hard drive sensor cable.

FYI here is some more info I found.

http://blog.macsales.com/10206-further-explained-apples-imac-2011-model-hard-drive-restrictions

http://blog.macsales.com/11638-owc-turnkey-program-for-2011-imacs-announced

OWC apparently uses a product developed by a company in Germany to provide the temperature information on the extra pins. OWC doesn't sell it directly, and for a while the company that developed it was being cagey about how to get them, but apparently there is a way to buy it directly from them now.

Silvio Dima says: 2 February 2012 20:44
OWC does not sell the Cbreeze. They ask you to send them your iMac and they'll install a new HDD with a Cbreeze, I think, for you. I can not send them my iMac from Spain. Why do you not sell it online? Regards

Titian Nemeth says: 7 February 2012 09:34
At this moment we're looking for solutions to sell the Cbreeze. There are some questions about the rights. We will ask our tech unit for more information.

Titian Nemeth says: 9 February 2012 10:34
We've asked our tech unit under which prerequisites we can sell Cbreeze. You must be a certified Apple developer. Then you can order a maximum of ten Cbreeze units. Please write an email to social@gravis.de.

http://www.gravis.de/blog/imac-2011-freie-festplattenwahl-dank-gravis-cbreeze/

This is the type of thing Apple does that pisses me off...well this and not updating the BSD, F/OSS tools faster. :P

Luckily I don't repair & upgrade like I used to anymore.

Good luck Jon.

tkimpton
Valued Contributor II

Hi Jon

I had to look into encryption and I looked at WinMagic, PGP and Sophos SafeGuard. I went with Sophos SafeGuard, and I can get it automatically encrypting, and with a login hook I can make sure there are always 5 recovery accounts. Also the recovery accounts are scoped by an extension attribute and uploaded to the JSS so that I can help mobile users on the road who are stuck at power-on authentication.

See here for the script I use in a login hook, provided by Frank at Utimaco (now part of Sophos) and tweaked by myself to get it working how I wanted it.

https://jamfnation.jamfsoftware.com/discussion.html?id=4057

Hope this helps anyone with the same problem I had when I was under pressure to get something working :)
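
As an added example (not the script Tim links to, and not code from anyone in this thread): a Jamf-style extension attribute in sh that reports whether a Lion FileVault 2 volume has actually finished converting, by parsing diskutil cs list. A Mac that has FileVault 2 switched on but is still converting is not yet protected, so a compliance report should tell the two states apart. The CoreStorage field names (Conversion Status, Conversion Direction, Fully Secure) are assumed from 10.7 output, the UUIDs are placeholders, and the sample text is constructed; check the field names against your own build.

```shell
#!/bin/sh
# Added example, not the script linked above: a Jamf extension attribute that
# reports whether a Lion (10.7) FileVault 2 volume has actually finished
# converting, by parsing `diskutil cs list`. The CoreStorage field names are
# assumed from Lion's output; check them against your own build.

# fv2_state: read `diskutil cs list` text on stdin and print one word:
#   none        no CoreStorage logical volume family (FileVault 2 never enabled)
#   converting  encryption pending or in progress: data is NOT yet protected
#   reverting   decryption in progress (Conversion Direction: backward)
#   partial     conversion reported Complete but Fully Secure is not Yes
#   complete    encrypted, conversion finished, Fully Secure: Yes
fv2_state() {
    awk '
        /Logical Volume Family/ { fam = 1 }
        /Conversion Status:/    { conv = $NF }
        /Conversion Direction:/ { dir = $NF }
        /Fully Secure:/         { secure = $NF }
        END {
            if (!fam)                                  { print "none";      exit }
            if (conv == "Complete" && secure == "Yes") { print "complete";  exit }
            if (conv == "Complete")                    { print "partial";   exit }
            if (dir == "backward")                     { print "reverting"; exit }
            print "converting"
        }'
}

# ea_result: wrap the state in the <result> tags the JSS expects from an
# extension attribute script.
ea_result() {
    printf '<result>%s</result>\n' "$(fv2_state)"
}

# Constructed sample (placeholder UUIDs) resembling Lion's output for a
# volume that is still encrypting.
SAMPLE_CONVERTING='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes'

# Same volume after conversion has finished.
SAMPLE_COMPLETE=$(printf '%s\n' "$SAMPLE_CONVERTING" \
    | sed -e 's/\(Conversion Status: *\)Converting/\1Complete/' \
          -e 's/\(Conversion Direction: *\)forward/\1-none-/' \
          -e 's/\(Fully Secure: *\)No/\1Yes/')

case "${1:-}" in
    --sample)   # run the parser over the constructed samples
        printf '%s\n' "$SAMPLE_CONVERTING" | ea_result
        printf '%s\n' "$SAMPLE_COMPLETE"   | ea_result ;;
    *)          # real extension attribute run on a Mac
        if command -v diskutil >/dev/null 2>&1; then
            diskutil cs list 2>/dev/null | ea_result
        else
            printf '<result>unavailable</result>\n'
        fi ;;
esac
```

Run it with --sample to see both constructed states; without arguments it behaves as the extension attribute itself. Scoping a policy or smart group on anything other than "complete" is what catches the half-converted machines.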

jonscott
New Contributor

Thanks, Tim - that looks quite helpful...
I'm not sure what direction we'll end up taking yet, but Sophos is one of those being considered.