Encrypting Mac Laptops to Comply With Government Directives

© 2007 Lawrence I. Charters

Washington Apple Pi Journal, Vol. 29, no. 1, January-February 2007, pp. 8-9.

In response to the (temporary) loss of 26.5 million names and associated personally identifiable information (PII) last year, the Executive Office of the President, Office of Management and Budget (“OMB”), issued memorandum M-06-16 on June 23, 2006. It recommended that all executive departments and agencies encrypt all data on mobile computers and other devices unless the data was determined to be non-sensitive. Unfortunately, the memorandum also expects the Deputy Secretary (in other words, a subcabinet political appointee) to personally declare that a given device does not carry PII.

The idea of a senior political appointee personally sorting through the tens of thousands of laptops, keychain drives, external hard drives, USB mice with flash storage, and other mobile data devices, looking for PII, has a certain appeal — matching form and function to talent and ability. Sadly, that’s not going to happen; political appointees are too busy looking for more prestigious jobs.

Instead, in addition to introducing the silly-looking abbreviation PII into the technical vocabulary of security professionals, the edict essentially requires that all government laptops be encrypted, as it is easier to issue blanket requirements than it is to exercise proper personnel oversight and leadership. Many cabinet agencies extended this requirement to contractor machines as well. The memorandum triggered a massive purchasing spree at the end of the federal fiscal year 2006 and the start of the fiscal year 2007, as thousands of agencies and contractors attempted to encrypt hundreds of thousands of laptops, in the process probably destroying more data than they protected.

Windows Security for Macs?

Of course, most of this effort was focused on the Windows world, since the infamous lost laptop was running Windows and, in fact, most government laptops run Windows. Virtually all of the solutions purchased work with Windows only. So what is a Mac user supposed to do?

From the beginning, Macs really were not an issue. Mac OS X is far harder to break into than Windows, and Macs tend to be used more for creative functions (web design, Java programming, photography) and scientific purposes (gene processing, hazmat identification, astronomy) than personnel matters. And, of course, there is FileVault.

FileVault is one of those technologies that Apple built into Mac OS X, but doesn’t really talk about. It isn’t as sexy as iPhoto or iTunes, or as useful as Safari or Mail. FileVault, from a user’s point of view, does absolutely nothing, so it gets ignored. Yet FileVault, included with every copy of Mac OS X 10.3 and 10.4, is just the ticket for complying with the OMB M-06-16 memorandum. You don’t need to go out and buy anything extra; it is right there, waiting to be used. So how do you use it?

But First, A Word of Warning

If you are not a government laptop user, or a user of a government contractor laptop, you probably don’t need to read the rest of this article. Encryption, you see, is inherently bad. Stated another way, “encryption” means “scramble your data.” Everything else you do with a computer aims to save data to the hard drive and protect it from being scrambled; encryption sets out to deliberately scramble what is saved to the hard drive. The trick, of course, is scrambling it in such a way that you, and only you, can unscramble it.

Unless you do something silly, such as do your taxes on a laptop (a prime opportunity for identity theft if there ever was one), do not encrypt a Mac laptop. Password protect it with non-trivial passwords, install security updates, and take all the normal and standard security measures, but don’t encrypt the laptop. Don’t put personal or difficult-to-recover information on a laptop, either; compared to desktop machines, laptops are too fragile, too easily stolen, too likely to disappear. Keep personal, sensitive, or unique data on desktop computers, and use laptops as portable extensions of a desktop workstation.

Encryption inherently makes life more difficult. Looking specifically at encryption on a Mac:

  • FileVault encrypts all files in the user’s home directory, which poses problems for automated backup. FileVault stores the home directory as a single encrypted disk image file, so the operating system and any backup program see one large object rather than individual files. Accordingly, the mere act of logging in changes the timestamp on that one file and, since it is all one encrypted mass, simply logging in will cause the entire home directory to be backed up again. This will impose an immediate extra load on network backup services;
  • While modern computers are fast enough that FileVault’s encryption and decryption are not normally detectable by the user, this is not true of certain tasks. It is not recommended that sound and video recordings be stored in FileVault-encrypted directories, nor is it recommended that process control data be stored in encrypted directories;
  • FileVault is incompatible with data recovery utilities. Computer hard drives should be verified and found to be in perfect health before they are encrypted, and users should be reminded that computers are not archives;
  • Data recovery is also difficult if the user forgets their password. FileVault does have a “master password” facility that may be of use if that password is known. Accordingly, the “master password” should be closely held and stored in a secure place;
  • Data recovery is also difficult if the password is changed “behind Mac OS X’s back.” When a user logs in to Mac OS X, Open Directory handles the login. Open Directory may pass the credentials on to a directory service for confirmation, such as an LDAP service or a Windows domain controller; the result comes back to Open Directory, and the same login password is then used to unlock the encrypted data store. If a user changes a network login password on a desktop machine, they may find themselves locked out of their laptop if it shares the same login name and password, since the password the directory now accepts no longer matches the one used to encrypt the data store;
  • Similarly, if a network manager changes the login password from a central console, the password will not match that of the encrypted data store;
  • Encryption requires free disk space. As a general rule, the computer must have twice as much free disk space as the total amount of data to be encrypted. During the encryption process, Mac OS X copies all user files to an encrypted disk store, and then erases the original user files. While FileVault will not proceed without enough free disk space, freeing up room on a full drive may require considerable effort, and it cannot be automated.

In short, don’t encrypt a laptop unless you must. You are far better off storing sensitive information anywhere but a laptop. This is what OMB should have recommended. But it didn’t.

Now, getting back to the government’s encryption effort…

Recommended FileVault Preparation

Start with Mac OS X 10.4. While FileVault is included in Mac OS X 10.3, it is recommended that you upgrade to Mac OS X 10.4 before encrypting anything. There is extensive anecdotal evidence that FileVault is more stable and dependable under Mac OS X 10.4, so use that as your starting point. You should also ensure that Mac OS X 10.4 is fully updated; keep on making trips to System Preferences > Software Update and installing updates until nothing more is offered.

Start with a healthy disk drive. You also need to ensure that your hard drive is in good working order. Launch Disk Utility (in the Utilities folder), select the drive, and use the First Aid tab to Verify Disk. If any problems are found, correct them; don’t even think about trying to encrypt a hard drive that has errors.

Disk Utility Disk First Aid – Bad

This is bad. Encryption essentially scrambles everything in an organized manner, and if your disk is already scrambled in a disorganized manner, don’t even think of encrypting your drive; repair the disk first.

Disk Utility Disk First Aid – Good

This is good. If Disk First Aid doesn’t give your drive a spotless clean bill of health, do not even think of encrypting anything.

Start with adequate room on the drive. From the Finder, select your user directory (it looks like a house, and is named with your log-in name). From the File menu, select Get Info (or press Command-I). A window will appear that shows, among other things, the size of the directory. Depending on the amount of information the user has on the computer, this could take several minutes; the phrase “calculating size” will appear while the computer is conducting inventory. Then, from any Finder window, note the available space left on the drive. If you don’t have twice as much free space as space used by your user directory, you won’t be able to encrypt your disk; you will need to archive data to free up space.

Remove miscellaneous files. FileVault encrypts everything, even garbage, so it is a good idea to get rid of various cache files first.

  • Visit http://www.titanium.free.fr/ and download Maintenance (it is free).
  • Install Maintenance on the Desktop and launch it. You will be asked for an administrative password.
  • There are three panels in the Maintenance window. Uncheck everything in the top panel and the bottom panel, but leave everything in the middle panel checked. Then select Execute.
  • It can take quite a while for Maintenance to clean out cached files, so be patient. When it is done, you must reboot.
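The preparation steps above, gathered into a preflight script you can run from Terminal before touching the Security preference pane. This is an added example, not code from the original article or from Apple; it assumes the Mac OS X 10.4 command-line tools sw_vers, diskutil, du and df (diskutil verifyVolume is the command-line counterpart of the First Aid tab’s Verify Disk), and it applies the article’s own rule of thumb that free space must be at least twice the size of the home directory. The function names are the example’s own.

```shell
#!/bin/sh
# FileVault preflight checks for Mac OS X 10.4. Added example, not from the
# original article. Assumptions: sw_vers, diskutil, du and df behave as their
# 10.4 man pages describe; the "twice the home directory" rule is the
# article's rule of thumb, not an Apple requirement.

# Pure rule: free space must be at least 2x the home directory size.
# Args: home_kb free_kb. Returns 0 when there is enough room.
filevault_space_ok() {
    home_kb=$1
    free_kb=$2
    [ "$free_kb" -ge $((home_kb * 2)) ]
}

# Kilobytes that still have to be freed (0 when already sufficient).
filevault_space_shortfall_kb() {
    home_kb=$1
    free_kb=$2
    need=$((home_kb * 2))
    if [ "$free_kb" -ge "$need" ]; then
        echo 0
    else
        echo $((need - free_kb))
    fi
}

# Is a ProductVersion string such as "10.4.8" at least 10.4?
osx_is_at_least_10_4() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -s -d. -f2)
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "${minor:-0}" -ge 4 ]; }
}

# Live checks; only meaningful on a Mac, so guarded at the bottom.
filevault_preflight() {
    ver=$(sw_vers -productVersion)
    if osx_is_at_least_10_4 "$ver"; then
        echo "OK   Mac OS X $ver"
    else
        echo "STOP Mac OS X $ver: upgrade to 10.4 before encrypting"
        return 1
    fi

    # Verify (do not repair) the startup volume; any reported error is a stop.
    if diskutil verifyVolume / >/dev/null 2>&1; then
        echo "OK   Disk First Aid reports the startup volume is clean"
    else
        echo "STOP Disk First Aid found problems (or could not check the live volume); repair before encrypting"
        return 1
    fi

    # Home directory size and free space on the volume holding it, in KB.
    home_kb=$(du -sk "$HOME" 2>/dev/null | cut -f1)
    free_kb=$(df -k "$HOME" | awk 'NR == 2 { print $4 }')
    if filevault_space_ok "$home_kb" "$free_kb"; then
        echo "OK   home=${home_kb}KB free=${free_kb}KB"
    else
        short=$(filevault_space_shortfall_kb "$home_kb" "$free_kb")
        echo "STOP free up at least ${short}KB (need twice the home directory size)"
        return 1
    fi
}

# Run the live checks only where the Mac tools exist; elsewhere the
# functions are merely defined.
if command -v diskutil >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    filevault_preflight
fi
```

Run it as the user whose home directory is about to be encrypted; every STOP line maps to one of the preparation steps above. If diskutil refuses to verify the live startup volume, boot from the Mac OS X install disc and run Disk Utility from there before going any further.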

Enabling FileVault

Make sure the computer is plugged into power and can be left alone for an extended period of time. Encryption can take minutes or hours, depending on a number of factors.

Log in to the computer, select System Preferences, and select Security.

Mac OS X 10.4 Security preference pane

Set the Master Password. The Master Password should be a lengthy (at least 12 characters) password that you never use for any other purpose. Once you’ve entered it, write it down on a piece of paper, seal it in an envelope, and put it in a safe or another secure area. The Master Password is used for the recovery of your encrypted information in case you ever manage to forget your log-in password.

Turn on FileVault. You will be prompted for your normal user password (not the Master Password).

FileVault will display a warning that it is about to be turned on. Note the checkbox for Secure Erase. Check this box if the computer holds sensitive data whose unencrypted originals must be securely erased once they have been copied into the encrypted store; otherwise, leave it unchecked. Checking this box extends the encryption process to at least eight times its normal span.

FileVault warning. Make sure you read and understand everything in the warning prompt before turning on FileVault. Otherwise, this will be the last time you ever see anything on your computer.

If you did not properly calculate the amount of space required, FileVault will stop and ask you to free up space.

FileVault will complain if there is not enough space. Note the rather fanciful calculation of requiring another 4 terabytes of space; in reality, this laptop needed another five gigabytes of space.

Once encryption is started, a progress bar is displayed along with an estimate of the time the process might take.

Progress bar showing estimated time remaining to encrypt the user directory. The laptop must be plugged in with adequate power for the entire process; a loss of power would be Very Bad.

If you accidentally touch a key, you might stop the process, which will delay the job. Make sure the machine can be left alone, plugged into power, for several hours (in some cases).

Once the encryption process is finished, the machine will be left at a login screen. Have the user log into the machine and confirm it is encrypted. The login process will take a few extra seconds (as will log out) once the machine is encrypted.
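One way to do the “confirm it is encrypted” step from Terminal, as an added example that is not part of the original article: on Mac OS X 10.4 a FileVault-protected home directory is an encrypted sparse disk image that the system attaches at login and mounts at the user’s home path, so mount(8) should list a separate /dev/ device “on /Users/<name>”. That behaviour is the example’s assumption, and the two sample mount listings (with the user name alice) are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Check, from mount(8) output, whether a separate device is mounted at the
# user's home path. Added example; assumes Mac OS X 10.4 mounts the FileVault
# sparse image at $HOME after login. Sample listings below are constructed.

# Args: $1 = home path, $2 = text of a mount(8) listing.
# Returns 0 if some /dev/ device is mounted exactly at $1, else 1.
filevault_home_active() {
    printf '%s\n' "$2" | awk -v h="$1" '
        $1 ~ /^\/dev\// && $2 == "on" && $3 == h { found = 1 }
        END { exit !found }'
}

# Constructed sample: FileVault home mounted from a second device.
SAMPLE_MOUNT_FILEVAULT='/dev/disk0s2 on / (local, journaled)
devfs on /dev (local)
/dev/disk1s2 on /Users/alice (local, nodev, nosuid, journaled, mounted by alice)'

# Constructed sample: plain, unencrypted home on the startup volume.
SAMPLE_MOUNT_PLAIN='/dev/disk0s2 on / (local, journaled)
devfs on /dev (local)'

# Live check on a Mac only; elsewhere the function is just defined.
if [ "$(uname)" = Darwin ]; then
    if filevault_home_active "$HOME" "$(mount)"; then
        echo "A separate volume is mounted at $HOME: the FileVault home is active"
    else
        echo "No separate volume at $HOME: FileVault is not protecting this home"
    fi
fi
```

Run it while logged in as the user in question; before login, or for a user without FileVault, the home path is an ordinary folder on the startup volume and the check reports no separate volume.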

Routine Use with FileVault

Aside from taking slightly longer to log in and out, using a Mac with FileVault is transparent; a user is unlikely to notice a difference. One exception to this rule: video editing. If you use a laptop for video capture, you may have trouble saving a video stream to an encrypted disk drive.

At log out, if the user has deleted a large volume of information, they may see an offer from FileVault to reclaim the unused space in the encrypted home directory. Be sure to answer this question, and do not interfere with the process; killing the power instead of answering the question can be bad. Very bad.

If you see this question, answer it. Don’t try and kill the power or something similarly silly, or you may never see your data again.