Archive for the ‘Encryption’ Category

During the past few months rumors [1] about Apples final release date for OS X 10.7, aka Lion [2] have been going on. One of the latest estimation of arrivals was referring to July 14 th 2011. Time to get your gear together so once the OS is available you can move on as painless as possible.  Normally you would not care much about preparation but recent upgrades in combination with PGP’s whole Disk encryption (WDE) [3], now owned by Symantec, scared Apple’s Pantherinae family a hell out of the Master Boot Record (MBR) [4]. People also looking forward to use Lion’s new built in WDE solution but to get there they have to migrate  somehow without pitfalling into the MBR chopping down.

This migration might become challenging for enterprise deployments when people are using different versions of PGP Desktop full disk encryption (WDE). Key requirements for a successful update/migration consist of, which solution is actually the most secure one (confidentiality), the best process (manageability) in conjunction with the amount of time (achievability) spent.

Facts to be considered for discussing possible solutions:

  • Mac OS X Lion 10.7 pre- requires an up to date OS X Snow Leopard [5] 10.6.8:

Best recommendation for OS X updates in general is to keep the system most up to date before applying a newer version. Before applying OS X 10.7  you are also advised to update to OS X 10.6.8. From the changelog [6] of OS X 10.6.8 “Enhancements to the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion.”

  • OS X 10.7 is yet only announced to be available through the app-store:

Snow Leopard’s first mayor release could be upgraded in iterations through the built in update function or by a download link from a Apple support page. The major release was introduced by providing an Original retail DVD. However OS X Lion will only be available as a download from the Mac App Store. Therefore older versions of OS X which doesn’t support the Mac App Store have first to be upgraded to Mac OS X Snow Leopard 10.6.8.
Update 22/07/2011: See https://marienfeldt.wordpress.com/2011/07/22/backup-os-x-10-7-lion-to-dvd/ for how to create a Lion DVD.

  • A change of the encryption solution demands for the removal of the former  WDE installation:

Removing WDE solutions should consist of first decrypting the encrypted media storage and then secondly fully uninstall the WDE application. This have to be done in exact order otherwise you will end up with an encrypted media which you can’t access any longer. It is also important to make sure the actual application is cleanly removed from your system and no leftovers are available. Having parts of the application left can conflict with the new solution, especially if the conflict appears in your Master Boot Record (MBR) .

  • Removing PGP Desktop’s encryption can be managed by running the decryption in the background but depending on the storage media size it can be very time consuming and weakens data confidentiality throughout the decryption process:

As you can run the decryption for PGP Desktop WDE in the background, the time it takes to get the job done really depends on what other system processes are running in parallel. The storage size of the hard drive is obviously heavily influencing the amount of time spent. Latest MacBook Pro Standard Hard disk 320 GB decryption will take between 8 and 12 hours depending on your run environment. During the decryption process the system weakens the data security in respect of how much of the storage media is still encrypted and therefore protected. Until the decryption is finished and the new WDE encryption is applied with full disk encryption in place the system is not secured any longer.

  • Compatibility between OS X and PGP Desktop WDE :

Not only once but several times problems have been reported by PGP Desktop users on various different OS X platforms. Some of the users could recover their systems some been actually forced into a rebuilt. Sadly this recently happened again with the rollout of OS 10.6.8 with some variants of PGP Desktops lower than 10.1.1. Because of the nature of the compatibility issue it’s impossible to predict which version works with what and therefore time consuming tests are necessary. PGP Desktop older than the supported and reportedly successfull working version, should be upgraded before applying the OS X update. e.g. OS X 10.6.8.

  • Deployment testing is necessary to ensure the impact to users is as low as possible and the involved risks are kept to an acceptable minimum:

Although its hard to cover all aspects of tests some of them are actually happened just by accident and helped to improve the strategy for new test scenarios:

 Test Description  Results  Key requirements
OS X 10.6.7 / PGP WDE 10.1.1: Not really a test for an update/migration –  more an attempt to increase hard disk storage size from 320 GB to 1 TB. Decryption of WDE and attempt to remove PGP Desktop Application. Even after decryption and full removal of PGP the hard disk storage size could not be increased. Enabling verbose mode during boot up showed still pgp copyright messages. The MBR had to be repaired to increase disk size successfully. Confidentiality: Not focusing on.
Manageability: The process is not straight forward
Achieveability: PGP has leftovers after removal which could break a OS X Lion update and/or Lion encryption. Factor time was not a criteria.
OS X 10.6.7 / PGP WDE 10.1.1 -> OS X 10.6.8 upgrade : Actual upgrade test. No PGP decryption and no PGP WDE application removed. OS X 10.6.8 could be applied. Ended up with error “Installation failed”. One test unit reported no problems with this test. Confidentiality: No risk.
Manageability: The process is easy to handle.
Achieveability: The installation was reported as failed. Unreliable upgrade path. The applied 10.6.8 update reported as failed, quite likely break the Lion update.
OS X 10.6.7 / PGP WDE 10.1.1 -> OS X 10.6.8 upgrade : Actual upgrade test. PGP decryption and PGP WDE application removed. OS X 10.6.8 could be applied successfully. Confidentiality: Medium Data exposure risk during process.
Manageability: The process is easy to handle.
Achieveability: Possible option but very time consuming.
OS X 10.6.7 / PGP WDE 10.0.2 -> OS X 10.6.8 upgrade: Actual upgrade test. No PGP decryption and no PGP WDE application removed. Renders PGP Desktops EFI/MBR Authentication useless. Confidentiality: Secure full lost of data in the worst case.
Manageability: The process is easy to apply.
Achieveability: The system needs to be repaired. In the worst case full lost of data and OS.
OS X 10.6.7 / PGP WDE 10.1.0 -> OS X 10.6.8 upgrade : Actual upgrade test. No PGP decryption and no PGP WDE application removed. Renders PGP Desktops EFI/MBR Authentication useless. Confidentiality: Secure full lost of data in the worst case.
Manageability: The process is easy to apply.
Achieveability: The system needs to be repaired. In the worst case full lost of data and OS.
OS X 10.6.8 / PGP WDE 10.1.0 -> OS X Lion beta upgrade : Actual upgrade test. PGP decryption and PGP WDE application removed. Successful update to Lion Confidentiality: Medium Data exposure risk during process.
Manageability: The process is easy to apply.
Achieveability: Possible option but very time consuming.

Conclusions:

  • The OS X 10.6.8 update with PGP WDE < version 10.1.1 will break the OS X update. A recovery procedure [7] is available but not confirmed to be working with all variations of PGP WDE.
  • PGP WDE with decrypted data storage and removed application still keeps some leftover. E.g. copyright notes during bootup (verbose mode). There is a risk that Lion’s disk encryption will not work properly.
  • If PGP WDE is in use, the safest way to update to OS X 10.6.8 and Lion beta is by getting rid of PGP WDE
  • Updating to Lion 10.7 and carrying over PGP WDE is non of an option. The risk is far to high that either the migration fails or any future update will create again software conflicts.
  • The risk of data lost during the update should not be underestimated and a backup is highly recommended.
  • People should consider risk management for data confidentiality when they deal with the decryption.

Update requirements apply for all possible solutions:

  • 2GB RAM, Intel processor that is at least a Core 2 duo, i3, i5, i7, or Xeon.
  • Applied OS X 10.6.8 update

Possible update solutions for Lion preparation:

  1. For OS X 10.6.7 with PGP 10.1.1 -> apply 10.6.8 update
  2. For OS X 10.6.7 with PGP < 10.1.1 -> Decrypt WDE and uninstall PGP Desktop, repair MBR using Snow Leopard Live CD, apply 10.6.8 update. Install PGP Desktop and encrypt hard drive.

Possible solutions for Lion update:

  1. For OS X 10.6.8 -> apply Lion upgrade
  2. For OS X 10.6.8 with PGP WDE, decrypt hard disk, uninstall PGP WDE, repair MBR using Snow Leopard Live CD, apply OS X Lion 10.7
  3. Backup User data. Built a OS X 10.6.8 from scratch, update to Lion, if necessary clone it across your enterprise deployment. Apply individually Lions WDE and recover data from (individual) backups.

Migrated to Lion:

  1. Enable Lion’s Full Disk encryption
  2. Do not send the Encryption key to Apple ;-)

Which ever solution you prefer, I strongly recommend always using  backups. Physical security is very important if your Time Machine backup is not setup for solutions like truecrypt. Lion is supposed to allow Time Machine using an encrypted container. We will have to see if this is also supported through the full restore procedure but it sounds promising.

Appendix:

[1] Lion update rumor
http://www.computerworld.com/s/article/9218158/How_to_prep_your_Mac_for_Lion or http://tinyurl.com/3wsvjt3

[2] OS X Lion 10.7:
https://secure.wikimedia.org/wikipedia/en/wiki/Mac_OS_X_Lion or http://tinyurl.com/6jl8akl

[3] Disk Encryption:
https://secure.wikimedia.org/wikipedia/en/wiki/Disk_encryption or http://tinyurl.com/6xte86a

[4] Master Boot Record:
https://secure.wikimedia.org/wikipedia/en/wiki/Master_boot_record or http://tinyurl.com/6x8ntll

[5] OS X 10.6 Snow Leopard:
https://secure.wikimedia.org/wikipedia/en/wiki/Mac_OS_X_Snow_Leopard or http://tinyurl.com/64u7emm

[6] About the OS X 10.6.8 Update
http://support.apple.com/kb/HT4561 or http://tinyurl.com/6lx43wv

[7] PGP Whole Disk Encryption Recovery
https://supportimg.pgp.com/guides/Tech_Note_PGP_WDE_Recovering_Data_Mac_OS_X.pdf or http://tinyurl.com/26bb4jo