[–] jammi ago  (edited ago)

iOS devices (iPhone, iPad) do it automatically since iOS 8. OS X has had that feature standard for a very long time; just go to System Preferences ➔ Security & Privacy ➔ FileVault ➔ Turn On FileVault...

[–] e0steven ago 

Note that older versions of FileVault (legacy now) only encrypt the user's volume, not the whole disk.

[–] jammi 0 points 1 point (+1|-0) ago  (edited ago)

That was like more than a decade ago, which in OS X adoption time is like someone mentioning some Windows 3.1 or 95 limitation in a Windows context. But yeah, the first version of FileVault encrypted the home directory as an encrypted disk image volume.

[–] kekonn ago 

The best known solutions for this are BitLocker and TrueCrypt's total volume/drive encryption.

[–] zeitsieben ago 

At my work, directors use Symantec Full Disk Encryption. The OS itself is encrypted, but not the bootloader so, theoretically, you can at least read what's going on under the table (I have no idea how one would do that). There's a master key in the administration system, so if someone knows it, they have the keys to the kingdom and can modify every single computer that uses it that's inserted in the domain.

The laptops run VERY slowly; 5400RPM hard drives are virtually unusable if you want to do anything (I'm talking about 7+ minutes boot time). Trust me, you need an SSD to run that. Also, they're prone to bootloader corruption, and if that happens, we decrypt it with the master key and a software called BartPE. After decrypting, the OS always corrupted itself somehow and I don't know if that's intended (well, must be), so you have to use that program to copy whatever data you have in the hard drive to an external storage. It's a necessary evil to us.

[–] e0steven ago 

Or maybe the Symantec product is crap? Their antivirus is horrendous.

[–] zeitsieben ago  (edited ago)

Well, I wouldn't say that. Their antivirus provides us with a centralized administration console in which the security guys can put all kinds of rules. I'm pretty sure there are better solutions out there, or ones that do the same thing/have more functions that cost less than it. In the corporate world, you essentially need to put the blame on someone if things go awry and as far as I know, their support was top notch and the new vulnerabilities that appear on our networks are dealt with swiftly due to the policy updates.

[–] examors ago 

Yes, I do exactly this, using Linux with dm-crypt. I don't even notice the performance hit, but I don't do anything requiring heavy disk access.

[–] e0steven ago 

Yes, another good alternative for Linux. On Windows I recommend TrueCrypt or BitLocker.

[–] e0steven ago 

Alright as someone who actually uses whole disk encryption and has for years for HIPAA, here is my experience.

I've used TrueCrypt for a long long time, it's been vetted and found to be essentially unbreakable if you use a strong pass phrase. It will do exactly as you envision, it prompts you every time you boot and the disk itself will not work without that key. Next up we have, on newer machines, BitLocker. We have, again, whole disk encryption and this time the key is actually kept for us. If the drive is removed it won't be mountable. You can read much more of how BitLocker works by googling it. Finally there is speed, ok there is a speed cost. However even on a very low spec laptop it was virtually unnoticeable. So in short, rock on your encryption.

As always please please please please make sure you keep your keys safe, both from people stealing them and just from loss. This encryption means your data is basically totally lost without that key. TrueCrypt will make you, or at least prompt you, to make a recovery disk. BitLocker will print you a copy of your key. Keep them safe.

[–] [deleted] ago 

[Deleted]

[–] e0steven 0 points 1 point (+1|-0) ago 

First off, cool your mom lets you use her super secure laptop lol. Secondly, it's probably not the whole disk crypto. It's probably overzealous antivirus.

[–] [deleted] ago 

[Deleted]

[–] MrMongoose 0 points 1 point (+1|-0) ago 

You can use hardware encryption, where a device sits between the computer and the drive and does all of the encryption on the fly. The drive is unreadable without the encryption device/key. However, AFAIK, all those systems use hardware keys and not passwords.

[–] Craftkorb ago 

Aaand there's the trust issue. Why should I trust that device that it does the job correctly? Without unintentional or maliciously introduced crypto bugs bogging security?

[–] MrMongoose ago 

Well, you can always apply whatever additional software encryption you want underneath it. It's just one more layer of security.

[–] ffs 0 points 1 point (+1|-0) ago 

Because it's hopefully open source and audited.

[–] ImSureImPerfect [S] ago 

Hm. I'll have to read more about that. I'm fascinated by the idea.

If you install hardware encryption, the hardware key is...what...a physical, literal key of some sort? A piece of tech you slot in?

[–] MrMongoose 0 points 1 point (+1|-0) ago 

Yep. Usually a small dongle. There may be other variations, though. Search for the Addonics Saturn series - that's what I ended up with.

[–] e0steven 0 points 1 point (+1|-0) ago 

AFAIK hardly anyone uses these devices. If you need small portable enterprise encrypted USB check out IronKey. I've been using encryption for years across all different health systems, never once saw something like that.

[–] Ninbyo 0 points 1 point (+1|-0) ago 

It's usually a card or device you plug in. Your phone's SIM card for example. A physical key might be used to prevent you from messing with the hardware in addition to it.

[–] xyzzy 2 points 1 point (+3|-2) ago 

Full disk encryption is possible, but very bad for the performance.

Technically not everything is encrypted, the bootloader which asks for your passphrase and decrypts the filesystem is not.

[–] brojobbro ago 

> Full disk encryption is possible, but very bad for the performance.

No it's not. Not even a little. It takes longer for me to type in the password than it does to decrypt it. As for performance of my computer once it's decrypted, I can't tell a difference.

[–] [deleted] ago 

[Deleted]

[–] ImSureImPerfect [S] ago 

So the bootloader is a potential vulnerable spot then? Interesting.

When you say bad for performance, do you mean it's not encrypted well enough? Or that it slows down the PC? What kind of bad are we looking at?

[–] NinjaKitteh ago 

You could have your /boot on a USB-stick, that way you can be sure it has not been tampered with.

[–] Fuckery 0 points 2 points (+2|-0) ago 

Even with perfect full disk encryption there is this. For absolutely perfect protection, you are going to have to rig a thermite charge with a battery backup and auto ignition criteria.

[–] xyzzy 0 points 2 points (+2|-0) ago 

> So the bootloader is a potential vulnerable spot then?

I wouldn't say it's vulnerable, but readable.

> When you say bad for performance, do you mean it's not encrypted well enough? Or that it slows down the PC? What kind of bad are we looking at?

It slows down. Since every file read from disk has to be decrypted and only part of them remain cached in the RAM. So reading from disk is slow and uses CPU power.

[–] e0steven 0 points 4 points (+4|-0) ago 

I don't think that is the case at all and I doubt you've ever actually used it.

[–] qiezidaifu 0 points 1 point (+1|-0) ago 

Well then state why that's not the case, no need for chirping.

[–] Craftkorb 0 points 6 points (+6|-0) ago 

> but very bad for the performance.

I call bullshit. I have a Lenovo Thinkpad X201, which has an i5 520M as CPU and thus supports AES extension. An SSD is used as storage. Not the fastest one ever, still: 150MiB/s reading without encryption, ~125MiB/s with full disk encryption. I don't notice a thing whatever I do with it.
