Cryptography, Encryption, OS X

Apple OS X 10.7 Lion upgrade with PGP Desktop encryption

Over the past few months there have been rumors [1] about Apple’s final release date for OS X 10.7, aka Lion [2]. One of the latest estimates pointed to July 14th 2011. Time to get your gear together so that, once the OS is available, you can move on as painlessly as possible. Normally you would not care much about preparation, but recent upgrades in combination with PGP’s Whole Disk Encryption (WDE) [3], now owned by Symantec, scared the hell out of the Master Boot Record (MBR) [4] on Apple’s Pantherinae family. People are also looking forward to using Lion’s new built-in WDE solution, but to get there they have to migrate somehow without falling into the MBR pitfall.

This migration might become challenging for enterprise deployments where people are using different versions of PGP Desktop whole disk encryption (WDE). The key requirements for a successful update/migration are: which solution is actually the most secure one (confidentiality), which process is the best (manageability), and how much time has to be spent (achievability).

Facts to be considered for discussing possible solutions:

  • Mac OS X Lion 10.7 requires an up-to-date OS X Snow Leopard [5] 10.6.8:

The best recommendation for OS X updates in general is to bring the system fully up to date before applying a newer version. Before applying OS X 10.7 you are also advised to update to OS X 10.6.8. From the changelog [6] of OS X 10.6.8: “Enhancements to the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion.”

  • OS X 10.7 has so far only been announced as available through the App Store:

Snow Leopard’s first major release could be upgraded in iterations through the built-in update function or via a download link from an Apple support page. The major release itself was introduced on an original retail DVD. OS X Lion, however, will only be available as a download from the Mac App Store. Older versions of OS X that don’t support the Mac App Store therefore first have to be upgraded to Mac OS X Snow Leopard 10.6.8.
Update 22/07/2011: See https://marienfeldt.wordpress.com/2011/07/22/backup-os-x-10-7-lion-to-dvd/ for how to create a Lion DVD.

  • A change of the encryption solution requires the removal of the former WDE installation:

Removing a WDE solution should consist of first decrypting the encrypted storage media and only then fully uninstalling the WDE application. This has to be done in exactly this order, otherwise you will end up with encrypted media which you can’t access any longer. It is also important to make sure the application is cleanly removed from your system and no leftovers remain. Leftover parts of the application can conflict with the new solution, especially if the conflict appears in your Master Boot Record (MBR).

  • Removing PGP Desktop’s encryption can be managed by running the decryption in the background, but depending on the storage media size it can be very time consuming, and it weakens data confidentiality throughout the decryption process:

Because the decryption for PGP Desktop WDE can run in the background, the time it takes to get the job done depends on what other system processes are running in parallel. The storage size of the hard drive obviously has a heavy influence on the time spent. Decrypting the standard 320 GB hard disk of the latest MacBook Pro will take between 8 and 12 hours, depending on your run environment. During the decryption process data security weakens in line with how much of the storage media is still encrypted and therefore protected. Until the decryption is finished and the new WDE is applied, with full disk encryption in place, the system is no longer secured.

  • Compatibility between OS X and PGP Desktop WDE:

Not just once but several times, problems have been reported by PGP Desktop users on various OS X platforms. Some users could recover their systems; some were actually forced into a rebuild. Sadly this recently happened again with the rollout of OS X 10.6.8 with some variants of PGP Desktop lower than 10.1.1. Because of the nature of the compatibility issue it is impossible to predict which version works with what, and therefore time-consuming tests are necessary. PGP Desktop versions older than the supported and reportedly successfully working version should be upgraded before applying the OS X update, e.g. OS X 10.6.8.

  • Deployment testing is necessary to ensure the impact on users is as low as possible and the involved risks are kept to an acceptable minimum:

Although it’s hard to cover all aspects of testing, some of the tests actually happened just by accident and helped to improve the strategy for new test scenarios:

| Test description | Results | Key requirements |
|---|---|---|
| OS X 10.6.7 / PGP WDE 10.1.1: Not really a test for an update/migration, more an attempt to increase hard disk storage size from 320 GB to 1 TB. Decryption of WDE and attempt to remove the PGP Desktop application. | Even after decryption and full removal of PGP the hard disk storage size could not be increased. Enabling verbose mode during boot-up still showed PGP copyright messages. The MBR had to be repaired to increase the disk size successfully. | Confidentiality: Not in focus. Manageability: The process is not straightforward. Achievability: PGP has leftovers after removal which could break an OS X Lion update and/or Lion encryption. Time was not a criterion. |
| OS X 10.6.7 / PGP WDE 10.1.1 -> OS X 10.6.8 upgrade: Actual upgrade test. No PGP decryption and no PGP WDE application removed. | OS X 10.6.8 could be applied. Ended up with error “Installation failed”. One test unit reported no problems with this test. | Confidentiality: No risk. Manageability: The process is easy to handle. Achievability: The installation was reported as failed. Unreliable upgrade path. The applied 10.6.8 update, reported as failed, will quite likely break the Lion update. |
| OS X 10.6.7 / PGP WDE 10.1.1 -> OS X 10.6.8 upgrade: Actual upgrade test. PGP decryption and PGP WDE application removed. | OS X 10.6.8 could be applied successfully. | Confidentiality: Medium data exposure risk during the process. Manageability: The process is easy to handle. Achievability: Possible option but very time consuming. |
| OS X 10.6.7 / PGP WDE 10.0.2 -> OS X 10.6.8 upgrade: Actual upgrade test. No PGP decryption and no PGP WDE application removed. | Renders PGP Desktop’s EFI/MBR authentication useless. | Confidentiality: Secure; full loss of data in the worst case. Manageability: The process is easy to apply. Achievability: The system needs to be repaired. In the worst case full loss of data and OS. |
| OS X 10.6.7 / PGP WDE 10.1.0 -> OS X 10.6.8 upgrade: Actual upgrade test. No PGP decryption and no PGP WDE application removed. | Renders PGP Desktop’s EFI/MBR authentication useless. | Confidentiality: Secure; full loss of data in the worst case. Manageability: The process is easy to apply. Achievability: The system needs to be repaired. In the worst case full loss of data and OS. |
| OS X 10.6.8 / PGP WDE 10.1.0 -> OS X Lion beta upgrade: Actual upgrade test. PGP decryption and PGP WDE application removed. | Successful update to Lion. | Confidentiality: Medium data exposure risk during the process. Manageability: The process is easy to apply. Achievability: Possible option but very time consuming. |

Conclusions:

  • Applying the OS X 10.6.8 update with PGP WDE older than version 10.1.1 will break the OS X update. A recovery procedure [7] is available but not confirmed to work with all variations of PGP WDE.
  • Even with the data storage decrypted and the application removed, PGP WDE still leaves some leftovers behind, e.g. copyright notes during boot-up (verbose mode). There is a risk that Lion’s disk encryption will not work properly.
  • If PGP WDE is in use, the safest way to update to OS X 10.6.8 and Lion beta is to get rid of PGP WDE.
  • Updating to Lion 10.7 and carrying over PGP WDE is not an option. The risk is far too high that either the migration fails or a future update again creates software conflicts.
  • The risk of data loss during the update should not be underestimated, and a backup is highly recommended.
  • People should consider risk management for data confidentiality when they deal with the decryption.

Update requirements that apply to all possible solutions:

  • 2 GB RAM and an Intel processor that is at least a Core 2 Duo, i3, i5, i7, or Xeon.
  • Applied OS X 10.6.8 update

Possible update solutions for Lion preparation:

  1. For OS X 10.6.7 with PGP 10.1.1 -> apply 10.6.8 update
  2. For OS X 10.6.7 with PGP < 10.1.1 -> Decrypt WDE and uninstall PGP Desktop, repair MBR using Snow Leopard Live CD, apply 10.6.8 update. Install PGP Desktop and encrypt hard drive.

Possible solutions for Lion update:

  1. For OS X 10.6.8 -> apply Lion upgrade
  2. For OS X 10.6.8 with PGP WDE, decrypt hard disk, uninstall PGP WDE, repair MBR using Snow Leopard Live CD, apply OS X Lion 10.7
  3. Back up user data. Build an OS X 10.6.8 system from scratch, update it to Lion and, if necessary, clone it across your enterprise deployment. Apply Lion’s WDE individually and recover data from (individual) backups.
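
The two decision lists above, expressed as a fleet triage helper (an added example, not part of the original post). It assumes an inventory of `host os_version pgp_version` lines; the function names, output labels and sample hosts are made up here, any OS older than 10.6.8 is treated like 10.6.7, and PGP versions above 10.1.1 are flagged for testing because the post did not test them.

```sh
# Added example (not from the post): fleet triage for the upgrade paths above.
# ver_lt A B: succeed when dotted version A is strictly lower than B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# upgrade_path OS_VER PGP_VER: PGP_VER is "none" when PGP WDE is not installed.
upgrade_path() {
    os=$1 pgp=$2
    if ver_lt "$os" 10.6.8; then            # preparation: reach 10.6.8 first
        if [ "$pgp" = none ] || [ "$pgp" = 10.1.1 ]; then
            echo APPLY_10.6.8
        elif ver_lt "$pgp" 10.1.1; then     # afterwards reinstall PGP, re-encrypt
            echo DECRYPT_UNINSTALL_REPAIR_MBR_THEN_10.6.8
        else                                # assumption: newer PGP is untested
            echo TEST_FIRST
        fi
    elif [ "$os" = 10.6.8 ]; then           # Lion step
        if [ "$pgp" = none ]; then echo APPLY_LION
        else echo DECRYPT_UNINSTALL_REPAIR_MBR_THEN_LION; fi
    else                                    # 10.7 or later: outside the lists
        echo NOT_COVERED
    fi
}

# triage: read "host os_version pgp_version" lines, print "host path".
triage() {
    while read -r host os_ver pgp_ver; do
        case $host in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$host" "$(upgrade_path "$os_ver" "$pgp_ver")"
    done
}

# Constructed sample inventory; hosts and versions are illustrative.
sample_inventory() {
    printf '%s\n' 'mac-01 10.6.7 10.1.1' 'mac-02 10.6.7 10.0.2' \
                  'mac-03 10.6.8 10.1.0' 'mac-04 10.6.8 none'
}

sample_inventory | triage
```

Every machine that lands on a decrypt path spends the decryption window unprotected, so those hosts are the ones to schedule backups and physical custody for first.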

Migrated to Lion:

  1. Enable Lion’s Full Disk encryption
  2. Do not send the encryption key to Apple 😉

Whichever solution you prefer, I strongly recommend always using backups. Physical security is very important if your Time Machine backup is not set up with a solution like TrueCrypt. Lion is supposed to allow Time Machine to use an encrypted container. We will have to see whether this is also supported through the full restore procedure, but it sounds promising.

Appendix:

[1] Lion update rumor:
http://www.computerworld.com/s/article/9218158/How_to_prep_your_Mac_for_Lion or http://tinyurl.com/3wsvjt3

[2] OS X Lion 10.7:
https://secure.wikimedia.org/wikipedia/en/wiki/Mac_OS_X_Lion or http://tinyurl.com/6jl8akl

[3] Disk Encryption:
https://secure.wikimedia.org/wikipedia/en/wiki/Disk_encryption or http://tinyurl.com/6xte86a

[4] Master Boot Record:
https://secure.wikimedia.org/wikipedia/en/wiki/Master_boot_record or http://tinyurl.com/6x8ntll

[5] OS X 10.6 Snow Leopard:
https://secure.wikimedia.org/wikipedia/en/wiki/Mac_OS_X_Snow_Leopard or http://tinyurl.com/64u7emm

[6] About the OS X 10.6.8 Update:
http://support.apple.com/kb/HT4561 or http://tinyurl.com/6lx43wv

[7] PGP Whole Disk Encryption Recovery:
https://supportimg.pgp.com/guides/Tech_Note_PGP_WDE_Recovering_Data_Mac_OS_X.pdf or http://tinyurl.com/26bb4jo

8 thoughts on “Apple OS X 10.7 Lion upgrade with PGP Desktop encryption”

  1. Has anyone found indications whether Apple will be offering enterprise management capabilities for WDE? One of the big benefits of PGP WDE is the ability to register a client with the Universal Server, which gives the option of recovery keys as well as an audit trail as the encryption status of the device is reported back regularly. Very useful for risk analysis in the case of a stolen device. Unless Apple can provide that, I can see a lot of organizations being hard pressed to justify the move to Lion’s native encryption despite the purported performance improvements and zero additional cost.

    1. I’d like to see Lion’s WDE (final) first in place. See what we actually get. I still haven’t found what I was looking for. Thanks🙂

  2. Be Advised:
    Symantec PGP 10.2.0 build 1672 when simply installed on OS X 10.7.2 will destroy (remove) the Lion “Recovery HD” partition on your Mac. The steps to restore this partition are painful at best.

    Here’s what I did:

    1. Boot Mac into Recovery Mode (CMD + R)

    2. Wait for Internet Recovery to launch … … … …

    3. Attach an external hard drive large enough with enough free space to hold all the data on your boot partition

    4. Launch Disk Utility

    5. Select your boot partition (probably called “Macintosh HD”)

    6. Select “New Image” from the Toolbar and save this image to your external hard drive (I recommend you save it out as READ ONLY and not compressed as performing compression cooks your computer and takes longer) — this will take awhile … … … …

    7. Once your recovery image has been saved, select your hard drive, then click on Partition and remove, then add a new partition (using defaults). You’ll need to rename it back to “Macintosh HD” — ( removing and creating a new partition may not be required, but for sake of cleanness, it is what I did )

    8. Close Disk Utility then select “Reinstall Mac OS X”, follow the steps, this will take awhile … … … …

    9. Your system will reboot. Go through the motions until you get to a point where you can cleanly reboot, then reboot and enter into Recovery Mode again (CMD + R) — this should load very quickly as the reinstall restored your Recovery HD

    10. Once again, once you’re presented with the recovery menu, select Disk Utility

    11. Select your boot partition (probably called “Macintosh HD”), then select Restore

    12. You’ll have two fields, Source and Destination. For source, click on the “image” button and choose the image file you created under step 6 above. When mounting the image file, disk utility may attempt to verify the image, you may skip or stop that if you like as it will take a long time (or you may let it run if time isn’t an issue). Simply drag your boot partition from the left column into the destination field, and select “restore” — this will take awhile … … … …

    It took hours to backup and restore everything. I should note that before I created my recovery image I ran disk utility’s “First Aid” on my boot partition. First ran “Repair Disk” then “Repair Disk Permissions” — this is to ensure you get a clean image. Additionally, before I entered into recovery mode, I uninstalled Symantec PGP ( this may not be necessary, however, if you ever find yourself needing to reinstall Symantec PGP, you will be faced with performing these steps again — in the meantime, I’m looking for an alternative to encrypt my external drives )

    Once the image has been restored, I run disk utility’s “First Aid” again (“Repair Disk” and “Repair Disk Permissions”) on my newly restored boot partition just to make sure all is good.

    Hope this helps.

    1. I need to make a few caveats:

      1. You don’t need to use sudo when doing this
      2. You cannot move (mv) multiple directories at a time. You need to do each one separately and then cd (change directory) to where you moved PGPwde.kext in order to move again.
      3. I wasn’t able to delete kernelcache in the last step, but it still worked.

    2. Yet another caveat:

      I could not do this:

      sudo mv PGPwde.kext /Users/Shared/ (after this command, input your OS X password in the password prompt)

      Instead, I moved the file to the root directory and continued the procedure. After the computer booted (yes it still worked!) I moved the file from the root directory into Users/Shared.
