![]() As a consequence, Microsoft’s BitLocker equivalent of FileVault stopped trusting in-disk encryption in 2019.Īpple’s T2 and M1 systems include a secure enclave, which is designed to store keys securely. Several researchers have assessed this type of encryption, and found it’s often extremely easy to bypass. Unfortunately it’s also a real gamble, and the odds aren’t in your favour. Several models of SSD offer encryption which is built into the SSD itself, and seems a more transparent alternative to APFS encryption. For example, one common requirement is that passwords satisfy criteria on length and content, and may need to be changed periodically: there’s nothing in APFS encryption to ensure those are met, or to provide evidence that they met those criteria. Don’t rely on this to be safe from state/government agencies, for example, but this is going to defeat the casual or criminal.Īs with encrypted sparsebundles and images, this doesn’t address safeguarding the data from loss or damage, and you’ll have to be very careful if you need to demonstrate compliance. If you decide to store your sensitive data on an external SSD in APFS Encrypted format, it should be safe from all but the most serious attacker. This is different from FileVault whole-disk encryption* used, for example, in Intel Macs with a T2 chip and M1 Macs on their internal SSDs, as it’s not performed in the disk controller, so comes at a performance cost. Unlike HFS+, APFS has native support for encryption, and you can easily enable this when creating any new APFS volume, by selecting its format as APFS (Encrypted) rather than plain APFS. ![]() You also need to make separate provision for safeguarding the data by means of a robust backup system, which again exposes it to the potential for theft.įor modest amounts of data of fairly low sensitivity, this is a cheap option, but you’ll find it hard to demonstrate compliance, and existing standards and codes may not accept that. In the case of a state or government agency, that may well be a feasible proposition with their existing tools. I’ve explained their basics here, and there are two excellent tools for working with them: C-Command’s excellent DropDMG for Disk Images, and my own free Spundle for sparsebundles from here.Īlthough I’ve no reason to suspect that their encryption has been broken, one snag with these is that someone can make off with your encrypted data and use brute force and other techniques to decrypt it. These are convenient and essentially free of cost. ![]() Ask yourself if something did go wrong and someone else were to scrutinise what you did, how could you justify that, perhaps in a court or to an enquiry? In many situations, simply being able to justify to yourself that you have exercised due diligence isn’t sufficient, and your equipment, procedures and practices need to comply with accepted standards. There’s another important issue in how you might need to demonstrate compliance. ![]() A lot of emphasis has been placed on encryption as a means of preventing others from access, but far less on the need to safeguard. Laws and practices of data protection vary with different legislation around the world, but in general expect you to comply with two principles when it comes to storing sensitive data: it must be secured from access by anyone who isn’t entitled, and it must be safeguarded from loss or damage. This article presents a short summary of what you should consider using. Thankfully, there’s now a wide range of different methods to secure data. Many of us now have both moral and legal responsibilities to look after some of the information we use on our Macs. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |