Why 10.6.5 and Symantec's PGP Whole Disk Encryption didn't get along
Those of you who joined us for last night's TUAW Talkcast know that one of the Mac OS X 10.6.5 issues that we discussed dealt with PGP WDE (Whole Disk Encryption), a Symantec product that is used to encrypt an entire hard drive. PGP WDE is very useful to those who carry sensitive information on their MacBooks, as they can be assured that nobody can access the info or even boot the machine without knowing the encryption password.
Mac OS X 10.6.5 "broke" PGP WDE, with users of the product unable to boot their Macs at all. Rich Mogull at TidBITS looked into the issue and provided a wonderful explanation of how disk encryption works, as well as why the OS update caused the problem.
As Mogull explains, PGP WDE integrates with the Mac firmware so that powering up the computer forces it to enter a special unencrypted state that displays nothing but a password prompt. Entering the correct password then decrypts the normal operating system, which is in an encrypted partition on the disk. To display the special password prompt at bootup, PGP makes changes to the boot.efi file that is used by your Mac to begin loading Mac OS X.
What happened? The shipping version of 10.6.5 overwrote those changes to the boot.efi file, so the pre-boot password prompt was never loaded. Symantec had tested PGP WDE with the beta versions of 10.6.5 with no problems, but apparently something was changed by Apple at the last minute before distribution of the update.
Symantec has posted a recommended upgrade process, and has also created a PGP Recovery CD image that can be downloaded and used if you've already upgraded to 10.6.5 and are stuck in "an unbootable state." As we mentioned on the TUAW Talkcast last night, problems like these are a good reason to keep a bootable clone of your hard drive on hand.