
Why 10.6.5 and Symantec's PGP Whole Disk Encryption didn't get along

Those of you who joined us for last night's TUAW Talkcast know that one of the Mac OS X 10.6.5 issues that we discussed dealt with PGP WDE (Whole Disk Encryption), a Symantec product that is used to encrypt an entire hard drive. PGP WDE is very useful to those who carry sensitive information on their MacBooks, as they can be assured that nobody can access the info or even boot the machine without knowing the encryption password.

Mac OS X 10.6.5 "broke" PGP WDE, with users of the product unable to boot their Macs at all. Rich Mogull at TidBITS looked into the issue and provided a wonderful explanation of how disk encryption works, as well as why the OS update caused the problem.

As Mogull explains, PGP WDE integrates with the Mac firmware so that powering up the computer forces it to enter a special unencrypted state that displays nothing but a password prompt. Entering the correct password then decrypts the normal operating system, which is in an encrypted partition on the disk. To display the special password prompt at bootup, PGP makes changes to the boot.efi file that is used by your Mac to begin loading Mac OS X.

What happened? The shipping version of 10.6.5 overwrote those changes to the boot.efi file, so the pre-boot password prompt was never loaded. Symantec had tested PGP WDE with the beta versions of 10.6.5 with no problems, but apparently something was changed by Apple at the last minute before distribution of the update.
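The failure mode above, a stock boot loader silently replacing a modified one, is detectable before the reboot that bricks the machine. The following script is an added example, not code from TUAW, Symantec or PGP: it records a SHA-256 baseline of the boot loader while the pre-boot environment is known to work, and re-checks it after an OS update so an administrator can hold off rebooting when the file has changed. The file paths and the `demo` function are assumptions; the article only names the file as `boot.efi`, and the demo uses a constructed stand-in file in a temporary directory rather than the real one.

```shell
#!/bin/sh
# Added example (not from the TUAW article, Symantec or PGP): baseline and
# re-verify the boot loader a pre-boot product modifies. Paths below are
# assumptions; only the name "boot.efi" comes from the article.

# Use whichever SHA-256 tool the host provides (macOS ships shasum,
# most Linux hosts ship sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline FILE BASELINE: store the hash of FILE, taken while the
# pre-boot loader is known to be intact (e.g. right after WDE installation).
record_baseline() {
    sha256_of "$1" > "$2"
}

# verify_bootloader FILE BASELINE: return 0 when FILE still matches the
# recorded hash, 1 when it has been replaced (the pre-boot prompt would not
# load, so the machine should not be rebooted until the loader is restored).
verify_bootloader() {
    current=$(sha256_of "$1")
    expected=$(cat "$2")
    if [ "$current" = "$expected" ]; then
        echo "OK: $1 unchanged since baseline"
        return 0
    fi
    echo "WARNING: $1 differs from baseline (expected $expected, got $current)"
    return 1
}

# Constructed demonstration: a stand-in "boot.efi" in a temp directory is
# baselined, then overwritten the way an OS update would overwrite it.
demo() {
    dir=$(mktemp -d)
    printf 'modified loader bytes\n' > "$dir/boot.efi"
    record_baseline "$dir/boot.efi" "$dir/boot.efi.sha256"
    verify_bootloader "$dir/boot.efi" "$dir/boot.efi.sha256"
    printf 'stock loader bytes\n' > "$dir/boot.efi"   # simulated update
    verify_bootloader "$dir/boot.efi" "$dir/boot.efi.sha256" || echo "Do not reboot yet."
    rm -rf "$dir"
}

demo
```

On a real machine the baseline should live somewhere the update cannot touch (a separate volume or a management server), and the check belongs in the update procedure itself: run it after the installer finishes and before the reboot it asks for.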

Symantec has posted a recommended upgrade process, and has also created a PGP Recovery CD image that can be downloaded and used if you've already upgraded to 10.6.5 and are stuck in "an unbootable state." As we mentioned on the TUAW Talkcast last night, problems like these are a good reason to keep a bootable clone of your hard drive on hand.

MikeC

First, Bk is not telling the truth that he found this last week. That, and his email from Steve Jobs is phony as well, unless he posted the headers.

No one could have seen this. This is squarely Apple's fault.

If you read the PGP forums, you can tell what happened. Apple's Software Updater (that does incremental updates) is, for some odd reason, not the same as the full combo updater (which is generally the recommended path anyway).

Those using the full combo update experienced no issues. Only those running the incremental update. The incremental updater disabled the protections PGP has in place to protect their boot.efi. For whatever reason, Apple chose to replace boot.efi (something they have NEVER done except during major releases (10.4, 10.5, 10.6, etc.)). Add to that an inconsistent updater behavior and throw in the fact the OS betas are all combo updates, and you have a recipe for disaster.

PGP has rightly taken some lumps in the past for their Mac support, but in this case, it's Apple who deserve the criticism, and should improve their OS testing and development. This is why I always wait a few weeks before doing the updates, and then only do the combo.

By the way, cross-platform whole disk encryption is not that easy to do. How many vendors (reputable) are there in the market? Three?

November 15 2010 at 11:24 PM
1 reply to MikeC's comment
bk

MikeC, I don't take kindly to being called a liar. *smack* Pistols at dawn.

I applied the update 5 minutes after it was announced. I immediately found the problem when my Mac was bricked. I alerted my coworkers and went to work on being part of the fix. (Note my comments in the PGP forums).

I'll differ in my opinion about who is at fault--I'd blame the process more than any one side. However, replacing root-level Apple system files with your own is risky business for a developer. PGP should have been looking more closely and Apple should review their deltas. I respect what you say about the oddity about the behavior. Well noted.

As for the headers about Steve Mail, here they are (personal and domain info redacted for privacy):

From: Steve Jobs
Subject: Re: HiEd Frustrations
Date: November 11, 2010 4:49:01 PM CST
To: [my name redacted]
Return-Path:
Received: from localhost ([unix socket]) by cyrus1a.mail.[mydomain redacted].edu (Cyrus v2.3.16) with LMTPA; Thu, 11 Nov 2010 16:49:52 -0600
Received: from mh5.mail.[mydomain redacted].edu (mh5.mail.[mydomain redacted].edu [x.x.199.32]) by cyrus1a.mail.[mydomain redacted].edu (Postfix) with ESMTP id 910842A80A6 for ; Thu, 11 Nov 2010 16:49:52 -0600 (CST)
Received: by mh5.mail.[mydomain redacted].edu (Postfix) id 85DF128F75B; Thu, 11 Nov 2010 16:49:52 -0600 (CST)
Received: from mh5.mail.[mydomain redacted].edu (localhost.localdomain [127.0.0.1]) by mh5.mail.[mydomain redacted].edu (Postfix) with ESMTP id 78FDB28F757 for ; Thu, 11 Nov 2010 16:49:52 -0600 (CST)
Received: from mh5.mail.[mydomain redacted].edu ([127.0.0.1]) by mh5.mail.[mydomain redacted].edu (mh5.mail.[mydomain redacted].edu [127.0.0.1]) (amavis, port 10024) with ESMTP id jmPRdhVzrSfB for ; Thu, 11 Nov 2010 16:49:51 -0600 (CST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mh5.mail.[mydomain redacted].edu (Postfix) with ESMTPS id CE56028F739 for ; Thu, 11 Nov 2010 16:49:49 -0600 (CST)
Received: from relay16.apple.com (relay16.apple.com [17.128.113.55]) by mail-out4.apple.com (Postfix) with ESMTP id 867B3BC5D7A8 for ; Thu, 11 Nov 2010 14:49:48 -0800 (PST)
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay16.apple.com (Apple SCV relay) with SMTP id 67.CE.03845.C037CDC4; Thu, 11 Nov 2010 14:49:48 -0800 (PST)
Received: from [17.248.4.101] (wave-dhcp101.apple.com [17.248.4.101]) by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id for bk@[mydomain redacted].edu; Thu, 11 Nov 2010 14:49:48 -0800 (PST)
X-Sieve: CMU Sieve 2.3
Delivered-To: bk@[mydomain redacted].edu
X-Virus-Scanned: by amavis-2.6.4 at mh5.mail.[mydomain redacted].edu
X-Smtp-Auth: no
X-Policyd-Weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_HELO_MX=-3.1 (check from: .apple. - helo: .mail-out4.apple. - helo-domain: .apple.) FROM/MX_MATCHES_HELO(DOMAIN)=-2; rate: -9.6
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
X-Auditid: 11807137-b7bf7ae000000f05-e3-4cdc730c67c8
Mime-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=us-ascii
References:
X-Mailer: iPhone Mail (8B117)
In-Reply-To:
Message-Id:
X-Brightmail-Tracker: AAAAAQAAAZE=
X-Dspam-Result: Innocent
X-Dspam-Processed: Thu Nov 11 16:49:52 2010
X-Dspam-Confidence: 0.9920
X-Dspam-Probability: 0.0000
X-Dspam-Signature: 390,4cdc731025385225088591
X-Dspam-Factors: 27, University+>, 0.00196, >+Hi, 0.00208, >+Thanks, 0.00229, >+[mydomain redacted], 0.00283, >+>, 0.00600, >+>, 0.00600, >+I'm, 0.00666, wrote+>, 0.00672, It+would, 0.00812, Received*ESMTPSA, 0.00822, Received*ESMTPSA+id, 0.00822, Received*with+ESMTPSA, 0.00822, Sent+from, 0.00886, Research+Computing, 0.00923, glad+you're, 0.01000, >+Nothing, 0.01000, >+regards, 0.01000, us+The, 0.01000, edu>+713, 0.01000, areas+>, 0.01000, >+Bill, 0.01000, Received*(Apple, 0.01000, 34+PM, 0.01000, PGP, 0.01000, we're+having, 0.01000, a+fix, 0.01000, Received*(Apple+SCV, 0.01000

November 16 2010 at 12:16 AM
ajanata

>As we mentioned on the TUAW Talkcast last night, problems like these are a good reason to keep a bootable clone of your hard drive on hand.

Which completely defeats the point of using whole-disk encryption, unless you can somehow manage to clone the encrypted data including all the fun stuff required to make it boot.

November 15 2010 at 8:54 PM
1 reply to ajanata's comment
bk

Ajanata--you're right about the ironies of the backup. To solve this problem, I use a hardware level encrypted external disk for my backup. It protects both integrity of the encryption model without the liabilities of software-controlled solutions like PGP.

November 15 2010 at 10:23 PM
Ryan

We had a lot of trouble with this problem at the university I work for. I wish users wouldn't update right away lol.

November 15 2010 at 8:23 PM
mrsteveman1

> problems like these are a good reason to keep a bootable clone of your hard drive on hand.

Actually problems like this are a good reason for Apple to stop pretending their operating system development is a state secret. They could have warned PGP but they didn't. They could have released whatever changes they made as part of a developer-only prerelease of 10.6.5, but they didn't.

And now PGP is probably getting flooded with support requests for something Apple broke.

November 15 2010 at 7:47 PM

© 2012 AOL Inc. All Rights Reserved.