13.5. Encrypting an Entire Disk
So far, this chapter has covered encrypting individual files, folders, and disk images, up to and including one's entire home folder. In general, encrypting a large set of files rather than numerous smaller sets makes sense because it requires fewer passwords and less bother. But even encrypting your entire home folder can leave some sensitive files unprotected. So, why not simply encrypt everything on your disk — meaning you can lock or unlock every file at once? Indeed, you can do exactly that by using any of several software packages.
Until relatively recently, however, this option was available only for non-boot volumes. You couldn't encrypt an entire Mac OS X startup disk because the infrastructure needed to load the software that could decrypt the data during the startup process didn't exist. However, thanks to Apple's move to Intel processors and the ingenuity of a few software companies, that formerly elusive capability is now also a reality.
Most means of encrypting an entire Mac OS X volume — startup disk or not — are geared toward large-scale enterprise use, and may be difficult for ordinary users to find and equally difficult for them to configure. PGP Whole Disk Encryption is a notable exception in that it's extremely consumer-friendly, as encryption software goes. These products also carry with them certain intrinsic limitations. For example, once you've started your computer and typed your password, all your files are freely accessible ...
Get Mac® Security Bible now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.