PGP WDE and Seagate FDE drives

Created: 26 Jun 2011 | 21 comments

Hello,

I have a couple of Seagate hardware self-encrypting FDE drives, model ST9250411AS. Since there is no good software for the Mac that can manage the drive (from what I understand), I'd like to use PGP WDE on it. I assume this is okay, but thought I'd check first and hope someone from Symantec can answer the question. Is it okay to encrypt these drives with PGP WDE for both the MacBook Pro and Windows laptop computers? I know there is a lot of software to manage the drive on Windows computers, but I've since learned that there is no guarantee that my Windows laptop is compatible with the software and management of the encryption/password protection part of the drive.

Best regards.

pgp_user's picture

Thanks mallardduck! I'll take a look at WinMagic. However, I still would like to know if PGP is okay to use on these drives even though they're hardware self-encrypting, especially since I already have purchased copies of PGP.

Again, thank you for the info!  I appreciate it.

mallardduck's picture

Yep, they work just fine.  I did look at WinMagic by the way, and it was even worse than PGP (including a rather terrible UI), but it's the only way to manage those drives on OSX.  Maybe Lion will surprise us next month.

pgp_user's picture

Thanks again, mallardduck!  I appreciate you taking the time to reply, and thanks for the info on WinMagic.

Symantec technical support (i.e. Tom Mc or PGP_Ben), can you confirm that it is okay to use PGP WDE on these Seagate FDE drives on both Mac and Windows and everything will work as expected?  I'd like to get an official answer from the makers of PGP.

mallardduck's picture

PGP generally won't comment unless they've specifically tested the hardware, which they generally don't do (e.g. hybrid drives).  I know people who've done that without issue - the hardware doesn't care what is written to the disk, and the software doesn't trigger the encryption.

I always recommend that folks keep one unencrypted backup in a secure location.  I never put all my eggs in one basket (and that's true of ANY encryption solution, and not just a reflection of current/recent PGP challenges).

pgp_user's picture

Thanks again, mallardduck.  You've been so helpful!  I appreciate it.

I've sent you a private message with a question.

Tom Mc's picture

I wasn't able to find anything specific to your question, but suspect that mallardduck knows what he is talking about.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

pgp_user's picture

Thanks Tom!  I encrypted the drives on both Windows and Mac.  If I get the pre-boot login screen and the status for the drive in PGP WDE indicates "Encrypted AES" with the padlock icon next to the drive, is it fair to assume everything is okay?

Tom Mc's picture

That sounds about right.  I've actually never encrypted a drive without also encrypting the boot drive.  So, I pretty much see all as working correctly when I'm able to boot and use the drive(s) as expected.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

pgp_user's picture

Thanks Tom! Both the Windows laptop and Mac laptop have the drives in question installed as the main drive. No other drives were connected when performing the PGP WDE encryption. Encryption was only done on the boot drive/main drive (the Seagate FDE drive). I just asked the question because it seems kind of weird to be software encrypting a hardware self-encrypting drive and was wondering if there are any known issues. I assume there weren't any, but thought I'd check with the forum.

I've sent you a PM requesting how to attain 10.1.2 (SP3) for the Mac.

mallardduck's picture

You should NOT encrypt anything on a Mac from Windows. The Mac WDE encrypts the entire disk.

I'd make a good backup of both Mac and Windows partitions, decrypt, deinstrument (see the forum) and start fresh.

pgp_user's picture

Hi mallardduck,

These are two separate laptop computers that each have a Seagate FDE drive in it.  The Sony laptop is running Windows 7.  The MacBook Pro is running MacOS 10.6.8.  Each has its own copy of PGP 10.x on it.

I apologize for any confusion.

Thank you for the concern.  I appreciate it.

mallardduck's picture

Ahh, ok then, you should be safe :-). PGP on Windows does have a few issues, but is generally rock solid over there. It's the major platform (no surprise) and gets the majority of the development effort (frankly, can't blame PGP for that - I'd do the same...business/financial decision to deploy scarce resources to most profitable platform).

PGP_Ben's picture

Hey, for what it's worth, this is what I could find on this. It's from our old legacy forums, which are currently being decommissioned and moved to read-only mode and everything.

http://bit.ly/lfUPSb

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

pgp_user's picture

Thanks PGP_Ben.

Yeah, I knew that PGP WDE didn't support management of hardware self-encrypting drives in terms of taking advantage of the self-encryption nature of the drives.  I just wanted to know if the Seagate FDE drives could still be encrypted through software (PGP) like regular hard drives without any problems.

I'm still hopeful that PGP will someday come out with a version that will manage these types of drives like other companies do.  Also, I'm hoping for PGP to come out with a way to encrypt SSDs so that wear leveling isn't a problem which I assume is a problem now. 

I've been a happy customer of PGP products so far.

Best regards.

PGP_Ben's picture

Actually, we already added several enhancements for optimization of SSD drives in the PGP Desktop 10.1.2 code. Some is to help with the wear-level issue as well as doing read ahead caching. Also taking advantage of new chipset features like the AES-NI instruction set for one.

Before the release, we had about a 60% performance degradation on SSD drives and it was putting more wear and tear on the disks. Furthermore, we just recently fixed an issue with Apple's driver in 64-bit kernel mode when encrypting on certain Mac SSD drives. I know that they will be doing more code changes in the new release, 10.2, which is due out sometime in the August-September 2011 timeframe.

But I'm not sure what additional features we are adding for SSD there yet.  

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

pgp_user's picture

Thanks PGP_Ben!  I'm happy Symantec is working on the SSD issues.  I figured you folks would get around to it since SSDs are getting popular.

You mentioned a previous 60% performance degradation.  Do you know what the performance is like now with 10.1.2?  Also, does it deal with the wear leveling issue in a secure way, and is the wear leveling problem still an issue or completely solved?  Is TRIM supported on a PGP encrypted SSD?

Lastly, would you recommend using PGP WDE in its current state with SSDs or wait until 10.2 comes out?  Does the Windows version of PGP deal with the issue better than the Mac version (since I have both a Mac computer and a Windows computer)?

Best regards.

mallardduck's picture

I don't believe TRIM can work because, as far as the drive is concerned, every single byte is 'in use'.  You might be able to use (if I remember right) the command line option to only encrypt used sectors.

Everyone at my organization that has an SSD has abandoned PGP because of the speed reductions.  We're (finally) going to receive 10.1.2 next week so some folks may try it again.

pgp_user's picture

Thanks again, mallardduck!

>I don't believe TRIM can work because, as far as the drive is concerned, every single byte is 'in use'.

That was what I was wondering about.  Thanks!

>You might be able to use (if I remember right) the command line option to only encrypt used sectors.

Wouldn't that be sort of un-secure?  Would that make unencrypted data previously stored on the drive in those sectors possibly available to some tools?

PGP_Ben's picture

Yes, that is why it's an advanced option only available through the command line, with guidance from an expert or somebody in support. It does leave unencrypted sectors on the disk, which could potentially expose old data that might possibly be recovered if not written over by encrypted data.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
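
An added illustration of the point made in the reply above (not part of the original thread, and not PGP's code): a per-sector entropy check over a constructed in-memory disk, comparing "used sectors only" encryption with whole-disk encryption. The cipher is a SHA-256 keystream stand-in, and the sector layout, sample text and 7.0 bits/byte threshold are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
THRESHOLD = 7.0  # bits/byte; assumed cut-off, 512 random bytes score about 7.6

def entropy(sector: bytes) -> float:
    """Shannon entropy of a sector in bits per byte."""
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())

def fake_encrypt(sector: bytes, index: int) -> bytes:
    """Stand-in for a WDE cipher: XOR with a SHA-256 counter keystream.
    Not PGP's algorithm; it only produces ciphertext-like bytes."""
    stream = b"".join(
        hashlib.sha256(b"demo-key:%d:%d" % (index, block)).digest()
        for block in range(SECTOR // 32)
    )
    return bytes(a ^ b for a, b in zip(sector, stream))

def build_disk():
    """Constructed 8-sector disk: sectors 0-3 hold live files, 4-5 hold
    data of deleted files (free but never wiped), 6-7 were never written."""
    text = (b"Payroll 2011: CONSTRUCTED SAMPLE RECORD, not real data. " * 10)[:SECTOR]
    sectors = [text] * 6 + [bytes(SECTOR)] * 2
    in_use = [True] * 4 + [False] * 4
    return sectors, in_use

def encrypt_disk(sectors, in_use, used_only: bool):
    """Encrypt every sector, or only allocated ones when used_only is set."""
    return [
        fake_encrypt(s, i) if (in_use[i] or not used_only) else s
        for i, s in enumerate(sectors)
    ]

def plaintext_remnants(sectors):
    """Indices of sectors that are neither blank nor ciphertext-like."""
    return [i for i, s in enumerate(sectors)
            if any(s) and entropy(s) < THRESHOLD]

def demo():
    sectors, in_use = build_disk()
    used_only = plaintext_remnants(encrypt_disk(sectors, in_use, used_only=True))
    whole_disk = plaintext_remnants(encrypt_disk(sectors, in_use, used_only=False))
    return used_only, whole_disk

if __name__ == "__main__":
    print(demo())
```

The free sectors that still hold old file contents are the ones flagged in the used-only case; the same scan applied to a raw image of a real volume gives a quick check of what an encryption pass left behind.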

pgp_user's picture

PGP_Ben,

Any chance I could get 10.1.2 (SP3)?  I've sent you the info you requested (PM) a couple of days ago.

Thanks.