Sophos SafeGuard Disk Encryption for Mac offers full-disk encryption (FDE) for the Mac, with protection at boot time from unauthorized access. FDE scrambles the entire contents of a disk drive, rendering it ostensibly unrecoverable without access to the long encryption key used, or a shorter account passphrase that unlocks that key.
FDE makes your data secure when someone gains unauthorized physical access to it while your computer is shut down. If a computer with an FDE-protected drive is booted and running, the data is still susceptible to various forms of extraction using forensic tools, even if there’s a password lock enabled in OS X. But when the computer is shut down, it’s as close to Fort Knox as one could hope.
With Lion, you have the option to use the built-in FileVault 2 FDE that replaces the directory-only encryption provided in the original FileVault system introduced in OS X 10.3 Panther. FileVault 2 works quite well, is integrated into system accounts and system boot time, and relies on AppleCare support as an optional backstop to help with extreme cases in which an account password fails or is forgotten and a separate emergency recovery key has been lost.
SafeGuard, compatible with Lion in version 5.5, has to scale a mountain to convince users to purchase a feature that’s otherwise built into the OS. A third-party encryption tool has to do the job right, but also have features or options that set it apart from FileVault 2. (SafeGuard provides a separate installer for Mac OS X 10.5 and 10.6. If you upgrade from Snow Leopard to Lion, it is vitally important to follow Sophos’s instructions. An upcoming SafeGuard 6.0 release will work on 10.5 through 10.7, however, according to Sophos.)
SafeGuard doesn’t quite get there. Enough rough edges and confusing bits keep it from coming anywhere near the ease with which Apple enables FileVault 2, and that makes SafeGuard hard to recommend highly. Sophos could sand down the interface and documentation friction, while adding a couple of compelling features. However, SafeGuard is a good choice for anyone who prefers not to rely on Apple for their encryption needs for whatever reason.
Sophos relies on its own user accounts set up as User and Admin categories, which means extra account management instead of using Mac OS X authentication. This is clearly required because at startup time SafeGuard has to rely only on what its own system can manage—it can’t access Mac OS X or accounts. We can’t ding the product for that, but it’s more complicated than Apple’s integrated ability.
You set up at least one Admin account to start encrypting the drive with a single click. There’s an option to use Fast Mode, which has no explanation in the program or documentation as to what “fast” means. I had to query the company, which explained that with Fast Mode disabled, disk encryption takes a back seat to whatever the user is doing. In Fast Mode, encryption consumes all available computational power, which might slow down other activities.
Admin accounts can enable and disable encryption on partitions, and create and delete regular users. A User can log in at startup. User accounts can be backed up with a third form of account, Recovery. Recovery accounts are one-time-use logins assigned to specific User accounts, and are meant to help in case you forget or lose the password for a User account.
Sophos could provide a more sensible handholding walkthrough here. It should have the option of an assistant that guides you through creating an Admin user, and gives you the opportunity to create a regular User and one or more Recovery accounts. Instead, I had to stumble through the documentation to figure out the precise relationship.
Any FDE system needs to offer tools to help you when things go awry, as normal disk utilities won’t work. Sophos includes options in its program’s Users tab in a gear pop-up menu, but they’re rather hard to parse there and in longer explanations in the documentation. I sorted it out, but I don’t expect that even an advanced user will find the explanation straightforward.
Sophos has three recovery options, but it’s really two ways to make bootable media, with a third menu item to export your encryption and authentication data. You can either create a generic bootable image without your login bits (which lets you separately attach your authentication data), or you can create one that’s bootable and has the necessary credentials for the specific computer from which the disk was exported.
What Sophos doesn’t explain is that you need to take the disk image and create a bootable volume from it. This is trivial in Disk Utility. Drag the disk image into Disk Utility, where it shows up in the bottom of the list at left. Insert some kind of media, such as a USB thumb drive, on which you’re willing to erase one or more partitions. Select the disk image icon, and then drag the partition of the drive you’re using into the Destination field. Click Restore. This creates an EFI-formatted bootable drive you can select at startup time by holding down the Option key. Would that these instructions (with some screen captures and more detail) were in the manual.
SafeGuard also warns you in the documentation against backing up certain files in Time Machine, but doesn’t provide a tool to exclude those automatically. SafeGuard can’t encrypt external drives. And it requires the use of the keyboard in its boot manager, which makes it feel a bit more like using a newer PC BIOS than a Mac. Ostensibly, they didn’t want to include mouse and trackpad drivers.
Macworld’s buying advice
SafeGuard is perfectly fine, and would be better with some software assistants and better documentation. Sophos needs to beef up the program to help it compete against the free FDE in Lion.
[Glenn Fleishman, a senior contributor to Macworld, writes regularly about security and networking here, at the Economist’s Babbage blog, and in books, such as Take Control of iPhone and iPod touch Networking and Security.]