105 Comments
- estvir, on 10/12/2007, -3/+30 TrueCrypt which a lot of people will swear by.
I don't think there is a Vista-compatible version yet though (If you don't have the requirements for BitLocker) but apparently the latest version works, it's just your fault if your hard drive explodes killing several small children and/or creating a subtle worm hole.
- eropuri, on 10/12/2007, -2/+23 This ain't no showdown - the author of this article basically decided on a completely unscientific method. They felt that Bit Locker was more secure, but provided no evidence to support the theory.
- rudy23, on 10/12/2007, -2/+23 @jman8888
then you don't need encryption in the first place.
- doctechnical, on 10/12/2007, -1/+20 Alas, the article didn't go into any technical comparo of the encryption algorithms used and their relative strengths/weaknesses.
I'd also like to know if the Bitlocker will still work if I move the hard drive to another computer. I'd hate to have the filesystem tied to one motherboard or hardware configuration... in that case you'd be SOL if the USB controller went on the blink.
- ventralnet, on 10/12/2007, -6/+22 @Lyph4
Unfortunately there is nothing it can do.. easily
This will probably be buried
- etx313, on 10/12/2007, -5/+21 A Vista feature winning over an OS X feature? On the homepage of Digg? What is this, Bizarro Digg?!
- splinecl, on 10/12/2007, -1/+14 @digitalarcanum
Locking the BIOS is probably the least secure way to protect your computer. All you have to do is reset the CMOS with some jumper settings or remove the CMOS battery.
- Mootabolife, on 10/12/2007, -1/+13 T r u e C r y p t
Free open-source disk encryption software for Windows Vista/XP/2000 and Linux
Yes, there is a vista version.
- bobcrotch, on 10/12/2007, -1/+12 If you lose your hardware key and forget your password you deserve to lose your data. Believe it or not there is a certain amount of responsibility when it comes to computing, especially with sensitive data.
- inactive, on 10/12/2007, -6/+16 It'd be nice if Ubuntu made me waffles and bacon in the morning when I woke up.
I'm sure you can find a way to do that.. I mean, it's Linux. There's seriously NOTHING you can't do.
- crackedplastic, on 10/12/2007, -0/+9 Very cursory article. Some points missing:
Vista:
- Can use TPM (v1.2) instead of just a USB device (if your hardware is capable)
- Centralized administration via ADS and group policies
- Key contingency: via recovery certificate through group policies
- REQUIRES at least two NTFS partitions, since boot volume isn't encrypted
The main issue is that OSX's Filevault ISN'T whole disk encryption, and this is like comparing apples to oranges (pardon the pun).
A better comparison would be with products from PointSec, SafeGuard, or PGP, which offer whole disk encryption products (PointSec's offering is for Windows, Linux, and OSX (in the works)). Some are FIPS 140-2 compliant as well.
- cdmarcus, on 10/12/2007, -3/+12 It all comes down to the icons. If you look at them, you'll notice that BitLocker uses a key, which can be considered more secure than FileVault's combination lock. However, BitLocker can be picked or bumped...
- samadam, on 10/12/2007, -3/+11 You do notice, and here's the kicker, that truecrypt is not available for Mac?
Yeah, so not so much a good alternative. Unless you mean Bsd is the third of your major operating systems?
- xymor, on 10/12/2007, -1/+9 God forbid review a software made by communists open source freaks...
Seriously, TrueCrypt is a great piece of software, and encrypting your files using proprietary closed solutions feels like playing Russian roulette.
- kblommel, on 10/12/2007, -0/+8 So what happens when you lose your car keys AND forget what your car looks like?
- aecarol, on 10/12/2007, -0/+7 Where's the "Showdown" part? He goes over some very basic features, explains in a sentence why Bitlocker was for him, and we're done. It was almost less than useless.
I would expect a "Showdown" to perform a series of tasks using each and report ease of use, reliability, problems encountered, etc. How easy is it to enable? Does either affect performance? How hard to backup? What if you lose the key/password? Can you do it on an external drive?
- inactive, on 10/12/2007, -1/+8 If someone wants to go through all the hard work to find out I'm AMAZINGLY broke and not worth identity theft, I'll let 'em. Seriously. Once they open my bank account, see it's overdrawn, open my credit cards, see they're maxed, the criminal will probably return my hard drive and give me a "Sorry for stealing your *****" card.
- drlha, on 10/12/2007, -1/+8 @ssulistyo: On Macs you can encrypt the swap as well. Don't know about Vista.
- NerveBand, on 10/12/2007, -7/+13 BitLocker is pretty amazing stuff especially the feature of using your USB drive as a smart card. Are there other implementations available for Windows XP and such?
- cquinnd, on 10/12/2007, -0/+6 @themacthinker
Windows has had file and folder encryption (EFS) since Windows 2000, and Bitlocker is in many ways an evolution of volume management ideas that have been around (at Microsoft and elsewhere) since the mid 1980s. Bitlocker itself might be seen as a new implementation, but the underlying technology is quite mature.
Vista can also use individual file encryption on top of Bitlocker.
... and another second for what digitalarcanum said.
- rudy23, on 10/12/2007, -1/+7 am not sure what the name of the software is but my thinkpad has a feature which can encrypt your entire drive using the fingerprint as a key which itself is stored in a secure hardware device.
more protection than I would ever need.
I think in most of these cases you just want to make sure that if it gets stolen any joe blow won't be able to decrypt your hard drive. IMO any of these tools will be able to get the job done for you.
- mattmcm, on 10/12/2007, -0/+6 You can write down your password and use as many USB drives as you want. So long as they're not ALL destroyed, you can still use Bitlocker just fine. Suppose one DOES get destroyed (it happens.) You can use your backup USB drive to boot up and create another backup. USB drives are ten a penny these days. Nothing's stopping you from creating more than one.
- drlha, on 10/12/2007, -0/+6 Most of us are more worried about our laptop's data being used by thieves than the NSA.
- andycr512, on 10/12/2007, -7/+13 In my opinion, neither can be trusted - with something as important as data security, you really should use something open source. The good news is, TrueCrypt works on all 3 major platforms, and does military-grade encryption for free... Why not use that?
- SpacedCowboy, on 10/12/2007, -1/+7 [Sigh]
It doesn't mention that you can create individual disk-images and encrypt those. The Mac uses these sort-of-like files. Double-click and a finder-window will open (after you've typed in the password). Drag the mount to the trash or eject to prevent access.
Whenever I check-out the source code to the app I work on to a portable, I do it to an encrypted disk image. It works well, there's no noticeable performance issue with the constant encryption/decryption, and it's not my home directory.
Simon.
- Radan, on 10/12/2007, -3/+8 @drmangrum:
Erm... doesn't that kinda ruin the whole point of the USB key?
- parrots, on 10/12/2007, -1/+6 @ssulistyo: In addition to being able to encrypt one's swap on OS X, all user-based data (including temp files, internet cache, preferences, etc) exists within the user's home folder -- the part of the drive that is encrypted by FileVault. I believe this is why colincornaby was questioning encrypting the entire drive: it would be a wasted overhead to encrypt the entire drive, unless you really didn't want a thief to see what applications you have installed.
- doctechnical, on 10/12/2007, -3/+8 "what if you keep the usb key in your laptop bag or suitcase and a thief takes your suitcase? "
What if you leave your keys in your car, or your front door unlocked?
I think it's acceptable to require at least *some* degree of responsibility on the user's part.
- Bitaemo, on 10/12/2007, -6/+11 @splinecl
Uhm, he said Laptop. I have yet to see a laptop whose Bios you can reset like a desktop's.
Most laptops to reset the bios, you must find the 24C02 chip (roughly the size of a drop of rain) and in most chips solder a wire between pins 1 and 4 and apply power. This will reset the chip, and release the password.
Most thieves are NOT that smart or willing to go to those extremes. Also the fact that on most laptops, you will find more than 1 of these chips. Without knowing the laptop on a shall I say Intimate basis, you most likely won't guess the right one. :-)
- Frost9999, on 10/12/2007, -1/+5 Unfortunately TrueCrypt is not available for OS X. I really like TrueCrypt though and think it's a great option for XP at least. Not sure about Vista support.
- bj00rn, on 10/12/2007, -0/+4 On XP I use Truecrypt, on my Mac I use an encrypted image (.dmg) (Easily set up in Disk Utility, and basically functions the same way as Truecrypt). Both easy and good methods.
- MioTheGreat, on 10/12/2007, -0/+3 If your swap is on a bitlockered partition, it will be encrypted. Bitlocker encrypts ALL data except the boot volume required to initialize the bitlockered one.
- cplkai, on 10/12/2007, -2/+5 No, it doesn't.
- mattclare, on 10/12/2007, -0/+3 BitLocker is a good technology - but I'd choose file vault or true crypt. I don't need the OS encrypted, and no matter what algorithm each are using (RSA or blowfish I assume) encrypting the whole drive will slow things down a lot. If you want to make the thing tough to steal, FileVault or Truecrypt and a boot password are good enough. OSX and Linux can encrypt their swap files too - I don't know how to reproduce that on Windows.
THE BEST REASON TO USE FileVault or TrueCrypt: The encrypted volumes are easy to backup and transfer!
That's never been the case with Windows encryption of any kind!
- Roybertito, on 10/12/2007, -1/+4 Well, I know I'll probably get flamed for being pro-Mac (and then all the anti-Mac comments will be dugg down by Mac fans, then they'll be dugg down by anti-Mac... anti-fans, etc.), however, I have to say that in terms of comparing BitLocker and FileVault, how secure they are is all up to the observer. One might not need the 100% lockdown of BitLocker, and some may call that too secure, and thus prefer FileVault - that's my personal opinion on the subject. Others may say that they need what's in BitLocker that FileVault lacks and say that BitLocker's better for that reason - that's okay too.
- rudy23, on 10/12/2007, -0/+3 IMO in the future all data will be encrypted and there will be some sort of a hardware device either at the HDD level or proc level whose sole job is to encrypt and decrypt.
Once the performance issue is outta the way there would be no reason to not encrypt everything.
- Boondoggle, on 10/12/2007, -1/+4 You can create a separate keychain for OS X and put the pws for your encrypted DMGs in there, and keep it on a flash drive. Then when you need the volume, plug in the flash drive.... no typing, and associated keylogging, is involved. It also lets you use crazy huge passwords.
- ventralnet, on 10/12/2007, -3/+6 While it is my preferred server operating system for my servers the reason it can't compete quite yet in the market against Apple and the Windows family is its difficulty of use for the average user.
I don't have much experience in ubuntu, but I don't think you will find many who disagree with me.
- Ahnteis, on 10/12/2007, -0/+3 You lose access.
What -- there should be a backdoor or something? That would completely invalidate the whole POINT of disk encryption.
- Wyzard, on 10/12/2007, -0/+3 Wouldn't be RSA since that's a public-key cipher. Most likely it's AES, which is well-suited to disk encryption because it's fast to initialize and disk-encryption software typically encrypts each sector or group of several sectors independently. Blowfish is fast at encrypting data in bulk once it's been initialized, but not so fast when it has to be repeatedly re-initialized after encrypting just a small amount of data.
Besides, Twofish, the successor to Blowfish, was a contestant in the competition held by NIST a few years back to choose a replacement for DES, and it didn't win; AES did. (That's why we call it AES; its original name is Rijndael.)
BTW, while I haven't personally used FileVault or BitLocker, I do use Linux's "dm-crypt" facility for full-disk encryption on several computers, and I find that the CPU overhead is fairly minimal for typical desktop use. It's only when copying large files around that it becomes really noticeable.
- cquinnd, on 10/12/2007, -0/+3 That didn't come across as pro-Mac, it makes a lot of sense, which is why there are different ways to do encryption in the first place.
The only point I would add is that it is possible to do individual file encryption with both OSes, and to use Bitlocker on a whole hard drive (IIRC) requires a full reformat of the target disk.
For the average user, being able to secure a few specific files and folders might be enough.
For companies like Banks, the FBI, the VA, and all the other firms that seem to have trouble keeping track of user data on laptops (and desktops), full disk encryption like Bitlocker should be highly encouraged.
- Wyzard, on 10/12/2007, -0/+2 @digitalarcanum:
"If you don't have a locked bios they can just install an OS over the encrypted disk."
They can do that anyway, simply by taking the hard drive out of the laptop. The point of disk encryption isn't to stop someone from erasing the disk and re-using it for another purpose, it's to prevent people from accessing your private data.
Most modern hard drives have a built-in "security lock" feature, in fact, which allows the drive itself to protect itself with a password, and the only way to use the drive without knowing the password is to perform a "security erase" which causes the drive to wipe its contents before unlocking itself. (This isn't as secure as disk encryption, though, because it's possible to recover the contents of a "locked" hard drive with specialized equipment.)
- MrMacMan, on 10/12/2007, -0/+2 Yeah I think the article missed the whole impact about how effective their encryption is. We all know that it can be broken (see WEP and the RC5 competition), but it failed to mention the important technical aspects of each OS's file protection system.
- Wyzard, on 10/12/2007, -1/+3 You can keep the USB key plugged in for convenience while you're at home, and when you go traveling, leave the USB key behind and authenticate with the password instead.
- Ahnteis, on 10/12/2007, -0/+2 The database storing hundreds of SSNs (for example) probably isn't going to be in your user directory. Full drive encryption isn't something that EVERYONE needs, but there are uses for it. If you only want part of your HDD encrypted, there are solutions for doing so. (In fact, Windows has had the ability to encrypt folders for some time -- don't know many details about it as I've never personally needed it.)
- ssulistyo, on 10/12/2007, -2/+4 Ever heard of swap and temp files? These and a myriad of other locations on your hard disk could contain (and retain) copies of your personal files, when opening, moving, or copying them.
- tHePeOPle, on 10/12/2007, -3/+5 I wouldn't mind using FileVault, but I can't shake the feeling that Microsoft has some other key to my data. A key they might be willing to share if pressured. That's why I'm using Truecrypt.
- cquinnd, on 10/12/2007, -0/+2 For an idea of speed:
http://apcmag.com/3893/vista_disk_encryption_very_damn_fast
There is also a discussion at: http://www.xml-dev.com/pipermail/fde/2006-November/000067.html giving some information on how Bitlocker tries to maintain the speed of file accesses while running.
FileVault or Truecrypt, while good enough, can still allow a thief to make use of the stolen system for other purposes if they can manage to log in. The technologies target different needs.
The point about backups is a good one though.
- Ramble, on 10/12/2007, -1/+3 You moron the swap file will be encrypted along with everything else on the main partition.
- Ramble, on 10/12/2007, -1/+3 That's what UAC is for..