Is a hardware-based full disk encryption possible on a Mac?

macos macbook-pro encryption efi

Is it possible to use hardware-based full disk encryption (perhaps on a Samsung 840 Pro SSD) on a Mac, specifically a Macbook Pro 8,2? If so, how?

My understanding is that this will be handled in the BIOS or possibly EFI, however I think Apple's EFI is generally quite locked down.

I'm not looking for any software-based solutions such as FileVault 2 or TrueCrypt. I dual boot and matters will be simpler if it is handled in hardware.


I've asked myself exactly the same thing as I've also bough a Samsung 840 Pro for my MacBook Pro. After some research I've found this post indicating that the 840 Pro's hardware encryption requires TPM support, and that's only found in PC BIOSes, not in Mac's (U)EFI. To be sure, I've asked Samsung support which of the standards "ATA-Security", "Seagate DriveTrust" and "TCG OPAL" are supported by the 840 Pro, and their answer was:

Dear Customer,

Thank you for contacting Samsung SSD support regarding your inquiry. In response to your inquiry, the only one of the 3 that the unit supports is the ATA Security feaure. As for the encryption, the 840 Pro Series SSD only supports AES 256 bit hardware level encryption but requires the BIOS to be TPM enabled.

So there's no way to enable the 840 Pro's hardware encryption in a Mac.

However, there's also the Crucial M500 which supports TCG's Opal. In conjunction with a special Opal management software like WinMagic's SecureDoc for Mac it sounds as if it's possible to get hardware encryption to work on a Mac.

BTW, note that according to Sophos' support their SafeGuard does support Opal only on Windows, not on Mac OS. Also, McAfee's General Q&A for Opal states

Q: Will Opal drives be supported on Mac OS X?

A: No. Apple currently does not ship their devices with Opal drives so Opal is not supported on Endpoint Encryption for Mac.

But of course that's says nothing about that happens if you just put an Opal drive into a Mac yourself.


Expanding on sschuberth's answer, as of December 2013, the Samsung 840 EVO (but not PRO) also has firmware that directly supports TCG OPAL. It's a good bet that an 840 Pro firmware update to do the same thing will come soon.

You need some software to manage the SED drive, otherwise you get little or no benefit from the built-in security.

WinMagic SecureDoc will manage the drive, but not for every OS X release out there (anecdotal evidence suggests 10.8.1: ok, 10.8.2: not ok).

You'll need to run WinMagic enterprise software, too, I believe. While they have a standalone edition of SecureDoc to support SEDs, it appears that it is only available for Windows.

NOTE: SecureDoc does not require a TPM for SEDs, nor does the 840 EVO running in TCG Opal mode. SecureDoc can support the use of a TPM if you have one and enable the feature (Windows only).

Related

Software to horizonally flip (not rotate) OSX's monitor output?
After deleting an app, can you (much) later reinstall it and restore its data from iCloud?
Is it possible to add other networked sources to the Apple Dictionary program?
xcode-select --install not available on update server
How do I disable auto swoosh (automatic space switching) in MacOS Sierra?
How can I see all apps in 'Essentials' in Mac and iTunes app stores?
How do I change the OS X Mouse Pointer's color?
How do I remove the previous App Store user from my computer?
MacBook doesn't remember Screen Orientation
How can I teach Siri how to spell my child's name correctly in texts?
How do I use non-"legacy" launchctl commands to load and unload plists?
Homebrew putty installation does not make the putty command recognisable