Apple’s Encryption Needs Care In OS X Lion Upgrade

Mac owners should decrypt files before upgrading to Lion because of changes in the encryption mechanism

Apple has added a number of new privacy and security features to the latest version of the Mac operating system, expected by the end of July.

Mac OS X Version 10.7, code-named “Lion”, has over 250 new features, including more controls over user privacy and security capabilities to keep users safe. The new operating system is expected in July, but no one knows the exact timing.

Lion’s Encryption Needs Careful Handling

Endpoint security vendor Safend offers several kinds of security protection for data. This includes encryption, controlling file-sharing properties, and identifying user-access rights. Edy Almer, the company’s vice president of marketing and business development, told eWEEK that the Safend team has identified changes that could affect how people work with Mac OS X Lion.

Apple has revamped its approach to encryption, so users should be careful when upgrading from “Snow Leopard” to “Lion”. If they have encrypted any files using FileVault or other encryption tools, they should first decrypt the files before running the upgrade process, Almer advised. Once the operating system has finished the upgrade process and the user has ensured everything is working correctly, it would “be safer” to re-encrypt the files, Almer said.

Apple made some changes to the way it implemented encryption in Lion, according to Almer, but he did not know exactly what those changes were. He said there was not a lot of documentation available at the moment on the way the new encryption scheme worked.

“Whenever you aren’t sure what changed in an encryption product, it’s safer to do the upgrade without it running,” Almer said.

Time Machine Backup Encryption

In previous versions of Mac OS X, encryption was handled on a file-by-file basis. The operating system did not offer a way to fully encrypt the disk. That has not changed in Lion, according to Almer. However, under Lion, users would be able to encrypt their Time Machine backups as well.

According to Apple, ASLR (address space layout randomisation) has been improved for all applications, making it harder for attackers to target the 64-bit applications.

“The kernel is definitely 64-bit,” Almer said. All drivers must now be 64-bit or they won’t work on Lion, he said, calling this a “big change for anyone who develops” for the Mac platform. Up until now, it was “optional” to have 64-bit, but now it will be “mandatory”, Almer said.

For privacy, Lion features a new Privacy pane, a central location for enabling and disabling location services and data collection as well as designating which applications have access to the location information. An icon appears in the menu bar whenever the application requests the information, making it easy for users to identify what the app is doing.

Apple also has improved its sandbox technology so Websites and applications are isolated from each other and from the operating system. Malicious Websites and applications are automatically trapped within the sandbox and unable to access the data stored elsewhere on the system.

Apple is still very consumer-focused and Lion reflects that, Almer said. The goal is to make everything easier and more straightforward. To that end, Apple has moved a lot of housekeeping and system tasks to automatically run in the background.