SafeGuard Disk Encryption for Mac 5.55.0 Release Notes
Known to apply to the following Sophos product(s) and version(s)
Sophos SafeGuard Disk Encryption for Mac 5.55.0
Supported Hardware and Configuration
• Hardware (Intel-based 64bit CPU only)
With the following terminal command, the EFI firmware can be verified:
"ioreg -l -p IODeviceTree | grep firmware-abi"
The return value should be "firmware-abi" = <"EFI64" > or "firmware-abi" = <"EFI32" >.
• Operating system
10.7 (Lion) recent patch level, 32 or 64 bit kernel
• Update of Sophos SafeGuard Disk Encryption for Mac
As Sophos SafeGuard Disk Encryption for Mac 5.55 is the first version for Mac OS X 10.7 (Lion), an update from previous versions is not possible.
• Update of Mac OS X to version 10.7 (Lion)
To upgrade from Mac OS X 10.6 (Snow Leopard) to 10.7 (Lion), you need to uninstall Sophos SafeGuard Disk Encryption for Mac 5.50.x first. This step includes a final decryption of the encrypted partitions. After the successful update to Lion, you need to install Sophos SafeGuard Disk Encryption 5.55.x and encrypt the partitions again. It is not necessary to change the exclude rules in your Time Machine configuration for this.
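The firmware and operating-system requirements above can be checked in one pass before installation. The script below is an added example, not part of the Sophos release notes: the function names and the sample `ioreg` text are constructed for illustration, and it assumes `sw_vers -productVersion` to read the OS version.

```shell
#!/bin/sh
# Added example (not Sophos code): pre-install check for the firmware and
# OS requirements listed in these release notes.

# Print the firmware-abi value found in `ioreg -l -p IODeviceTree` output.
# Prints nothing when the property is absent.
firmware_abi() {
    printf '%s\n' "$1" |
        sed -n 's/.*"firmware-abi" = <"\([A-Za-z0-9]*\)" *>.*/\1/p' |
        head -n 1
}

# Succeed only for OS X 10.7 (Lion), any patch level.
is_lion() {
    case "$1" in
        10.7|10.7.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# preflight <ioreg output> <OS version>: print a verdict, return 0 if supported.
preflight() {
    pf_abi=$(firmware_abi "$1")
    case "$pf_abi" in
        EFI64|EFI32) ;;
        "") echo "FAIL: no firmware-abi property found"; return 1 ;;
        *)  echo "FAIL: unexpected firmware-abi value: $pf_abi"; return 1 ;;
    esac
    if ! is_lion "$2"; then
        echo "FAIL: OS X $2 is not 10.7 (Lion)"
        return 1
    fi
    echo "OK: firmware-abi=$pf_abi, OS X $2"
}

# Constructed sample input, shaped like ioreg property lines.
SAMPLE_IOREG='    | |   "example-property" = <"x">
    | |   "firmware-abi" = <"EFI64">'

# On a Mac, check the live system; elsewhere, run against the sample.
if command -v ioreg >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    preflight "$(ioreg -l -p IODeviceTree)" "$(sw_vers -productVersion)" || true
else
    preflight "$SAMPLE_IOREG" "10.7.2" || true
fi
```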
You must set up a machine with a Bootcamp partition prior to installing Sophos SafeGuard Disk Encryption. It is not supported to set up or remove Bootcamp after installing Sophos SafeGuard Disk Encryption.
Note that it is not supported to change/resize the partition layout after installing SafeGuard.
If the default operating system is changed from OS X to Windows it cannot be set back to OS X either with Windows Bootcamp Control Panel or with OS X Startup Disk Utility. This has to be done using the functionality provided by Sophos SafeGuard Disk Encryption.
You can set the default boot system to OS X in the following ways:
1. via user interface:
• Open SafeGuard Disk Management.
• Open the Edit menu and select Boot this operating system by default. You need to authenticate as an OS X Administrator.
2. via Terminal
• Open a Terminal and enter “sudo sgadmin --set-boot”. Note that OS X Administrator authentication is required.
Unsupported hardware, configurations and operations
PowerPC based hardware
• Operating system
10.6 and prior
• Bootcamp + SafeGuard Enterprise/SafeGuard Easy for Windows
SafeGuard Enterprise for Windows does not support Apple hardware and cannot be installed in a Bootcamp/Windows environment. This restriction is valid until explicitly stated otherwise in the SafeGuard Enterprise for Windows documentation.
• The following LIMITATIONS apply to the product:
Sophos SafeGuard Disk Encryption for Mac does not support multi-boot systems, that is, multiple installations of OS X on the same Mac.
Sophos SafeGuard Disk Encryption for Mac and Mac OS X 10.7 (Lion) FileVault must not be run on the same machine at the same time. If you are going to use Sophos SafeGuard Disk Encryption for Mac no local partition must be encrypted by FileVault, and you must ensure that FileVault is disabled before you install SafeGuard Disk Encryption for Mac. If you want to use FileVault, Sophos SafeGuard Disk Encryption for Mac must not be installed.
Do not install the software on systems with more than 50 partitions. We recommend that you do not encrypt more than five partitions simultaneously.
Keyboard: The keyboard translation code only deals with normal keys and keys with a shift modifier. Non-numeric keypad keys cannot be guaranteed to give the same character sequence when the keyboard is changed from one layout to another. So only use "0-9" from that block. This is due to EFI only returning a US ANSI character equivalent and no modifier keys. During translation, the normal keyboard key takes precedence over the numeric keypad key. This affects the non-numeric keys on the numeric keypad, i.e. the '=', '/', '*', '-', '+' keys. These keys may translate into a different character due to the keyboard layout. For example, on a German keyboard the numeric keypad '*' key will translate into the keyboard '(' character. The code has been developed and tested with the following keyboards: US, French, German. There is no guarantee that other keyboards work.
Partitioning: After Sophos SafeGuard Disk Encryption for Mac has been installed it is not possible to change the partitioning layout, nor is it supported. You must not change anything with "gpt" or "diskutil".
Important: If someone repartitions the machine you will not be able to use it, and you will need to completely reinstall this machine in order to use it again.
Formatting: Formatting of encrypted partitions is not supported. If you want to remove all data, we recommend that you delete the files or decrypt the partition, format it, and encrypt it again. Note that only HFS+ partitions are supported for encryption.
Target Disk Mode: The use of Target Disk Mode is not supported if both the local machine and the target disk are encrypted. However, it is supported if the local machine is not encrypted and the target disk is, or if the local machine is encrypted and the target disk is not.
diskutil from a system started via network boot: Do not use diskutil from a system started via network boot while local partitions are encrypted. This is because diskutil does not recognize the encrypted partitions and wants to initialize them. Doing so results in data loss.
Erasing partitions: Erasing a partition while an initial encryption or a final decryption operation is performed is not supported. Also, erasing encrypted partitions is not supported. Partitions have to be decrypted first and can then be encrypted again.
Unmounted partitions and encryption/decryption: Starting initial encryption or final decryption for partitions that are not mounted is not supported. Unmounting a partition while it is encrypting or decrypting is also not supported. Doing so may result in data loss.
OS upgrades (e.g. from 10.6 to 10.7) are not supported: It is necessary to decrypt the partitions of your Mac first, and then to uninstall Sophos SafeGuard Disk Encryption for Mac. Afterwards, you can upgrade the operating system, install Sophos SafeGuard Disk Encryption for Mac released for 10.7, and encrypt the partitions again.
Deep Sleep: When Sophos SafeGuard Disk Encryption for Mac is installed the hibernation feature "Deep Sleep" is not supported and is disabled. Some applications do not auto-save their data when the sleep mode is activated. If the sleep mode is used for an extended period while not connected to power and such an application is open with unsaved data, data might be lost.
Bad sectors: We recommend you do not install the product if there are bad sectors on your hard disk. Initial encryption does not stop when bad sectors are encountered, but a log entry is created in the kernel log.
Initial encryption/final decryption on data partitions: Before you begin to encrypt a data partition ensure that all files on this partition are closed. Make sure that all files on the data partition to be decrypted are closed while decryption is performed.
Installing Sophos SafeGuard Disk Encryption for Mac
1. Using the web address and download credentials, go to the Sophos web site and download the Sophos SafeGuard Disk Encryption installer for Mac OS X.
2. Locate the installer disk image in the folder to which it was downloaded. Open the disk image. Find Sophos SafeGuard.pkg and double-click it to start the installer.
3. Click Continue, and follow the steps.
4. Enter the Mac OS X administrator credentials when the installer prompts you to do so. This is necessary to allow the installer to make changes.
5. When the installer has finished, restart your Mac.
6. After the restart Sophos SafeGuard Disk Encryption is installed.
7. Power-on Authentication (POA) has not been activated yet, but only displays the "Secured by SOPHOS" logo and continues booting the operating system after about one second. The software will continue to display the "Secured by SOPHOS" logo as long as no SafeGuard user has been created. When the first user is created Power-on Authentication is activated.
Sophos SafeGuard Disk Encryption for Mac places an icon on the right-hand side of the menu bar. Clicking the icon gives you access to the Sophos SafeGuard Disk Encryption user and disk management functions.
Uninstalling Sophos SafeGuard Disk Encryption for Mac
To uninstall Sophos SafeGuard Disk Encryption for Mac, use the uninstaller package Sophos SafeGuard Uninstaller.pkg in /Library/Sophos SafeGuard. You need to decrypt the hard drive first.
Configuring Sophos SafeGuard Disk Encryption
After the installation of the software you have to add SafeGuard users and specify which volumes of your Mac are to be encrypted.
Creating the first Sophos SafeGuard Disk Encryption Admin user
There must always be one Admin user. The first user created must be an Admin user. This is enforced by the user management and is the prerequisite for all administration tasks. When users are deleted it is not possible to delete the last Admin user, if more than one has been created.
1. Select the Sophos SafeGuard Disk Encryption icon and click User Management.
2. Enter a name for the Admin user.
3. Enter the password in the Password and Confirm Password field. Sophos SafeGuard Disk Encryption accepts only passwords with eight or more characters. Checking the Show Password option makes the entered password visible.
4. Click OK.
You can now proceed with creating other users.
Encrypting a partition
Sophos SafeGuard Disk Encryption lets you encrypt the hard disk or partitions of your Mac. Every disk management task (encrypt/decrypt/pause/resume) requires an authentication as a SafeGuard Admin.
1. Choose the Sophos SafeGuard Disk Encryption icon and click Disk Management.
2. Enter your SafeGuard Admin credentials and click OK.
3. Choose Partitions in the management pane. All partitions available are displayed.
4. Click Encrypt beside the partition you want to encrypt.
5. Encryption of the selected partitions starts immediately. To enhance encryption speed, check the Fast Mode option in the lower left corner of the Disk management pane.
Encryption/decryption can be paused by clicking the Pause button on the right end of the progress bar. To resume encryption, click the Resume button, which is displayed when the encryption has been paused. For both actions you must authenticate as a SafeGuard Admin.
Paused encryption/decryption tasks are resumed automatically after you restart your Mac.
For a detailed description see the Sophos SafeGuard Disk Encryption User help manual.
Time Machine backups
The following components of Sophos SafeGuard Disk Encryption should be excluded from Time Machine Backups:
• /Library/Sophos SafeGuard