Mac OS X: Encrypting personal files
August 7, 2008
(This is a post from my old blog which seems to be going offline once in a while, maybe even permanently at some point. This article is still very useful, especially with laptop searches now happening at U.S. borders, so I’ve reposted it here for other people’s and my reference.)
Let’s face it, you always end up having sensitive data on your laptop. If you ever have your laptop stolen (and I have!) or when you cross borders, this sensitive data may fall into the wrong hands. It’s not that I carry nuclear missile launch codes around with me, but thinking that a simple laptop thief may easily access
- VPN keys for accessing customer networks and customer code that I have signed NDAs for,
- credit card bills, tax reports and other financial information,
- print-ready PDFs of my book that might eventually circulate on eMule,
does scare me a bit. If you’re thinking that laptop thieves perhaps don’t have enough technical expertise to take advantage of this data, how about this: I archive all electronic invoices, especially for my computer equipment and various other gadgets, and my home address can easily be found in many documents on my hard drive. I could get my laptop stolen and the thief might decide to come back to my house for another “shopping tour.” Perhaps he can even deduce from the electronic plane tickets when I’m on a business trip and take all the time he needs to break into my apartment.
One obvious solution to avoid letting this information fall into the wrong hands is not to carry it around all the time. But I only have this one computer and I’d like to keep it that way. “So store sensitive data on an external hard drive,” you might say. That makes a lot of sense, but more often than not I’m away from home, perhaps with a customer, when I want to check something that would be on the external hard drive. And if I took it with me, it could be stolen or detained by the DHS just as well.
The best solution, and most comfortable one, simply is to encrypt your sensitive data.
Mac OS X comes with a built-in system to encrypt your whole home directory with a pass-phrase. It’s called FileVault. The integration is seamless and you won’t notice that your files actually live inside an encrypted disk image. That’s very nice. The problems with this approach are the following:
- I have loads of other data in my home directory that doesn’t need to be encrypted at all: mp3s, movies, tons of checkouts of open source software, etc. Encrypting those would be a waste of CPU cycles.
- When I make a backup, I want to back up the encrypted form, not the raw form. Otherwise somebody would just have to get a hold of my backup (e.g. the backup disk I carry around in the same bag as the laptop…).
- Being logged in automatically means having access to the encrypted data. Sometimes I would like to stay logged in to let others use the machine (e.g. during repairs, parties, sprints, etc.) and NOT risk exposing sensitive data. Sure, in most of those cases it’d be possible to create a new user account and be logged in there, but that’s typically a major hassle. Wouldn’t it be easier if I could simply lock down parts of my home dir for a while?
Encrypted disk image
Mac OS X supports a particular form of “loop devices” called disk images. These are files that look like a regular disk device: They contain an (Apple) partition map and an HFS or UDF partition. There are several neat things about these disk images:
- they’re resizable
- they support a SPARSE mode in which the image grows as it needs and doesn’t occupy its defined size
- there’s on-the-fly compression available (for read-only images)
- they support on-the-fly AES encryption
So much for the well-known features of DMGs. One of the lesser known features is that when Mac OS X “attaches” an image, it represents it as an actual disk block device under /dev, so you can mount it practically anywhere you like, not necessarily under /Volumes where double-clicking on an image would normally mount it.
My idea was to designate a certain directory within my home directory as a “secure” area. This directory would in fact be a mount point for an encrypted DMG.
Creating an encrypted sparse image
The image can be created using Mac OS X’s excellent command line toolbox:

    hdiutil create \
        -encryption -stdinpass \
        -type SPARSE -fs HFS+J \
        -volname Secure \
        -size 100g \
        Secure.sparseimage

The -stdinpass flag makes hdiutil prompt you for the passphrase (rather than taking it as a command line argument, where it would end up in your shell history and in the process list). Plain -encryption selects AES-128; if you want the longer key, say -encryption AES-256 instead. Note that the 100 GiB size limit here is purely theoretical as the image is of type SPARSE, which means it starts with practically 0 bytes of size and grows as it needs. And even if it had to grow larger than 100 GiB, you could always resize it quite easily with hdiutil resize (while the image is detached).
You can now mount the image file by double-clicking on it. This, however, will mount it below /Volumes. If you’re ok with that, stop reading here and start moving your sensitive data onto the new volume. If you prefer having the image mounted below your home directory, keep reading.
Mounting the image inside the home directory
Instead of double-clicking on the image, use the following command to attach the DMG to a disk device and mount it to a mount-point inside your home directory:
hdiutil attach -mountpoint ~/Secure Secure.sparseimage
If you’re like me and work with the command line a lot, you could alias this command line to a short command (e.g. mount-secure) in your .profile file. If you prefer to work with Finder, you can create the following small AppleScript (worst scripting language in the world, but it lets you create OS X apps that are executable with a simple double-click):

    do shell script "hdiutil attach -mountpoint ~/Secure ~/Secure.sparseimage"
    tell application "Finder"
        activate
        make new Finder window
        select Finder window 1
        set target of Finder window 1 to disk "Secure"
    end tell

With this saved as an .app application, you can now double click on it, enter the passphrase for the image and be presented with the Finder window of the newly mounted volume.
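For the command-line route, here is the mount-secure idea fleshed out into a small script. This is an added example and not part of the original post; the command name, the paths in SECURE_IMAGE and SECURE_MOUNT, and the AES-256 choice are assumptions. Besides create and attach it adds the two things I would want in daily use: an unmount command, since detaching is what actually locks the data again before you hand the machine to someone else or cross a border, and a check that nothing was written into ~/Secure while the image was not attached (such files sit unencrypted on the real disk and simply disappear from view once the volume is mounted over them).

```shell
#!/bin/sh
# secure: wrapper around the hdiutil commands from the post above.
# Added example, not part of the original post. Paths and the command name
# are assumptions; override with SECURE_IMAGE / SECURE_MOUNT if you like.
set -eu

SECURE_IMAGE="${SECURE_IMAGE:-${HOME:-.}/Secure.sparseimage}"
SECURE_MOUNT="${SECURE_MOUNT:-${HOME:-.}/Secure}"

# Pure helper: does the output of mount(8) (second argument, lines like
# "/dev/disk2s2 on /Users/me/Secure (hfs, local, ...)") show a volume at the
# given mount point? Kept free of hdiutil so it can be exercised anywhere.
secure_mounted_in() {
    mountpoint=${1%/}
    printf '%s\n' "$2" | grep -qF " on $mountpoint ("
}

secure_is_mounted() {
    secure_mounted_in "$SECURE_MOUNT" "$(mount)"
}

# Does the directory contain anything, dotfiles included? Used to catch files
# dropped into the mount point while the image was NOT attached.
secure_dir_has_files() {
    [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

secure_create() {
    if [ -e "$SECURE_IMAGE" ]; then
        echo "refusing to overwrite existing $SECURE_IMAGE" >&2; return 1
    fi
    # -stdinpass prompts on a terminal; never use -passphrase on the command
    # line, it ends up in ps output and shell history. -encryption alone
    # means AES-128, so AES-256 is requested explicitly.
    hdiutil create -encryption AES-256 -stdinpass -type SPARSE -fs HFS+J \
        -volname Secure -size 100g "$SECURE_IMAGE"
}

secure_mount() {
    if secure_is_mounted; then
        echo "already mounted at $SECURE_MOUNT"; return 0
    fi
    mkdir -p "$SECURE_MOUNT"    # hdiutil expects the mount point to exist
    if secure_dir_has_files "$SECURE_MOUNT"; then
        echo "warning: $SECURE_MOUNT is not empty; these are NOT in the image:" >&2
        ls -A "$SECURE_MOUNT" >&2
    fi
    hdiutil attach -stdinpass -mountpoint "$SECURE_MOUNT" "$SECURE_IMAGE"
}

# Detaching is what locks the data again. A failed detach usually means some
# process still has a file open on the volume; show it instead of forcing.
secure_umount() {
    secure_is_mounted || { echo "not mounted"; return 0; }
    if ! hdiutil detach "$SECURE_MOUNT"; then
        echo "detach failed; open files on $SECURE_MOUNT:" >&2
        lsof +D "$SECURE_MOUNT" >&2 || true
        return 1
    fi
}

# Image-level maintenance only makes sense while the image is detached.
secure_resize() {           # e.g. secure resize 200g
    [ -n "${1:-}" ] || { echo "usage: secure resize SIZE" >&2; return 2; }
    secure_is_mounted && { echo "detach first" >&2; return 1; }
    hdiutil resize -size "$1" "$SECURE_IMAGE"
}

secure_compact() {          # give back space freed inside the sparse image
    secure_is_mounted && { echo "detach first" >&2; return 1; }
    hdiutil compact "$SECURE_IMAGE"
}

secure_backup() {           # copy the *encrypted* image: secure backup /Volumes/Backup
    [ -n "${1:-}" ] || { echo "usage: secure backup DIR" >&2; return 2; }
    secure_is_mounted && { echo "detach first; a mounted image may be inconsistent" >&2; return 1; }
    cp -p "$SECURE_IMAGE" "$1/"
}

if [ "$#" -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        create|mount|umount|resize|compact|backup) "secure_$cmd" "$@" ;;
        *) echo "usage: secure create|mount|umount|resize SIZE|compact|backup DIR" >&2; exit 2 ;;
    esac
fi
```

Save it as, say, ~/bin/secure and run secure mount / secure umount. The backup subcommand copies the image file only while it is detached, which is the encrypted-at-rest form you want on a backup disk carried in the same bag as the laptop.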
One interesting and slightly annoying detail is that once the ~/Secure folder has become the mount point of the image, the Finder doesn’t show it inside the home folder anymore, but instead as a top-level volume, while from the Unix environment it’s obviously still accessible as ~/Secure. So visually, the Secure image does not seem part of the home directory while physically it is. But since I work with the command line a lot, I care more about the physical location of the mount point.