Mac OS X: Encrypting personal files

August 7, 2008

(This is a post from my old blog which seems to be going offline once in a while, maybe even permanently at some point. This article is still very useful, especially with laptop searches now happening at U.S. borders, so I’ve reposted it here for other people’s and my reference.)
Let’s face it, you always end up having sensitive data on your laptop. If you ever have your laptop stolen (and I have!) or when you cross borders, this sensitive data may fall into the wrong hands.  It’s not that I carry nuclear missile launch codes around with me, but thinking that a simple laptop thief may easily access

  • VPN keys for accessing customer networks and customer code that I have signed NDAs for,
  • credit card bills, tax reports and other financial information,
  • print-ready PDFs of my book that might eventually circulate on eMule,

does scare me a bit.  If you’re thinking that laptop thieves perhaps don’t have enough technical expertise to take advantage of this data, how about this: I archive all electronic invoices, especially for my computer equipment and various other gadgets, and my home address can easily be found in many documents on my hard drive. I could get my laptop stolen and the thief might decide to come back to my house for another “shopping tour.”  Perhaps he can even deduce from the electronic plane tickets when I’m on a business trip and take all the time he needs to break into my apartment.

One obvious solution to avoid letting this information fall into the wrong hands is not to carry it around all the time.  But I only have this one computer and I’d like to keep it that way.  “So store sensitive data on an external hard drive,” you might say.  That makes a lot of sense, but more often than not I’m away from home, perhaps with a customer, when I want to check something that would be on the external hard drive.  And if I took it with me, it could be stolen or detained by the DHS just as well.

The best solution, and most comfortable one, simply is to encrypt your sensitive data.

FileVault

Mac OS X comes with a built-in system to encrypt your whole home directory with a pass-phrase.  It’s called FileVault.  The integration is seamless and you won’t notice that your files actually live inside an encrypted disk image.  That’s very nice.  The problems with this approach are the following:

  • I have loads of other data in my home directory that doesn’t need to be encrypted at all: mp3s, movies, tons of checkouts of open source software, etc.  Encrypting those would be a waste of CPU cycles.
  • When I make a backup, I want to back up the encrypted form, not the raw form.  Otherwise somebody would just have to get a hold of my backup (e.g. the backup disk I carry around in the same bag as the laptop…).
  • Being logged in automatically means having access to the encrypted data.  Sometimes I would like to be logged in to let others have access to the machine (e.g. during repairs, parties, sprints, etc.) and NOT risk sensitive data being accessible.  Sure, in most of those cases it’d be possible to create a new user account and be logged in there, but that’s typically a major hassle.  Wouldn’t it be easier if I could simply lock down parts of my home dir for a while?

Encrypted disk image

Mac OS X supports a particular form of “loop devices” called disk images.  These are files that look like a regular disk device: They contain an (Apple) partition map and an HFS or UDF partition.  There are several neat things about these disk images:

  • they’re resizable
  • they support a SPARSE mode in which the image grows as it needs and doesn’t occupy its defined size
  • there’s an on-the-fly compression available
  • they support on-the-fly AES encryption

So much for the well-known features of DMGs.  One of the lesser known features is that when Mac OS X “attaches” an image, it represents it as an actual disk block device under /dev, so you can mount it practically anywhere you like — not necessarily under /Volumes where double-clicking on an image would normally mount it.

My idea was to designate a certain directory within my home directory as a “secure” area.  This directory would in fact be a mount point for an encrypted DMG.

Creating an encrypted sparse image

The image can be created using Mac OS X’s excellent command line toolbox:

hdiutil create \
    -encryption -stdinpass \
    -type SPARSE -fs HFS+J \
    -volname Secure \
    -size 100g \
    Secure.sparseimage

Note that the 100 GiB size limit here is purely theoretical as the image is of type SPARSE, which means it starts with practically 0 bytes of size and grows as it needs.  And even if it had to grow larger than 100 GiB, you could always resize it quite easily.

You can now mount the image file by double-clicking on it.  This, however, will mount it below /Volumes.  If you’re ok with that, stop reading here and go on moving your sensitive data to the disk.  If you prefer having the image mounted below your home directory, keep reading.

Mounting the image inside the home directory

Instead of double-clicking on the image, use the following command to attach the DMG to a disk device and mount it to a mount-point inside your home directory:

hdiutil attach -mountpoint ~/Secure Secure.sparseimage

If you’re like me and work with the command line a lot, you could alias this command line to a short command (e.g. mount-secure) in your .profile file.  If you prefer to work with Finder, you can create the following small AppleScript (worst scripting language in the world, but it lets you create OS X apps that are executable with a simple double-click):

-- attach the image at ~/Secure; hdiutil asks for the passphrase in a dialog
do shell script "hdiutil attach -mountpoint ~/Secure ~/Secure.sparseimage"
tell application "Finder"
  activate
  -- open a new window and point it at the freshly mounted volume
  make new Finder window
  select Finder window 1
  set target of Finder window 1 to disk "Secure"
end tell

With this saved as an .app application, you can now double-click on it, enter the passphrase for the image and be presented with the Finder window of the newly mounted volume.
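For the command-line route, here is the create and attach procedure above packaged as shell functions you can source from .profile, as an added example that is not from the original post; the image path, the mount point and the mounted_device helper that parses mount(8) output are my assumptions.

```shell
#!/bin/sh
# Helpers for the ~/Secure encrypted sparse image from the post (added example,
# not the author's code). Image path and mount point are assumptions; override
# with SECURE_IMG / SECURE_MNT. Source from .profile or run "secure.sh <cmd>".
SECURE_IMG="${SECURE_IMG:-$HOME/Secure.sparseimage}"
SECURE_MNT="${SECURE_MNT:-$HOME/Secure}"

# Print the device backing mount point $1 given mount(8) output in $2
# (lines of the form "<device> on <path> (<options>)"), or nothing if
# $1 is not currently a mount point.
mounted_device() {
    printf '%s\n' "$2" | awk -v mnt="$1" '
        { i = index($0, " on "); if (i == 0) next
          rest = substr($0, i + 4); j = index(rest, " (")
          path = (j ? substr(rest, 1, j - 1) : rest)
          if (path == mnt) { print substr($0, 1, i - 1); exit } }'
}

# Same create command as the post: -stdinpass makes hdiutil read the
# passphrase from stdin (prompting when stdin is a terminal), so it never
# shows up in `ps` output or shell history.
create_secure() {
    hdiutil create -encryption -stdinpass -type SPARSE -fs HFS+J \
        -volname Secure -size 100g "$SECURE_IMG"
}

mount_secure() {
    if [ -n "$(mounted_device "$SECURE_MNT" "$(mount)")" ]; then
        echo "already mounted at $SECURE_MNT" >&2; return 0
    fi
    mkdir -p "$SECURE_MNT"
    hdiutil attach -mountpoint "$SECURE_MNT" "$SECURE_IMG"
}

# Detach before sleeping the machine or handing it to someone else: while
# attached, the plaintext is readable by any process running as you or root.
umount_secure() {
    dev=$(mounted_device "$SECURE_MNT" "$(mount)")
    [ -n "$dev" ] || { echo "$SECURE_MNT is not mounted" >&2; return 1; }
    hdiutil detach "$dev"
}

# A sparse image grows but never shrinks on its own; reclaim the space of
# deleted files while the image is detached.
compact_secure() { hdiutil compact "$SECURE_IMG"; }

case "${1:-}" in
    create) create_secure ;;  mount) mount_secure ;;
    umount) umount_secure ;;  compact) compact_secure ;;
esac
```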

One interesting and slightly annoying detail is that once the ~/Secure folder has become the mount point of the image, the Finder doesn’t show it inside the home folder anymore, but instead as a top-level volume, while from the Unix environment, it’s obviously still accessible as ~/Secure.  So visually, the Secure image does not seem part of the home directory while physically it is.  But since I work with the command line a lot, I care more about the physical location of the mount point.

6 Responses to “Mac OS X: Encrypting personal files”

  1. Justin Ryan Says:

    Some things to consider, as I’ve done this a long time myself:

    (a) This is true of FileVault esp., but also this solution – if you sleep your computer, and leave it logged in, root can access these files, as though root can’t mount it, root can access every node of the filesystem. Something like SELinux could help this, but Apple haven’t gone so far, yet. So, consider unmounting it.

    (b) If you maintain a symlink from ~/Secure to /Volumes/Secure, it shows up in Finder.

    (c) Symlinks can also be used to keep your ssh and pgp keys, even if themselves passphrase protected, in here.

    It is a very handy approach, and something Apple should put more engineering resources into integration and UI for.

  2. philikon Says:

    Justin, thanks for the feedback. Yes, consider unmounting before putting the laptop to sleep. Before going through customs and immigration, consider turning the machine off altogether.

  3. Claus Conrad Says:

    While this is a very nice solution with built-in tools, some might be interested in the alternative solution TrueCrypt, making it possible to have cross-platform mountable encrypted images: http://www.truecrypt.org/

  4. Richard Connamacher Says:

    Philipp, thanks for the tip (though I didn’t see it until just now). I hadn’t thought to use hdiutil to create a mountpoint for it. Instead I’ve just got a standard encrypted sparseimage that has to be opened the normal way and which mounts at /Volumes like everything else.

    By the way, you fell for classic link spam. That first post about inaccuracies was put there to create a link to financist’s credit card info web site. You should delete it (and then delete this part of my comment about it).

  5. Richard Connamacher Says:

    By the way, another problem with FileVault is it doesn’t play well with Time Machine backups. FileVault saves your home folder as a series of sparseimage slices, and when one file changes Time Machine has to back up the entire slice it’s on instead of saving the changes to just that one file.
