Encryption in OS X
ajbaker
Registered User
Join Date: Mar 2001
Location: Farnborough, UK
Dec 12, 2001, 10:29 AM
 
Despite the newfound security with OS X, another person only needs to get hold of my hard disk to be able to access all of my data. With a PowerBook that is easily done.

I was wondering therefore what methods exist to encrypt, for example my ~/Documents directory such that only when logged in as myself can I have access to the documents. All other users, and users of the hard disk in a different computer will just see an encrypted file/directory.

This of course needs to happen in the background, on the fly, and not prompt me for a password every time I wish to open an individual document.

Is this a feature Apple are likely to offer in a future version of OS X (Microsoft have done since 2000 I believe), or do we look for a 3rd party solution? Does one currently exist?

One further point, does HFS+ support encryption at the file system level, or do we need to look at a higher level of abstraction for this feature?

Andrew
     
fulmer
Professional Poster
Join Date: Jan 2001
Dec 12, 2001, 01:22 PM
 
No other users have access to your Documents folder anyway, regardless of encryption. They're simply denied access. In fact, your home folder is inaccessible to anyone but yourself, and as long as another user isn't an Admin (like yourself), then they won't have privileges for anything but their home directory.

If you'd like to encrypt certain files or chunks of files, you can make an encrypted disk image, then drag-and-drop documents, pics, etc. to it. Apple's Disk Copy does this nicely, and I've used it to transfer files over the 'net to my brother. Just create the image, set a passphrase, add your files, and unmount. Instant encrypted disk.

But I know you want something more, as in an encrypted file system.
     
Developer
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Dec 12, 2001, 01:51 PM
 
> No other users have access to your Documents folder anyway, regardless of encryption. They're simply denied access.

Unless this other user boots into OS 9 or has an OS X CD available to change the admin password.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
iSore
Dedicated MacNNer
Join Date: Sep 2001
Location: Trana
Dec 12, 2001, 02:17 PM
 
Originally posted by Developer:
> Unless this other user boots into OS 9 or has an OS X CD available to change the admin password.

Unless you enable the firmware password. It has three settings:
- off (default)
- require password to boot from anything but the startup disk
- require password to boot

The second setting should suffice to secure the machine in question.
"Of course the people don't want war. But after all, it's the leaders of the country who determine the policy, and it's always a simple matter to drag the people along whether it's a democracy, a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism, and exposing the country to greater danger."

-- Herman Goering at the Nuremberg trials
     
Jelle Monkmater
Dedicated MacNNer
Join Date: Apr 2001
Location: World capital of drugs and prostitution. Hmmm... SEXTC...
Dec 12, 2001, 02:56 PM
 
Originally posted by iSore:
> Unless you enable the firmware password. It has three settings:
> - off (default)
> - require password to boot from anything but the startup disk
> - require password to boot
>
> The second setting should suffice to secure the machine in question.

Woa! I didn't know you could do that. How do you do that?
The one you love and the one who loves you are never the same person.
     
fulmer
Professional Poster
Join Date: Jan 2001
Dec 12, 2001, 04:43 PM
 
Originally posted by Developer:
> Unless this other user boots into OS 9 or has an OS X CD available to change the admin password.

Whoops. Been using X w/out 9 so long now that I forgot about that little 'workaround'.
     
ChaChi Boy
Senior User
Join Date: Dec 2001
Location: Toronto, ON
Dec 12, 2001, 04:48 PM
 
Originally posted by Jelle Monkmater:
> Woa! I didn't know you could do that. How do you do that?

I think a utility is on the OS X CD.

Iguana: The other green meat.
     
lgerbarg
Mac Enthusiast
Join Date: Oct 2000
Location: Cupertino, CA
Dec 12, 2001, 04:58 PM
 
Originally posted by iSore:
> Unless you enable the firmware password. It has three settings:
> - off (default)
> - require password to boot from anything but the startup disk
> - require password to boot
>
> The second setting should suffice to secure the machine in question.

That will not stop someone from physically removing the disk. It should be acceptable for most users though. If you really, really want your ~/Documents secure you can make the folder a symbolic link to /Volumes/MyEncryptedDiskImage, save the image's password in keychain, write a script to automatically mount it, and then have that script run as one of your login items.

I should note that encryption of large amounts of data will result in a big performance loss. You probably don't care if they are text files, but you are not going to want to record DV directly to it.

Louis
Louis Gerbarg
Darwin Developer
These are my views, and not the views of my employer.
     
iSore
Dedicated MacNNer
Join Date: Sep 2001
Location: Trana
Dec 12, 2001, 06:56 PM
 
Apple released a GUI tool on the 10.1 disks (upgrade & install) that allows you to set the Open Firmware password. IIRC, it doesn't get installed by default: look in /Applications/Utilities/. It can also be enabled from the Terminal, but I'm afraid I can't recall the command/parameters.
"Of course the people don't want war. But after all, it's the leaders of the country who determine the policy, and it's always a simple matter to drag the people along whether it's a democracy, a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism, and exposing the country to greater danger."

-- Herman Goering at the Nuremberg trials
     
Bouba
Dedicated MacNNer
Join Date: Jan 2001
Dec 12, 2001, 07:08 PM
 
Why don't you make a disk image and encode this disk image (128bit encryption) with Disk Copy?

Every time you need it, you mount it!
...happiness is not a fish that you can catch.
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Dec 12, 2001, 08:51 PM
 
There is an API for encrypting files. However it is "currently unavailable" - you can take that two ways: 1) it's a remnant from NeXT and will never be supported in X, or 2) it hasn't been implemented on X yet, but will be in the future.

I'm keen on the second option! We had encryption in 9 so it seems reasonable that it'll come to X - eventually.

more info: http://developer.apple.com/techpubs/...Workspace.html
     
udecker
Forum Regular
Join Date: Sep 2000
Dec 12, 2001, 09:50 PM
 
Originally posted by Bouba:
> Why don't you make a disk image and encode this disk image (128bit encryption) with Disk Copy?
>
> Every time you need it, you mount it!

This would be nice if Apple provided a format similar to VPC's "expand size as you go" type images. Right now, I'm going to take up 10 times as much space as I need to, and when I finally use all of that space, I'll need to make a new one much bigger than that to copy everything over.

Should I even anticipate Apple creating a variable sized disk image format? Or is that just a pipe dream?

-uD
     
mmurray
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Dec 12, 2001, 10:27 PM
 
Originally posted by Developer:
> Unless this other user boots into OS 9 or has an OS X CD available to change the admin password.

Can't you boot single user anyway? I have always been told if someone has physical access to a UNIX machine it's not secure.

Of course the firmware password will stop that unless they pull out the hard drive. Note that wouldn't be very difficult if they had another machine of the same type to swap it into. Apple documents HD install in the manual and seems to regard it as a user upgrade.

Michael
     
mmurray
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Dec 12, 2001, 10:31 PM
 
Originally posted by lgerbarg:
> That will not stop someone from physically removing the disk. It should be acceptable for most users though. If you really, really want your ~/Documents secure you can make the folder a symbolic link to /Volumes/MyEncryptedDiskImage, save the image's password in keychain, write a script to automatically mount it, and then have that script run as one of your login items.
>
> I should note that encryption of large amounts of data will result in a big performance loss. You probably don't care if they are text files, but you are not going to want to record DV directly to it.
>
> Louis

If you save it into the default keychain then I think that keychain is unlocked at login so its security is the 8 digit login password. It might be better to make a keychain just for mounting the volume and give it a long pass phrase. Pick your favourite line of poetry or prose :-) It's worth noting that the keychain will save you a little time as it seems that when Disk Copy mounts an encrypted image it wants you to enter the passphrase twice. So a keychain halves the typing.


Michael
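
The login-item setup lgerbarg describes, with the separate keychain mmurray suggests, written out as an added example that is not part of any post in this thread. It assumes the `hdiutil` and `security` command-line tools of present-day macOS; the image path, keychain path and keychain item name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed, hypothetical names:
DOCS="${DOCS:-$HOME/Documents}"
VOLUME="${VOLUME:-/Volumes/MyEncryptedDiskImage}"   # where the image's volume mounts
IMAGE="${IMAGE:-$HOME/Secure/Documents.sparseimage}"
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/diskimage.keychain-db}"
ITEM="${ITEM:-MyEncryptedDiskImage}"                # keychain item (service) name

# Classify the Documents path: ok | dangling | wrong-target | plaintext-dir | missing
link_state() {
    docs=$1; vol=$2
    if [ -L "$docs" ]; then
        if [ "$(readlink "$docs")" != "$vol" ]; then echo wrong-target
        elif [ -d "$docs" ]; then echo ok          # link resolves: volume is mounted
        else echo dangling                         # link is right, image not mounted
        fi
    elif [ -d "$docs" ]; then echo plaintext-dir   # real folder: files land unencrypted
    else echo missing
    fi
}

# Unlock the dedicated keychain (it has its own passphrase, separate from the
# login password), read the image passphrase from it, then attach the image.
mount_image() {
    security unlock-keychain "$KEYCHAIN" || return 1
    pass=$(security find-generic-password -s "$ITEM" -w "$KEYCHAIN") || return 1
    # printf is a shell builtin, so the passphrase is not exposed in argv;
    # -stdinpass would treat a trailing newline as part of the passphrase.
    printf '%s' "$pass" | hdiutil attach "$IMAGE" -stdinpass >/dev/null
    status=$?; unset pass; return $status
}

main() {
    state=$(link_state "$DOCS" "$VOLUME")
    if [ "$state" = dangling ]; then
        mount_image || { echo "mount failed" >&2; return 1; }
        state=$(link_state "$DOCS" "$VOLUME")
    fi
    if [ "$state" != ok ]; then
        echo "refusing to continue: $DOCS is $state" >&2
        return 1
    fi
    echo "$DOCS is on the encrypted volume"
}

# Run only when used as the login item: sh mount-docs.sh --login
if [ "${1:-}" = "--login" ]; then main; fi
```

If something recreates `~/Documents` as an ordinary folder, the script reports `plaintext-dir` instead of mounting, since files saved there would sit unencrypted on the disk.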
     