Go Beyond FileVault - Take Control of FileVault (1.1) (2015)

Take Control of FileVault (1.1) (2015)

Go Beyond FileVault

FileVault is great for what it does, but I wouldn’t pretend that it solves all encryption problems—or even all encrypted file-storage problems for Mac users. After all, FileVault doesn’t protect your data at all when you’re logged in to your Mac, and it doesn’t protect files you might want to share with other people. There are numerous other uses for encryption you may want to explore, too. In this brief chapter, I review some of the ways you can use encryption on a Mac that don’t involve FileVault or even Core Storage. These can supplement FileVault for additional security, or replace it in cases where FileVault can’t be used.

Other Full-Disk Encryption Options

FileVault isn’t the only way a Mac user can encrypt an entire disk. Third-party apps such as Check Point Full Disk Encryption and Symantec Drive Encryption offer roughly similar features, but with more of an enterprise focus. Their main priority is convenient, cross-platform institutional management. There’s nothing wrong with that, but these tools aren’t the sort of things that individual users would typically buy and install on their own Macs.

I should also mention that if you use a third-party full-disk encryption program, you should be sure to decrypt your disk before upgrading to a new version of OS X—a task that isn’t necessary with FileVault. For a cautionary tale about why I say that, read Rich Mogull’s TidBITS article Whole Disk Encryption, and Why Mac OS X 10.6.5 Broke PGP WDE. (The product formerly known as PGP WDE is now Symantec Drive Encryption.)

Use Encrypted Disk Images

Most Mac users are familiar with disk images—files that, when you double-click them, mount on your Desktop as though they were removable disks. A great deal of Mac software is distributed on disk images, because they make packaging convenient and compact.

You can easily create your own disk image using Disk Utility. There’s normally not much value in doing so unless you’re distributing software, unless you want to take advantage of the option to encrypt these images. Using this feature, you can make a container on your disk that securely holds any files or folders you like, and which can still be locked even when FileVault is unlocked. If you have extra-sensitive files, an encrypted disk image may be just what you need.

Note: Legacy FileVault used an encrypted disk image to store a user’s entire home folder. Although that idea turned out to be problematic, encrypted disk images are still useful in other ways.

To create an encrypted disk image:

1. Open Disk Utility (in /Applications/Utilities).

2. Choose File > New > Blank Disk Image (or click New Image on the toolbar). (Alternatively, to create a disk image from an existing folder, choose File > New > Disk Image from Folder and select the folder you want to use.)

3. Fill in the file name (the name of the disk image in the Finder), location to save the file, volume name (the name of the disk image’s mounted volume), and maximum size; leave the format as Mac OS Extended (Journaled).

4. Choose either 128-bit or 256-bit AES encryption from the Encryption pop-up menu. As the menu says, 256-bit AES is more secure, but slower (when creating, opening, and saving data). Leave Partitions set as it is.

5. From the Image Format pop-up menu, choose either Read/Write Disk Image (for a fixed-size disk image), Sparse Disk Image (for a variable-size disk image), or—my favorite option—Sparse Bundle Disk Image (which can vary in size and is friendlier to backup software such as Time Machine, as I discuss in the sidebar just ahead).

6. Click Create. Then enter and verify a password.

7. Before you click OK, consider deselecting Remember Password in My Keychain. Storing the password in your keychain is more convenient (you won’t have to enter the password to mount the disk), but that convenience would extend to anyone else who had access to your computer while you’re logged in (which kind of defeats the purpose).

8. Now click OK.

Your new disk image appears in the designated location. It mounts automatically so you can begin storing files on it immediately.

To eject (and thereby lock) the disk image, click the eject icon next to it in the sidebar of any Finder window, or drag the mounted volume icon (not the disk image file itself!) to the Trash, which turns into an eject icon.

To reopen the disk image later, double-click it, enter the password, and click OK. Again, I suggest avoiding the temptation to select Remember Password in My Keychain.

(Sparse) Bundles of Joy

Mac OS X has long supported several disk image varieties, one of which was the sparse image (extension .sparseimage). Unlike conventional disk images with a .dmg extension, sparse images don’t have a fixed size; they can grow (up to a preset maximum size) as their contents change. This helps avoid disk images with lots of empty space wasting space on your Mac’s disk.

Another type of disk image, the sparse bundle (which has the extension .sparsebundle), looks and behaves almost exactly like a sparse image, but with an interesting twist: behind the scenes, this image is a bundle (hence the name) of smaller files called bands, each only 8 MB in size. As a result, when you modify files in a sparse bundle image, only the band(s) used to store that particular data change—and only those, much smaller, files need to be backed up the next time Time Machine or other backup software runs.

Encrypt Files and Folders

Encrypted disk images are easy to make and highly secure. But you may prefer to encrypt individual files or folders without having to create and manage disk images manually. Fortunately, numerous third-party encryption tools can do this sort of thing. Here are a few examples (for more, search for “encryption” in the Mac App Store):

· 1Password: Although primarily a password manager, 1Password lets you attach files to any login or note item. They’re encrypted along with your other data and can sync across devices and platforms.

· Espionage: Espionage lets you encrypt individual folders by drag-and-drop; it also hides those encrypted folders so they’re not visible in Finder windows. You can even set it to automatically lock a folder after a period of inactivity.

· Hider 2: This app creates an encrypted database on your disk, adds to it whatever files and folders you want to protect, and then securely erases the originals.

· Knox: From the makers of 1Password, this app uses encrypted disk images (like the ones Disk Utility makes), but gives you an easier way to create, organize, and manage them.

Except for 1Password, the apps above are Mac-only. So they won’t help you sync encrypted files across platforms, and even 1Password doesn’t let you send an encrypted file to someone else. (If the other person is a Mac user, you can send an encrypted disk image, but those won’t work on a Windows or Linux PC, or even on an iOS device.)

Here are a few examples of cross-platform tools you can use for encrypting and decrypting files:

· Boxcryptor: This tool can run on a Mac or Windows PC, or on an iOS, Android, Blackberry, or Windows Phone device. It lets you selectively encrypt items in your Dropbox (or other cloud storage). You can even share an encrypted folder, as long as the other users also have Boxcryptor installed.

· GNU Privacy Guard: This cross-platform implementation of the OpenPGP public-key encryption standard lets you encrypt files and email messages in such a way that others with compatible software can decrypt them. The Mac version is called GPGTools.

· BetterZip 2: Use this utility to compress and/or encrypt individual files and folders, which you can then send by email or share in other fashions. Anyone with a copy of BetterZip (or a compatible utility, such as WinZip or StuffIt Expander) and the item’s password can then decrypt it.

Other Ways to Use Encryption

Encrypting your files solves a certain set of problems, but encryption has many other uses too. For example:

· Instant messaging; audio and video chat: To avoid having someone eavesdrop on your text-based, audio, or video conversations, instant messaging and chat apps sometimes encrypt their data as it travels between users. For example, Apple’s iMessage protocol, used in Messages on Mac OS X and iOS, encrypts all conversations automatically.

· Email: Although there are numerous ways to encrypt email messages, they’re all somewhat complicated—and they all require cooperation from the person on the other end. But if you need to send sensitive information by email, encryption is a good idea. I explain multiple methods for doing this with Apple Mail in my book Take Control of Apple Mail.

· Web browsing: Nearly all Web sites that use passwords or engage in commerce use a technology called SSL (Secure Sockets Layer) or its successor, TLS (Transport Layer Security) to encrypt the data traveling from your browser to the server and back.

To learn more about these types of encryption—why they’re important, what the difficulties are, and how to use them effectively—read my book Take Control of Your Online Privacy.