Security, encryption etc.

Joined
May 12, 2011
Messages
79
Reaction score
3
Points
8
Location
China
Your Mac's Specs
Mac OSX 10.7.3: MBP 15" Early 2011 2.0GHz i7, 8GB, 500GB 5400RPM
Hi,

Couple of months into the MBP and so far so good! I am about to go on holiday and have a few questions about security.

1. Hardware. As I understand it, if a nasty person steals my MBP then, ignoring the data, he could simply start the computer with a system disc and reformat the hard drive and have a nice new computer? Apple has an option to install a firmware password which would prevent this but according to their support site this can be disabled by physical access to the inside of the computer, so is it worth the trouble? I am thinking of this as sort of a BIOS type password?

2. I currently use TrueCrypt which has served me well for years, for the relatively small number of files I need to encrypt, but I am conscious of the many posts recommending to use what comes with the machine - great advice so far. So I have read that I could use the Disk Utility to create a new image which would be encrypted? Is this actually a better way of doing things - TrueCrypt is excellent but can be a bit clunky? With TrueCrypt I can take it anywhere, could I put the disk image onto a thumb drive and open it from other Macs? I realise that I could encrypt the whole drive but this seems a bit over the top and wouldn't allow me to take a small number of encrypted files away... Some files I could simply encrypt using the option on Preview but I cannot find what level of encryption this is?

3. And finally(!) it has now occurred to me that my Time Machine backups are not encrypted. I do not see an option for encryption on the Time Machine preferences - is there a way to do this without encrypting my MBP hard drive?

(Minor other thing. I was playing with Automator, having read an excellent post by lifeisabeach and have created a service - how do I delete it!!)

Thanks for the help!
 

chas_m

Guest
1. Hardware. As I understand it, if a nasty person steals my MBP then, ignoring the data, he could simply start the computer with a system disc and reformat the hard drive and have a nice new computer? Apple has an option to install a firmware password which would prevent this but according to their support site this can be disabled by physical access to the inside of the computer, so is it worth the trouble? I am thinking of this as sort of a BIOS type password?

Not really the same thing as a BIOS password. But the rest of your scenario is true. Disabling the firmware password is a LOT more trouble than just "has physical access to the computer," so yes if you think your laptop is at high risk of being stolen then it's probably worth doing.

2. So I have read that I could use the Disk Utility to create a new image which would be encrypted? Is this actually a better way of doing things - TrueCrypt is excellent but can be a bit clunky? With TrueCrypt I can take it anywhere, could I put the disk image onto a thumb drive and open it from other Macs?

Yes.


3. And finally(!) it has now occurred to me that my Time Machine backups are not encrypted. I do not see an option for encryption on the Time Machine preferences - is there a way to do this without encrypting my MBP hard drive?

Not that I'm aware of, but your TM backup isn't on your MBP hard drive -- or at least it shouldn't be (that would be kind of dumb). I know there are hard drives that employ their own hardware-level encryption, but I've never used one so I have no idea if it would work with TM or not.

Another option is using a clone program to create a clone image of the drive to an encrypted sparse disk image (this would be in place of using TM for backing up). I believe this can be done with SuperDuper or Carbon Copy Cloner though again I've never tried it.
 
OP
Pigstick
Progress

Thanks for the reply!

I have had a play with the Disk Utility and created a .DMG 'file'(?) which I understand to be a kind of folder. Works great. Small enough to include on Dropbox and a neater interface than TrueCrypt, although I lose the ability to load it across systems.

I am a bit surprised about Time Machine. It is one of my favourite things about the Mac, painless (and just cool to watch). Although I do not need to encrypt my entire hard drive on the computer, I do think that having a backup drive encrypted is sensible at times, especially if you store it off site as I do. If I lose my little hard drive (I'm preparing for a really bad day between my MBP being stolen and losing my backup drive:)!) I'd like to think it had some protection.
 

chas_m

Guest
A DMG file is short for Disk Image. There are two types: fixed and "sparse." As you may already know, a sparse image grows as you put more stuff into it. Storing a sparse image on Dropbox will work fine as long as you're careful not to exceed the 2GB.

Apple has a system for encrypting the entire User Folder (not the entire HD, since there's no reason for systems or apps to be encrypted) called FileVault. I would **STRONGLY** recommend you AVOID it -- it is very prone to people forgetting the master password or simply becoming corrupt, and if either of those happens your data is simply gone (there's no way to recover it).

Lion (coming next month) will have a new scheme called FileVault 2 -- my advice to anyone considering the use of FileVault would be to wait and check out FileVault 2 and see if they've corrected the issues that made the original FileVault a huge disaster for so many people.
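
What the encrypted sparse image discussed above looks like from Terminal, as an added example that is not part of any post in this thread: it creates an AES-256 encrypted sparse image with macOS's `hdiutil`, confirms the result is encrypted, and checks the file against the 2GB figure mentioned above. The image path, volume name and 1g maximum size are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. macOS only for the hdiutil calls.
# Assumed names: ~/Dropbox/vault.sparseimage, volume "Vault", 1g maximum size.

# The 2GB figure quoted in the thread, in bytes.
DROPBOX_LIMIT_BYTES=$((2 * 1024 * 1024 * 1024))

# Create an AES-256 encrypted sparse image. hdiutil prompts for the
# passphrase itself, so it never appears in the process arguments.
create_vault() {
    image=$1
    max_size=${2:-1g}
    volname=${3:-Vault}
    command -v hdiutil >/dev/null 2>&1 || {
        echo "hdiutil not found (macOS only)" >&2
        return 2
    }
    hdiutil create -type SPARSE -fs HFS+J -size "$max_size" \
        -encryption AES-256 -volname "$volname" "$image"
}

# Succeeds only if hdiutil reports the image as encrypted.
vault_is_encrypted() {
    hdiutil isencrypted "$1" 2>/dev/null | grep -q 'encrypted: YES'
}

# Current on-disk size of the image file in bytes (a sparse image grows).
image_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds while the image file is at or under the limit (default 2GB).
fits_under_limit() {
    [ "$(image_bytes "$1")" -le "${2:-$DROPBOX_LIMIT_BYTES}" ]
}

# A sparse image does not shrink when files are deleted; compacting the
# unmounted image reclaims that space.
compact_vault() {
    hdiutil compact "$1"
}

# Typical sequence on a Mac:
#   create_vault ~/Dropbox/vault.sparseimage 1g Vault
#   vault_is_encrypted ~/Dropbox/vault.sparseimage && echo "encrypted"
#   fits_under_limit ~/Dropbox/vault.sparseimage || echo "over 2GB, compact or split"
```

Keep a second copy of the image outside the synced folder: a damaged or forgotten-passphrase image cannot be recovered.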
 
OP
Pigstick
Hi,

Thanks once again for the reply. I did not know about the sparse image so really useful tip - thanks:).

I didn't know about the problems with FileVault corrupting. That leads me to wonder about the stability of the .dmg image option I am now using - and like a lot. Does it suffer from the same issue, as I believe it uses the same encryption system, or is it more reliable? I am backing it up, along with Time Machine, so unlikely all would be lost but I'd rather avoid an unreliable method.
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,612
Reaction score
1,079
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
Most of the time I deactivate services from the Keyboard preference pane and leave them on the system in case I need them later. If you want to delete a service the path is User/Library/Services.
 
OP
Pigstick
Thanks Slydude, problem sorted...
 

Slydude

Glad that helped.
 
Joined
Dec 9, 2010
Messages
844
Reaction score
49
Points
28
Location
Virginia
Your Mac's Specs
Currently 13" Late 2010 MBA, 4GB/128GB; Early 2011 13" MBP, dual core i7 2.7ghz, 4gb ram, 500gb hd
I strongly recommend NOT using encryption UNLESS you have a good backup. Encryption creates a single point of failure for your data. Bits get corrupted, the entire vault is lost. If you're concerned with the security of your backups, I've been using an Apricorn drive - hardware encrypted with AES-256 bit encryption, numeric keypad for access, and bus powered. The retail on the 640GB drive is about $130 now. I've been very impressed with the drive.
 
OP
Pigstick
Thanks for that. Had a look at the Apricorn drives and they look a good solution, just got to track down a local supplier. Theoretically I believe that hardware encryption should also be faster.
 
