I used keychain once by accident for a disk image password and stopped using it as soon as I saw it was unlocked at login. I think that's one of the stupidest designs ever. The way I think it should work is that it shows some visual cue like a mounted volume when it is open and it should always request a password to open the first time.
(emphasis added)
Have you enabled the "Show Status in Menu Bar" preference in Keychain Access? That'll display a locked icon when all keychains are locked and an opened lock icon when any keychains are unlocked. Clicking the icon displays a menu showing which keychains are (un)locked, plus Lock Screen, Open Security Preferences…, and Open Keychain Access… items.
One wish I have for keychains is that the unlock dialog that applications can trigger would specify more detail about what the application is attempting to access. Another would be optional logging of all keychain access activity.
Quote:
Have you enabled the "Show Status in Menu Bar" preference in Keychain Access? That'll display a locked icon when all keychains are locked and an opened lock icon when any keychains are unlocked. Clicking the icon displays a menu showing which keychains are (un)locked, plus Lock Screen, Open Security Preferences…, and Open Keychain Access… items.
Nope, I haven't really explored the Keychain stuff because I don't use it but that seems to cover what I wanted. It should appear by default though and just allow people to remove it. I also wonder why it's not part of the security system preferences. To me it would make sense to have the entire keychain app inside the system prefs.
Quote:
Originally Posted by sjk
One wish I have for keychains is that the unlock dialog that applications can trigger would specify more detail about what the application is attempting to access. Another would be optional logging of all keychain access activity.
Some dialogs have a triangle under the password box that opens to tell you what is being accessed but I don't know if keychain has this. It's not always very helpful. Feedback is definitely something Apple needs to work on.
Quote:
To me it would make sense to have the entire keychain app inside the system prefs.
Not with its current 3-pane design, IMO. I personally don't mind it remaining a separate app.
Quote:
Some dialogs have a triangle under the password box that opens to tell you what is being accessed but I don't know if keychain has this. It's not always very helpful.
It's usually too general (for me), which is why I said that I'd like more detail.
Quote:
Feedback is definitely something Apple needs to work on.
Depends on what you mean by "feedback"; other words might more accurately describe what you'd want.
. . .
Frankly, most people don't seem concerned about security-related issues after they've been advised how to be more careful and warned of the consequences. And sometimes being a victim of some incident isn't enough to change their attitude and behavior. Or they might overreact based on misunderstanding, FUD, etc.
I partly answered that in the thread where you were having trouble with the trash emptying (I bet you read that reply before this one).
Anyway, filevault is basically making an image of your home folder similar to how you can make an image of a CD/DVD. It's like the .dmg files you download for OS X software.
This basically packs the contents into one file or volume. This volume can then be encrypted whereby all the contents are scrambled using a key. In filevault's case, it uses your filevault password to do this and if you lose it and the master password, you basically lose the contents as they are scrambled - it's not like a locked door where you can maybe find a back entrance (an example of which would be the account password).
Filevault gets unlocked at login by default, which I think defeats the point of it because if someone is able to turn your machine on then they can access your files unless you manually lock the filevault each time. It does however mean that no one could ever see your home folder contents, e.g. if other users tried to get access somehow.
The truth is that most people won't care particularly about others seeing their home folder as there likely won't be anything there worth seeing. If there is then it should be encrypted manually so you have better control over it.
Ok, so, I put it on, simply because I could, not because I really needed to, to protect my own intellectual property, at present this comes to about 3 gigs, I can encrypt this separately then, and avoid slowing down the whole machine?
Please how
Yes you can and should encrypt it separately because otherwise, if someone just powers on your machine and it logs in automatically or if you've left it on, someone can see your stuff. Also, doing it manually means you can quickly back up your data still encrypted. If you have more than one DVD, split your stuff into 4.2GB images. Try not to go to 4.4GB as I've found the outer edges of DVDs to be not as reliable and if one part of the image gets corrupted, it won't mount.
Make the image bigger than the stuff you want to encrypt though. If you have 3GB then a 4.2GB image is good and try not to fill it up too full (always leave about 20-30MB free minimum).
I'd back the images up to an external hard drive as well as DVD. If it's a regularly updated image, use DVDRW.
One thing about encrypted images is Finder permissions too. Sometimes the Finder won't let you move stuff around on an image just after mounting it. You just need to relaunch the Finder if this happens - you can do so quickly by holding alt and right-clicking the Finder icon.
The manual process as posted above would be to simply use Disk Utility in /Applications/Utilities. I've cut and pasted it here:
To make an encrypted disk image, you just open Disk Utility, File menu, new > blank disk image. Then choose the size and whether or not you want encryption on it. You'd make it read/write and choose AES encryption. Uncheck the box that says to use keychain because this will store your password in keychain.
Choose the size depending on what you want to put in it. Don't use sparse images because they can be corrupted quite easily (which incidentally is one reason not to use filevault because that's what it uses). If you need more space, make a new image and just drag the old stuff over. You can just delete the old image because it's still encrypted.
You just mount this image when you need to get its contents and it will ask for your password each time. Unmount the image to secure the contents again. Remember if you have a file on the image open, you won't be able to eject it. You need to close those files/programs first. If you can't find those, you can force eject it by opening a terminal and typing hdiutil eject -force and dragging the image into the window and hitting return.
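The Disk Utility steps above have a command-line equivalent in hdiutil. The script below is an added example, not part of the original post: the script name encimg.sh, the function names, and the choice of AES-128 (the post only says "AES") are assumptions, while the 4.2GB image size and the 20-30MB of free space come from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Sizes are in MB.
CAP_MB=4200       # per-image size the post recommends for DVD backup (4.2GB)
HEADROOM_MB=30    # free space the post says to leave (about 20-30MB)

# images_needed DATA_MB: how many 4.2GB images the data must be split across.
images_needed() {
    usable=$((CAP_MB - HEADROOM_MB))
    echo $(( ($1 + usable - 1) / usable ))
}

# create_cmd IMAGE VOLNAME: the hdiutil equivalent of the Disk Utility steps.
#   -type UDIF          fixed-size read/write image, not a sparse one
#   -encryption AES-128 assumption: the post only says "AES"
# hdiutil asks for the passphrase on the terminal when the command runs.
create_cmd() {
    echo "hdiutil create -size ${CAP_MB}m -type UDIF -fs HFS+" \
         "-encryption AES-128 -volname $2 $1"
}

# make_images DATA_MB BASENAME: create as many images as the data needs.
make_images() {
    n=$(images_needed "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        # word splitting is intended: names here must not contain spaces
        $(create_cmd "$2-$i.dmg" "$2-$i") || return 1
        i=$((i + 1))
    done
}

# Run only when asked, e.g.: sh encimg.sh create 3072 Work
if [ "${1:-}" = "create" ]; then
    make_images "$2" "$3"
fi
```

Mount an image with hdiutil attach and lock it again with hdiutil detach on its volume; the hdiutil eject -force in the post is the forced form of the same operation.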
Comments
So what does filevault actually do?
wow, i'm confused,
So what does filevault actually do?
Please how,
Thanks, you're super
i feel somewhat enlightened!
i should wait and see how it all works out first i suppose!