FileVault vs Time Machine vs I have to encrypt stuff
My new MBP is on order. Now's the time to rethink how I have stuff organized.
Some of my work for work should be encrypted. I have research data that "we" wouldn't want floating around if the laptop were stolen.
I also use Time Machine. FileVault only backs up when logged out. That's not so bad but I like to leave all my stuff up and running so I can remember where I left off. I could log out.
I was thinking about splitting into two users. One for everyday use and one for stuff that should be encrypted. Problem is the stuff to be encrypted is everyday use. So then I was thinking I need one encrypted for everyday use and one open for just personal stuff.
Now I think I've talked myself into one encrypted user and logout much more often. Things that have a lot of data with them, like Papers, iTunes, iMovie, iPhoto, can go outside the home dir to slim down the encryption. More important stuff will stay inside the home dir for encryption.
Has anyone else dealt with this issue? What was a good (or best of the bad) solutions.
Some of my work for work should be encrypted. I have research data that "we" wouldn't want floating around if the laptop were stolen.
I also use Time Machine. FileVault only backs up when logged out. That's not so bad but I like to leave all my stuff up and running so I can remember where I left off. I could log out.
I was thinking about splitting into two users. One for everyday use and one for stuff that should be encrypted. Problem is the stuff to be encrypted is everyday use. So then I was thinking I need one encrypted for everyday use and one open for just personal stuff.
Now I think I've talked myself into one encrypted user and logout much more often. Things that have a lot of data with them, like Papers, iTunes, iMovie, iPhoto, can go outside the home dir to slim down the encryption. More important stuff will stay inside the home dir for encryption.
Has anyone else dealt with this issue? What was a good (or best of the bad) solutions.
Comments
I generally make a fixed image (avoiding sparse because they are not reliable during system crashes, which is what File Vault uses btw) at most 4.2GB in size, so that it can burnt to a DVD and then just mount the image when you need to work on the files and save. Then eject the image.
The whole image then gets backed up. It's a good idea to match the size of the image to the contents so that you aren't backing up more than you need. You can easily make new ones and copy over contents when you run out of space and delete the old one.
I thought about creating a type of "sand box" that would be decrypted as needed but my email should be encrypted too. Plus with Time Machine I have a hedge against corrupted sparse images (I assume). My home folder is 40GB and at least 26GB can go outside the home directory (and FileVault).
Yeah the backup protects you against the sparse image being corrupted. Apple really need to enhance the backup process here by allowing you to put in your password so it mounts your backed up filevault and then it can sync files on it rather than the image. You can give them feedback about that on their site.
I read here to be sure to update the filevault from the Tiger version as it does it a different way:
http://www.macosxhints.com/article.p...07111404402514
Even so, it seems that Time Machine does a backup while logged in but just avoids the encrypted home folder until you log out. Does the OS inform you this is the case?. That seems like a pretty stupid design given that the files you'd want backed up most are inside the home folder.
Logging out defeats the point of OS X being able to leave all your apps open.
Manually encrypting that stuff would be too cumbersome. I think the best option would be to not use Time Machine and instead make a large enough encrypted image on the external and use a clone tool like Superduper or Carbon Copy Cloner to clone the home folder onto the image and keep it updated. You need to buy Superduper to do updates, CCC is free.
Either that or use the 3rd party tool with a hardware encrypted drive like Lacie's safe drive. I don't really trust those kind of devices personally. I'd feel safer with an image that I could backup multiple times easily.
I've been looking for an Apple white paper on FV but can't find one
Which reminds me I need to turn on Firmware password too.
Any other users that have dealt with all this? Any web sites I should read?
http://www.pgp.com/mac/
I think a review said that it does impact performance after a while though. This should mean however that you could turn filevault off and get backups while logged in.
I hate to sound like a new member complaining but ... I can't believe apple sells this shit. If I didn't know what I was doing I would have lost everything.
Yawn. At least the migration assistant makes it easy to restore a user from a backup. It just takes hours.
I can't believe apple sells this shit. If I didn't know what I was doing I would have lost everything.
I should have made my distaste for File Vault clearer but when I do, people usually tell me they use it without any problems. When you turn it on, it essentially makes a sparse disk image, copies all your files to it and then deletes the originals. This means that your files are held on a single image that is mounted automatically when needed.
If anything corrupts this single file such as a hard reset (sparse images are particularly prone to corruption from hard resets unlike fixed images - I've tested them before and managed to corrupt them after 3 hard resets), the image won't mount and as you have noted, you would lose all your files. It has happened to people before. The files aren't recoverable either because they are all enclosed in a single encrypted and corrupted file.
Like I say, I personally use manually encrypted images but I don't encrypt emails and things like that. They are trickier as they have to go in certain folders. Perhaps you can make shortcuts to folders on a disk image. This way you can leave all your music in the home folder but your private stuff would be encrypted.
Whenever apps tried to access the folder, they would probably ask for the password to mount the image. Some apps assume the folder isn't there.
So make an image with Disk Utility (not sparse but fixed size, read/write and a fixed size larger than you'd need) and copy over your Mail folder from home/Library/Mail and in your home folder, make the /Library/Mail folder into a shortcut to the folder on the disk image.
You need to make a symbolic link rather than an alias so you'd type a command-line command:
ln -s /Volumes/Encrypted/Mail ~/Library/Mail
This assumes the name of the volume you made was called Encrypted and you should rename the original Mail folder.
If you open Mail when it's not mounted, it assumes you don't have an account. When you mount it, the emails open right up. You can do the mounting manually but if it's stuff you will access regularly, you can drag the dmg into startup items. Then when you login, it will ask for your encrypted image password.
It can be a bit of a nuisance as it's always mounted but you can remove the shortcut from the sidebar.
This setup means that you only encrypt what you need and Time Machine will work while logged in but I'm not sure if changes are written to the encrypted file until you unmount it. This is probably why Time Machine makes you log out. But in this case, you can simply eject the volume. It will say it's in use but you just quit the apps using it. You can also force eject it.
I set the Mail disk image to mount on start up along with mail. It crashed mail. I may solve that with a script to mount the image, wait a bit, and then start mail.
I think I'm digging the encrypted disk image. Mounting them is not that annoying because I allow keychain to hold the password. Before I start working I just double click on the alias and start working.
I think I'm digging the encrypted disk image. Mounting them is not that annoying because I allow keychain to hold the password. Before I start working I just double click on the alias and start working.
I always find Keychain to be a bit counter to encryption. I guess it depends on what the encryption is used to prevent but I generally use it to protect against say theft of the machine or access when I'm away from my machine.
Automatic mounting means that people with access to the machine can do the same thing. Even having a password protected login won't help much as you can reset this with the installer disc. I think the keychain goes out of sync if you reset the login password but I'm sure it's a simple matter of deleting a keychain file to sync it with the new login.
Long story short, I never allow keychain to store encrypted volume passwords but if it's secure enough for the purpose (e.g. making sure the backup is encrypted) and the convenience is desired, I guess it's ok. I find that once you type a password every day or so, you can do it so quickly, you don't even notice the extra time it takes.
You can also turn off the image verification step in Disk Utility > preferences > mounting > turn verify checksums off. This speeds up mounting, especially on bigger images.