
Yet another FileVault Question


rdlsmith
06-26-2006, 09:09 PM
In a post from 2004 it was recommended to NOT use FileVault. I may not understand it completely, but from what I've read it's the only way to really protect your data.

The firmware password only protects the data on that particular Mac. True? Firmware was offered as an alternative.

Once the data is backed up, say to a FireWire drive by doing a copy, anyone could then mount the bootable image and get to the data. Yes/No? If you use Sparse, you can't mount it. Yes/No?

If you use FVault, you run a risk in trying to restore, the backups take up more space and there may be some other bad things. True even if you create a non-FV account and use that to backup?

I'm just trying to find a totally secure system that will let me back up and restore easily.

From all my reading I've come up with the following. Please let me know if you think it would work and also be secure.

==============================
1. Turn on firmware password. This will protect your data while on that machine.

2. Create a bootable partition on a firewire big enough to hold a brand new OS X install. I made one at 15g and then left off the printer drivers/extra fonts/languages/etc. I think it would be better to make one at 20 Gig and to allow for updates. For example, my system discs are at 10.4.4. I've since upgraded through the software update to 10.4.6.

3. Install Super Duper on the new install.

4. Back up and use only sparse images. You can password protect those and, if you have a registered copy, you can add to them if you want. You can also keep different versions of them if you choose to do that. The only thing you can't do is boot from them.

5. Restore. In the event of a HD failure you could mount the copy of OS X created in step 2 and then restore from a sparse image back to a new HD.

If someone walks off with your Firewire drive they'll get the hardware, a fresh copy of OS X and that's about it. The backups should run clean because FV was never used.

Did I miss something? Will that work?

Randall

dnanian
06-27-2006, 08:51 AM
Randall:

You can use FileVault if you want full security for your entire Home folder. Just recognize that, as explained in the User's Guide, you need to take steps to ensure you have a good backup.

Specifically, you should create a non-FileVault account. Log out of your FileVault account and into your non-FileVault account before you back up: this will ensure that the FileVault volume is put away cleanly.

It'll take longer than "normal" to back up, because any changes to your Home will always copy the entire FileVault image, but it will stay secure on both source and destination.

It's not so much that backups take more space with FileVault: they're less convenient and take longer to create.

In general, yes, I think FileVault is massive overkill. But, in that, it's also much more comprehensive than other methods of securing your Home...

rdlsmith
06-27-2006, 08:22 PM
Would someone other than the person making the sparse image be able to access the home area of the backup or a restore from that backup? Would they even be able to perform a restore from a sparse image they didn't create?

dnanian
06-27-2006, 08:26 PM
Restoration can be a pain, since everything's encrypted in FileVault, so you can't easily get direct access to the files if you're not booted from the drive.

Note that, if you show hidden files, you can see the encrypted sparse image on the backup. If you open that hidden image with the appropriate password, you can get at the files. But booting from it is easiest.

Of course, when you're booted from it, your "real" Home is now locked up and hidden, right? So, you have to play some games, storing the files you want to restore somewhere, booting back, and then copying them in.

So... security has its price!

rdlsmith
06-27-2006, 08:51 PM
"Note that, if you show hidden files, you can see the encrypted sparse image on the backup. If you open that hidden image with the appropriate password, you can get at the files. But booting from it is easiest."

It's my understanding that you can't boot from a sparse image.

Anyway, my question at this point is still basically this:

Are Sparse Images (Not Sparse Images that had FV enabled) of a file system secure? That is, no FV used before the backup. Just the password required by using a sparse image backup.

I made a sparse image backup, logged out and back in as a guest user. I could open the sparse image (mount it) and see many of the files but I couldn't open any of the files in my other Home account.

Would someone that walked off with the external drive that contains such a sparse image be able to access my files from the Home directory? Even if they did a restore to another box of any type?

dnanian
06-27-2006, 08:55 PM
Sorry, you're absolutely right. You can't boot from the image, but can restore the image to a bootable device to get access to it, or you can open the invisible FileVault volume on the image (so, an image in the image) to get at the files.

Sparse images with password protection are, indeed, secure -- in fact, that's what FileVault uses. If you're FileVaulted, and they got the sparse image, password protected or not, those files are just as encrypted as they were on the original drive. So, no -- they wouldn't be able to get access without breaking the encryption (unless, of course, you didn't have a password on your login account, or had one that was easily cracked).

rdlsmith
06-27-2006, 09:45 PM
No FV being used. Nothing but a sparse image. No image within an image.

Just a sparse image with a password.

Is there anyway a hacker or whatever could get to those files short of knowing the password?

dnanian
06-27-2006, 10:03 PM
Without breaking the encryption, no.

MacD
07-03-2006, 12:51 AM
"In general, yes, I think FileVault is massive overkill. But, in that, it's also much more comprehensive than other methods of securing your Home..."

Dave,

I have seen this type of thinking from you in other threads and I wanted to address my concern for it.

If people encrypt only the file they need encrypted, be it customer data or bank account information or even super-secret government plans, encrypting a single file does not necessarily secure it.

That data could be stored on the hard drive elsewhere in cleartext format, and anyone with Disk Rescue could find that information without being a budding cryptomaniac. Even "secure erase" on Apple's trash can is a false sense of security, because again... you have no idea if the hard drive has stored that data elsewhere prior to moving it to the current location. While the current location would be, in theory, securely erased, the other locations that data was previously stored on the HD are NOT erased.

The ONLY solution around this problem is to encrypt everything, or what you deem to be overkill. Using a sparse image means that everything you do with your user account, all caches, temp files, account settings, history tracking is all encrypted. Even data that is moved around on the HD is still only moved around in that 'sparseimage' location on the drive and is thus always encrypted.

It is annoyingly slow to back up sparse images, or even to an encrypted sparse image, if your home directory is 27GB. Imagine 60GB or more. Using applications like Rsync, while they are built to handle sparse files (with the -S option) in Tiger, it is still terribly slow. Mounting those separate sparse images, the original and the backup, is faster, but still slow because of the encryption.

But, because it's annoyingly slow doesn't mean it's overkill to use that. You mentioned somewhere, does one really need to encrypt MP3 files or iPhotos of your family? You may or may not have that need; that is a personal decision of the individual user. I have no room to pass assumptions onto other folks' personal security needs.

I personally encrypt everything with filevault and store my mp3 and photos inside of it. Why? Because I need those items secure? Nope, I just like knowing that should I lose my Powerbook, that NOTHING personal, not even my taste in music, is passed on. Even for the budding forensic kiddie, searching blocks on the hard drive for data now encrypted but previously not would not be a concern, because it was never written anywhere BUT in the sparse image.

For others reading this, I wanted to comment on a previous comment I made in which secure erase is not good enough. Then you ask, but what is? Using "Erase Free Space" in Disk Utility is the ONLY true way of removing data from your drive.

So, which is good enough? One secure pass, 7 passes or the whopping, it takes 5 days to complete, 35 pass option? Well..., the 35 pass option of course. It has been determined that 7 passes is NOT enough, as different hard drive brands store data differently. The 35 pass uses the Gutmann method, which produces 27 different types of writes for all types of hard drives... to zero out that data and make it unrecoverable.

Memory media like USB thumb drives, iPod Nanos... 7 passes is enough.

In conclusion... I think it would be a benefit of SuperDuper to support methods (secure methods, that is) of automating, or taking advantage of the fastest methods available to produce, backups using FileVault, encrypted sparse images, etc. That said... there is no secure way of automating such backups, as you would not want to store your password somewhere for the application to use to mount and back up encrypted images, even if you use the secure encrypted keychain, as all it would take is for the 2:00am backup to begin and have it mount those images, and now they are available to anyone in possession of the laptop and your security went out the door.

Please stop encouraging people to skip on FileVault for a less secure method. The ONLY way to have the non-FileVault method work is to run a secure erase after any time you modify encrypted files.

MacD
07-03-2006, 01:01 AM
One last comment... RocBit produces an external drive that uses hardware encryption to store data and is MUCH faster than the software method that we use for FileVault, etc. It even includes a hardware based key that you stick into the drive in a key port, and only with that key and the knowledge of a password (two-factor authentication) can you access data on that drive.

This would be the best (although more expensive) means of encrypting your backups without going through the encrypted disk image or FileVault method. That said, this only applies to your backup, not the data on your internal drive. So, you're still stuck with FileVault until Apple releases the ability to have your full drive encrypted and its hardware encryption based solution.

Sometimes I wish I had something to hide, as going through all the hoops of the "possible scenario" that may never happen is a lot of time wasted, but much like paying an insurance premium for something that may never happen, and may end up being a complete waste of funds... it provides peace of mind.

I believe that is why most people like encryption, peace of mind.

dnanian
07-03-2006, 01:31 AM
There is nothing about encrypting the home folder that guarantees that a given application is going to write everything into Home, MacD...

MacD
07-03-2006, 01:43 AM
Yes, you are correct. It could write them anywhere.

However, in my experience, most applications which store user specific settings, history, browser cache, and all other activities primarily store them in the Library folder, in your home folder. So, while some information is stored outside of it and achieving ultimate disk encryption is impossible without the whole drive being encrypted... I'd rather run with knowing that at a minimum, 80% of my stuff is encrypted, vs 0% by not running FileVault.

You will be hard pressed to win a security argument taking any other approach.

dnanian
07-03-2006, 01:50 AM
Honestly, I'm not trying to "win" a security argument. I'm just suggesting that FileVault is probably more than most people need for general "security". Given that you're running on a system that doesn't enforce encryption across all interfaces, it seems that encrypting the data you need encrypted -- even storing it on an encrypted image, managed with something like Knox (http://www.knoxformac.com), is probably more practical than doing the whole home folder.

If you're concerned about everything then, by all means, please use FileVault. Just recognize that you're balancing safety (security) and convenience, and you might need to take extra steps -- like logging out of your Home folder and into a different account -- when backing up.

In addition, since you're abstracting the storage of your files a level, disk damage can be far, far more damaging with FileVault than without, since the same tools you're concerned about "hacking" your data, like Data Rescue, can no longer recover your files in the event of a disaster.

It's a tradeoff...

MacD
07-03-2006, 02:01 AM
It very much is a tradeoff. I don't want Disk Rescue to recover files and obviously, if I have a crash of either the drive or corruption of the image, and I have not been diligent in my backups, then yes, I am screwed and Disk Rescue will not help me out.

However, most people are HERE on this forum because they WANT to be diligent about backing up their data and they want to know the best way using the methods available under various circumstances, including, but not limited to using FileVault.

I think it is honorable to have people concerned with backups because most people I know, don't make backups and live dangerously.

I think what most folks with encryption backup needs want is an easy way to "spawn" the event... even if that means being reminded to manually start an event and having an application like SuperDuper mount the necessary images and go through the process; even requiring a "start of session" authentication to mount encrypted volumes would be a good thing.

dnanian
07-03-2006, 07:40 AM
Settings, which are discussed in the User's Guide, are a good way to "spawn" the event. By double-clicking a saved settings file in the Finder, SD! will load up with whatever you'd like ready to go, and you need only click "Copy Now".

If your destination sparse image is encrypted, we'll mount it and request the password (or use the one in the keychain), and you're off and running.

rdlsmith
07-04-2006, 01:02 PM
Didn't mean to start a cat fight.

I just want to secure the data being backed up. Sparse images allow for a password, it's encrypted, what's the problem? If someone walks off with my data, if they don't know the password or have the government manual on how to get around Apple's encryption, they can't get to my data, no?

If you're using a firmware password and lock your system you should have your bases covered. Maybe not 'as secure' as with File Vault but then again, isn't there a huge risk to using FV? It sounds like new technology that could corrupt everything. I don't know, that's just the feeling I get from what I've read so far. Maybe it was stuff I read out here. Take it with a grain of salt.

In any case, sparse images seem to work well for me. I set up another account and couldn't get to files. FV may be a good solution too, but only if you can actually get to your files when needed.

dnanian
07-04-2006, 02:35 PM
Honestly, I'm not trying to fight: I'm just trying to provide what additional information I can. Firmware password is fine, but it locks the machine, not the drive. So, if you extract the drive, the files are available.

In general, I don't think FileVault is worth the risks. Sensitive items I encrypt separately: I don't really care if a thief has access to my iTunes music, programs I've downloaded, etc. :)

johare
07-15-2006, 12:24 PM
I'm a recent convert from Windows, and on that side I used PGP Whole Disk Encryption with terrific results. Upon booting, you have to enter a passphrase into the PGP application before you can go any further. It then boots and runs normally. In addition to work stuff, I played games such as Half Life 2 & Far Cry with no performance problems. Apparently PGP will be offering this solution for OSX soon, if not already. I think the benefit of this approach over FileVault is that ALL files are ALWAYS encrypted, and you probably won't have the FileVault maintenance on shutdown like you do now. PGP also lets you create virtual encrypted drives - may be similar to Disk Utility's encrypted disk image. Might be worth looking into.

hukalaki
07-16-2006, 12:29 PM
I need to have some kind of security for some of my data and would prefer to be able to encrypt my Mail folder, which Knox cannot do and have it behave properly.

FileVault seemed like the only thing that would safely encrypt my user folder. I had heard about problems but was willing to give it a try anyway. After Dave's advice re logging out of my user account and then backing up, my backups worked fine, although not automated at all--a definite downside.

More importantly, however, I did develop issues with FileVault itself. First I had a weird problem with Safari not being able to download files when it could download in other user accounts without a problem. Then I began to be unable to properly save in Word--I'd get a filename/path error, which I never had before. So I figured things were getting buggy.

I tried turning off FileVault from the Security pref pane, but it gave me an error "error making copy--unable to decrypt FileVault."

So this gave me the willies. From my admin account I pulled all my user files out of FileVault, transferred them into a new user account, deleted the old user account and reset my ownership and permissions. So I am now back to square one.

My experience supports the common comment that FileVault has problems. I can't recommend using it and would appreciate any alternatives.

bdahm
11-25-2006, 05:37 AM
After reading through this entire thread my head is spinning. I have two goals for my backup and based on what I have been reading they may be contradictory. If not, please enlighten me.

First and foremost, I want to protect against a catastrophic hard disk failure on my iBook. Along with this go lesser emergencies when I might want to restore the system to a previous state.

Secondly, since I am backing up to an external FireWire hard drive, I would like to know that that data is secure should that hard drive itself be stolen.

One question that comes to mind is whether a FileVault file stored as a sparse image is bootable? I get a sense that it isn't. Right now I am not using FileVault, but was considering doing so. The other issue is my understanding that a smart backup of FileVault will take some time, because the entire sparse image file will have to be backed up even if only a few files have been changed since the last backup.

Please feel free to comment on these issues.

-Bill

dnanian
11-25-2006, 10:07 AM
FileVault only secures your Home folder. As long as the backup itself is bootable ("Backup - all files" using Erase, then copy or Smart update to a supported FireWire drive [or USB on Intel]), FileVault doesn't have much effect.

However, please note that FileVault makes it much harder to restore individual files from a backup. It also means that you shouldn't back up while logged into the FileVault account, and that every backup will copy your entire Home folder, because the whole thing is actually stored in one big file...
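The point Dave makes twice in this thread (in his first reply and here), that a FileVault Home is one big file and so a file-level "smart update" must re-copy the whole thing after any change, can be shown with a small simulation. This is an added example, not SuperDuper's or Apple's code: it implements a simplified size-and-mtime incremental copier of its own (hypothetical `smart_update`), builds a constructed plain Home of loose documents and a constructed FileVault-style Home with the same data inside a single container file, edits one document in each, and reports how many bytes the second pass transfers.

```python
"""Why a file-level "smart update" re-copies a FileVault Home in full.

Constructed simulation, not SuperDuper's or Apple's code. A Tiger-era FileVault
Home is one big sparse image file, so one edited document changes that single
file and an incremental copier that compares whole files must send all of it.
"""
import os
import shutil
import tempfile


def smart_update(src, dst):
    """Copy files whose size or mtime differ from the existing copy in dst.

    A simplified stand-in for a "smart update" style backup; returns the
    number of bytes actually transferred on this pass.
    """
    copied = 0
    for root, _dirs, files in os.walk(src):
        target_dir = os.path.join(dst, os.path.relpath(root, src))
        os.makedirs(target_dir, exist_ok=True)
        for name in files:
            s, d = os.path.join(root, name), os.path.join(target_dir, name)
            st = os.stat(s)
            if os.path.exists(d):
                dt = os.stat(d)
                if dt.st_size == st.st_size and int(dt.st_mtime) == int(st.st_mtime):
                    continue  # unchanged by this file-level test, skip it
            shutil.copy2(s, d)  # copy2 keeps the mtime so later passes can compare
            copied += st.st_size
    return copied


def write_file(path, data, mtime):
    """Write data to path with a fixed, constructed modification time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def simulate(doc_size=10_000, doc_count=100):
    """Return bytes copied on the second pass for (plain Home, FileVault Home)."""
    with tempfile.TemporaryDirectory() as base:
        plain, vault = os.path.join(base, "plain_home"), os.path.join(base, "vault_home")
        t0 = 1_000_000_000  # constructed timestamp, independent of the wall clock
        # Plain Home: many loose documents.
        for i in range(doc_count):
            write_file(os.path.join(plain, f"doc{i}.txt"), b"x" * doc_size, t0)
        # FileVault-style Home: the same data inside one container file.
        write_file(os.path.join(vault, "user.sparseimage"), b"x" * (doc_size * doc_count), t0)
        bk_plain, bk_vault = os.path.join(base, "bk_plain"), os.path.join(base, "bk_vault")
        smart_update(plain, bk_plain)  # first pass: everything is copied
        smart_update(vault, bk_vault)
        # Edit one document in each Home; the container's size does not change.
        write_file(os.path.join(plain, "doc0.txt"), b"y" * doc_size, t0 + 60)
        inside = b"y" * doc_size + b"x" * (doc_size * (doc_count - 1))
        write_file(os.path.join(vault, "user.sparseimage"), inside, t0 + 60)
        return smart_update(plain, bk_plain), smart_update(vault, bk_vault)


if __name__ == "__main__":
    plain_bytes, vault_bytes = simulate()
    print(f"plain Home re-copied {plain_bytes} bytes; FileVault Home re-copied {vault_bytes} bytes")
```

The second pass moves 10 KB for the plain Home but the full 1 MB for the FileVault Home, which is the cost the thread keeps returning to; a real FileVault image is tens of gigabytes, so the gap scales accordingly.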