  #9  
07-02-2006, 11:51 PM
MacD
Registered User
 
Join Date: Jul 2006
Posts: 4
Quote:
Originally Posted by dnanian
In general, yes, I think FileVault is massive overkill. But, in that, it's also much more comprehensive than other methods of securing your Home...
Dave,

I have seen this type of thinking from you in other threads and I wanted to address my concern for it.

If people encrypt only the file they need encrypted, be it customer data or bank account information or even super-secret government plans, encrypting a single file does not necessarily secure it.

That data could be stored on the hard drive elsewhere in cleartext format and anyone with Disk Rescue could find that information without being a budding cryptomaniac. Even "secure erase" on Apple's trash can is a false sense of security, because again... you have no idea if the hard drive has stored that data elsewhere prior to moving it to the current location. While the current location would be, in theory, securely erased, the other locations that data was stored on the HD previously are NOT erased.

The ONLY solution around this problem is to encrypt everything, or what you deem to be overkill. Using a sparse image means that everything you do with your user account, all caches, temp files, account settings, history tracking is all encrypted. Even data that is moved around on the HD is still only moved around in that 'sparseimage' location on the drive and is thus always encrypted.

It is annoyingly slow to back up sparse images or even to an encrypted sparse image if your home directory is 27GB. Imagine 60GB or more. Using applications like Rsync, while they are built to handle sparse files (with the -S option) in Tiger, it is still terribly slow. Mounting those separate sparse images, the original and the backup, is faster, but still slow because of the encryption.

But, because it's annoyingly slow doesn't mean it's overkill to use that. You mentioned somewhere that does one need to really encrypt MP3 files or iPhotos of your family. You may or may not have that need, that is a personal decision of the individual user. I have no room to pass assumptions onto other folks' personal security needs.

I personally encrypt everything with FileVault and store my MP3s and photos inside of it. Why? Because I need those items secure? Nope, I just like knowing that should I lose my Powerbook, that NOTHING personal, not even my taste in music, is passed on. Even for the budding forensic kiddie, searching blocks on the hard drive for data now encrypted but previously not would not be a concern, because it was never written anywhere BUT in the sparse image.

For others reading this, I wanted to comment on a previous comment I made in which secure erase is not good enough. Then you ask, but what is? Using "Erase Free Space" in Disk Utility is the ONLY true way of removing data from your drive.

So, which is good enough? One secure pass, 7 passes or the whopping, it takes 5 days to complete, 35 pass option? Well..., the 35 pass option of course. It has been determined that 7 passes is NOT enough, as different hard drive brands store data differently. The 35 pass uses the Gutmann method, which produces 27 different types of writes for all types of hard drives... to zero out that data and make it unrecoverable.

Memory media like USB Thumb Drives, iPod Nanos... 7 passes is enough.

In conclusion... I think it would be a benefit of SuperDuper to support methods (secure methods that is) of automated or taking advantage of the fastest methods available to produce backups using FileVault, Encrypted Sparseimages, etc. That said... there is no secure way of automating such backups as you would not want to store your password somewhere for the application to use to mount and back up encrypted images, even if you use the secure encrypted keychain, as all it would take is for the 2:00am backup to begin and have it mount those images and now they are available to anyone in possession of the laptop and your security went out the door.

Please stop encouraging people to skip on FileVault for a less secure method. The ONLY way to have the non-FileVault method work is to run a secure erase after any time you modify encrypted files.
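One way to test the post's point about cleartext copies lingering elsewhere on a drive, as an added example that is not part of the original post: plant a unique canary string in a file before encrypting it, then scan a raw image of your own disk for that string. The canary value, the sample image layout and the function names are constructed for illustration.

```python
import io

SECTOR = 512
MARKER = b"CANARY-acct-0001"  # constructed canary planted in the file before encrypting it

def find_remnants(stream, marker, chunk_size=1 << 20):
    """Return the byte offset of every occurrence of marker in a raw image stream."""
    if not marker:
        raise ValueError("marker must be non-empty")
    keep = len(marker) - 1   # bytes carried over so boundary-straddling hits are seen
    hits, tail, base = [], b"", 0   # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        buf = tail + chunk
        pos = buf.find(marker)
        while pos != -1:
            hits.append(base + pos)
            pos = buf.find(marker, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)

def build_sample_image():
    """Constructed 16-sector image: two stale cleartext copies plus stand-in ciphertext."""
    img = bytearray(SECTOR * 16)
    # Stale copy left where the file lived before it was moved (sector 3).
    img[3 * SECTOR + 100:3 * SECTOR + 100 + len(MARKER)] = MARKER
    # Second stale copy that straddles the boundary between sectors 7 and 8.
    img[8 * SECTOR - 5:8 * SECTOR - 5 + len(MARKER)] = MARKER
    # Current, encrypted copy (sector 12): a byte pattern standing in for ciphertext.
    img[12 * SECTOR:13 * SECTOR] = bytes((i * 7 + 3) % 256 for i in range(SECTOR))
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for offset in find_remnants(io.BytesIO(image), MARKER, chunk_size=SECTOR):
        print(f"cleartext canary at byte {offset} (sector {offset // SECTOR})")
```

On a real system, pass a file object opened in binary mode on a disk image you own in place of the `io.BytesIO` sample; any hit outside the encrypted container is a cleartext remnant of the kind the post describes.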