Tuesday, February 23, 2010

Encrypting Your Laptop: Mac Edition

Here's another chapter in my ongoing experiment with the mobile lifestyle.

Periodically a story crops up about some poor sap having his or her laptop pilfered. The news I get has all sorts of cringe-worthy details...doctors losing their laptops with patient information, accountants, business people...even my own employer has departments with sensitive information going between work and home.

Every time I see the story and the concern of personal data being ripped from the drive and used for identity theft, I laugh and think, "You dolt! Why would you carry sensitive information on a portable computer without encrypting it?!"

Then I stopped and remembered that I never got around to securing my own work laptop (or the EEE PC). It was always one of those things I "meant" to do but just hadn't bothered, and every time I thought of it I knew it was a bad thing because not only would my equipment be missing but they could get passwords, cached emails, etc. on the system. I'd make yet another mental note to take care of it and promptly procrastinate again.

Well, no longer.

My employer lets me use a MacBook. Here I'll outline how I used the default form of protection, called FileVault.

How do you use it? Open the security preference pane. Go to FileVault. Set the "master password" and turn on FileVault for your account. I strongly advise setting the "Secure delete" to wipe the drive of your unencrypted data after your directory is moved to the encrypted volume.

And that's about it.

FileVault creates an invisible encrypted disk file that is mounted as your home directory; it's a sparse image file that grows as you add more files. When you log in with your password, OS X mounts the image file to your home directory. Everything you save or alter goes into that file. When you log out, it's unmounted.

You can see this if you create another user and try viewing the home directory of your FileVaulted user. It's just a bundle of encrypted files.

The secure delete takes care of another issue with deletion and security: when you delete a file, the OS just removes the reference to it. The disk still has the data on it, so data recovery utilities will be able to retrieve the data you're trying to encrypt (that is, the remnants of your previously unencrypted home directory remain recoverable until they happen to be overwritten by other files in the normal course of using the computer).

The process of secure deleting the slack space of the drive and the moving of your data to the FileVault volume can take quite a bit of time; in my case, a couple hours. On the plus side, I put the computer to sleep when I had to leave the office, and as soon as I woke the computer back up it continued with the secure delete task.

There are some issues with encryption (why must everything be a pain in some way?). Apple has tried to address some of the issues, but it's never simple.

Time Machine apparently doesn't like FileVault. Attempts to back up the system see the image files plus your mounted volume as separate files, which confuses the backup system. Plus, since you have the image mounted, its files show up as constantly altered, so Time Machine keeps trying to copy the sparseimage files; as soon as your home directory changes, the image files change again, which confuses the backup system again...meaning a simple differential backup can easily be corrupted, or take hours when it should have taken minutes.

Apple tried to address this by turning the FileVault image into many smaller images. From what I found online, this helps, but still leaves room for complaints. Fortunately I don't use Time Machine so this didn't affect me.

What does affect me, though, is the use of Carbon Copy Cloner. This is one of the best (free!) utilities I've found for creating backup images of your Mac. The problem is that you confuse the @#$% out of it if you're FileVaulted and logged in. It's trying to copy your drive while you're altering the image files.

The solution is to have an administrative user that isn't FileVaulted, made just for administrative work, then image the drive. That way the FileVault image files are unmounted and untouched and you won't need to worry about corrupting your home directory.

I also need to remember to log off or turn off the laptop if I want data secured. When you're logged in, the volumes are mounted, and so anyone else logged into the computer can read your files. Only when you are logged off and the images are disconnected from the home directory mount point are the files "secured."
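The two cautions above (clone the drive only from a separate, non-FileVault admin account while the image is unmounted, and remember that the files are readable by anyone logged in until you log out) can be turned into a quick check. The script below is an added example, not part of the original post and not an Apple tool. It assumes the legacy home-directory FileVault layout described here: an encrypted sparse image or bundle named after the user inside /Users/<user> (e.g. /Users/alice/alice.sparsebundle), and a `mount` listing with one "<device> on <mountpoint> (options)" line per mount. The demo at the bottom runs on constructed directories and a constructed mount listing, so it creates no real disk image.

```shell
#!/bin/sh
# Added example for the legacy (home-directory) FileVault discussed above.
# Assumptions, labelled: image at $HOME/<user>.sparsebundle or .sparseimage,
# and `mount` output shaped like "<device> on <mountpoint> (options)".

# Return 0 if DIR contains the user's FileVault sparse image/bundle, i.e. what
# another account sees in that home directory while its owner is logged out.
fv_home_has_image() {
    dir=$1
    user=$(basename "$dir")
    [ -e "$dir/$user.sparsebundle" ] || [ -e "$dir/$user.sparseimage" ]
}

# Read a `mount` listing on stdin; return 0 if something is mounted exactly on
# HOME (the image is open, so the files are readable by anyone logged in).
# Fixed-string match on " on <home> (" so /Users/alice does not match /Users/alice2.
fv_home_is_mounted() {
    home=$1
    grep -qF -- " on $home ("
}

# Combined verdict for one home directory. Prints one of:
#   not-filevault   no image found in the home directory
#   secured         image present and not mounted (owner logged out)
#   exposed         image present and mounted (owner still logged in)
fv_verdict() {
    home=$1
    listing=$2
    if ! fv_home_has_image "$home"; then
        echo not-filevault
    elif printf '%s\n' "$listing" | fv_home_is_mounted "$home"; then
        echo exposed
    else
        echo secured
    fi
}

# Pre-flight for a whole-disk clone from the separate admin account: return 1
# if any FileVault home under USERS_DIR is still mounted.
fv_safe_to_clone() {
    users_dir=$1
    listing=$2
    for home in "$users_dir"/*; do
        [ -d "$home" ] || continue
        if [ "$(fv_verdict "$home" "$listing")" = exposed ]; then
            echo "image still mounted on $home; log that user out first" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo on constructed data (no real disk image is created).
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/alice/alice.sparsebundle" "$base/bob"
    # Constructed mount listing: alice is logged in, so her image is mounted
    # on her home directory.
    listing="/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk1s2 on $base/alice (hfs, local, nodev, nosuid, journaled, noowners, mounted by alice)"
    echo "alice: $(fv_verdict "$base/alice" "$listing")"        # exposed
    echo "bob:   $(fv_verdict "$base/bob" "$listing")"          # not-filevault
    fv_safe_to_clone "$base" "$listing" || echo "clone blocked"
    echo "alice after logout: $(fv_verdict "$base/alice" "")"   # secured
    rm -rf "$base"
}
demo
```

On a real machine you would pass `/Users` and the output of `mount` (for example `fv_safe_to_clone /Users "$(mount)"`) from the separate admin account before starting the clone; an "exposed" verdict means the owner is still logged in and the clone would copy an image that is being modified underneath it.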

The only other complaint I've really run into is that logging off takes longer. Because FileVault uses a disk image, the image can't "shrink" just because you delete files. When you log off, OS X will try to shrink slack space in the image and thus recover some space on the drive. If you deleted a lot of data, like gigs of photos, and then log off, it can take quite a while for the shrinking process to complete.

Overall Apple made it extremely simple to encrypt your home directory. It's all graphical, it's simple, and Apple takes the burden off the end user to figure out the technical workings of encryption. A few clicks, a few passwords, and the rest is largely invisible and "just works". The process took an hour and a half...but an hour and 25 minutes of it was just waiting for it to finish the background copy and scrub of data. OS X let me continue working as if nothing was happening (well, it slowed a little since the drive was given a workout, but I could keep working without issue.)

I can say that barring issues like having the image files become corrupt due to disk or power problems, encrypting your home directory on the Mac has been painless. I've been using it for a week or so without issues with any of my software, including virtualizing Windows in a Virtualbox session.

Next, I tackle encrypting my EEE PC with Ubuntu...
