Editorials @ Applelust
Panther In Depth: FileVault: A Secure Image

© 10-27-03 András Puiz


What good is all that great Unix security if there are dead easy ways to get around it? Your home folder may be inaccessible to other users of the same machine or network, but if your Mac is still capable of booting into OS 9, that system will happily reveal all folders and files, ignorant of access privileges. But even if your computer is OS X-only, that's still not a reason to feel secure about your data: thieves can put your Mac in Target Disk Mode and see all your files on a Mac running OS 9, or simply remove your hard disk and insert it into an older Mac that will show it all. (That should make Macs capable of running OS 9 a great commodity among data thieves for years to come…)

Security experts agree that most security measures are futile once someone has physical access to your computer. Once your laptop is stolen, or your desktop is in the hands of a tech-savvy burglar, your privileged data will no longer be privileged: by using the means described above, your credit card numbers, mailboxes, classified documents and access privileges to secure websites may easily be taken advantage of. This is bad news (and old news) for people who store sensitive content on their computers, but with Panther, it's about to change.

Destruction of your data is still impossible to prevent: erasing a hard disk will always do the trick, but dipping your PowerBook into hot lava will most probably also adversely affect the data stored on the machine (though Applelust hasn't been able to fully verify this allegation yet). But if you're worried that your data would ever get into the wrong hands, worry no more: enter FileVault, a clever, ingenious way to secure your home folder by encrypting it using 128-bit Advanced Encryption Standard (AES) encryption, keeping it totally unintelligible and impenetrable to prying eyes. How secure is that? According to the National Institute of Standards and Technology, it's pretty secure:

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

The Details

Here's what FileVault does. If you choose to enable it, the contents of your home folder (your Library, containing your applications' preferences; your Documents folder, your Desktop, as well as your Movies, Pictures and Music folders, and whatever else you store under your user folder) will be moved into an encrypted disk image. And that's it. FileVault will use your account's login password to encrypt and decrypt your data, so make sure you choose a strong enough (i.e. hard to guess) password. But be careful: should you forget that password, there'll be no way in hell to get your data back! (As a "safety net" measure, you can set a master password for your entire computer that will let you decrypt any user's FileVault. Use this master password with care, though, and make sure it won't defeat the purpose of your FileVault.)
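The NIST figure quoted earlier and the password advice above can be checked with one calculation. The Python below is an added example, not part of the original article or Apple's code; it assumes an attacker who can test passwords at NIST's hypothetical 2^55 guesses per second, passwords chosen uniformly at random, and no key-derivation cost, and all function names are illustrative.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
NIST_RATE_LOG2 = 55  # the quoted hypothetical machine: 2^55 keys per second


def expected_years(keyspace_bits, rate_log2=NIST_RATE_LOG2):
    """Expected search time; on average half the keyspace is tried."""
    seconds = 2.0 ** (keyspace_bits - 1 - rate_log2)
    return seconds / SECONDS_PER_YEAR


def password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password (assumption)."""
    return length * math.log2(alphabet_size)


def effective_bits(length, alphabet_size, key_bits=128):
    """A password-protected key is no stronger than its password."""
    return min(key_bits, password_bits(length, alphabet_size))


def min_length(key_bits, alphabet_size):
    """Random characters needed before the password matches the key size."""
    return math.ceil(key_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print(f"128-bit AES key: {expected_years(128):.3g} years")
    # Constructed sample passwords: (description, length, alphabet size)
    samples = [
        ("8 lowercase letters", 8, 26),
        ("12 printable ASCII", 12, 94),
        ("20 printable ASCII", 20, 94),
    ]
    for label, length, alphabet in samples:
        bits = effective_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {expected_years(bits):.3g} years")
    print("characters needed for 128 bits:", min_length(128, 94))
```

Human-chosen passwords carry less entropy than these uniform estimates, so the real margin is smaller than the table suggests.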

With FileVault active, any read/write operations will perform the necessary encryption/decryption on the fly. This is totally transparent for the user, but naturally, comes with a performance penalty. In the few tests I've performed, I've discovered that copying a large file to an encrypted home folder took, on average, almost twice as long as copying the same file to an unprotected location, with all other circumstances being equal. This may be quite significant for some hard disk-intensive uses, like movie rendering, but we'll have to see experts confirming this before jumping to conclusions. With the exception of disk-intensive tasks, the system didn't seem any slower with FileVault turned on.

You activate FileVault in the Security pane of the System Preferences application. If you enable it, the system will log you out, and spend considerable time moving the contents of your home folder into the encrypted disk image. After that, you'll be able to log back in. Your home folder will be kept and renamed as an empty placeholder, but your real files will be kept in a secure disk image.

Security Preferences
The Security Control Panel, where FileVault is controlled.

Is It For You?

Who should use FileVault? Turning it on is no big deal, and the performance hit you get with it may not be that great. Yet it may be unnecessary overkill for many users. You should definitely consider using FileVault if you have sensitive data on your computer that could cause great harm to you (or others) if it falls into the wrong hands. If you feel you may not be able to prevent malicious physical access to your Mac (for example, you are a laptop user), that's another reason to be extra careful. In that case, you should definitely use the other security features as well. Disabling automatic login is a necessary step, or else your secured home folder may automatically surrender to anyone restarting your Mac. If you fear that the security of your Mac may be compromised while it's in use, consider password-protecting your screen saver and sleep mode, and maybe even automatically logging out after a set time. These options can all be set in the Security pane of System Preferences.

Alternatives and Workarounds

If you're suffering from the performance penalty caused by FileVault, and don't want to secure all your files, you can always work outside your home folder, and maybe move those files into your secured home later. But if you don't think that all your data (including application preferences, bookmarks, etc.) need to be secured, only a few classified documents, you can skip FileVault and create your own secure location anywhere. All you need to do is launch Disk Utility from the Utilities folder (within the Applications folder), and create an AES-128-encrypted disk image. You'll need to specify a password (that will be stored in your Keychain if you agree to that), and there, you'll have your own miniature FileVault.

Creating your own miniature "FileVault"

It will be a disk image you can mount using that password and use as a separate volume until you eject it (at which point, its contents will be stored in the Disk Image file). This image will be fixed-size, unlike the FileVault, which Mac OS X always keeps at the right size, offering to resize it each time you log out. Note, though, that just like the "real" FileVault, the DIY version will be easily broken into as well if you stay logged in with your Keychain unlocked – just like no real-life vault is secure enough if you leave the key in its door.

- András Puiz


© 2000-2006 Applelust.com. All rights reserved. No part of this publication may be reproduced in any way without prior, expressed permission from the Publisher. It is the sole property of Applelust.com and its writers, who retain copyright to their own works. If you wish to link to us, please see our Privacy Statement for conditions. Apple, Macintosh, and Mac are trademarks of Apple Computer, Inc, with whom we are in no way affiliated or endorsed.
