
MythicFrost

macrumors 68040
Original poster
Mar 11, 2009
3,944
40
Australia
I have important and private information on my Mac Pro. Could someone simply remove the hard drive, put it into their Mac Pro, and have access to all my files?!

Kind Regards
Me
 
How would I go about stopping this? Would FileVault stop anyone from accessing the files on my computer?

Kind Regards
Me
 
FileVault would prevent them from accessing the files in your home folder, if your password is secure.
 
I *think* putting a firmware password on your computer might stop this.

The best thing to do is create an encrypted disk image for your sensitive material.
 
I don't know what a firmware password is, and all my information is sensitive, I just want my information protected, and what is my home folder?

Kind Regards
Me
 
Your home folder is located at /Users/yourusername; this folder is also called ~/

PS: if anyone wants to tell him how to set a firmware password that'd be great. I'd also like to know since I don't remember how I did it...
 
Oh, so it's my account folder, that has my desktop folder etc. on it?

Any way to secure an external hard drive used for backup? Or any other reason.

Kind Regards
Me
 

You could store sensitive files in a secure disk image on the external hard drive. Use Disk Utility to create the secure disk image.
 
Thanks, that would work for some of it, but it's backed up with Time Machine software, so... that might not work with that part of it :/

Kind Regards
Me
 
Duff-Man says....if you do even a simple search at Macupdate you'll see that there are several options out there in addition to the built-in tools of Mac OS X - whether the tool(s) you have are sufficient or you want something more is your decision. You can use something like TrueCrypt (to use as an example) where you can encrypt the entire disk and have hidden partitions etc. How far you feel you need to go is up to you to decide, but you just want to make certain that you know what you are doing as in the wrong hands encryption tools can make your data a little too safe - meaning you can't get at it either.....oh yeah!
 
Yes, but can't you set it up so you need a password to boot? or is that computer specific?


Also: I did a little research and apparently you have to set it up from the boot disk. Gross!

A firmware password or a machine lockout would do nothing to address TS's question, which is, what if someone removes the hard drive? The only feasible answer to his question is to encrypt the drive's contents. Period.
 
Also, it's worth noting that FileVault has a couple known vulnerabilities, one of which is its use of a "master password". If you're going to use it, I'd recommend at least removing the master password keychain, as leaving it in place reduces your effective key strength to (IIRC) that of a 768-bit RSA key. (I don't remember the vilefault presentation all that well -- it's been a couple years -- it may have been 1024... still, in either case it's a security risk.)

Edit: If you've got sensitive information on your machine, what you really need is a form of FDE like dm-crypt or loopback AES -- but unfortunately, Mac OS X is somewhat behind Linux in this regard; there are (to my knowledge) no good solutions for FDE w/ Mac OS X.
 
Wow, is this really an issue? (Not saying it isn't, just really seems odd.) I think the best thing in this case is to make sure no one else is able to physically access the computer. Once someone gets physical access, chances are they'll be able to get at something (though some of the solutions here might help). Seems investing in better security would be better than encrypting the drive though, perhaps something as simple as putting a lock on the computer itself to prevent the side door from being opened (also prevents the drives from being removed, IIRC).

jW
 
FileVault is decent. I'm also a fan of TrueCrypt as it works on Mac, Windows, and Linux so you can transport encrypted files to other machines. A note on the firmware password: don't bother. It's rather easy to get around; even Apple provides documentation on their site to get around it.

If you're worried about thievery then check out Undercover. It won't necessarily help if they only steal the hard drive, but is a decent product.

There's not many options for full disk encryption (FDE) of the system hard drive. Here's one, but it's not free. TrueCrypt can do FDE of external drives (but not of the system HD), but I had trouble with it so just use individual encrypted storage spaces.

I work with the government sometimes so have to deal with all of the encryption stuff and security. If you're really needing to improve your security on your Mac, check out the documents the NSA has (which also point to Apple's security configuration document) for securing your Mac. They have decent suggestions, though some I feel are unnecessary.
 
If they put your disk in another computer, they can access all your files. A firmware password will not do a thing once the drive is removed from the computer.

FileVault will keep everything in your HOME FOLDER secure. You will need to pick a strong, long password (~15 characters. Every character added after that will make it take an extra 100x as long to brute force.)

Delete the master password keychain, and make sure you securely erase it with at least a 7 pass overwrite. You don't want it being recovered.

FileVault does not protect anything outside your home folder. Some applications store temporary files outside; your sleep image is stored there unencrypted, and so are some caches and logs.

Full disk encryption protects against this. PGP Whole Disk Encryption is the best for OS X at the moment. TrueCrypt can encrypt entire disks, but not the system partition at the moment.

You can back up to encrypted disk images created by either Disk Utility or TrueCrypt.

Don't store the disk image password in the keychain. Encrypted disk images can also be used to store files. With Disk Utility, make sure you use 256-bit AES; with TrueCrypt, you can use even stronger encryption if you wish.
 
Several things come to mind:

1) Use the NSA guides. They go a long way towards hardening OS X.

2) Nuke the master password (see above).

3) Disable safe sleep.

4) Enable encrypted swap.

5) Add a LaunchAgent to relocate /tmp, /var/tmp, etc. to somewhere inside your home directory upon log-in. (Note: this is not for the faint-of-heart, and it will only work reliably if there is only ever one user logged in at a time.)

6) If you're serious about security, give up on OS X. SELinux, loopback-aes, etc. can provide a much, much stronger configuration than the current version of OS X. Also, I don't like to trust closed-source crypto if I can help it...

3 & 4 are especially important. Safe sleep and unencrypted swap will completely remove any and all security afforded you by FileVault.
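
A check for items 3 and 4 in the list above, added here as an example and not part of any poster's message: it classifies the output of `pmset -g` and `sysctl vm.swapusage`. The function names and the sample text are constructed, and the output formats are assumed to match what those commands print on the reader's version of OS X.

```shell
#!/bin/sh
# Added example: classify `pmset -g` and `sysctl vm.swapusage` output.
# Sample text below is constructed, not captured from a real machine.

# Print the hibernatemode value found in `pmset -g` output on stdin.
hibernate_mode() {
    awk '$1 == "hibernatemode" { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Mode 0 keeps RAM powered and writes no sleep image; any other value
# means memory contents may be written to disk when the Mac sleeps.
safe_sleep_status() {
    mode=$(hibernate_mode)
    case "$mode" in
        0)       echo "ok: safe sleep disabled (hibernatemode 0)" ;;
        unknown) echo "unknown: no hibernatemode line found" ;;
        *)       echo "warn: safe sleep enabled (hibernatemode $mode)" ;;
    esac
}

# Assumption: `sysctl vm.swapusage` appends "(encrypted)" to its line
# when encrypted swap is in use.
swap_status() {
    if grep -q '(encrypted)'; then
        echo "ok: swap encrypted"
    else
        echo "warn: swap not encrypted"
    fi
}

# Constructed sample input so the script also runs away from a Mac.
SAMPLE_PMSET=' sleep                10
 hibernatemode        3
 hibernatefile        /var/vm/sleepimage'
SAMPLE_SWAP='vm.swapusage: total = 64.00M  used = 0.00M  free = 64.00M'

printf '%s\n' "$SAMPLE_PMSET" | safe_sleep_status
printf '%s\n' "$SAMPLE_SWAP"  | swap_status

# On a Mac, feed the live values instead:
#   pmset -g | safe_sleep_status
#   sysctl vm.swapusage | swap_status
```
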
 
Let's get real.

The TS's question was probably answered.

If he were SERIOUS about security, he wouldn't be asking a relatively naive (no offense) question about how to secure a hard drive.

Every other dude reading this thread knows what 90% of these types of questions are all about - guys who don't want their wives finding their porn collection. If you were really engaging in sensitive work, you'd already know and have measures in place to secure your info.
 
> Also, it's worth noting that FileVault has a couple known vulnerabilities, one of which is its use of a "master password". If you're going to use it, I'd recommend at least removing the master password keychain, as leaving it in place reduces your effective key strength to (IIRC) that of a 768-bit RSA key. (I don't remember the vilefault presentation all that well -- it's been a couple years -- it may have been 1024... still, in either case it's a security risk.)

The downside is that the Master Password is essentially a backup password to access the information if the user/administrator's password is lost/forgotten. If that happens and there is no master password as a backup, then your information is essentially lost.
 

Yes, but I have a hard time believing that a home user would forget his account password (which he uses every day) but not his master password (which he doesn't.)

I dunno -- that just struck me as odd, at least for home users.
 
And while you're at it, go buy a good padlock and lock your Mac Pro's case shut. There's a slot for that purpose.

Also prevents people from stealing memory modules.
 
> Yes, but I have a hard time believing that a home user would forget his account password (which he uses every day) but not his master password (which he doesn't.)
>
> I dunno -- that just struck me as odd, at least for home users.

You'd be very surprised. At my old job it would be at least 1-2 people every week someone would come in asking if we could change their password. Typically old people, but otherwise would be the people who don't really use their computer that much outside of the applications that came preinstalled on it. The people who set up a password on their machine the very first day for "security" purposes, yet don't install anything for 10 months and then have absolutely no idea what their password is.

Not after too long though, we did make it a policy to not change someone's password unless they had their system disks with them in case they had stolen the machine ("You guys buy computers or iPods? I got three iPod Videos in sealed condition and these computers that I forgot the passwords to".... and a huge puffy winter jacket in the middle of 100 degree summer and smell like I just smoked thirteen blunts...)

Not often did we get someone who forgot everything, and happened to have FileVault turned on, but that did happen at least twice (over a long period of time, but it did happen).
 