Filevault "best" setup?

Discussion in 'macOS' started by Schtibbie, Dec 27, 2009.

  1. Schtibbie macrumors 6502

    Jan 13, 2007
    I just turned FileVault on (Snow Leopard, in case it matters) and I want to make sure I've done everything prudent to make it effective - IOW, is FileVault known to be pretty much useless (like WEP, for example) under certain common circumstances unless you *also* do X, Y, Z?

    Here's the setup: one user is Admin-level, which is never logged on unless I'm updating Firefox or other stuff. Main user is a NON-admin user logged in all day, laptop always running.

    Screensaver lock ON, pass required. Encrypted VM on. FileVault ON with a master pass set. The admin user does NOT have FileVault on but "he" has no content to speak of (or is that necessary too?). Keychains are not separately locked.

    Time Machine is on, but I haven't checked the backup disk to see if my old unencrypted home is still on there.
  2. angelwatt Moderator emeritus


    Aug 16, 2005
    Time Machine and FileVault as a combo isn't very great due to the way they work together. Backups are only done on logout. My preferred method is to use TrueCrypt to encrypt a backup location, then use CCC to back up my FileVault user contents, which works while logged in. This method also better allows you to retrieve individual files from the backup. The only weakness of FileVault that I know of is the password, as in don't use a weak password.

    The VM doesn't need a separate encryption if the VM file is saved inside your user directory somewhere. It wasn't clear if you were doing anything special. The rest of your setup sounds fine though, maybe even overkill depending on the level of security you need. Most people only need a few things protected and can get by using an encrypted disk image.

    If you want to look at a few other Mac hardening tricks, check out the NSA's reading on the topic. They haven't finished the Snow Leopard version yet. Apple also has their own security configuration documents.
  3. Schtibbie thread starter macrumors 6502

    Jan 13, 2007
    OP here. For folks who are interested, I also found info on the web that indicates one should not only turn on secure VM (which I already did), but turn OFF safe sleep so the computer won't save RAM contents when hibernating to the disk. It turns out that while the sleep-image is encrypted in this situation, the key to unlock it is contained in the header of that file right there for all to see. LAME.

    Really, it shouldn't be this tricky to properly secure a computer. I suppose I could just go get PGP Whole Disk Encryption and then there'd be NO unencrypted info anywhere on the disk.
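
Added example, not part of any post in this thread: a small audit script for the safe-sleep setting described in the last post. It reads `pmset -g` output, reports whether the current `hibernatemode` writes RAM to disk, and checks for a sleep image left over from before the setting was changed. The sample output and the default path `/var/vm/sleepimage` are assumptions used when the script is not run on a Mac.

```shell
#!/bin/sh
# Added example: audit the safe-sleep (hibernation) setting from `pmset -g`.

# Constructed sample of `pmset -g` output, used when pmset is unavailable.
SAMPLE_PMSET=' hibernatemode    3
 hibernatefile    /var/vm/sleepimage
 sleep            10'

# Read `pmset -g` text on stdin and print the value of the named setting.
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Mode 0 keeps RAM powered and writes no image; every other mode
# saves RAM contents to the hibernate file when the machine sleeps.
classify_mode() {
    case "$1" in
        0) echo "ok: RAM is not written to disk on sleep" ;;
        ''|*[!0-9]*) echo "unknown: no hibernatemode value found" ;;
        *) echo "exposed: mode $1 writes RAM to the hibernate file" ;;
    esac
}

# An image written before the setting was changed stays on disk.
stale_image() {
    if [ -e "$1" ]; then
        echo "stale: $1 still exists"
    else
        echo "ok: no sleep image at $1"
    fi
}

if command -v pmset >/dev/null 2>&1; then
    settings=$(pmset -g)
else
    settings=$SAMPLE_PMSET
fi
mode=$(printf '%s\n' "$settings" | pmset_value hibernatemode)
image=$(printf '%s\n' "$settings" | pmset_value hibernatefile)
classify_mode "$mode"
stale_image "${image:-/var/vm/sleepimage}"
# To turn safe sleep off: sudo pmset -a hibernatemode 0
# then delete the old image: sudo rm /var/vm/sleepimage
```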
