FileVault - Sensitive stuff outside of the Home folder?

[dtemp]

Hello all... As a non-UNIX-geek, and someone unfamiliar with the internals of OS X in general, I'd like to ask ya'll where sensitive data might be stored outside of the Home directory. As you may know, FileVault only encrypts the Home directory, and stores the password as a hash of the account password and the "master" reset password.

So, what sensitive stuff is outside of the Home Directory? Any system logs with potentially damaging info? Any badly written applications (i.e. MS Office 2004) that might keep sensitive data within the Application directory? Any stuff inside of the Library or System folders? Be creative

 

[dtemp]

anyone?

 

[madog]

Potentially in the Macintosh HD/Library/App Support folder. The Application Support folder in there generally is for system wide apps, however some third party apps that you install (for all users) will store info in there, potentially personal depending on the app (nothing in particular strikes me as problematic in that sense)

That's all I can think of.

On a side note, I personally advise against file vault as if the time comes in which you need to recover data from that drive filevault makes it nearly impossible.

I'm not entirely sure of the process of when a filevaulted user folder gets backed up, and whether or not that same user needs to be logged in in order to access it.

 

[drichards]

Outside the Home directory is a no-touch zone. Always wear your safety glasses while modifying files outside /~/

File vault really does stink, though, as mentioned above. Your data may be sensitive, but when things go wrong, that data can be hard for you to get to as well.

 

[dtemp]

Thanks guys. I'm aware of the lack of elegance regarding integration between Time Machine and File Vault... its all or nothing when it comes to restoring the home folder. I'm also aware that editing diretories outside of ~/ may cause issues; this thread is essentially for my own information, I'd like to at least know what to worry about if things go missing or get stolen. I've disabled writing RAM to disk before system sleep, so as far as I know, the only attack on files within my home directory is the infamous cold boot attack.

I'd still however like to be aware what is available to anyone who hooks up my disk to an external enclosure Anyone else have knowledge of sensitive stuff stored outside of ~/ ?

 

[drichards]

You shouldn't find any relevant user data outside ~/ - just some preference files, system logs which just list errors typically, and of course system files in the no touch zone.

As long as you keep the NOC List in ~/, its "safe" in theory. When the operative repels from the ceiling to access your disk, he'll still find it encrypted back in the van. No encryption is unbreakable, and he'll probably be able to access it with brute force attack by the time he has to meet the contact on the train, but by then your people should be able to mobilize an asset and attempt to terminate the threat.

 

[dtemp]

very funny drichards

 

[priller]

File vault really does stink, though, as mentioned above. Your data may be sensitive, but when things go wrong, that data can be hard for you to get to as well.

That's the point, if the data could be easily recovered encryption would be pointless, Filevault only stinks if you've got unreal expectations.

 

[ppc750fx]

1) Your swap file. You can enable swap file encryption.

2) Your safe sleep image. This is a huge hole -- when your Mac enters safe sleep, it dumps the contents of memory (unencrypted) to disk. You can disable this with the SmartSleep prefpane.

3) Your Keychain. By default it's unlocked, and easily recoverable (even if your Mac is asleep.) To fix this, set your keychain to automatically lock.

4) As you pointed out, any apps that are "dumb" and save important stuff outside of ~

 

[dtemp]

1) Your swap file. You can enable swap file encryption.

2) Your safe sleep image. This is a huge hole -- when your Mac enters safe sleep, it dumps the contents of memory (unencrypted) to disk. You can disable this with the SmartSleep prefpane.

3) Your Keychain. By default it's unlocked, and easily recoverable (even if your Mac is asleep.) To fix this, set your keychain to automatically lock.

4) As you pointed out, any apps that are "dumb" and save important stuff outside of ~

Thanks.

1) I have enabled virtual memory encryption.

2) I have disabled "safe sleep"... I forget what terminal command I used, but yeah its off!

3) Hymm... this I'm unsure the implications of! What good is an unlocked keychain? Is it readable in plaintext on the drive? I realize that being logged in with an unlocked keychain is an issue... but what if the display locks on sleep/screensaver? Is an unlocked keychain dangerous orthogonally to the lock status of the screen?

4) Yep, I'm wondering if the keen Mac Rumors audience knows of specific examples of these badly coded apps

 

[ppc750fx]

Thanks.

1) I have enabled virtual memory encryption.

2) I have disabled "safe sleep"... I forget what terminal command I used, but yeah its off!

3) Hymm... this I'm unsure the implications of! What good is an unlocked keychain? Is it readable in plaintext on the drive? I realize that being logged in with an unlocked keychain is an issue... but what if the display locks on sleep/screensaver? Is an unlocked keychain dangerous orthogonally to the lock status of the screen?

4) Yep, I'm wondering if the keen Mac Rumors audience knows of specific examples of these badly coded apps

Re: 2. You didn't disable it. At least you did until you make changes to the power profile, at which point it will re-enable itself (if you're using Leopard.) SmartSleep (the prefpane) is the only reliable way I've found to keep it disabled.

Re: 3. If your keychain is unlocked, any application can read data from your keychain. Any application can write to it. The display lock does nothing to mitigate the threat this poses -- passwords can be recovered from RAM using various attacks without needing to unlock the screen.

 

[dtemp]

Re: 2. You didn't disable it. At least you did until you make changes to the power profile, at which point it will re-enable itself (if you're using Leopard.) SmartSleep (the prefpane) is the only reliable way I've found to keep it disabled.

What I DO know is that, before, after shutting the lid, it would take around 3-6 seconds for the light to start pulsing, but now it starts pulsing immediately upon shutting the lid. This tells me it is no longer writing RAM to disk.

 

[jc1350]

PGP Desktop for Mac finally added something that was worth the cost: whole disk encryption. I have noticed only a slight degradation in performance during start-up. Since the whole disk is encrypted, you don't have to deal with filevault's sometimes long optimization process during logoff/shutdown.

And by excluding one file specific to PGP's WDE, SuperDuper works just fine. Yes, I know - the copy isn't encrypted. I don't care because I don't care the copy with the laptop. The copy stays home. I don't have to log out and use another account like I did with filevault.

 

[Mhaddy]

PGP Desktop for Mac finally added something that was worth the cost: whole disk encryption. I have noticed only a slight degradation in performance during start-up. Since the whole disk is encrypted, you don't have to deal with filevault's sometimes long optimization process during logoff/shutdown.

And by excluding one file specific to PGP's WDE, SuperDuper works just fine. Yes, I know - the copy isn't encrypted. I don't care because I don't care the copy with the laptop. The copy stays home. I don't have to log out and use another account like I did with filevault.

Have you used PGP Desktop? How do you like it?

 

[jc1350]

Have you used PGP Desktop? How do you like it?

I like it. My only complaint is that the marketing propaganda lead me to believe it has real Exchange support for Mac and it doesn't. It ONLY supports pop and imap with regard to email.


Whole Disk Encryption is working just fine so far (several months). If you have sensitive data on a laptop, I recommend it. I think it's overkill for a desktop at home, though.

 

[Mhaddy]

Couple more questions for ya:

1. Can I encrypt my MBAir and MP and still continue to sync files back and forth via ChronoSync?
2. Can I encrypt an external USB HDD and continue to b/u files to it from my MP?
3. Can you revert back to an unencrypted state/uninstall PGP WDE?
4. What happens if I want to reinstall OSX or upgrade to Snow Leopard? Can I still access my encrypted HDDs (internal or external)?

 

[sclough]

The only other thing I could think of is tmp files. I'm not so sure that many Mac problems would use those, but some ported from unix might write work files to /tmp .

 

[jc1350]

Couple more questions for ya:

1. Can I encrypt my MBAir and MP and still continue to sync files back and forth via ChronoSync?
2. Can I encrypt an external USB HDD and continue to b/u files to it from my MP?
3. Can you revert back to an unencrypted state/uninstall PGP WDE?
4. What happens if I want to reinstall OSX or upgrade to Snow Leopard? Can I still access my encrypted HDDs (internal or external)?

1. I don't know anything about Chronosync, but only the data on the encrypted HD is encrytped. Copying to any other disk/network share/etc results in an non-encrypted file on the target disk (unless you encrypt that disk, of course).

2. Yes, but that external disk will only work on the system that did the encryption unless you use a password-only encyption (PGP uses your PGP keys + password). You would have to have PGP installed on any system that would read the external disk.

3. Yes, you can revert the disk to an unencrypted format.

4. Patching (10.5.5 to 10.5.6) doesn't affect WDE. I don't know the details of reinstalling (I'm assuming you mean on a blank drive or doing an "erase and install").

What I do is make a weekly clone of my HD using SuperDuper. As long as I exclude /PGPWDE01 from the clone, I can boot from the USB/SuperDuper cone disk which is not encypted. So if I have a problem, I'll just boot from the external disk and use SD to restore to the internal disk as normal, then encrypt the internal disk. The reason I have to exclude that file is simply that it is only valid for the drive on which it was created.

I wouldn't do any FULL OS upgrades (Leopard to Snow Leopard for example) until PGP supports it officially. And when I do such a thing, I'll probably remove the encryption, upgrade as usual (archive and install), then encrypt the new system when I'm ready.

The only other thing I could think of is tmp files. I'm not so sure that many Mac problems would use those, but some ported from unix might write work files to /tmp .

Since PGP uses Whole Disk Encryption, the whole thing is encrypted including /tmp, /var/tmp, etc. If you mean the swap partition, if there is such a beast on Mac OS, then I don't know and it's a good question. I don't know if by whole DISK encryption if they mean a physical disk or a partition that appears as a disk. I'm not concerned about that much encryption.