
Dave410

macrumors regular
Original poster
Aug 31, 2015
Hey Gang,

I'm planning to make the switch from Windows to Mac, but I have a question about data security first. How do Mac users protect their data - you know, passwords, financial data, tax returns, nuclear launch codes - if they have to send the machine in for repairs? As I understand it, you can't just pull the hard drive yourself so all your data would go to the repair shop or behind the Genius bar for the techs to see. I asked a kid in the Apple store once and he just said "Apple takes data security very seriously. We could get fired..." which is pretty bogus. How do Mac users stay secure? Keeping your important data on an external drive would do it, but that makes travel more difficult and defeats the purpose of the 1Tb drive I'm planning. What about encryption? Any other methods?

Many thanks,
Dave
 
I've never sent it in for a return, but turn on FileVault and that will encrypt your data.

You could also create a separate user account for the Apple store folks to use if they need it.
 
It's impossible to know what happens to your computer once it's out of your hands. Erasing the hard drive, if possible, before turning it over for a repair of a hardware issue would be advised.

The technician will most likely start up from an external disk to run any diagnostics.

If the issue IS hard drive related and/or you can't erase or remove before turning it over then you'd probably wish you had been running the Mac with FileVault on.
 
How do Mac users stay secure?

If you are concerned about this, the only real answer is to back up the Mac and completely erase the internal drive, then install the OS and make a temp admin account before you hand it over for repair. Then when you get it back, erase the internal drive again and restore from your backup. You can use either the included Time Machine software to do this or a third party clone tool like Carbon Copy Cloner. Or even clone with Disk Utility if you like.
 
Thanks, guys. Makes sense. As a Windows guy, I'm not familiar with FileVault, but I'll look into it. If it encrypts the entire drive, however, I'll bet it's a drag on performance. I really only need to encrypt sensitive files like my financial data so I'm guessing there is third-party software for that. There are plenty in the Windows world so I'm sure they exist for Macs too.

By the way, the last I looked, it's actually impossible to securely erase an SSD. You can't replace the data with zeros like you can with a spinner because of the way data is shuffled to prolong the SSD's life. One of those secure erase programs would probably be good enough for sending a drive to Apple, but I wouldn't count on it if the NSA was after you.
 
Thanks, guys. Makes sense. As a Windows guy, I'm not familiar with FileVault, but I'll look into it. If it encrypts the entire drive, however, I'll bet it's a drag on performance. I really only need to encrypt sensitive files like my financial data so I'm guessing there is third-party software for that. There are plenty in the Windows world so I'm sure they exist for Macs too.

By the way, the last I looked, it's actually impossible to securely erase an SSD. You can't replace the data with zeros like you can with a spinner because of the way data is shuffled to prolong the SSD's life. One of those secure erase programs would probably be good enough for sending a drive to Apple, but I wouldn't count on it if the NSA was after you.

FileVault slows things a tiny bit, but very little on newer Macs. Totally worth using IMO and it is very transparent.

If you just want to protect a few documents and don't want to use FileVault to encrypt the whole drive, you can make an encrypted sparse bundle image (link) and just drop the documents inside that.

You can secure erase an SSD with the ATA Secure Erase command. The problem is there is no way to do that in macOS (at least not that I have ever found), so you need to make a Linux boot disk of some sort to run the "hdparm" command.

It is actually fairly difficult to restore data on an SSD once it has been erased and the OS reinstalled. Like you alluded to, just for leaving your Mac with Apple for repair, it would be sufficient.
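
The ATA Secure Erase step mentioned above only works when the drive's security state allows it, so this added example (not part of the original post) checks the `Security:` section of `hdparm -I` before printing the erase commands. The sample output is constructed; `/dev/sdX` and the password `p` are placeholders, and it assumes a SATA SSD that the Linux boot disk exposes to hdparm.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "Security:" section of
# `hdparm -I` to decide whether a drive will accept ATA Secure Erase.

# Constructed sample output; $1 is "not" (usable) or "" (frozen by firmware).
sample_hdparm() {
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n'
    printf '\t%s\tfrozen\n' "$1"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Reads `hdparm -I` text on stdin; prints one of:
# ready, frozen, locked, unsupported, no-security-section.
erase_readiness() {
    awk '
        /^Security:/       { insec = 1; seen = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next top-level heading ends it
        !insec             { next }
        { s = $0; gsub(/[ \t]+/, " ", s); sub(/^ /, "", s) }
        s == "supported"   { supported = 1 }
        s == "frozen"      { frozen = 1 }
        s == "locked"      { locked = 1 }
        END {
            if (!seen)           print "no-security-section"
            else if (!supported) print "unsupported"
            else if (locked)     print "locked"
            else if (frozen)     print "frozen"
            else                 print "ready"
        }'
}

# Dry run: print the erase commands for device $1 only if stdin says "ready".
# "p" is a throwaway ATA password (assumption); the erase clears it.
erase_plan() {
    state=$(erase_readiness)
    if [ "$state" != ready ]; then
        echo "refusing: drive state is $state" >&2
        return 1
    fi
    echo "hdparm --user-master u --security-set-pass p $1"
    echo "hdparm --user-master u --security-erase p $1"
}

# Demo on constructed samples. Real use: hdparm -I /dev/sdX | erase_plan /dev/sdX
sample_hdparm not | erase_plan /dev/sdX
sample_hdparm ""  | erase_plan /dev/sdX || true
```

A drive reported as frozen usually needs a suspend/resume cycle or a power-cycle of the drive before it will accept the security commands.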
 
If it encrypts the entire drive, however, I'll bet it's a drag on performance. I really only need to encrypt sensitive files like my financial data so I'm guessing there is third-party software for that.
Don't bother. I used to do the same as you. I'd turn off hibernation, set a bunch of file system flags, avoid full disk encryption and use sparse files to encrypt only important stuff etc.

But the SSDs in these MacBooks are so freaking fast... most of the industry is sauntering along with silly SATA 3 drives and meanwhile these latest MacBooks are clocking over 2GB/s and heaven knows how many IOPS. And the stuff is protected with a super responsive fingerprint recognition.
 
Just enable FileVault; it won't allow any access without your password. Even if you pull the hard drive off the computer, it's still encrypted.
Apple can boot your computer via network if they need to repair it.
 
A word of caution - turning on FileVault will prevent access to some diagnostic tools needed by the technician. I'm an Apple-certified tech (though I don't work for Apple), SSD tests CAN NOT BE RUN if FileVault is enabled. Also, I recently repaired an out of warranty system with a bad GPU (under the repair extension plan), the verification tests after repair would not run with FileVault enabled, unless I had a password to unlock the drive.
 
if they have to send the machine in for repairs
I back up my computer, wipe the drive and install a vanilla copy of OS X. That way my data is out of the hands of everyone. Once the computer comes back, I restore it.
 
A word of caution - turning on FileVault will prevent access to some diagnostic tools needed by the technician. I'm an Apple-certified tech (though I don't work for Apple), SSD tests CAN NOT BE RUN if FileVault is enabled. Also, I recently repaired an out of warranty system with a bad GPU (under the repair extension plan), the verification tests after repair would not run with FileVault enabled, unless I had a password to unlock the drive.

What happens if there is a guest account or a separate user account?
 
What happens if there is a guest account or a separate user account?
If you have FV turned on the guest account does not work like it would otherwise. With FV turned on a guest boot boots to a Safari only screen that runs off the recovery partition, so it would be pretty useless for testing.

If you create a separate admin account for Apple to use for testing, then they can easily use the sudo command from that account to access your real data if they want to.

As pointed out by others, I suppose some repairs could be carried out and tested with an external boot source and FV left on, but not all can. The real answer is if you have data you are concerned about on there you need to erase the disk before you hand it over.
 
I believe a regular user account can also unlock FileVault, and that user wouldn't have access to the admin account's files but should be able to enable the service technician to do what needs to be done.
 
I believe a regular user account can also unlock FileVault, and that user wouldn't have access to the admin account's files but should be able to enable the service technician to do what needs to be done.

Yeah... maybe depending on what is wrong and what needs to be done for the repair. There would still be some limitations.
 
Yeah... maybe depending on what is wrong and what needs to be done for the repair. There would still be some limitations.

They wouldn't be backing up the data anyway (that's the user's responsibility), so as long as they can unlock the disk for diagnostics they should be clear, keeping in mind that even some non-disk issues could need the disk unlocked to run the tests.
 
They wouldn't be backing up the data anyway (that's the user's responsibility), so as long as they can unlock the disk for diagnostics they should be clear, keeping in mind that even some non-disk issues could need the disk unlocked to run the tests.
I don't follow what you are saying regarding backing up data. All I am saying is that not having an admin password limits what one can do on a system both in terms of diagnostics and potential repairs in some cases.
 
I don't follow what you are saying regarding backing up data. All I am saying is that not having an admin password limits what one can do on a system both in terms of diagnostics and potential repairs in some cases.

I don't have my FileVault-encrypted Mac handy (it's at work, I haven't been there in 10 days), I'm not sure if a standard user account will allow an Apple tech to run the needed diagnostics but as long as the disk can be unlocked I don't see why it can't be done. Actually, my Mac at work IS our diagnostic host so I'd need to find another.

What I meant about backing up data - there's no reason for the tech to have access to YOUR account, and I don't think they even need an admin account for a hardware repair as long as they can unlock the encryption. Needing to unlock FileVault for diagnostics is a new thing, that's why I'm unsure about it even as a certified tech.
 
Many thanks, everyone. Lots of good information here.

How about third party encryption software to encrypt just a few files or folders? I saw the post on the sparse bundle image and that looks a lot like Truecrypt and Veracrypt, which I'm familiar with from Windows world, but I really just want to encrypt my tax returns and password list and those methods are a bit cumbersome. I now use Axcrypt on Windows and it works great. Anything similar for the Mac?

Cheers.
 
I use an encrypted sparse bundle for the stuff I REALLY care about keeping private. I wouldn't use TC anymore and I have no experience or opinion on Veracrypt.
 
Yeah, I'm familiar with the Truecrypt issue too and don't use it. Veracrypt is the follow on to it and works pretty much the same. It's supposed to be safer, but who knows? In any case, I'm not trying to hide anything from the FBI or NSA; I just don't want some thief to have my password list if he steals my laptop.

While we're on this subject, I read a while back that the police can't force you to give up a password because it's in your head, but they can force you to put your finger on Touch ID to open your phone or computer.
 