
Mac2013orlater

macrumors member
Original poster
Feb 2, 2014
Hello all,
It's my pleasure to join the MacRumors community. A sleek new 27-inch iMac (2013) was shipped yesterday. An SSD is the only mass storage fitted in that iMac.
The user has not yet started to store sensitive data on the SSD.

The question is what needs to be done now (before one starts using the SSD
to store one's own sensitive data) in order to achieve the two goals listed below?
1. If at some time in the future (medium or long term) this iMac should be resold
- change of ownership - the sensitive user data can be removed from the SSD.
2. If at some time during the warranty period the appliance should need
to be sent to any repair service, the sensitive user data is safe from unauthorized access.

The full reliability of removing sensitive user data, and of protecting that
data from unauthorized access while the appliance is in foreign hands for any reason,
has the highest priority in this case.
The protective measure used should not have any negative impact
on other computing aspects while using this appliance.


Please see the SSD and all resulting impacts as the central point of the question.
There are plenty of discussions to be found on the web regarding the
reliability of data removal on SSDs and the reliability of data encryption on SSDs.
For a newbie, however, it is not easy to see
which of the points made are still valid today and which are not.

I guess full disk encryption by an SSD-external software solution might be oversized
- only the sensitive user data needs to be protected. Furthermore, such an approach
seems to have severe impacts on other computing aspects. Similarly the SSD-internal
encryption solution.
 
Use FileVault 2 that is part of OS X to encrypt your disk. This way there is no third party software to break during OS updates.
 
> Use FileVault 2 that is part of OS X to encrypt your disk. This way there is no third party software to break during OS updates.

Thanks a lot for feedback!

Really?
There will be no impacts regarding other computing aspects, then, while using this Mac? Especially maintenance, OS repair, data recovery in emergency situations. Limitations and side effects are not nice to see.

There are discussions widely on the web, including those where FileVault is not advisable for such requirements as here.
 
> Thanks a lot for feedback!
>
> Really?
> There will be no impacts regarding other computing aspects, then, while using this Mac? Especially maintenance, OS repair, data recovery in emergency situations. Limitations and side effects are not nice to see.
>
> There are discussions widely on the web, including those where FileVault is not advisable for such requirements as here.

There are 2 versions of FileVault... The original one was pre-Lion and only encrypted the home folders... this caused a lot of issues.

FileVault 2, which was introduced in Lion, is full disk encryption and has very little overhead. I have not run into any recovery issues with FileVault 2.

And as always I would recommend keeping good backups so data recovery is not as much of an issue. And the backups can have their disks encrypted as well.
 
Thank you for all your hints! However, I am not sure if encrypting the whole disk using FileVault 2 will meet all the requirements that have been raised.
If for some reason the iMac needs to be sent to the Apple repair service (no matter whether under warranty or no longer), the guys will ask me for the disk password.
Otherwise they won't be able to conduct the repair.

Furthermore, for the requirements that have been raised, FileVault 2 might be oversized.

Furthermore, FileVault 2 also has some impacts on maintenance and so on,
even if those are just minor, or at least minor.
See the terms Time Machine, Guest user account, Recovery, booting with the Option/R key.
No idea if all of the existing ones have been identified above.

On the other hand, seeking the goal just by an encrypted virtual disk won't be
an easy task either - one needs to know the locations of all possible cache directories and files (operating system and software).
 
> Thank you for all your hints! However, I am not sure if encrypting the whole disk using FileVault 2 will meet all the requirements that have been raised.
> If for some reason the iMac needs to be sent to the Apple repair service (no matter whether under warranty or no longer), the guys will ask me for the disk password.
> Otherwise they won't be able to conduct the repair.
>
> Furthermore, for the requirements that have been raised, FileVault 2 might be oversized.
>
> Furthermore, FileVault 2 also has some impacts on maintenance and so on,
> even if those are just minor, or at least minor.
> See the terms Time Machine, Guest user account, Recovery, booting with the Option/R key.
> No idea if all of the existing ones have been identified above.
>
> On the other hand, seeking the goal just by an encrypted virtual disk won't be
> an easy task either - one needs to know the locations of all possible cache directories and files (operating system and software).

I'm not sure what you are reading out there or exactly what your concern is about FileVault 2, but it is very transparent to the user. There is a performance hit, but it is minimal. I don't notice it at all on my 2013 MacBook Air. There is no impact at all on any maintenance.

Any solution you use you will want to remove your personal data before sending your machine in to Apple, so I don't see how that matters.

The encrypted disk image solution mentioned by heisenberg123 will work if you just want to protect some documents, but that will not address the issue you mentioned with cache files etc.

Maybe if you can explain specifically what your concern is?
 
Thanks for all your feedback, and my apologies for the lag in coming back to you.
It's due to several other tasks I currently have to do.

I am still considering FV2, or eventually TrueCrypt, if TC then for file/folder based encryption.

FV2 can only do full disk encryption. Can it also do virtual containers for storing/encrypting
a selection of files/folders? I don't think so.
That means that if the service guys some day need to have this machine physically for repair, they must be able to boot it in order to analyze the reported issues. That means they must be able to use an account authorized by the machine administrator to unlock the disk encryption. The sensitive user data is then no longer protected against access by the service guys.

> Any solution you use you will want to remove your personal data before sending
> your machine in to Apple
I can imagine there are possible cases where moving data to other storage
before shipping the machine for service is not possible.
Please take into account that it is about encrypting the SSD.
This is the only storage in this machine, and also the Mavericks boot drive.
How well will removing sensitive user data from an encrypted SSD meet the
requirement raised? Generally it is not easy to permanently remove data from an SSD.
Does it look better if the SSD is encrypted? I am not sure.

Basically FV2 seems to be quite transparent and convenient for the user.
Anyhow, some impacts are to be indicated:
- the backup process can run only if all users are logged off - this limitation
has to be considered in one's backup plan
- an authorized person is able to boot the machine, one more point
for the admin to consider
- the recovery procedure seems to deviate from the case where FV2 is not enabled,
even if those are just minor
 
I too recommend FileVault 2--once enabled it is virtually seamless for most operations and protects all your data--no need to pick and choose what to encrypt.
 
> FV2 can only do full disk encryption. Can it also do virtual containers for storing/encrypting
> a selection of files/folders? I don't think so.
> That means that if the service guys some day need to have this machine physically for repair, they must be able to boot it in order to analyze the reported issues. That means they must be able to use an account authorized by the machine administrator to unlock the disk encryption. The sensitive user data is then no longer protected against access by the service guys.

You could do both if you like. You could turn on FV2, then in addition to that setup an encrypted sparse bundle image to keep particularly sensitive material in like mentioned in an earlier post.

> > Any solution you use you will want to remove your personal data before sending
> > your machine in to Apple
> I can imagine there are possible cases where moving data to other storage
> before shipping the machine for service is not possible.
> Please take into account that it is about encrypting the SSD.
> This is the only storage in this machine, and also the Mavericks boot drive.
> How well will removing sensitive user data from an encrypted SSD meet the
> requirement raised? Generally it is not easy to permanently remove data from an SSD.
> Does it look better if the SSD is encrypted? I am not sure.

I do understand your concern over this issue.

I see two scenarios. I assume in both scenarios you have a full Time Machine (TM) backup.

1. Your FV2 encrypted Mac is generally working but needs to go to Apple for some minor problem. You can still boot and run. In this scenario, I would leave FV2 on and command-option-R boot to Internet Recovery. From there erase the entire disk and reinstall the OS, then set up a temp admin account and send the machine off to Apple. By doing this you have erased the encrypted partition and nobody is going to get that data. When you get the machine back, just restore from your TM backup and re-encrypt.

2. Your FV2 encrypted Mac is broken to the point you cannot boot and make any changes. In this case, just give Apple the machine with FV2 left on and do not give them the password. Once they fix the machine they can just use an external drive or Internet recovery to wipe the drive and reinstall the OS.

> Basically FV2 seems to be quite transparent and convenient for the user.
> Anyhow, some impacts are to be indicated:
> - the backup process can run only if all users are logged off - this limitation
> has to be considered in one's backup plan
> - an authorized person is able to boot the machine, one more point
> for the admin to consider
> - the recovery procedure seems to deviate from the case where FV2 is not enabled,
> even if those are just minor

You do not need to be logged off to run a Time Machine or other backup. Backups work the same either way with FV2 on or off.

Nobody can boot the FV2 machine other than users you have added and allowed access.

Recovery is the same with the one exception that you need to "unlock" the drive in Disk Utility from the recovery console if you want to do a drive repair. Otherwise, I can't think of anything different.
 
You enable FileVault2 encryption, this encrypts all your data.

You set up Time Machine; there is an option to enable encryption for your Time Machine backup, if you want your backups encrypted as well. Unlike with the old FileVault, backups happen when you are logged in, exactly the same as when you don't have FileVault 2 enabled.

Only the user account(s) you authorise can unlock the drive to boot OS X and access the encrypted files. There is also a recovery key which you can choose to keep somewhere safe, with Apple or indeed not bother to keep it at all.

Recovery isn't really any different from normal, except you need the password to unlock the encrypted drive.

You can use your computer exactly as you do now, including copying files around to other encrypted or unencrypted drives.

If you need to take the machine in to Apple wipe it and install a fresh copy of OS X. If you can't wipe it just don't give them the password and tell them to wipe the machine if they need to. They cannot access your data if you don't give them the password.

You don't need to remove the data from the SSD permanently as it is encrypted, you just don't hand the key out.
 
The problem with FV isn't really a problem with FV; it's that it's so easy to use that it is only as secure as the person using it. If the user password is compromised, it's all there to see. If the user is logged in and the machine is open to someone else snooping on it, it's all there to be seen. If the user puts the sensitive info somewhere he or she shouldn't, like a cloud storage place (more and more applications steer folks in this direction), it isn't under FV protection. And to fix stuff on this computer it is likely the person doing the repair will have access to that info if more isn't done, like separate TrueCrypt volumes. I think an external would be better.

I would consider protocols that force the user to store all sensitive data somewhere more secure than the hard drive inside the computer if you're really serious about protecting it from both unauthorized access and loss. And you referred to the "user" in the third person, so I assume you also need to access the data. Having an employee bolt with the password of a FV protected Mac is a problem.
 
I saw nothing in forum post about OpenDNS you linked too. Are you trying to hijack the thread?

Mr. Retrofire linked directly to a post which explains why using a DNS service that returns pages for lookups of nonexistent domains, such as OpenDNS, can cause issues with 10-20 second Finder timeouts. So no, it isn't a thread hijack, but it is a good reason not to use OpenDNS.
 
> Mr. Retrofire linked directly to a post which explains why using a DNS service that returns pages for lookups of nonexistent domains, such as OpenDNS, can cause issues with 10-20 second Finder timeouts. So no, it isn't a thread hijack, but it is a good reason not to use OpenDNS.

One person's mention was of his OpenDNS settings. This is just one person saying this. Show me some real proof and I will admit my mistake.
 
> I am still considering FV2, or eventually TrueCrypt, if TC then for file/folder based encryption.

TrueCrypt is a separate app with its own updates and is subject to issues when the OS is updated significantly. It will cause more problems than you seem to be imagining in FileVault 2, and is a lot less transparent.

> FV2 can only do full disk encryption. Can it also do virtual containers for storing/encrypting
> a selection of files/folders? I don't think so.

Encryption of separate volumes can happen with the use of CoreStorage, and making encrypted sparse bundles in Disk Utility.

In any case, creating an encrypted "folder" in a volume that is fully encrypted is redundant. Using a strong password and proper access procedures, an unauthorized person will not have access to any part of the drive, not just specific folders. This, by far, is less intrusive than having to authenticate for each individual encrypted folder.


> That means that if the service guys some day need to have this machine physically for repair, they must be able to boot it in order to analyze the reported issues. That means they must be able to use an account authorized by the machine administrator to unlock the disk encryption. The sensitive user data is then no longer protected against access by the service guys.

Where I work, we handle this by making sure the (encrypted, of course) Time Machine backup is up to date, and then wiping the drive on the Mac so it has only an unencrypted base OS X install with a single user account, with credentials not matching any other users here. That dummy account credential is then shared with Apple service staff. With the encryption key gone and the drive reformatted, interested parties will not be able to recover the data that was there previously.

When the Mac comes back from service, we wipe the drive again (discarding the dummy account), then re-encrypt the volume and restore from the Time Machine backup. The user then has their data back, encrypted, on the serviced Mac, and can continue where they left off.

Additionally, this setup permits us to "swap out" any Macs requiring service with any other available stock we already have on hand. If we have another Mac with equal or better specs that is not in active use, we can then simply restore the backup to that system and get the user up and running again more quickly. When the serviced Mac comes back, we then have the option of swapping it back in, or leaving it as spare stock for some other situation.

> I can imagine there are possible cases where moving data to other storage
> before shipping the machine for service is not possible.

Even secure data needs to be backed up, or you face serious risks should a hard drive/SSD issue render your data lost or corrupted. Time Machine is a good, background, real-time solution that minimizes the effort required in getting an up-to-date backup copy of a user's data, if used correctly.

If you cannot accommodate backing up data for your users, then your problems are much greater than fretting over whether FileVault 2 is good enough.

> Generally it is not easy to permanently remove data from an SSD.
> Does it look better if the SSD is encrypted? I am not sure.

With all due respect, these are questions that should have been answered before your organization agreed to handling such sensitive data.

But in short: full volume encryption is a must on an SSD if you're handling sensitive data on it. There are too many unknowns about SSD TRIM cleanup routines and when they are executed to leave the deletion of sensitive data to chance. If you're encrypting with FileVault 2, then absolutely, the situation "looks better."


> Anyhow, some impacts are to be indicated:
> - the backup process can run only if all users are logged off - this limitation
> has to be considered in one's backup plan

Your information on this is outdated. This is no longer true with current versions of FileVault. With FileVault 2, backups can and do happen when users are logged in.

> - an authorized person is able to boot the machine, one more point
> for the admin to consider

Why is this a problem? If you are protecting data, then access control is necessary. If you grant any user access to a machine, you are granting them access to the data. You need to institute a policy where authorized users are established and must log in.

You can build the strongest, most impenetrable fortress in the world. But if you're not locking the front door because you strongly believe that anyone and everyone should be able to just walk in, then what's the point?

You seem to have two conflicting requirements: This Mac needs to have fortress like security for this super sensitive data, and at the same time it has to be open for anyone to just skip on in and use the thing. That's not how security works.

> - the recovery procedure seems to deviate from the case where FV2 is not enabled,
> even if those are just minor

I'm not sure what this means.
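As an added example (my own shell script, not code from any post in this thread), this is how the encrypted sparse bundle setup mentioned above can be done from the command line, alongside FileVault 2 on the boot SSD. It assumes macOS with hdiutil and fdesetup; the function names and the Sensitive.sparsebundle path are my own.

```shell
#!/bin/sh
# Added example, not from the thread: create, mount and unmount an AES-256
# encrypted sparse bundle for particularly sensitive files, and report whether
# FileVault 2 is on for the boot volume. Assumes macOS (hdiutil, fdesetup).
# Passphrases are read from stdin so they never appear in argv or `ps` output.
set -eu

# hdiutil accepts sizes like 500m, 2g or 1t; reject anything else before
# calling it so a typo does not create an oddly sized image.
validate_size() {
    size=$1
    num=${size%?}                 # everything before the last character
    unit=${size#"$num"}           # the last character (unit suffix)
    case "$unit" in k|m|g|t|K|M|G|T) ;; *) return 1 ;; esac
    case "$num" in ""|*[!0-9]*) return 1 ;; esac
    return 0
}

# Only paths ending in .sparsebundle are accepted, matching -type SPARSEBUNDLE.
validate_bundle_path() {
    case "$1" in *.sparsebundle) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when FileVault 2 reports "On" for the boot disk, 1 otherwise.
filevault_is_on() {
    fdesetup status | grep -q 'FileVault is On'
}

# create_bundle PATH SIZE VOLNAME   (passphrase on stdin, NUL-terminated)
create_bundle() {
    validate_bundle_path "$1" || { echo "path must end in .sparsebundle" >&2; return 1; }
    validate_size "$2" || { echo "bad size: $2" >&2; return 1; }
    hdiutil create -size "$2" -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -stdinpass -volname "$3" "$1"
}

# mount_bundle PATH   (passphrase on stdin, NUL-terminated)
mount_bundle() {
    hdiutil attach -stdinpass "$1"
}

# unmount_bundle VOLNAME: detaching drops the unwrapped key, so the files are
# only reachable again with the passphrase.
unmount_bundle() {
    hdiutil detach "/Volumes/$1"
}

# Demo session; runs only when invoked as `PASSPHRASE=... ./script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    filevault_is_on && echo "FileVault 2 is on" || echo "FileVault 2 is OFF: boot SSD unencrypted"
    printf '%s\0' "$PASSPHRASE" | create_bundle "$HOME/Sensitive.sparsebundle" 2g Sensitive
    printf '%s\0' "$PASSPHRASE" | mount_bundle "$HOME/Sensitive.sparsebundle"
fi
```

Because the bundle is stored on the FileVault 2 volume, wiping and reinstalling the boot SSD before a service visit (as described in the replies) destroys the bundle along with everything else, while a copy of the bundle on an external or Time Machine disk stays readable only with its own passphrase.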
 
A long time has passed since my last activity on this topic. The weather got calmer.
I can come back to all these questions; I had a lot of other tasks in the meantime.
A few new conclusions were made in that time.

Actually, the OS X on-board Disk Utility supports Disk Erase with Whole Disk Zero Write.
Considering the disk is of the SSD type, such a measure could be sufficient to achieve the intended goal.
Or do more aspects need to be considered when using Whole Disk Zero Write for wiping out user data?
This approach has the advantage of one element less (whole disk encryption by FV2) in the system;
as with everything in this world, the simpler a system is, the lower the risk of troubles.


Actually, my original concern was and is to get back the same grade of data security
as we had before the change to a Mac with an SSD as the only system drive.
The change to the Late 2013 Mac with SSD practically means a reduction in data security
when considering those situations. Strange but true, nowadays innovation frequently
means worsening in some points. See the automobile industry; computing
suffers the same problem.
The previous setup namely showed a higher grade of data security than is the case
with the 2013 Mac with an SSD as the only drive. If for any reason the system had to leave the house
and be given into third-party hands, it was quite simple to ensure our data did not get into third-party hands:
remove the drive, or wipe it using conventional tools.

Making our data secure from all possible undesired access will be stage 2.
First we want to get back the old status which, as mentioned, was better than the current one - that's the only goal now.
If it is fulfilled, we can one day check the needs
and consider increasing the security of our data by making access to it more closed.
 