Nuclear Launch Codes - how do you secure sensitive data on your new MacBook Pro

[Dave410]

Hi Guys,

I'm still struggling with this question -- how do you secure sensitive data on your new MacBook Pro if the hard drive isn't replaceable? The Genius can't hand you your old SSD when he takes your machine in back to replace the motherboard or when Apple replaces the whole computer for some reason. File Vault won't help because the tech would need your login password to troubleshoot, right? So how do you protect your bank passwords and business data from both grab-and-run thieves and the techies at Apple? Is third-party encryption software that only encrypts certain files the answer?

Cheers,
Dave

 

[708692]

Hi Guys,

I'm still struggling with this question -- how do you secure sensitive data on your new MacBook Pro if the hard drive isn't replaceable? The Genius can't hand you your old SSD when he takes your machine in back to replace the motherboard or when Apple replaces the whole computer for some reason. File Vault won't help because the tech would need your login password to troubleshoot, right? So how do you protect your bank passwords and business data from both grab-and-run thieves and the techies at Apple? Is third-party encryption software that only encrypts certain files the answer?

Cheers,
Dave

I refused to hand over my login details to the genius and he said that was perfectly ok as they have another way to run diagnostics.

 

[Samuelsan2001]

Hi Guys,

I'm still struggling with this question -- how do you secure sensitive data on your new MacBook Pro if the hard drive isn't replaceable? The Genius can't hand you your old SSD when he takes your machine in back to replace the motherboard or when Apple replaces the whole computer for some reason. File Vault won't help because the tech would need your login password to troubleshoot, right? So how do you protect your bank passwords and business data from both grab-and-run thieves and the techies at Apple? Is third-party encryption software that only encrypts certain files the answer?

Cheers,
Dave

Well if you have such sensitive data then I assume you have a great backup solution, if you are really worried you just wipe the machine before it goes in for a repair and restore it from backup when you get it back.

If you have sensitive and crucial data (nucleur launch codes??) on your computer without a bullet proof backup system then you probably should just stop using computers altogether because you have no idea what you are doing.

 

[twinlight]

I read tjat Apple has a device for backup and transfering your SSD during service/repair.

Edit: I completely miss understood the question sorry!

 

[Sovon Halder]

You can always keep a nuclear bomb taped to the MBP(or vice versa) in addition to a small circuitry that's programmed to trigger the bomb whenever the ssd is removed.

 

[ideal.dreams]

You can either use FileVault 2 to encrypt your entire SSD and refuse to give up login information when (if) you bring your MBP in to the Apple Store for service or you can use an external HHD/SSD to store your most sensitive information and leave that encrypted instead.

Having owned 3 MacBooks over the last 8 years, I have never had to have any one of them serviced by Apple, so I think you're looking for a solution to a problem that may not even present itself.

 

[mcnallym]

Well if you have such sensitive data then I assume you have a great backup solution, if you are really worried you just wipe the machine before it goes in for a repair and restore it from backup when you get it back.

If you have sensitive and crucial data (nucleur launch codes??) on your computer without a bullet proof backup system then you probably should just stop using computers altogether because you have no idea what you are doing.

Excellent advice!

1. Backup device - should do this anyway
2. Wipe Device with fresh install of os. Use Disk Util to secure erase.
3. create dummy account for apple technician. Don!t use iCloud details or anything

 

[Dave410]

Thanks, guys. I'm a long-time PC user trying to get answers before I switch to the Dark Side. The solution is trivial in the Windows world because I can physically remove the hard drive myself. It seems to be a sticky wicket on the Apple side however and I'll bet there is a lot of interesting data sitting unprotected on hard drives and SSDs in Apple labs. That's undoubtedly true in Dell and HP labs as well, of course.

By the way, wiping and restoring the system as suggested wouldn't work because of wear leveling in the SSD. You'd have to do a reset instead and flush all stored electrons causing the SSD to forget all data. That would remove the operating system too, which is no big deal. Of course, if you had a problem where the computer wouldn't even boot, you couldn't do the reset and you'd be back to square one.

 

[New_Mac_Smell]

Thanks, guys. I'm a long-time PC user trying to get answers before I switch to the Dark Side. The solution is trivial in the Windows world because I can physically remove the hard drive myself. It seems to be a sticky wicket on the Apple side however and I'll bet there is a lot of interesting data sitting unprotected on hard drives and SSDs in Apple labs. That's undoubtedly true in Dell and HP labs as well, of course.

By the way, wiping and restoring the system as suggested wouldn't work because of wear leveling in the SSD. You'd have to do a reset instead and flush all stored electrons causing the SSD to forget all data. That would remove the operating system too, which is no big deal. Of course, if you had a problem where the computer wouldn't even boot, you couldn't do the reset and you'd be back to square one.

FWIW I believe Macs are considered more secure than Windows due to a number of factors, so getting the data off (giggity) in the first place is more difficult.

Secondly, at least in the UK, we have the DPA which would make it extremely difficult for anyone to access the data on a HDD in the care of Apple or others, and any discarded HDD must be completely destroyed. Whilst not a physical barrier, the consequences are significant and you'd have to hope that such a large company would abide by it. Otherwise you'd hear more cases. I don't know if there is (Was?...) anything similar in the US, but I imagine Apple would do something similar even if there was no law as trust and privacy are a big part of their ethos.

 

[/V\acpower]

Hi Guys,

I'm still struggling with this question -- how do you secure sensitive data on your new MacBook Pro if the hard drive isn't replaceable? The Genius can't hand you your old SSD when he takes your machine in back to replace the motherboard or when Apple replaces the whole computer for some reason. File Vault won't help because the tech would need your login password to troubleshoot, right? So how do you protect your bank passwords and business data from both grab-and-run thieves and the techies at Apple? Is third-party encryption software that only encrypts certain files the answer?

Cheers,
Dave

Very easy solutions, depend on what you want.

For all your login and sensitive data : 1Password. (or any good password manager)
For your dick picks : You can use Disk Utility to create encrypted disk images. (need a password to open, can be configured to expand with content size)
For the Apple Store Genius : create a new admin user just for him before going. admin/admin or something like that. This way he can access OS X but cannot access your own home folder.

 

[hallux]

Alternatively - have a second account on your machine for use by the service tech when you bring it in. Share THAT account name and password and it should not (theoretically) have access to the data in your user account...

 

[Mefisto]

For your dick picks : You can use Disk Utility to create encrypted disk images. (need a password to open, can be configured to expand with content size)

There's a joke here somewhere about dick picks and disk images expanding with content size, but first things first.

How exactly would I go about creating a disk image that isn't fixed in size? I must be missing an option somewhere...

 

[ideal.dreams]

There's a joke here somewhere about dick picks and disk images expanding with content size, but first things first.

How exactly would I go about creating a disk image that isn't fixed in size? I must be missing an option somewhere...

You can make a sparse disk image using Disk Utility however you still must set a maximum fixed size that it can grow to. The difference here is that when you create it, it starts out at 0 bytes and expands as you add documents/data to the disk image. So if you make a 50 GB sparse disk image, it will start out at zero, and then if you add say 20 GB of data to it, it will grow to 20 GB (only taking up 20 GB of space on your drive instead of the maximum 50 GB). Note that if you remove files from the disk image that its size will not shrink back down, so be careful what you put in there.

 

[Mefisto]

^Perfect, thanks a lot!

 

[Dave410]

I knew there had to be a convenient way. Thanks.

PS I like my title to this thread way better.

 

[baypharm]

Hi Guys,

I'm still struggling with this question -- how do you secure sensitive data on your new MacBook Pro if the hard drive isn't replaceable? The Genius can't hand you your old SSD when he takes your machine in back to replace the motherboard or when Apple replaces the whole computer for some reason. File Vault won't help because the tech would need your login password to troubleshoot, right? So how do you protect your bank passwords and business data from both grab-and-run thieves and the techies at Apple? Is third-party encryption software that only encrypts certain files the answer?

Cheers,
Dave

I love how you put the grab and run guys in the same basket as Apple techies. Lol.

If someone physically steals your system, you are prety much out of luck. There are so many good penetration tools out there for breaking passwords and getting inside secured networks, it's not funny. I wouldn't worry about the techies at Apple. To work there, you have to have a criminal bacground check done. That alone will weed at the bad guys (unless they have yet to be caught). Best to keep your data with you and off any network.

 

[OneMike]

In the past I've used Knox by the people that make 1Password. However, that is now pretty much EOL. I've never used this particular one but there is other software such as BoxCryptor. You can essentially encrypt portions of your hard drive.

As with 1Password, which I'm a big fan of. I never consider a password alone on my user account as the only line of security.

Basically encrypt your data outside of Apple services and keep recent backups of it off of your machine.

 

[ZapNZs]

1Password
FV2 encrypted external SSDs and HDDs using a different password than the FV2 internal SSD
non-admin account I create for someone to access I do not know

 

[Dave410]

Is it possible to make 1Password not sync to other devices? That is, keep the encrypted password file just on my computer and not store it on 1Password's server for syncing to other devices. That's what I'm doing now with RoboForm on my Windows machine because I don't like the idea of a single file with access to every single bank account living on someone's cloud. Encrypted or not, it's still vulnerable.

I've also used VeraCrypt and TrueCrypt in the Windows world and they are similar to creating a disc image with Disk Utility. It works, but it's kind of a nuisance, depending on how big the volume is and how long it takes the operating system to mount it. So instead, I'm using a third-party encryption program to encrypt individual files. Very fast and convenient because I only decrypt the file I need to use at the time. Works good. Is there a Mac software program that will encrypt individual files instead of whole discs or whole volumes? Is that BoxCryptor?

Re: Apple techies. I asked a kid in the Apple store about this once and he said "Well, I could get fired." I'm sure that's true, but he could be fired and living on a beach in Argentina with my money.

Cheers.

 

[killawat]

External Disks are dirt cheap. Keep your cherished photos and bitcoin keys on external devices. If not a backup, the whole thing. (and then back THAT up to something else)

1Password can make a local vault just not sure of the steps (I do not synch to the cloud,only local sync).

A lot of vendors are moving away from third party crypto. I used to use PGP Whole Disk Encryption back before FV was only doing user directory encryption. PGP was actually pretty good because it covered MacOS and Bootcamp (Windows) if you had it.

As I mention they are moving away from this. PGP (now Symantec) took over a year to support 10.11 and I dont even know if 10.12 is supported. I doubt 10.13 is supported because of the new file system. It's not about BIOS vs EFI (as i've seen it be mentioned).

Apple doesn't appear to be a big fan of third part solutions.......

However FV is extremely fast (AES-XTS), most macs after 2010 will support this in hardware via AES-NI. Free and most of all supported.

We dont have two factor authentication at preboot or those types of good things available to us on MacOS however we have to keep in mind, Microsoft only offers Bitlocker on Win10 Pro, wheras Apple includes it free and by default.

 

[Samuelsan2001]

Thanks, guys. I'm a long-time PC user trying to get answers before I switch to the Dark Side. The solution is trivial in the Windows world because I can physically remove the hard drive myself. It seems to be a sticky wicket on the Apple side however and I'll bet there is a lot of interesting data sitting unprotected on hard drives and SSDs in Apple labs. That's undoubtedly true in Dell and HP labs as well, of course.

By the way, wiping and restoring the system as suggested wouldn't work because of wear leveling in the SSD. You'd have to do a reset instead and flush all stored electrons causing the SSD to forget all data. That would remove the operating system too, which is no big deal. Of course, if you had a problem where the computer wouldn't even boot, you couldn't do the reset and you'd be back to square one.

Macs have a built in secure erase for your SSD in the disk utility app erasing the disk to unrecoverable is very easy open disk utility and choose secure erase.

 

[underattack]

1 - Encrypt the drive as soon as possible.
2 - Setup a "Guest" account. Guests can log in and use the system, but can not read the encrypted disk. (they are essentially limited to using Safari).

or

3 - Erase the disk and reinstall before handing the device over (as suggested above). Since the data was encrypted, any remnants left behind will not be readable as long as the key was over-written

 

[ideal.dreams]

Is it possible to make 1Password not sync to other devices? That is, keep the encrypted password file just on my computer and not store it on 1Password's server for syncing to other devices. That's what I'm doing now with RoboForm on my Windows machine because I don't like the idea of a single file with access to every single bank account living on someone's cloud. Encrypted or not, it's still vulnerable.

I've also used VeraCrypt and TrueCrypt in the Windows world and they are similar to creating a disc image with Disk Utility. It works, but it's kind of a nuisance, depending on how big the volume is and how long it takes the operating system to mount it. So instead, I'm using a third-party encryption program to encrypt individual files. Very fast and convenient because I only decrypt the file I need to use at the time. Works good. Is there a Mac software program that will encrypt individual files instead of whole discs or whole volumes? Is that BoxCryptor?

Re: Apple techies. I asked a kid in the Apple store about this once and he said "Well, I could get fired." I'm sure that's true, but he could be fired and living on a beach in Argentina with my money.

Cheers.

Yes, syncing is a feature but not a requirement. 1Password allows you to keep your vault stored locally/internally. Fine if you only want to use it on your Mac, but personally I love the syncing feature as it keeps my vaults up to date on my iPhone, iPad, and MacBook.

As far as looking to encrypt individual files, I seriously think you'll be better off either using an encrypted external drive, encrypted disk image, or using FileVault 2. There are so many solid encryption options already built into macOS -- no need to go looking for a third party method. An encrypted disk image is probably going to be your best bet because unlike your experience on Windows, it's not a nuisance to set up, use, or mount.

Just make the disk image, set up the encryption, mount it, store your sensitive files inside, and then unmount the disk image when you're done/no longer need access. Simple as that.

I've been doing this for 8 years now and it's worked beautifully. I even created a service using Automator and mapped it to a keyboard shortcut so every time I use the keyboard shortcut, no matter which app I'm in, it launches the disk image, asks me for my password, and then mounts the disk image. It's that easy.

 

[Fishrrman]

I think this is what the OP needs:

 

[Toutou]

A machine with the SSD encrypted by FileVault and with the firmware password set is basically impenetrable by your everyday thief.
While an Apple technician would be able to reset the firmware password, rest assured that nobody can really bypass the encryption, that's kinda its purpose. (unfortunately, "nobody" means even you if you forget/lose the key)