Unencrypted SSD - KeePassX and Truecrypt Safe ?

[fredfrog]

EVO 850 SSD. Just installed it. I've used both KeePassX and Truecrypt to store stuff that needs to be secure encrypted rather than encrypting a whole disk for a few years now.

On a rotating platter I've not worried too much about whether unencrypted cache contents from these apps might be left lying around on disk because its likely that if any unenctrypted data from these two apps left in any disk cache will be overwritten quickly - and there is always the possibiity to secure-erase. But on an SSD the picture may be different because of the unit of erasure meaning deleted data may stick around longer. Anyone know whether KeepassX and Truecrypt use any kind of disk cacheing of unencrypted content while they are in use (or have a file mounted in the case of TC) ?

Is there any real cause to worry here ?

I know that TrueCrypt is discontinued and no longer updateable but I was up to date just before they did that and am not worried about it except for this potential disk cache issue (I don't use it much, mostly I use KPX instead now)

Andy

 

[steve62388]

Why don't you just use FileVault? It's easy and transparent to use.

Unless your Mac is ancient you shouldn't see any performance degradation, I have a 2012 rMBP with SSD and I don't.

 

[mfram]

If you really want security, the only answer is FileVault. It's the only solution with built-in operating system support and it's easy to use. Once you turn it on and the conversion is complete, none of your data will ever hit the disk in unencrypted form. Therefore, you don't have to worry about disk caches or data left behind from wear leveling, etc. Even your pagefile and hibernation image will be encrypted. Any other solution will have holes.

If you want addition places to hold data with a separate password in a more controlled fashion, you can create encrypted disk images using the disk utility. You can turn on AES256 on that image for the ultimate in protection if you feel you must have it.

 

[maflynn]

Another vote for using Apple's delivered encryption feature

 

[fredfrog]

Why don't you just use FileVault? It's easy and transparent to use.

Unless your Mac is ancient you shouldn't see any performance degradation, I have a 2012 rMBP with SSD and I don't.

It *is*, its 2010. I'm not interested in encrypting whole disks (only a few things need keeping secure) and when I established this system there were reported issues with Filevault and making disk clones.
[doublepost=1475752761][/doublepost]

If you really want security, the only answer is FileVault. It's the only solution with built-in operating system support and it's easy to use. Once you turn it on and the conversion is complete, none of your data will ever hit the disk in unencrypted form. Therefore, you don't have to worry about disk caches or data left behind from wear leveling, etc. Even your pagefile and hibernation image will be encrypted. Any other solution will have holes.

If you want addition places to hold data with a separate password in a more controlled fashion, you can create encrypted disk images using the disk utility. You can turn on AES256 on that image for the ultimate in protection if you feel you must have it.

Filevault is a sledgehammer for a nut (see my other response on this too). But I like very much the idea of creating an encrypted iso since I would have thought that there won't be leakage to caches or other disks unless I manually copy from it (still not totally sure though). Sounds like a really good solution for many people. I'm not into defense at the level of CIA or MI6, just everyday defense against theft or hacking. Leaving unencrypted bank passwords and similar lying around on my laptop while connected in wild places like airports is not the best of ideas, though its unlikely they get stolen as data that way (more likely by keyloggers tracking logins to banks). I would advise *anyone* to use some encryption for storing *critical* passwords. There is some advantage to using cross-platform apps such as I have used so far for this because its easy then to store fallback backups of critical passwords and similar on other non-mac systems.

Now you are going to tell me I can read encrypted iso's on any system ?

andy

 

[maflynn]

and when I established this system there were reported issues with Filevault and making disk clones.

The first version of FV had some issues, because it was not a whole disk encryption, but now that FV2 has been out (for several years), its been rock solid, and I clone my drive all the time as a means of backup.

Filevault is a sledgehammer for a nut (see my other response on this too)

Yes, and that's the beauty of it, see, you don't have to think what's been encrypted, or forgetting to encrypt. Plus its seamless into the system, which means its one of those fire and forget type of set ups.

To each his own but by going the whole disk method you guarantee all of your data is protected.

Also you're relying on developers to continue to close security holes and keep everything tight. For instance, you reference TrueCrypt, well the developers closed down shop and walked away without nary a word back in 2014. Link:
TrueCrypt development stopped amid a cloud of mystery

AFAIK, KeepPassX is a password manager and not full encryption application.

KeePassX saves many different information e.g. user names, passwords, urls, attachments and comments in one single database. For a better management user-defined titles and icons can be specified for each single entry. Furthermore the entries are sorted in groups, which are customizable as well. The integrated search function allows to search in a single group or the complete database.
KeePassX offers a little utility for secure password generation. The password generator is very customizable, fast and easy to use. Especially someone who generates passwords frequently will appreciate this feature.

 

[KALLT]

I have a 2008 MacBook with an SSD and have been using FileVault since Lion. The performance penalty is absolutely negligible.

 

[steve62388]

I have a 2008 MacBook with an SSD and have been using FileVault since Lion. The performance penalty is absolutely negligible.

OP,

There you go. FV is worth a try. If the performance hit is virtually nil then you achieve what you want more simply with more robust protection. If there is a big performance penalty you can turn it off again (make sure the disk has finished encrypting before you assess speed, the initial setup always causes some delays).

 

[fredfrog]

Yes, and that's the beauty of it, see, you don't have to think what's been encrypted, or forgetting to encrypt. Plus its seamless into the system, which means its one of those fire and forget type of set ups.

But its of value to think what needs to be encrypted.

To each his own but by going the whole disk method you guarantee all of your data is protected.

Also you're relying on developers to continue to close security holes and keep everything tight. For instance, you reference TrueCrypt, well the developers closed down shop and walked away without nary a word back in 2014. Link:
TrueCrypt development stopped amid a cloud of mystery

Well no. I'm aware that TC isn't being developed now. For the time being its fine though. I am gradually moving material over to KPX. In the old days I used to have info in text files in directories etc.

AFAIK, KeepPassX is a password manager and not full encryption application.[/QUOTE]

Yes it is but it has many fields including a free-text notes field and also hierarchical categorisation of entries which act like directories so its fine for my purposes - most information that needs encrypting can be stored in it. What the complications are with whole disk encryption and the kind of diff-like cloning that SuperDuper does (only change what's changed - which is great if you have slow old hardware to external drives) I don't know. I may be wrong but I thought small changes in unencrypted data led to big changes after encryption, implying that a whole disk must be written every time - if this isn't true then encryption would be more easily broken because there would be a closer mapping between unencrypted and encrypted form. Ok, so if you have Thunderbird and USB3 (I don't on mid 2010) and don't mind whole disks at a time .... if it doesn't work that way please someone explain how it *does* work with whole disk encryption - is it by block or file or what ?

andy
[doublepost=1475759660][/doublepost]You know I hate when I ask a question and people answer the question they want to answer not what I asked. "No, don't use that, change every practice you have developed over years and do what I do instead".

andy

 

[KALLT]

What the complications are with whole disk encryption and the kind of diff-like cloning that SuperDuper does (only change what's changed - which is great if you have slow old hardware to external drives) I don't know. I may be wrong but I thought small changes in unencrypted data led to big changes after encryption, implying that a whole disk must be written every time - if this isn't true then encryption would be more easily broken because there would be a closer mapping between unencrypted and encrypted form. Ok, so if you have Thunderbird and USB3 (I don’t on mid 2010) and don’t mind whole disks at a time .... if it doesn’t work that way please someone explain how it *does* work with whole disk encryption - is it by block or file or what ?

It is block-by-block. It happens underneath the HFS+ layer, the ‘actual’ file system. Unless you have a backup solution that goes much deeper, FileVault is completely transparent. ‘Diff-like’ cloning is not impeded, hence Time Machine.

You know I hate when I ask a question and people answer the question they want to answer not what I asked. "No, don't use that, change every practice you have developed over years and do what I do instead".

You know the answer, you just do not want to accept it. Selective encryption brings all kinds of problems, as you noted. Data can stay in RAM and data can be cached elsewhere. The whole point of FileVault 2 is to dispense with these problems, even though it might be considered overkill for the data you want to protect.

 

[fredfrog]

It is block-by-block. It happens underneath the HFS+ layer, the ‘actual’ file system. Unless you have a backup solution that goes much deeper, FileVault is completely transparent. ‘Diff-like’ cloning is not impeded, hence Time Machine.



You know the answer, you just do not want to accept it. Selective encryption brings all kinds of problems, as you noted. Data can stay in RAM and data can be cached elsewhere. The whole point of FileVault 2 is to dispense with these problems, even though it might be considered overkill for the data you want to protect.

Thanks KALLT. Strong argument I know. Too late to easily switch without a clone, reformat and unclone on my SSD tho.

andy
[doublepost=1475768722][/doublepost]I think my last post on this for the time being. You have all convinced me. However, I think my best option for now for these small databases, because I'm already set up and running well and don't want any more mucking about (I need to work, also with Mid 2010 I bet there *would* be a performance penalty) is to put them on an encrypted disk image then when I get a new mac or replace the current SSD to use Filevault 2 and have the entire disk encrypted. That way I only get the performance penalty with these files. For now I will live with potential data cacheing issues.

Thanks

andy