Introduction
This article covers the different options available on the Mac to secure confidential data.
The only way to secure data is encryption: I will not discuss the options available to hide files and folders in an insecure way.
Apple FileVault
This is probably the easiest solution, as the FileVault technology comes with OS X. You activate FileVault at the user level: if a user enables this option, all data in that user's home folder are stored in an encrypted disk image. As long as the user is not logged in, the data are secure and there is no way to get access to it without the user's password, or the administrator master password (OS X allows you to set a master password at system level, to recover encrypted data if users forget their password). As all the data are stored into a disk image bundle, this technology adds some overhead and the system performance takes a noticeable hit. Another drawback is an increased difficulty to back up data: if you use Time Machine, encrypted data are backed up only when the user is not logged in (the backup itself is encrypted). Last, there is a risk of corrupting the file-system on the disk image if the system crashes while the user is logged in. If you use FileVault, it is important to do periodic maintenance and to backup regularly.
Encrypting specific folders
If FileVault's overhead is not acceptable for you, a simpler solution consists in encrypting only the sensitive data. This can be achieved using the tools provided by the OS (i.e. Disk Utility), creating encrypted disk images. Another option is to use an external tool, like Espionage from Tao Effect: this application makes it very easy and transparent to the user to encrypt single folders. With this utility, you can encrypt a folder in a transparent way: the tool takes care of mounting the disk image and creating a symbolic link in the place of the original folder. Espionage also installs a kernel extension which intercepts all access to the encrypted folders, and prompts the user for the password to access the data. This is a good option, but the security is not as good as with FileVault: most temporary data used by applications are stored in other folders (Caches, Application Support, etc.), and these are not encrypted. If you want to encrypt these folders as well, FileVault is a better option.
Full Disk Encryption
This is the most radical solution: the disk is totally encrypted, data as well as free space. There are two options for the Mac presently:
- PGP Whole Disk Encryption
- Check Point Full Disk Encryption
I haven't tried Check Point's solution, as the company targets corporate users only, but I use PGP WDE (it is possible to get a single user license for this product). WDE encrypts every sector of the hard disk, all partitions included. The process takes a considerable amount of time for a big disk, but a positive point is that the system is perfectly usable during the process. You can work, shutdown and restart the machine, even use the energy saving functions (i.e. sleep). This solution has a few drawbacks:
- If the system is booted, data are accessible (you need to lock the screen to avoid unwanted access);
- You lose the hibernation function (hard sleep): Mac OS X stores the memory image in the filesystem, but the file-system is encrypted and not accessible when you turn the machine on. The "normal sleep" still works, as the memory is maintained;
- No selective protection of data, if somebody has your password, they have access to everything. This is not a real limitation, as this solution does not preempt the use File Vault or encrypted images. You can use the solutions described above in addition to WDE.
The hit on performance of WDE is quite limited, mainly because the only overhead is the encryption, and the OS does not have to manage a disk image. Another interesting point is that all maintenance utility can be used on an encrypted disk, as long as WDE is installed on the boot disk (if you boot from an external disk with maintenance utility, you need to install WDE on that disk as well). WDE can be used not only on the boot disk, but also other disks, like backup destination of Time Machine.
Conclusion
I have used extensively the three solutions described above, and I am now using WDE only. My main system is a laptop, I am the only user, and my main concern is to protect data if the laptop is stolen, so I do not need additional levels of protection for some particular data. If you do need additional layers but still want a good protection in case somebody gains physical access to the machine, you can use a combination of WDE and File Vault, or encryption of selected files and folders.
If you need more advanced options, like plausible deniability, other tools are available. An example, available for the Mac platform, is TrueCrypt, an Open Source framework. Important note: currently, TrueCrypt does not allow you to encrypt a boot volume on the Mac. I will not cover these tools, as I have never used them on the Mac.