
I get this one a lot. Security. More and more of us have portable computers now. What if my computer gets stolen? How can I protect myself? What is this FileVault thing that Apple offers? Should I use it?
These are complex questions without simple answers. The fact is that it depends on what you’re doing, what sort of data you have on your computer, etc. I’m not a big fan of FileVault, because I’ve seen it fail as often as I’ve seen it work. I’ve conferred with other consultants in my field, who feel comfortable recommending FileVault to their clients. Well, I don’t. (For those who do not know what FileVault is or what it can do for you – or to you – click HERE to find out about it. Scroll down to the end of this article for some recommendations should you decide to use it.)
First off, you most definitely need to have automatic login disabled. Most laptop thieves are more interested in getting a nice new laptop for themselves, or selling yours after they’ve relieved you of it, than they are in stealing your data. If they turn on your computer and can’t log in because you’ve protected yourself with a decent password, they will often simply erase your hard drive, reinstall the operating system (thus destroying your data) and sell or use your computer. Any of you who have come to me after forgetting your login password (!! You know who you are…) know that breaking into a password-protected Mac is not impossible for those of us with software tools. Usually, however, thieves are lazy.
There is the danger, however, that your laptop thief is enterprising, and hopes to profit from valuable data on your computer. There is stuff on there you do not want falling into the wrong hands. Like, for example, that Word document you have with all of your internet passwords on it, including the logins to your bank accounts. Or the file containing your credit card numbers. Yeah, that’s what I’m talking about.
I’m going to show you how to create an encrypted Disk Image, inside of which you can store sensitive documents, images, etc.
I have one of these myself in my Documents Folder. It’s called “Safe” and it contains scans of my passport, driver’s license, Social Security card, tax documents, etc. If someone steals my computer, OR my backup drive, they might get to my other data but they can not get inside of this encrypted Disk Image. Period.
Ready? Here’s what to do.
Open up Disk Utility, which lives in Applications > Utilities.
- Click New Image up on Disk Utility’s toolbar.
- Now we have to name the Disk Image File. I’m going to call this one “LockBox.”
- Next we select a location to save it. I’ve selected Desktop.
- Now we have to name the Volume, which resides inside the Disk Image (scroll down for an explanation of this). I’m going to name the Volume “Personal.”
- Next we decide how large to make this Volume. I’m going to stay with 100MB on this one, because I only intend to put documents into it. You can make these Disk Images as large as you like, depending on what sorts of files you might want to put inside of them. I’ve made 20GB Disk Images before. The larger you want it, the longer it will take to create.
- Format: Mac OS Extended (Journaled) is fine here.
- Encryption: I use 128-bit AES encryption. This is almost impossible to crack, and would require the computing power of the NSA to do. If you’re extra worried, you can select 256-bit, but it’s WAY overkill.
- Leave the Partition option alone, Single Partition is good.
- Image Format: read/write.
Here’s a screenshot of how your Save As window should look:
Click Create.
Okay, Disk Utility is now creating your Disk Image. You can see it show up on the Desktop, but we’re not done. A window will pop up, and this is where you select your password for your Disk Image.
NOTE:
1. Do not use the same password as your login password. Make this password unique.
2. Do not forget or lose this password. If you forget this password, even you will be unable to recover your data later.
3. Notice that the “Remember password in my keychain” box is selected by default. Be sure to deselect this option. If you fail to do this, your password will be remembered by your Mac’s keychain, and all a thief will need do is double-click on your LockBox file, and it will open without the need for the password. Not very secure. Un-check that box.
Now click “OK.”
Your Disk Image is created, and the Volume named “Personal” will mount on your Desktop. The Volume named “Personal” acts like a CD or an external hard drive, except that instead of existing in the world as a physical object, it lives inside of the Disk Image (.dmg) file, waiting for you to invoke it.
Now that the Volume named “Personal” is mounted on the Desktop, you can drag documents, photos, mp3s, whatever you like into it. These files will be copied into the Volume, and once this happens, you can delete the files from their various homes on your computer.
Drag the Disk Image (in this example, called LockBox.dmg) to wherever you want to store it. Mine is stored in my Documents folder.
Once you’ve moved all of your files into the Volume, you can drag it toward the trash. Notice that as soon as you grab hold of the Volume, the trash icon transforms into an EJECT icon. Yes, you’re actually “Ejecting” the Volume, just as you would a CD, DVD, or external Hard Drive.
Do this now.
Okay, now let’s go to wherever you have stored your new Disk Image file, locate it, double-click on it. You will be prompted to enter your password (you haven’t forgotten it already, have you…). Put your password in correctly, and your Volume will mount.
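The same image can also be built from Terminal with macOS’s built-in hdiutil command. This is an added example, not part of the original article: the function names and the script name lockbox.sh are made up here, and the settings (100 MB, Mac OS Extended (Journaled), AES-128, a volume named “Personal”) are the ones chosen in the steps above.

```shell
#!/bin/sh
# Added example: Terminal equivalent of the Disk Utility steps in this article.

# Create the encrypted read/write image with the article's settings.
# The passphrase arrives on stdin and is handed to hdiutil via -stdinpass,
# so it never appears in argv or shell history, and this script stores it nowhere.
create_lockbox() {
    image=$1
    IFS= read -r passphrase || :      # tolerate a final line without "\n"
    if [ -z "$passphrase" ]; then
        echo "refusing to create an image with an empty passphrase" >&2
        return 1
    fi
    status=0
    # printf '%s' sends no trailing newline: with -stdinpass every byte sent,
    # newline included, becomes part of the passphrase.
    printf '%s' "$passphrase" | hdiutil create \
        -size 100m -fs HFS+J -volname Personal \
        -encryption AES-128 -stdinpass "$image" || status=$?
    unset passphrase
    return "$status"
}

# Succeed only if hdiutil itself reports the file as an encrypted image.
is_encrypted() {
    hdiutil isencrypted "$1" 2>&1 | grep -q '^encrypted: YES'
}

# Usage: sh lockbox.sh create "$HOME/Desktop/LockBox.dmg"
# Afterwards: hdiutil attach LockBox.dmg          (asks for the passphrase)
#             hdiutil detach /Volumes/Personal    (same as dragging to Eject)
if [ "${1:-}" = "create" ] && [ -n "${2:-}" ]; then
    printf 'Passphrase: ' >&2
    stty -echo                        # keep the passphrase off the screen
    create_lockbox "$2"; rc=$?
    stty echo; echo >&2
    [ "$rc" -eq 0 ] && is_encrypted "$2" && echo "encrypted image ready: $2"
fi
```

Running is_encrypted against a copy of the .dmg on a backup drive is a quick way to confirm that what you copied really is the encrypted image.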
If you’re using Time Machine, your encrypted Disk Image will be backed up with the rest of your data, which is good.
That’s it. Think about the different uses for an encrypted Disk Image. As I mentioned earlier, I have one with all of my vital statistics documents in it, I have another with all of my web purchase receipts stored in it. I think I might eventually get really motivated and scan every document in my file cabinet, and store them in an encrypted Disk Image. That time hasn’t come yet, but it’s been pressing on my mind.
Hope this helps! If you’ve got any further questions, feel free to leave a COMMENT below, and I’ll respond publicly so that others can benefit from the dialog. If you have a private concern, email me: chris@foleypod.com.
———————————
Some notes on FileVault.
I normally do not recommend FileVault. FileVault is great for people who
1. Spend more time on tour than at home
2. Can ensure that their backups run regularly without fail
3. Can run regular maintenance tools while traveling. This involves traveling with gear: Backup drive, Drive Genius software, OSX restore disks, etc.
4. Understand that technology is fallible!
5. Perform a full backup of everything before leaving home, and leave that backup drive at home.
Learn about FileVault HERE.
Read FileVault horror stories HERE.
Email or call with further questions.
{ 11 comments }
Yeah my laptop has almost my whole life on it… which is why it never leaves my sight! But yeah, it’s best to take defensive measures and safeguard your business and home computers.
-Fack
hi christopher!
great walk in the hood last night..so peaceful and relaxing.
i was wandering around the sites Pausha directed me to and i found this, which was SO helpful.
Thanks for putting it up!
Best,
anjani
Hey Chris – If I want to do this to password protect files on an ext. hard drive, should I put the disk image on the ext. drive when I create it or should I drag it to the external drive after I’m done copying files to the Volume? Is this the best way to password protect files to an ext. drive or can you recommend third party software? Great tweets and articles–thanks!
Jim (we met at SHVH)
Hi Jim,
I normally create the disk image on my local hard drive, fill it with files, and then copy it over to an external. It doesn’t really matter at all whether you do it like this, or create the .dmg directly on the external drive, because the encryption is burned into the .dmg file. I create it locally out of habit, in case I make a mistake, I’ll have it in two places after I’ve copied it over to my external drive.
As for the 2nd part of your question, regarding if there are better ways to encrypt info over on an external drive, the answer is both yes and no. It really depends on whether you want 100% of your contents encrypted, or only a handful of really sensitive files. If the latter is true for you, the method I’ve described will suit you well. If you’re concerned about protecting a lot of data on an external drive, it’s best to look into an encrypted drive model. I do NOT recommend software-based encryption tools over hardware encryption.
A good model to go with is this Seagate BlackArmor model HERE.
Another one I’ve used is this LaCie drive HERE, which requires your thumbprint to work.
Great to hear from you, and thanks for the question.
Hey Chris – Many thanks for the info. I’ve asked five or six times at Apple Stores about encrypting a folder on an ext. drive and I’ve never gotten such a clueless bunch of “answers” from those guys.
On a scale of 1 to 10, 10 being the highest level of security, how would you rate the following:
1) encrypted disk image
2) encrypted ext. drive (hardware)
3) a password on a Word or Excel file
4) a login password on a laptop (I know it’s weak, I want it for comparison)
5) Time Machine on an ext. drive
Any thoughts on securing email in Apple Mail, either the Mail folder or individual emails? How about an individual email in the Sent mail folder?
You’re an endless source of great Mac tips. Thanks again.
Jim
Hi Jim,
I can’t really give you a 1-10 on these things, as they’re not really related items, though I can weigh in on them.
So let’s start from the bottom and go up.
6) Time Machine is not secure at all. It’s reliable as a backup drive, but it’s in no way encrypted. If I were to steal your backup drive, I can access your backup files.
5) Login password on your Mac can be subverted by booting your Mac up into Target Disk mode and plugging it into another computer, or by resetting your password with an install disk. Not many people know about these, but a quick Google search will turn them up quickly enough.
4) Login passwords on Excel and Word documents are great, but obviously localized only to those files. Recommended.
3) Encrypted external hard drive. Great, almost unbreakable (except for NSA technology) but again, that doesn’t protect the files on your computer, only your backup drive.
2) Encrypted disk image. I love this one, because I can protect only the files I want to, without fuss.
1) You didn’t mention this, but if you’re really concerned about security, you might consider activating File Vault on your Mac. This basically turns your hard drive into a giant disk image.
There are issues inherent with using File Vault, the most common of which involves forgetting your File Vault password, and possible file corruption if your drive crashes, etc. I don’t normally recommend File Vault (well, actually, I hate it) but it is the most secure of all options here. Sometimes that security comes with compromises.
I hope this helps.
~ Chris
Hey Chris
Thanks for the reply. And my final questions, for a million dollars:
When I asked at an Apple Store I was told that if my ext. drive using Time Machine was stolen, the dirtbag would need the login password for my computer to gain access (no disrespect to dirt, I occasionally play in the stuff). True or false?
Any suggestions for securing email, either individual emails or the entire Apple Mail folder (can you stick the folder in an encrypted disk image)?
Jim
Absolutely false.
I can get around the permissions issue using nothing more exotic than OSX’s built-in Disk Utility app and/or Terminal.
It IS true if you’re Time Machining a FileVault-protected volume, however. Not much one can do to break into a FileVault-protected volume.
Securing Mail.
No, you don’t want to put the mail in an encrypted folder, because Mail.app will not know where to look for it. You cannot, as yet, choose your own location for the Mail files and database to live, as you can in iPhoto and iTunes.
The only way to properly secure your Mail is to use FileVault on your home folder.
Alrighty then, Chris, great stuff, thanks and keep it coming.
Jim
Anjani,
It was super to meet you yesterday.
Thanks for visiting!
Keep coming back, we’re almost ready to launch our next “issue”
Are you a Mac user?
~Chris