Encrypt your homedir on your mac without FileVault
Posted in Apple on 5th April 2007, 1:29 pm by Stuart
I used FileVault for about a month and I found it really degraded the overall experience of using my Mac: basically, using FileVault caused a huge slowdown in performance. In addition, I quickly found the repeated prompting to compact the FileVault every time I shut down annoying, and as this process took nearly 20 minutes each time, it was all too easy to get into the habit of skipping it.
This isn’t to say FileVault is a dead duck; I have a colleague who has used it for 18 months on a PowerBook and has never had a problem, but that could simply be a difference between using FileVault on PPC and on Intel architecture.
My solution is to selectively encrypt only the files that need to be encrypted (in my case) by moving them from my home directory into an encrypted disk image. The way I do this is to alias/symlink the sensitive files and directories from their old locations into the encrypted disk. That way you can still access all of your information via the links in your home directory, but the real files sit safe and snug inside the encrypted disk image.
This approach also works for things like mail, so you can move your mail inside the encrypted disk image and link it back to its current location so that Mail is protected.
The difference between aliases and symbolic links
An alias is a special link created by the Finder that points to a specific file. If the file the alias points to moves around, the alias will continue to work. Symlinks are different in that they are created at the Unix OS level, so if you are shell scripting, carrying out a task via bash, or using software that doesn’t grok aliases, the symlink should always work. The downside is that a symlink will only ever point to one specific path, so it breaks if the target moves.
For the purposes of linking into your encrypted image I would recommend always trying an alias first. If you find that the software you are using has issues with accessing files via the alias, try a symlink instead. For example:
ln -s /path/to/adir thesymlink
will create a symlink to /path/to/adir called thesymlink in the current directory.
Points to consider.
- Don’t store the password to the encrypted drive in your login keychain. This defeats the purpose very quickly.
- Do back up regularly. If the encrypted image were to become corrupt you would need to restore it, and with it every file you linked into it.
Creating an encrypted image using Disk Utility
Open Disk Utility and click “New Image”. Then in the options select the following:
- Size: select Custom and then set the maximum size of your disk image
- Encryption: select AES-128
- Format: sparse image (this will grow as you add files rather than taking up all of the space in one go)
Next set your password and un-tick “Remember password (add to Keychain)”.
Now, to mount the encrypted image, just double-click it and enter the password. Then move the files you want to be encrypted into the mounted image and alias them back to where you normally access them from.
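The same procedure driven from the shell, as an added example that is not part of the original post: it creates the image with hdiutil using the settings chosen above (AES-128, sparse image, password read from stdin so it is never put on the command line or into the keychain), and wraps the “move it in, link it back” step in a function that refuses to run twice on the same path or to overwrite something already in the image. A second function reports whether a relocated path still resolves, which is exactly what breaks when the image is not mounted. The image path, volume name, size and directory names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS with hdiutil;
# image path, volume name, size and directory names below are illustrative.

# Create an AES-128 encrypted sparse image, the same settings as in Disk Utility.
# -stdinpass reads the passphrase from stdin, so it never appears in the process
# list or shell history, and nothing is added to the keychain.
create_vault() {
    image="$1" volname="$2" size="$3"
    hdiutil create -size "$size" -type SPARSE -fs 'HFS+J' \
        -encryption AES-128 -stdinpass -volname "$volname" "$image"
}

# Mount the image (passphrase again on stdin); hdiutil prints the mount point,
# normally /Volumes/<volname>.
mount_vault() {
    hdiutil attach -stdinpass "$1"
}

unmount_vault() {
    hdiutil detach "$1"
}

# Move a file or directory into the mounted image and leave a symlink at its old
# path. Refuses if the path is already a link (so it is never relocated twice),
# if the image is not mounted, or if a same-named entry already exists inside it.
relocate_into_vault() {
    src="$1" vault="$2"
    name=$(basename "$src")
    if [ -L "$src" ]; then
        echo "refusing: $src is already a link" >&2; return 1
    fi
    if [ ! -e "$src" ]; then
        echo "refusing: $src does not exist" >&2; return 1
    fi
    if [ ! -d "$vault" ]; then
        echo "refusing: $vault is not a mounted directory" >&2; return 1
    fi
    if [ -e "$vault/$name" ]; then
        echo "refusing: $vault/$name already exists" >&2; return 1
    fi
    mv "$src" "$vault/$name" || return 1
    ln -s "$vault/$name" "$src"
}

# True only if the link exists AND its target resolves. When the image is not
# mounted the link dangles: -L is true but -e (which follows the link) is false.
vault_link_ok() {
    [ -L "$1" ] && [ -e "$1" ]
}

# Demo (macOS only): VAULT_DEMO=1 sh vault.sh
# Creates ~/Vault.sparseimage, mounts it, and moves ~/Documents/Private inside.
if [ "${VAULT_DEMO:-}" = "1" ]; then
    printf 'Vault passphrase: ' >&2
    stty -echo; read -r pass; stty echo; echo >&2
    printf '%s' "$pass" | create_vault "$HOME/Vault.sparseimage" Vault 2g
    printf '%s' "$pass" | mount_vault "$HOME/Vault.sparseimage"
    relocate_into_vault "$HOME/Documents/Private" /Volumes/Vault
    vault_link_ok "$HOME/Documents/Private" && echo "Private now lives in the vault"
fi
```

Source the file (`. ./vault.sh`) to get the functions in an interactive shell, or run it with VAULT_DEMO=1 for the end-to-end demo. After a reboot the symlinks will dangle until the image is mounted again, so a quick `vault_link_ok ~/Documents/Private` before opening anything tells you whether you have mounted it yet.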
Knox
I use a piece of software called Knox, which is essentially the missing interface for creating and managing disk images. One could argue it’s expensive given that it doesn’t do much more than wrap the image creation process. However, personally I find it useful for providing quick access to my encrypted images, and it also adds some extra features such as backups and Spotlight control per disk image. I would say it’s well worth a look if you are regularly using encrypted images, but if not, it’s probably not worth shelling out for.

In fact, Mac OS X supports mounting dmgs directly onto a folder. man hdiutil for more info.
@Yuhong Bao: This is true. However, I’m pretty sure if you tried this with your homedir it would crash finder.
[...] my solution will suspend the use of Filevault, see a guide on Encrypt your homedir on your mac without FileVault by Stuart [...]
I tried this approach just now but I think there’s some information missing:
I put my ~/Library, ~/Desktop, ~/Documents and some other stuff on an encrypted disk image with symlinks in my homedir. It was all fine until I logged off and on again. I can’t get the encrypted disk image to mount at login. When I double-click it, it gives me an Authentication Error (it never asks for a password). The only way to access the files was to log in as root and double-click the image. When logged in as root I don’t get the Authentication Error but a password prompt as usual.
So… how do I make my mac ask for the encrypted disk image password at login and make everything work as it should?
@Marco: I think putting ~/Library into the image in its entirety is the problem here. Try removing it and just linking the things you need to be encrypted, and see if that helps.