Mac Security 101
http://www.applemacpunk.com
applemacpunk@cox.net
by Kale Feelhaver
FileVault: What does it do and why do I need it?
One of the questions I constantly
hear is, “what does FileVault do and why do I need it?” FileVault is an
encryption service built into Mac OS X that encrypts the contents of your home
folder. However, just turning it on won’t necessarily increase your security.
There are a few things you should know first.
I constantly hear… “…but
nobody can get into my home folder anyway because OS X protects it.” This is
true to a degree, but not entirely. Mac OS X uses the Unix permissions model to
ensure only an authorized user has access to their own home folder. So if you
have two users on the same Mac, they cannot see the things inside the other’s
home folder (with the exception of the Public directory).
Permissions are one
thing, but encryption is another thing entirely. Think of permissions as
security guards, and encryption as a lock box. Security guards are useful, but
you can sneak past them, or trick them and get to the restricted area.
A lock
box is different. Once the box is locked, nobody can view the contents except
the person who has the key. Even if they steal the lock box from you… they
still can’t open it. This is exactly how FileVault works. It assigns a
cryptographic key to each user. When that user logs in, the box is opened. When
they log out, the box is locked.
So why is this useful? Let’s
say you’re traveling with your MacBook, and let’s say you’re a
security-conscious Mac user, so you have your system set not to allow automatic login
(many Mac users have automatic login enabled, which is a bad security practice).
Now… let’s say your laptop is stolen. The perpetrator runs home and starts your
laptop to try to steal your data. He gets dumped at a login screen and can’t go
any further because he doesn’t know your password. However, if he is a savvy
Mac user, he can still get to your data. He can pull the hard drive out of your
Mac and put it into a USB enclosure. Then he can access the data on the disk
without the permissions and passwords inhibiting him. If he’s an advanced Mac
user, he probably understands target booting. Connect 2 Macs with a FireWire
cable, then boot the first Mac with the T key held down. Then boot the second
Mac normally. The second Mac will be able to access all of the data on the
first Mac’s hard drive. While this is a convenient feature, and it is often
useful, it is also a major security flaw.
In both of the above
scenarios… FileVault would have made all the data in your home folder
unreadable. For those of you who understand encryption, FileVault uses the
AES-128 algorithm to encrypt. This algorithm yields 3.4 × 10^38 possible
128-bit keys. To put that in perspective, if you could crack a 56-bit DES key
in 1 second, it would take you approximately 149,000,000,000,000 years to crack
AES-128.
In order for FileVault to
work though… a few other factors have to be taken into consideration. First,
you must disable automatic login, or it completely defeats the purpose of
FileVault. If your computer logs in automatically, it essentially “unlocks the
box” without any input, which completely circumvents the encryption. Also, you
must have a password set, and it must be hard to guess.
I know a lot of Mac
users that have a blank password, or set it to something simple like
“password”. Again, the account password is what “locks and unlocks the box”, so
a weak or blank password will compromise the encryption. By the same token, do
not store your password anywhere near your Mac.
I have met Mac users that write
their password on a piece of tape and put it on the bottom of their laptop.
Obviously, this compromises the encryption as well. Here’s the bottom line: if
you’re going to use FileVault… you MUST protect your password. It is the key to
the kingdom so to speak. Your password should be complex and secret, and do not
share it with anyone (see Security 101: Secure Building Blocks, MacCompanion
April 2006).
Also remember, FileVault only
encrypts your home (/Users/your_user_name) folder and everything beneath it. I
know several users that will create a folder on the root of their drive called
“projects” (or something similar), and store everything in that folder.
FileVault will NOT protect these files. It only protects things in your home
folder. Make sure everything you need to keep secret is in your home folder
before enabling FileVault.
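
A check for the situation described above, as an added example that is not part of the original article: it lists files a user owns that live outside the home folder, and so outside what FileVault encrypts. The function names `outside_home` and `summarize` and the `--scan` switch are made up for this example.

```shell
#!/bin/sh
# Added example: find a user's files that sit outside the home folder.
# FileVault only covers the home folder, so anything listed here is
# stored unencrypted on the disk.

# outside_home SCAN_ROOT HOME_DIR OWNER
# Prints every regular file under SCAN_ROOT that OWNER owns,
# skipping HOME_DIR and staying on one filesystem (-xdev).
outside_home() {
    scan_root=${1%/}      # drop a trailing slash; "/" becomes ""
    home_dir=${2%/}
    owner=$3              # user name or numeric uid
    # find exits non-zero when it meets unreadable directories;
    # the listing it did produce is still valid, so ignore that.
    find "${scan_root:-/}" -xdev \
        -path "$home_dir" -prune \
        -o -type f -user "$owner" -print 2>/dev/null || true
}

# summarize SCAN_ROOT
# Reads paths on stdin and prints "COUNT NAME" for each top-level
# entry below SCAN_ROOT, largest count first.
summarize() {
    base=${1%/}
    awk -v p="$base/" '
        { rest = substr($0, length(p) + 1)   # path relative to SCAN_ROOT
          split(rest, part, "/")
          n[part[1]]++ }
        END { for (d in n) print n[d], d }' | sort -rn
}

# Scan the startup disk only when asked:  sh this_script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    outside_home / "$HOME" "$(id -u)" | summarize /
fi
```

Anything it reports, such as a "projects" folder at the root of the drive, needs to move into the home folder to be covered.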
Last but not least, do not
leave your Mac logged in all the time. I know many Mac users that do this.
Remember, when the Mac is logged in, the box is unlocked. So when you’re done
working, either log off, or set your Mac to require a password to unlock from
sleep or screen saver. Encryption does not work by itself. It also requires
some user intervention, and a little education.
Is FileVault for you? It all depends on what data you
store on your computer and what value you place on that data. If you store
business critical data and financial information on your system, it may be
worth it to you. If you store nothing of importance on your system and still
make frequent backups just in case, it may be nothing more than a hindrance.
If you like having blank (or simple) passwords, FileVault really won’t protect
anything. If you are in a creative field and are protective of your work, FileVault
might be a necessity. Every person’s needs are different. The most important
thing to keep in mind is this… just turning on FileVault does not make it work.
You must also be using a secure computing methodology in general. If you are
already doing this, turning on FileVault will cause little impact to the way
you work. If changing to a more secure methodology will be a big change for you…
you might want to take it one step at a time.