
Easy encryption of home directories System
I've posted instructions on how to encrypt the entire home directory of any user on a Mac OS X system. The technique is new as far as I know, and involves no NetInfo or fstab hacking.

[robg adds: I have not tested this one.]

Easy encryption of home directories
Authored by: Cantus on Apr 01, '03 03:14:13PM

You haven't said anything about how decrypting the files in real time (like Mac OS X does) affects the overall system performance.

Is this an issue?



Easy encryption of home directories
Authored by: lincd on Apr 02, '03 07:38:19PM

Whether performance is an issue obviously depends on hardware: how fast are the CPU and the drive. The HDI driver seems to be highly optimized.



re: encryption of home directories
Authored by: mclbruce on Apr 02, '03 01:40:38AM

I'm having a little trouble getting my head around this one:

The key seems to be mounting the encrypted disk image "over the existing home directory." Very cool, and I've never heard of that before. I'd like to know more about that.

The login process seems more complex than needed. What about this as an alternative?

Create a user called "login here first" with password "login".

Use your MountHomeVolume.hook script as the only login item of the "login here first" user, but have it ask the user for their name as well as their password. Your script could then mount the appropriate disk image for any user on the computer. The script then logs out as you have it now, and after logout the user logs into their own account instead of "login here first".

This way the user's own account will always be logged into with the appropriate volume already mounted. This means the various login items each user wants/needs can stay in their login items. Nothing needs to be changed there.

Because you don't have to login to the same account twice you can automate unmounting the home directory when the user logs out. Several ways of doing this have been discussed on the forums.

Does this make sense? Am I getting it?



re: encryption of home directories
Authored by: lincd on Apr 02, '03 07:53:45PM

The mount point of the disk image is the user's home directory. That's all there is to it. When the image is mounted, the existing node in the filesystem is replaced by the root of the HFS partition on the image.

There's no point in using another account to mount the image. It's still a double login. My way, the user logs in to his own account and mounts the image himself if he so desires, or he can cancel out and use his unencrypted home directory. The second login is necessary in order for the Login Items to work properly. If there are no Login Items, the second login is not strictly necessary, but the Finder and Dock would have to be relaunched.

The whole point is to avoid unmounting the disk image when the user logs out, so he doesn't have to enter the passphrase again, and can log in remotely. There is no security to be gained by unmounting the image while the system is running. Any user who has sufficient privileges to read your files can do so even when not logged in locally. The benefit of encryption is that someone who bypasses file permissions by rebooting the machine or removing the hard drive can't read your files.



re: encryption of home directories
Authored by: geekguy on Apr 04, '03 03:30:53PM

Great concept, unfortunately it fails on the mount command for me. Is the mount command trying to mount the image at the current directory ".", which I assume is the home directory?

Here is the relevant part of the script:

hdid -nomount "/Users/Shared/Disk Images/${USER}.dmg" > DevFile || exit 0
Dev=`cat DevFile`; rm DevFile
mount -t hfs $Dev . || exit 1

I tried adding -a to the mount command, no luck. Any ideas?



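The script excerpt quoted in the last comment writes everything hdid prints into DevFile and passes it to mount. As an added example (not part of the original hint or any poster's script), this sketch selects only the HFS slice before mounting the image over the home directory, as lincd describes. It assumes `hdid -nomount` prints one line per device node followed by a partition-type hint; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the hint author's script.
# Assumption: `hdid -nomount` prints one line per device node followed by a
# partition-type hint, for example "/dev/disk2s2  Apple_HFS".

# Constructed sample of that output, used only to exercise the parser offline.
SAMPLE='/dev/disk2          Apple_partition_scheme
/dev/disk2s1        Apple_partition_map
/dev/disk2s2        Apple_HFS'

# pick_hfs_node: read hdid-style output on stdin and print the first HFS
# slice. Exits non-zero when no HFS slice is listed.
pick_hfs_node() {
    awk '$2 ~ /^Apple_HFS/ { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}

# mount_home IMAGE HOME_DIR: attach IMAGE without mounting it, then mount its
# HFS slice on HOME_DIR so the image root replaces the directory contents.
# An explicit mount point is used instead of "." so the result does not
# depend on the working directory the login hook happens to run in.
mount_home() {
    image=$1
    home=$2
    [ -f "$image" ] || return 2     # no image: keep the unencrypted home
    [ -d "$home" ] || return 3      # mount point must already exist
    nodes=$(hdid -nomount "$image") || return 4   # passphrase prompt happens here
    dev=$(printf '%s\n' "$nodes" | pick_hfs_node) || {
        # No HFS slice: detach the whole-disk node (first line) and give up.
        hdiutil detach "$(printf '%s\n' "$nodes" | awk 'NR == 1 { print $1 }')"
        return 5
    }
    mount -t hfs "$dev" "$home"
}
```

On the system, a login hook would call it as `mount_home "/Users/Shared/Disk Images/${USER}.dmg" "$HOME"`, using the image path from the quoted script.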