
FileVault Lite System
Several people want FileVault-type protection on less than their entire home folder. Here is how I get the same kind of protection for a single folder.

1. Using Disk Utility (in Applications > Utilities), create a sparse disk image using AES-128 encryption. I made mine the size of a DVD so it would never become too large to back up to a DVD. Also, I saved mine at the top level of my home directory.

2. When creating the password, be sure to leave "Remember Password" checked, so that your keychain can open your disk.

3. Go to the Accounts preference pane (in Applications > System Preferences), and under Login Items, click + to add a login item.

4. Navigate to your 'xxxx.sparseimage' file and add it to the login items list. Now it will auto-mount every time you login.

The only downside to this hint that I can come up with is that the user must be proactive about where he or she places files. Also, if you place a file in the wrong place, be sure to use 'Secure Empty Trash' to dispose of the non-encrypted version.

[kirkmc adds: There have been several hints about FileVault and other ways to achieve the same functionality, including this hint. It is obvious that if you just want a single folder, or disk image, it's simple to create it from Disk Utility. (In fact, I wrote it up back in 2004 for Macworld.) It's useful to know about this, though, whether you want to use it for many files, or simply to lock down a selection of files.]

FileVault Lite | 10 comments
FileVault Lite
Authored by: eagle on Oct 03, '07 08:56:40AM

Or, leave the "Remember Password" box unchecked for added security. I use a similar solution with my Quicken data, and I don't want anyone to be able to double-click on my Quicken data disk image and have it mount - I want it to require the password every time. For me, having it auto-mount would defeat the purpose of having it on an encrypted disk image.

FileVault Lite
Authored by: mantrid on Oct 03, '07 09:38:19AM

Also, as the hint stands, on a multi-user machine, other users might suddenly be pleased to find a bonanza of your sensitive files appearing in "/Volumes", where disk images, which already have default permissions with read access for everyone, are mounted by default with "Ignore ownership" checked.

A step 1b and 1c could be added to take care of that, but the security conscious might also have reservations about having a disk image of sensitive files unnecessarily mounted during the entire time the user is logged in, or with the password added to the login keychain. By default, encrypted disk image passwords appear to be added to the keychain in a way that allows someone with momentary access to the machine to obtain the actual disk image password.

FileVault Lite
Authored by: mantrid on Oct 03, '07 09:41:26AM

Sorry, in the last sentence, I meant momentary access to the user's account, not "momentary access to the machine".

FileVault Lite
Authored by: peragrin on Oct 03, '07 12:32:10PM

I do this now. My only difference is that I use a 200 MB image size.

A side effect: if you store files in the sparse image, that image doesn't need to be accessed beforehand. OS X will attempt to mount the volume (asking for the password) and then let the file load.

My primary application I use with this was a shareware app called MacJournal. MacJournal entries themselves can be encrypted. I set the app to save files and settings on the mounted sparseimage. Now whenever the app is launched OS X asks for the password as it mounts the image file. Once mounted the application loads normally.

This gives me decent security (two different passwords & two different kinds of encryption) for my passwords, yet I can still access that information in under 60 seconds.

I have tried this with several other apps, as long as OS X knows the file is located on the sparseimage it will attempt to mount it whenever the application calls for it.

I thought once I was found but it was only a dream

FileVault Lite
Authored by: DougEdwards47 on Oct 03, '07 01:11:50PM

If you are using this for security (and why else would you use it) you should NOT check the "remember password" box. If you allow the password to be added to your keychain you have no more security than your normal login/password.

FileVault Lite
Authored by: dhoit on Oct 03, '07 02:06:09PM

This is just an encrypted disk image, while FileVault is much more than that. The big thing missing from this is the recoverability with your MasterPassword. If you choose not to remember the password for the encrypted disk image in your keychain, and later forget the password, you are out of luck. Also, as mentioned elsewhere, mounting in /Volumes is not the best idea.
To fix this, forget Disk Utility, and behold the power of hdiutil!
The man page for hdiutil is quite a read, but it outlines the options that will allow you to wrap the image with your FileVault certificate (-certificate), use a sparse disk image (-type SPARSE), use encryption (-encryption), set the default permissions (-mode, -uid, -gid) and more.
Hdiutil also lets you mount the finished volume somewhere other than /Volumes using a command like: "hdiutil attach ~/mydisk.sparseimage -mountpoint ~/Encrypted"
That command can be wrapped up in a double-clickable applescript to make mounting an easy process.


FileVault Lite
Authored by: jasg on Oct 03, '07 03:36:01PM

Hmm... you might want to be careful about what kind of data you put on the image. Some issues:

When you just move or copy data to the encrypted image, the original file is not securely erased. As a result, the non-encrypted data may be recoverable. Also, cache files and the like will still be unencrypted and accessible, which for some applications may render data accessible. Also, you will want to be sure to enable encrypted virtual memory. The great thing about FileVault is that it ensures that all user files are protected (although you still need to enable safe VM).

If you keep the key in the keychain, you will want to make sure it is stored in another keychain other than the automatic login keychain, which can be accessed simply by resetting the password for the user.

FileVault Lite
Authored by: brett_x on Oct 04, '07 05:23:47AM

You cannot access the login keychain by resetting the password on the account. The keychain will retain the old password as the encryption key. That is the best feature of keychain.

FileVault Lite
Authored by: jdw2004 on Oct 05, '07 12:50:51PM
I've done something like this. If you don't want your private filesystem to show up under /Volumes, you can mount it like so:
hdiutil attach -encryption CEncryptedEncoding -stdinpass image.dmg -mountpoint /path/to/mount/point
To detach it, use
hdiutil detach /path/to/mount/point
Also very cool is that you can union-mount an encrypted filesystem over your existing home directory, which lets things in both the encrypted filesystem and your pre-existing home directory remain accessible, but any new files go into the last-mounted filesystem. You can do that like so:
hdiutil attach -encryption CEncryptedEncoding -stdinpass image.dmg -mountpoint ~ -union
To detach a union-mounted home directory, cd out of your home directory, make sure nothing is accessing it, and run
hdiutil detach ~
I'm not sure if you can actually do that when logged in at the graphical console, though; it may only work for SSH logins.

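As an added example (not code from the hint or from any commenter), here is the whole procedure as a shell script, using the hdiutil options dhoit and jdw2004 describe: create the sparse image with the passphrase piped to -stdinpass so it never enters the login keychain, set the volume root to mode 700 for this user, and attach it under the home directory instead of /Volumes. The image path (~/Private.sparseimage), mount point (~/Encrypted) and 4 GB size cap are assumptions.

```shell
#!/bin/sh
# Added example: command-line equivalent of the hint, with the passphrase kept
# out of argv and out of the keychain, and the volume mounted inside $HOME.
# Assumptions: image at ~/Private.sparseimage, mount point ~/Encrypted, 4 GB cap.
set -eu

IMAGE="${HOME}/Private.sparseimage"
MOUNTPOINT="${HOME}/Encrypted"

# Pure check (needs no hdiutil): a mount point counts as private only if it lies
# strictly inside the caller's home directory and contains no ".." component.
mountpoint_is_private() {
    case "$1" in
        */../*|*/..)   return 1 ;;
        "${HOME}"/?*)  return 0 ;;
        *)             return 1 ;;
    esac
}

# Prompt without echo and emit the passphrase with no trailing newline, which is
# exactly the byte string -stdinpass consumes (a newline would become part of it).
read_passphrase() {
    printf 'Passphrase: ' >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    printf '%s' "$pass"
}

create_image() {
    # AES-128 matches the Disk Utility choice; -mode/-uid/-gid make the volume root
    # traversable only by this user, so it stays private even if mounted in /Volumes.
    read_passphrase | hdiutil create -type SPARSE -size 4g -fs HFS+J -volname Private \
        -encryption AES-128 -stdinpass \
        -mode 700 -uid "$(id -u)" -gid "$(id -g)" "$IMAGE"
}

attach_image() {
    mountpoint_is_private "$MOUNTPOINT" || { echo "refusing mount point $MOUNTPOINT" >&2; return 1; }
    mkdir -p -m 700 "$MOUNTPOINT"
    # -nobrowse keeps the volume out of the Finder sidebar; -owners on honours the
    # uid/gid set at creation rather than the "Ignore ownership" default mantrid mentions.
    read_passphrase | hdiutil attach -stdinpass -owners on -nobrowse \
        -mountpoint "$MOUNTPOINT" "$IMAGE"
}

detach_image() {
    hdiutil detach "$MOUNTPOINT"
}

# Usage: ./encimage.sh create | attach | detach  (no argument does nothing)
case "${1:-}" in
    create) create_image ;;
    attach) attach_image ;;
    detach) detach_image ;;
esac
```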
FileVault Lite
Authored by: osxpounder on Oct 08, '07 03:33:52PM

Now that's a fascinating comment. I'll try that first bit.

I've used the encrypted disk image trick for years [several of them], and I thought I'd submitted the same hint before [can't recall for sure].

Anyway, here's another warning, in addition to the ones above:

If you have an encrypted image mounted, and your Mac crashes [as in, kernel panic, or, as happened with me once, the FireWire cable gets disconnected while an image on the external FW drive is mounted], you may lose all the data in the encrypted disk. It won't mount again. Happened to me.

Sure, you could send it to some company to let them try reconstructing it, but then it's not secret stuff anymore, is it?

It bugs me that Disk Utility, by default, assumes I want the password added to my keychain. I must remember to uncheck that box every time I create an encrypted image.
