There are a few ways to do on-the-fly encryption on OS X, of course, but none of them really fit my needs. FileVault has not been known to be exceptionally reliable (although I've never tried it in Leopard) and is totally unconfigurable. Whole disk encryption is overkill for me, and I don't feel like eating the CPU overhead it entails. At the other end of the spectrum, casual measures like an Open Firmware / EFI password or a strong login password do nothing for data at rest: anyone with physical access can pull the disk or boot from another system and read it, so they only deter those with no real interest in your data anyway.
What I really want is a way to encrypt just a certain set of private data (like my email in Mail.app, contacts in Address Book, and calendars in iCal), with as little inconvenience as possible. The best solution? How about an encrypted sparse disk image that mounts and unmounts on login/logout? With symbolic links in the proper places, Mail, Address Book, and iCal are none the wiser, and you can be reasonably assured that your private data will stay secure.
Note: This process is a little involved. Compromises can be made, however, and the general method is valuable, so read on!
STEP ONE: Create an encrypted sparse(bundle|image)
You're going to want a good amount of growing room for your data, so think about a maximum size for the disk image. Keep in mind that sparse images and sparse bundles (Leopard-only) only take up as much space as the data that they contain, so you can think big here. Let's go with 80GB.
You're also going to want a good password to secure the image. This password should not be trivial, or this whole exercise will be useless. See Notes on Security, below, for some clever suggestions. The image can be created on the command line; the following command is for creating an 80GB encrypted sparse bundle with the name PRIVATE:
STEP TWO: Set custom mount points (optional)
Since we are going to be replacing our sensitive data directories with links to the new location of our files in the next step, it's a good idea to make sure that our new disk image "mounts" at a path that is both secure and invariable.
Normally, all external disks, images, and servers mount under /Volumes/, which is a "sticky" directory. The sticky bit means another user can't rename or delete your mount point out from under you, but that is all it buys: it does not make the volume inaccessible to other users. Nothing stops a malicious user, however, from mounting their own dirty volume, also called PRIVATE, before you log in. In that case your volume gets mounted at /Volumes/PRIVATE 1, but your symbolic links still point at /Volumes/PRIVATE, so Mail, Address Book, and iCal read from, and write new mail and contacts in plaintext to, the dirty volume, which our malicious user has graciously left writable. We obviously want none of this.
This tremendous and underrated hint on setting custom mount points is the answer to this problem. It requires editing a file in vi, which is why this step is optional. Set the mount point, create the directory if it doesn't exist, unmount the image, and finally remount it so that it comes up at the directory you chose. For this example, let's say the image is now mounted at ~/Documents/PRIVATE.
STEP THREE: Migrate Data to Disk Image and create links
Now that you've set a mount point for your image (hopefully), we need to move the data we're trying to secure onto the encrypted image. In this example, we're concerned with data stored by Mail, Address Book, and iCal. Before you start, make sure these applications are not open, and make sure the image really is mounted at the path you chose (it should appear in the output of mount). If the mount-point directory exists but nothing is mounted on it, the links you're about to create will point at a plain directory on your unencrypted disk, and the applications will happily write plaintext there.
Let's migrate Mail's data first: Mail.app stores its data at ~/Library/Mail and ~/Library/Mail Downloads. Copy these two directories and their contents to your new disk image at its custom mount point (the following assumes your mount point is ~/Documents/PRIVATE; if you didn't complete step two, then the mount point for a volume called PRIVATE is /Volumes/PRIVATE):
$ cp -Rv ~/Library/Mail ~/Documents/PRIVATE/
$ cp -Rv ~/Library/Mail\ Downloads ~/Documents/PRIVATE/
Then delete your old copies:
$ rm -Rv ~/Library/Mail
$ rm -Rv ~/Library/Mail\ Downloads
Finally, link the old directories to their new locations:
$ ln -sv ~/Documents/PRIVATE/Mail ~/Library/
$ ln -sv ~/Documents/PRIVATE/Mail\ Downloads ~/Library/
You can launch Mail.app at this point to confirm that everything is gravy. Repeat these steps for Address Book and iCal:
$ cp -Rv ~/Library/Application\ Support/AddressBook ~/Documents/PRIVATE/
$ cp -Rv ~/Library/Calendars ~/Documents/PRIVATE/
$ rm -Rv ~/Library/Application\ Support/AddressBook
$ rm -Rv ~/Library/Calendars
$ ln -sv ~/Documents/PRIVATE/AddressBook ~/Library/Application\ Support/
$ ln -sv ~/Documents/PRIVATE/Calendars ~/Library/
Again, reassure yourself by launching Address Book and iCal. Note that this method can be used to secure any directory you like, such as your Documents folder.
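Steps one through three as a single script, added here as an example; it is not code from the original hint. It assumes the bundle lives at ~/PRIVATE.sparsebundle and is attached at ~/Documents/PRIVATE using hdiutil's own -mountpoint option, an alternative to the fstab hint above; those paths, the function names, and the read-only-when-detached precaution are my choices. Only the three hdiutil functions need OS X; the mount check and the copy-verify-link helper are plain POSIX sh, so they can be exercised anywhere.

```sh
#!/bin/sh
# Added example, not part of the original hint: steps one to three as a script.
# Assumed paths: the bundle at $IMAGE, attached at $MOUNTPOINT. Only the three
# hdiutil functions need OS X; the check and the migration helper are POSIX sh.
set -u

IMAGE="${IMAGE:-$HOME/PRIVATE.sparsebundle}"
MOUNTPOINT="${MOUNTPOINT:-$HOME/Documents/PRIVATE}"

# Step one: 80GB AES-256 sparse bundle with volume name PRIVATE. -stdinpass
# reads the passphrase from stdin so it never lands in the shell history.
create_image() {
    hdiutil create -size 80g -type SPARSEBUNDLE -fs 'HFS+J' \
        -encryption AES-256 -stdinpass -volname PRIVATE "$IMAGE"
}

# Step two: attach at a fixed path we own instead of /Volumes/PRIVATE.
# -mountpoint is hdiutil's own option, an alternative to the fstab hint.
attach_image() {
    mkdir -p "$MOUNTPOINT"
    hdiutil attach -stdinpass -mountpoint "$MOUNTPOINT" "$IMAGE"
}

# While the image is detached, an app following ~/Library/Mail into an
# empty $MOUNTPOINT would write plaintext to the unencrypted disk, so leave
# the directory read-only (you own it, so attaching over it still works).
detach_image() {
    hdiutil detach "$MOUNTPOINT"
    mkdir -p "$MOUNTPOINT" && chmod 555 "$MOUNTPOINT"
}

# True when a filesystem is mounted at $1: the device df reports for it
# differs from the one it reports for the parent. "/" always counts.
is_mountpoint() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$dir" = / ] && return 0
    dev=$(df -P "$dir" | awk 'NR == 2 { print $1 }')
    pdev=$(df -P "$dir/.." | awk 'NR == 2 { print $1 }')
    [ "$dev" != "$pdev" ]
}

# Step three, with a check the bare cp/rm/ln sequence lacks: copy, verify the
# copy with diff -r, and only then replace $1 with a symlink into $2.
migrate_dir() {
    src=$1; vault=$2
    dest="$vault/$(basename "$src")"
    if [ -L "$src" ]; then
        echo "already a link, skipping: $src" >&2
        return 0
    fi
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 1; }
    cp -Rp "$src" "$dest" || return 1
    diff -r "$src" "$dest" >/dev/null || {
        echo "copy of $src differs from original; original kept" >&2
        return 1
    }
    rm -R "$src" && ln -s "$dest" "$src"
}

# Quit Mail, Address Book and iCal first. Refuses to run unless the image is
# really mounted, so the links can never point at an empty directory.
main() {
    is_mountpoint "$MOUNTPOINT" || {
        echo "$MOUNTPOINT is not a mounted volume; attach the image first" >&2
        exit 1
    }
    for d in "$HOME/Library/Mail" "$HOME/Library/Mail Downloads" \
             "$HOME/Library/Application Support/AddressBook" \
             "$HOME/Library/Calendars"; do
        migrate_dir "$d" "$MOUNTPOINT" || exit 1
    done
}

# sh private.sh migrate   (after create_image / attach_image, run once)
if [ "${1:-}" = migrate ]; then main; fi
```

Run create_image and attach_image once by hand (both prompt on stdin for the passphrase), then sh private.sh migrate. The diff -r step is what makes the rm safe: the original is only deleted after the copy on the image has been compared byte for byte.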
STEP FOUR: Add encrypted image to Login Items, turn off automatic login
Now, we want to open our disk image upon login so we don't have to do it manually. This can be done quite simply by adding the image file to the Login Items tab of the Accounts System Preferences pane. Log out and log back in to confirm that everything's working okay.
Finally, we need to secure the computer a bit so that this whole process isn't rendered a virtual Maginot Line. Go to the Security System Preferences panel, and check Require password to wake this computer from sleep or screen saver and Disable automatic login.
NOTES ON SECURITY
We can make this method even more secure with long passwords and clever control of the keychain.
If we allow the keychain to store the password to our encrypted disk image, we can make the disk image password as long as we like. One clever way of creating a long but reconstructable password is to hash a favorite poem or quote (or anything really, even an image file) and append the hash to a favorite password. Keep in mind that the quote is public, so the hash adds length, not secrecy: what stays secret is your password and which quote you chose. For instance, if our favorite quote is "Et tu, Brute?" and our favorite password is "venivedivici", then our long password would be:
$ echo "Et tu, Brute?" | md5 # => 718a9508a9ce9695778eaedb9df851bc
$ echo 'venivedivici718a9508a9ce9695778eaedb9df851bc is our new password!'
Nice and long, and we can reconstruct it whenever we need to, provided we hash the quote the same way each time (echo appends a newline to its input; hashing the bare string with printf gives a different digest).
Of course, if that password is in the keychain, then the keychain password is what actually guards it, so it had better be strong. Just changing the login keychain's password is probably sufficient, but if you'd like more security, then:
- Create a new keychain with a password different from your login password, and set that as the default. OS X understands that this is not the login keychain, and will never attempt to "repair" the keychain by synchronizing its password with your account password.
- Store this keychain on a USB key, and set it to mount at ~/Library/Keychains, as described above in step two.
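The password derivation above and the separate default keychain, as an added example rather than code from the hint. md5hex hashes the text exactly as given, without echo's trailing newline, so its digest for "Et tu, Brute?" differs from the 718a... value shown earlier; either is fine as long as you always hash the same way. The keychain name private.keychain and its location are assumptions; the security commands are OS X's own, and the image password itself goes into the keychain through the "Remember password in my keychain" checkbox when you next attach the image.

```sh
#!/bin/sh
# Added example, not code from the original hint. derive_passphrase is the
# "favorite password + hash of a quote" idea; make_private_keychain needs
# OS X's security(1). The keychain path is an assumption.
set -u

# MD5 of $1 exactly as given (no trailing newline), as 32 hex characters on
# both OS X (md5) and Linux (md5sum). Hash the same way every time, or the
# passphrase will not reconstruct.
md5hex() {
    if command -v md5 >/dev/null 2>&1; then
        printf '%s' "$1" | md5
    else
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    fi
}

# $1 = the password you actually remember, $2 = the quote. The quote is
# public, so the hash adds length but no secrecy: the secret is $1 plus
# which quote you picked, and the keychain password guarding the result.
derive_passphrase() {
    printf '%s%s' "$1" "$(md5hex "$2")"
}

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/private.keychain}"
LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain"

# A keychain with its own password (prompted for), made the default so the
# "Remember password in my keychain" checkbox puts the image password here
# rather than in the login keychain, whose password tracks your account.
make_private_keychain() {
    security create-keychain "$KEYCHAIN"
    security default-keychain -s "$KEYCHAIN"
    security list-keychains -s "$KEYCHAIN" "$LOGIN_KEYCHAIN"
}

# Usage: sh keychain.sh 'venivedivici' 'Et tu, Brute?'  prints the passphrase
# to paste into the disk image prompt; then run make_private_keychain once.
if [ $# -eq 2 ]; then
    derive_passphrase "$1" "$2"; echo
fi
```

Note that the keychain password is now the weak link: a 44-character image passphrase protected by a six-character keychain password is a six-character password.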