andrew burke





Protecting Your OS X Mail With Encrypted Volumes

Posted on: 2007-10-03

After reading this interview with security expert Dino Dai Zovi, I started looking into better ways of protecting my files on my computer. I'm worried about someone grabbing my PowerBook - not just for the cost value of replacement (it's an old machine) or even for the lost files (I'm pretty good about backing up), but for the chance that someone might be able to go through my personal information.

Dino mentioned that his main security measures are to do most of your work as a non-admin user (check!) and to keep sensitive information in encrypted drive images. I took a look at how this works and it's actually pretty cool. OS X's "Disk Utility" program lets you create drive images of any size, and when you make them you can set them up with AES 128-bit encryption, which is good enough for government SECRET documents. I've put my programming work and my personal documents into DVD-R-sized 4.6GB drive images, and as long as they're closed, all of my information is pretty secure. This is a more flexible solution than encrypting the entire user with FileVault, since the regular data isn't secured. Also, if I'm changing machines, I can just copy the disk images over to the new machine and all of my work and personal files are available. Backing up is simpler too, since I just drag the images to my backup disk, or burn them to their own DVDs. The only big downside is that encrypted volumes can't be compressed, so they end up taking the full 4.6GB of space, even when they're not being used.

The volumes are password-protected, and as long as I make sure not to let the system include them in the personal Keychain, they can only be accessed by typing in the password each time.

The missing link in my security was my mail files - the OS X program keeps all of my mail in a 'Mail' folder within my user profile's "Library" folder, and there doesn't seem to be an official way to have the mail program look anywhere else. To solve this, I made a new encrypted disk image, copied my mail folder into it, and then went into the unix shell and created a symlink in the library folder, pointing to the new encrypted mail volume. I had originally tried a finder-level Alias, but it didn't work - the lower-level symlink did, however.

The only downside is that if I open my mail program without opening the disk image, it asks if I want to import mail from elsewhere - but simply clicking on 'Cancel' closes the program and then I can open up the disk image and try again.

Now, as long as I remember to close these disk images when I've finished with them and before going out, I can keep my data safe.

Previous: Fake Steve Jobs hits it
Next: John C. Dvorak Misses It