[Mac_crypto] Encrypting a user's home directory on Mac OS X
R. A. Hettinga
mac_crypto@vmeng.com
Fri, 3 Jan 2003 16:00:01 -0500
--- begin forwarded text
Status: RO
To: rahettinga@earthlink.net
From: Fearghas McKay <fm@st-kilda.org>
Date: Fri, 3 Jan 2003 15:25:25 +0000
Sender: <usual@espace.net>
Reply-To: "Usual People List" <usual@espace.net>
Subject: Encrypting a user's home directory on Mac OS X
http://josh.tumaz.com/info/encdisk.php
HOWTO: Encrypting a user's home directory on Mac OS X
Author: Joshua Gitlin
This document explains how to place a user's home directory on an encrypted
device image (DMG) under Mac OS X 10.1 or later. This is useful to ensure
that all the files for the user you decide to encrypt are safe from prying
eyes. This document will be of interest to attorneys, doctors, programmers,
or anyone else who has sensitive documents (personal files, tax documents,
secret or classified documents, etc). Placing the entire user's folder on
an encrypted disk ensures that every file belonging to that user will be
encrypted (as long as it is saved within their home directory). This
includes many log files, preference files, email, AIM or ICQ logs, internet
history and cache, etc.
Encrypting a user's home directory consists of two major steps. These steps
are pretty complicated but only need to be executed once for each user.
Afterwards the process of logging into the encrypted user is simple.
I've tried to make this document fairly simple... please don't complain if
it's over-simplified :) I added some technical information at the end.
Please note: After posting this on the Apple side of Slashdot, I received
many comments. One was from Paul, a Curriculum Developer at Apple. He posed
an alternative way to get the same result... however, I prefer my method
because his method does not encrypt the Library folder of the user's home
directory, which contains log files, preferences, caches, and other data
which probably should be encrypted. Just for completeness, however, I added
Paul's Solution at the bottom of this page.
Setting up the encrypted disk:
The first step in encrypting home directories for Mac OS X users involves
creating an encrypted device image (DMG) and setting up your system to
mount the device image. These steps only need to be performed once per
device image. Each device image can contain as many users as you like, as
long as it is large enough to contain all the users' files. Therefore, you
only really need to go through this step once even if you have multiple
users (unless you want to put multiple users on different device images).
To set up the user, you will need an administrator user. This user will be
used to set up the device image, but will also be required to mount the
device image each time you wish to log into your encrypted user. These
steps cannot be executed as a regular user.
These instructions are for Mac OS X 10.2, and may differ slightly for OS
10.1. (Specifically the parts dealing with Disk Copy)
1. The first step is setting up the encrypted disk. To do this, first
open the Disk Copy application, located in the Utilities folder. Then
create a new blank device image. (File => New => Blank Image in OS 10.2 or
Utilities => New Blank Image... in 10.1) You will now need to decide on a
name for your image file and the volume which it contains. (These names do
not have to be the same, although it is convenient). Specify the size of
the volume, and make sure that it is Mac OS Extended format and that the
encryption menu says "AES-128". Save the image somewhere convenient and
enter a password for the image when prompted.
2. Once you have created your image, it will mount on the desktop. Now,
open the Terminal (/Applications/Utilities/Terminal.app) and execute the
following commands: (replace VOLUME-NAME with the name of the encrypted
volume)
1. cd /Volumes
This changes the current working directory to /Volumes
2. sudo ln -s VOLUME-NAME VOLUME-NAME-1
This creates a symbolic link (what the Finder would call an alias) to the
encrypted volume and names the link VOLUME-NAME-1. (That's a one after
VOLUME-NAME, not an L.) Enter your password when prompted to.
You have now set up this image and it is ready to have users added.
Setting up an encrypted user:
Now that you have an encrypted volume set up, it is time to create the
user. Repeat these steps for each user you wish to put on this volume.
1. Create the user. Do this using the System Preferences application.
2. Open NetInfo manager (/Applications/Utilities/NetInfo Manager.app).
Unlock the application (using the lock in the corner of the window).
NetInfo Manager is an application which manages configuration and
settings for Mac OS X. We will use it to move the new user's home directory
to the device image.
3. Select "Users" from the middle list. Find the short name of the new
user in the right list and select it. The user's information appears in the
bottom pane of NetInfo Manager.
4. Find the property that says "home". Double-click the associated value
(Most likely it says /Users/username) and change it to
/Volumes/VOLUME-NAME-1/USERNAME where VOLUME-NAME is the name of the
encrypted volume, and USERNAME is the name of the user. Again, that's a one
after the name, not an L.
For example, if my user was named "bob" and my volume was named
"disk", I would set the home directory to /Volumes/disk-1/bob
Please note: the path is case sensitive. Ensure that you type it
properly.
5. Click on another user in the list of users. This causes NetInfo
Manager to prompt you to save changes. Do it. Then close NetInfo Manager.
6. Return to the terminal. Enter the following command:
sudo ditto -rsrcFork /Users/USERNAME /Volumes/VOLUME-NAME/USERNAME
Replace USERNAME with the short name of your user and VOLUME-NAME
with the name of your encrypted volume.
Enter your password when prompted.
This command copies the user's files to the encrypted disk.
7. Enter the following command into the terminal:
sudo rm -rf /Users/USERNAME
Replace USERNAME with the short name of your user. Enter your
password if prompted.
This command deletes the new user's files from the hard drive.
If you are done adding users, unmount the encrypted volume.
Logging into the User:
Once you have performed the setup steps above, logging into the user is
simple. You will need an administrator account to mount the encrypted disk,
and you will also need a utility I wrote called SuperMounter. (Alternately,
you can use the terminal)
SuperMounter is required because when you log out of a user, all the device
images you mounted are unmounted. SuperMounter mounts the device image as
the root user, thus the system does not dismount it when you log out. The
source code is publicly available.
1. Log into your administrator user.
2. Make sure the device image isn't mounted.
3. Open SuperMounter. Enter your password and select the device image in
the open box that appears. (Under 10.1 you may have to enter your password
twice). Then enter the password for the device image. The device image
should mount on your desktop.
Alternatively:
If you would prefer not to use SuperMounter, you can perform the same
operation in the Terminal. Execute the following command:
sudo hdid /path/to/encrypted/image.dmg
Where /path/to/encrypted/image.dmg is the path to the encrypted
image. (You can drag the image file onto the terminal window and this will
be filled in for you)
hdid is the program which mounts device images.
4. Once you have mounted the device image, you can proceed to log out of
your administrator user and log into the encrypted user.
Technical Information:
Why the symbolic link (ln -s)?
The symbolic link serves a simple purpose: if you forget to mount the
device image before trying to log into the user, the system can get
confused. If you do not create the symbolic link, the system will actually
create a directory under the /Volumes/ directory and set up the user's
files there. Then, you will not be able to mount the image and log into the
user... the image will mount with a different name and you will need to
manually remove the user's files from the Volumes folder (which is a pain)
With the symbolic link, the system sees the symbolic link even if the disk
isn't mounted, and refuses to destroy it. Instead, it will warn you that
the home directory of the user cannot be found in the usual place, and you
can simply log out, mount the image, and log in again.
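The user-setup steps (symlink, ditto copy, rm -rf) and the symbolic-link rationale just explained, modelled as an added example that is my own script, not code from the HOWTO or from SuperMounter. It runs inside a scratch directory standing in for /Volumes and /Users, uses cp -Rp in place of the macOS-only ditto -rsrcFork, needs no sudo, and adds a file-count check before the rm -rf step that the HOWTO itself does not perform.

```sh
#!/bin/sh
# Added example (not from the HOWTO or SuperMounter): the home-directory
# relocation modelled in a scratch directory. cp -Rp stands in for the
# macOS-only ditto -rsrcFork, and nothing here needs sudo.
set -u

# Step 2 of the disk setup: a VOLUME-NAME-1 symlink beside the mount point.
# Its target need not exist yet; a dangling link is exactly the intent.
link_volume() {            # $1 = volumes root, $2 = volume name
    ln -s "$2" "$1/$2-1"
}

# Steps 6 and 7 of the user setup: copy the home onto the mounted volume,
# then delete the original. The file-count check before rm -rf is an
# addition the HOWTO does not make; a bad copy would otherwise lose data.
move_home() {              # $1 = old home, $2 = volume mount point, $3 = user
    [ -d "$2" ] || { echo "volume not mounted: $2" >&2; return 1; }
    cp -Rp "$1" "$2/$3" || return 1
    src=$(find "$1" | wc -l)
    dst=$(find "$2/$3" | wc -l)
    [ "$src" -eq "$dst" ] || { echo "copy incomplete, keeping $1" >&2; return 1; }
    rm -rf "$1"
}

# What the login system sees: does the NetInfo home path resolve to a
# directory? Unmounted, the dangling link makes it unreachable AND stops
# mkdir -p from quietly creating VOLUME-NAME-1/USER on the boot disk.
home_reachable() {         # $1 = home path through the -1 link
    [ -d "$1" ]
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/Volumes" "$root/Users/bob/Library"
    echo "constructed sample file" > "$root/Users/bob/Library/notes.txt"
    link_volume "$root/Volumes" disk
    home="$root/Volumes/disk-1/bob"
    home_reachable "$home" && return 1          # unmounted: not reachable
    mkdir -p "$home" 2>/dev/null && return 1    # ...and cannot be created
    mkdir "$root/Volumes/disk"                   # "mount" the volume
    move_home "$root/Users/bob" "$root/Volumes/disk" bob || return 1
    home_reachable "$home" || return 1          # mounted: resolves via link
    [ -f "$home/Library/notes.txt" ] || return 1
    [ -e "$root/Users/bob" ] && return 1        # original removed
    rm -rf "$root"
    return 0
}
```

Calling demo runs the whole sequence and returns 0 only if every check passes, including the two that show the dangling link blocking an accidental home directory on the boot disk.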
Why SuperMounter?
As previously mentioned, if you mount a device image, the system will
unmount it for you when you log out. I'm not sure if this is because all
your user processes are killed and thus the hdid process which is created
for the device image is killed, or if the Finder explicitly unmounts all
volumes you mounted. Either way, there has to be a workaround...
My first attempts at this were to try to mount the disk at the logon
screen. That didn't work... I'm not sure why, but apparently the
WindowServer either isn't launched yet or isn't accepting connections, even
from root. I also tried to mount the image from the Console (Logging in
with >Console), which didn't work. Mounting the image at startup failed as
well.
My first thought was to mount the image as a regular user and then make it
be in use so that the system couldn't access it. To do this I touched a
temporary file on the disk and launched a tail -f process on that file. The
tail process was killed when I logged out. So I started the tail process as
root, and that worked. However, that was overly complicated, as I later
learned, and I reverted to simply mounting the image as root, which works
just as well.
SuperMounter is a very simple application which authenticates itself via
the Authentication Services, and then calls hdid.
What is hdid?
hdid (man 8 hdid) is the "HDI driver backing store service". Supposedly it
is not intended to be called directly but rather from a utility like
hdiutil or Disk Utility.app. It is actually the hdid program which displays
the prompt for the disk's password. Starting in OS 10.2, you could specify
the password on the command line via the -passphrase option, but that is
very insecure since other users can see the password using ps or similar
utilities.
Paul's Solution:
Below is the post made by Paul on Slashdot. Paul offers an alternative but
less complete way of encrypting a user's home directory.
Think different -- a better way to do it (Score:5, Informative)
by plsuh (129598) <plsuh@goodNETBSDeast.com minus bsd> on Sunday December
29, @03:39PM (#4977966)
This is actually something that is covered in the new Mac OS X
Administration and Integration sysadmin technical training course from
Apple that will be going live in January. As the author of that section of
the course, let me give you a bare bones outline here.
1. Log in as the user whose files you want to secure.
2. Create an encrypted disk image using Disk Copy at the top level of
the user's home directory. When it asks for the disk image password, be
sure that the "remember password" option is checked -- this saves the disk
image's password on the user's default keychain.
3. Use ditto to copy over the following directories from the user's
home folder onto the encrypted disk image:
~/Desktop
~/Documents
~/Library/Mail
~/Application Support/Addresses
~/.ssh
These are the important ones; you can copy over other items as
well, but definitely don't do the entire ~/Library folder, and don't do the
~/Library/Keychains or ~/Library/Preferences folders.
4. Set the disk image to automount on login by dragging it into the
Login Items preferences pane.
5. Use mv to shift the directories aside (e.g. mv ~/Documents
~/Documents.save) and set up symlinks onto the disk image (e.g. ln -s
/Volumes/Secure/Documents ~/Documents).
6. Log out and log back in again. The disk image will be automounted
at login, using the password stored on the default keychain which also
unlocks on login. Everything should just work! :-D
7. Now for the housekeeping: delete the .save directories you created
earlier, and be sure to turn off automatic login in the Accounts
preferences pane.
Why do it this way instead of the way that Joshua Gitlin wrote up? First,
you don't need admin access to a machine to make it work. You may not have
admin access on a company machine, or as a sysadmin you may not want to
give admin access to most of your users.
Second, using Joshua's method, once the disk image is mounted it's open to
anyone who has admin access on that machine, whether or not you are logged
in at the console. By using an automounted image with the password stored
on the keychain everything is secure until you actually log in, and
everything is secured once you log out.
Third, this way is a lot more convenient. If you make security too
inconvenient, users will circumvent it. Instead of two logins, you only
have to do one. Technically unsophisticated users (secretaries, lawyers,
vice-presidents, etc.) don't need to do anything different.
<BLATANT PLUG>
Go to Apple Training [apple.com] and sign up for a course or two. They're
well worth the money and help me keep my job. :-D
</BLATANT PLUG>
--Paul
psuh at apple dot com
Curriculum Developer
Technical Training and Certification
Apple Computer
This document is a work in progress. Please bear with me as I update it. If
you have comments, suggestions, or questions, please feel free to email me
at josh@gitlinfamily.com.
Thanks to Andrew for pointing out the correction that I meant "Disk Copy"
instead of "Disk Utility".
Thanks to the slashdot people for pointing out that I should have used the
ditto utility instead of cp -R.
This page was last modified on Tue, Dec 31, 2002 4:17:55 pm EST (-0500)
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'