The Files in the Crypt

For the first time in a while i’m going to have to travel with a laptop containing a work environment. This means that it’s time for some more security fun! As work involves code and (potentially) data that is HIPAA sensitive, it makes sense to not carry at around unencrypted. Just for once this is practical security instead of paranoia–if the machine were to be lost or stolen i need to be sure that neither the code or data are visible.

The most obvious thing to do would be to enable OS X FileVault. There are a couple of issues with this:

  • the disk in this laptop isn’t particularly large
  • and (heretically) i’m not entirely sure that Apple are completely trustworthy

Which isn’t to say that turning on FileVault is a bad idea, but that if my solution is going to involve another disk, then perhaps there is another way. One simple method would be to create an encrypted disk image (via Disk Utility -> File -> New -> Disk Image) on an external drive, mount it, and sym link to it from my home dir.

This feels like it would work well, and would be manageable enough. It does suffer from the same (imagined?) flaw of requiring me to trust that Apple’s implementation hasn’t been back-doored for the US Government (not that i’m doing anything that they’re interested in, just a back-door is a back-door, is a back-door…)

Another approach would to be a third party tool, preferably something open source, which has been reviewed by third parties. There are actually limited options out there – which isn’t a surprise–the more i’ve looked into this security stuff the more i’ve realised that it’s of limited interest to most people.

The encfs user-space (FUSE) file-system has been ported to OS X, but as you might imagine the integration is a little primitive–it comes from Linux-land… More promising is TrueCrypt, which ticks all of the open-source boxes, in cross-platform, and has nice administration tools. The only downside is that there is no 64bit implementation… none of my machines are actually new enough to run a complete 64bit environment, so perhaps i probably shouldn’t worry about it!

My plan is therefore to:

  • turn on FileVault for my home dir
  • temporarily set a boot password for the machine while travelling (don’t yet know how to do this in OS X… like this)
  • setup an external drive as a TrueCrypt volume to contain all code and data
  • attempt not to lose or have the laptop stolen
  • avoid all american airports like the plague

I’d be interested in hearing theories as to why nobody seems to care enough about all this stuff. My expectation would have been that by now it would be in demand enough that such features were pushed back into the OS, and that vendors cared enough about their reputations to open source those parts of the system such that they could be reviewed by trusted third parties. Why isn’t it happening?