MacOSX comes with a built-in encrypted filesystem: FileVault. Its purpose is to protect private data stored on your computer. It does its job quite nicely, but far from perfect. Me, coming from the linux world, was quite put off by its limitations, so I started looking for an alternative that would make me happy.
FileVault is an encrypted filesystem. This means that it doesn't encrypt files, it encrypts partitions. How it works is that when you hit the button 'Turn on FileVault' in the security preferences, it creates a dynamically growing file in your home that contains the encrypted contents of your original home. When you log in, this is mounted, using your login password. The whole operation is seamless. In the background, it relies on the diskimages framework. If interested, check
man hdiutil
for details and more options.
In earlier releases of FileVault, the whole encrypted home was a single huge file on the filesystem. Whenever growth was necessary, it increased the encrypted file size. However, this caused problems for Time Machine, Apple's built-in backup tool. Since the file is encrypted, it was not possible to make incremental backups, so Apple decided to implement a feature called 'sparsebundle', that splits this huge file in 8MB chunks, so that Time Machine can make incremental backups of the encrypted home.
You can see how problems stack up. It's not only FileVault, but how it works with other applications, most importantly Time Machine.
This HOWTO was written on a Mac OS X 10.5. Other versions may or may not work - you'll have to figure it out yourself. The idea and the commands are the exact same once you get encfs installed properly.
FileVault: pros and cons
- Long waiting times at logout
- No shrinking while logged in
- Doesn't work well with Time Machine
+ Well worked out and tested
+ Encrypts your entire home for better privacy
For example, if you have a 300GB disk and you copy 50GB into your home temporarily, MacOS will expand the sparsebundle to accommodate the extra 50GB. However, after you've removed it, it will not shrink the sparsebundle again; the space is recovered only after you log out. Until then, 50GB will be gone from your 300GB disk, available only inside your encrypted home dir.
EncFS is a file-based encryption, and it relies on the existing file system for storage, so this issue simply does not exist; the encrypted and decrypted directory share the same partition, and thus, disk space.
FileVault is very slow. In the example above, it takes FileVault about 20-30 minutes to recover the disk space it allocated to the encrypted filesystem earlier. This is of course done while you are logging out, waiting for the laptop to reboot, shut down, etc..., so basically it comes out of your own time.
EncFS stores its encrypted files in the same partition, and thus, it has no such problems whatsoever.
With FileVault, there are no backups made while you're logged in. This is again caused by the bad design of filesystem-in-a-filesystem. Data is backed up when you logout - but then it takes quite a while.
Take for example the case when you copy 100GB in your homedir, and then erase 50GB. On logout, FileVault will take 20-30 minutes to recover disk space, and then Time Machine will take another 20-30 minutes to back the extra data up.
Using EncFS, backups are done on-the-fly, while you are logged in. This means you can stay logged in as long as you like, there is no need to log out just to make a backup of your homedir, like you had to do with FileVault.
EncFS is fully open source. You know what's going on in the background. You can fine-tune the encryption to your needs. You can even have more than just your home encrypted. You can use different encryptions on different parts of your system (a 128bit for your pictures and a 256 bit for your emails, for example). You don't have to encrypt your home, only the parts that you need. It's all up to you.
You can also have better interoperability with other tools. Since it is fully file-based, you have the ability to process the encrypted directory to your liking, in your own way.
FileVault is a lot more tested than EncFS. There are known problems with EncFS, as it only supports basic POSIX operations (no locking, extended attributes, etc...). This works well for simple file storage or multiplatform applications, like MacPorts, Firefox, Thunderbird, etc..., but encrypting your whole homedir is known not to work. As a consequence, you lose some privacy, leaving parts of your home unencrypted. If you are sensitive about this, or you are unsure whether you will leave important data unencrypted, don't go ahead.
Because EncFS encrypts on file level, the number and size of files will be exposed in the encrypted dir. This is not a big deal, just go check out the contents of the encrypted directory for yourself. You'll probably keep wondering what the heck is in there, even though you know what you are storing there.
You also need to spend some time to evaluate what and how you want to protect. Setting up EncFS will take some time, it's not just clicking a button and going for lunch while it finishes.
If you are not a geek, don't do this - it's not meant for you. I would say the baseline is setting up and using macports - if you can do that, this will not be a problem, either.
How - the easy way
You can use macfusion to set up encfs via GUI. I won't go into details, as I observe this method to be inferior to command line.
It is a good tool for non-geeks to encrypt their data, though, if you don't mind some click-click now and then.
How - the geek way
Once you have macports installed, set up encfs:
$ sudo port install encfs
The next step is to organize your mounts. What I did was create /e and /e.crypt and chown them to my user:
$ sudo mkdir /e /e.crypt
$ sudo chown llama /e /e.crypt
Of course, you can create multiple directories for multiple users if needed.
The next step is to set up the encrypted directory. This can be done by:
$ encfs /e.crypt /e
On the first run, encfs will guide you through the setup options. If unsure, just pick the default options (by simply hitting enter) for every question, they are well defined.
Now you have your encrypted directory in /e.crypt and your decrypted directory in /e. The next step is to decide what you want to encrypt. It's fully up to you. I went with the configuration directory of ssh, Thunderbird and Firefox.
Don't forget that encfs doesn't support fancy filesystem operations, so don't just throw your whole homedir in there - it won't work.
The next step is to copy your stuff there and create a softlink on the original location:
$ mv .ssh /e
$ ln -s /e/.ssh
$ mv Library/Thunderbird /e
$ ln -s /e/Thunderbird Library/
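The move-and-symlink step above has one trap: if /e happens not to be mounted when you run `mv .ssh /e`, the files land in clear on the root volume, in the empty mount point directory, and the next mount simply hides them. The following script is an added example, not from the original post, that performs the same relocation but refuses to touch anything unless the mount point is actually listed in the `mount` table, and skips directories that have already been relocated. The mount point /e is the post's; the function names and the sample mount-table line are my own constructions.

```shell
#!/bin/sh
# Added example (not the post's code): relocate a directory into the EncFS
# mount and leave a symlink behind, the way the post does by hand with
# `mv` and `ln -s`, but with the preconditions checked first.
# Function names are hypothetical; /e is the mount point used in the post.

# Return 0 when $2 appears as a mount point in a `mount` listing passed
# as $1 (the "DEVICE on MOUNTPOINT (options)" format of BSD/Linux mount).
is_mounted_in() {
    printf '%s\n' "$1" | grep -F -q " on $2 "
}

# relocate_into_encfs MOUNT_TABLE SRC_DIR MOUNT_POINT
# Moves SRC_DIR to MOUNT_POINT/<basename> and replaces SRC_DIR with a
# symlink to it. Returns non-zero without changing anything when the
# mount point is not mounted, the target already exists, or SRC_DIR is
# not a directory. A SRC_DIR that is already a symlink is left alone, so
# the function can be re-run safely.
relocate_into_encfs() {
    table=$1; src=$2; mp=$3
    name=$(basename "$src")
    target="$mp/$name"

    if ! is_mounted_in "$table" "$mp"; then
        echo "refusing: $mp is not mounted; data would be written in clear on the root volume" >&2
        return 2
    fi
    if [ -L "$src" ]; then
        echo "skip: $src is already a symlink -> $(readlink "$src")"
        return 0
    fi
    if [ -e "$target" ]; then
        echo "refusing: $target already exists" >&2
        return 3
    fi
    if [ ! -d "$src" ]; then
        echo "refusing: $src is not a directory" >&2
        return 4
    fi
    mv "$src" "$target" && ln -s "$target" "$src"
}

# Typical use, matching the post's commands (run from your home directory):
#   relocate_into_encfs "$(mount)" .ssh /e
#   relocate_into_encfs "$(mount)" Library/Thunderbird /e
```

Pass the live mount table with `"$(mount)"`; taking it as an argument rather than calling `mount` inside the function is what makes the check testable without a real FUSE mount.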
So, now you have the final setup. The next step is to make mounting/unmounting automatic on logon/logoff. For this, we are going to use the so-called login hook. This is a special Apple feature; in short, it lets you define an executable that runs after login but before the UID changes to the user - practically at the point when root has finished all login-related tasks and is about to switch to the user. We will use this to mount our encrypted directory.
Now, we want an automatic mount of the encrypted volume on login. This is handy if you have Firefox and Thunderbird started up on login.
I solved this by putting the password in the user's keychain, which is a safe storage for passwords. So open the Keychain Access application (easiest is from the little lock in the menubar), pick the Login keychain, category Passwords, and add a new item in there. Set the keychain item name and account name to 'EncFS', and the password to the password that you gave to encfs during the first-time initialization.
Now let's create the script that is to be executed as login hook. Create file
/usr/local/sbin/loginhook, and copy the following into it:
#!/bin/sh
# $1 = logged in username (passed by loginwindow)
# try to mount /e using the 'EncFS' entry in the user's login keychain
# 'security ... -g' prints the password on stderr as: password: "..."
# so stderr goes into the pipe and stdout (item metadata) is discarded
su - "$1" -c "security find-generic-password -ga EncFS" 2>&1 >/dev/null | cut -d'"' -f2 | sudo -u "$1" /opt/local/bin/encfs -S /e.crypt /e
It grabs the password you've added to the login keychain using the command-line tool 'security', and pipes it into the encfs executable, using the '-S' flag to tell encfs to read the password from standard input.
Next we create the logout hook. It is the exact same as loginhook, but executed at logout. So create the file
/usr/local/sbin/logouthook, and copy this into it:
#!/bin/sh
# $1 = logged out username (passed by loginwindow)
# try to unmount /e (the unmount command itself was missing from the original post; umount is the reconstruction)
umount /e
Yes, it simply unmounts the encrypted directory on logout.
Don't forget to set the executable bit on these scripts:
sudo chmod +x /usr/local/sbin/log*hook
Now, instruct the login window application where the login and logout hooks are:
sudo defaults write com.apple.loginwindow LoginHook /usr/local/sbin/loginhook
sudo defaults write com.apple.loginwindow LogoutHook /usr/local/sbin/logouthook
That's it, you're done.
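The one-line login hook above works, but it silently does the wrong thing in a few cases: a password containing a double quote is truncated by `cut -d'"' -f2`, an empty keychain lookup pipes nothing into encfs, and a second run stacks another mount on /e. Here is an added example of the same hook with those cases handled; it is not the post's own script. The paths and names (/e, /e.crypt, /opt/local/bin/encfs, the 'EncFS' keychain item, the username in $1) are the post's; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's own loginhook: keychain-to-encfs mount on
# login with the failure modes handled. Paths and names come from the post
# (/e, /e.crypt, /opt/local/bin/encfs, keychain item "EncFS"); the
# function names are hypothetical.

# `security find-generic-password -g` prints the secret on stderr as
#     password: "the secret"
# Strip exactly that prefix and the closing quote. `cut -d'"' -f2` would
# truncate a secret that itself contains a double quote; any output that
# does not have this shape (including a hex-encoded value) yields "" so
# the caller fails closed instead of feeding garbage to encfs.
extract_keychain_password() {
    printf '%s\n' "$1" | sed -n 's/^password: "\(.*\)"$/\1/p'
}

# Mount /e for the user named in $1 (the argument loginwindow passes).
mount_encfs_for_user() {
    user=$1
    if mount | grep -F -q ' on /e '; then
        logger -t loginhook "/e already mounted, nothing to do"
        return 0
    fi
    # Only stderr (the password line) enters the capture; the item metadata
    # on stdout is discarded. su runs the lookup against the user's own
    # login keychain.
    raw=$(su - "$user" -c 'security find-generic-password -ga EncFS' 2>&1 >/dev/null)
    pw=$(extract_keychain_password "$raw")
    if [ -z "$pw" ]; then
        logger -t loginhook "no usable EncFS item in $user's login keychain; /e stays unmounted"
        return 1
    fi
    # -S makes encfs read the password from stdin, so it never appears in
    # the process list the way a command-line argument would.
    printf '%s\n' "$pw" | sudo -u "$user" /opt/local/bin/encfs -S /e.crypt /e
}

# loginwindow calls the hook with the username; with no argument, do nothing.
if [ $# -gt 0 ]; then
    mount_encfs_for_user "$1"
fi
```

Install it in place of the one-liner at /usr/local/sbin/loginhook and keep the `defaults write` registration from above unchanged; failures are written to the system log via `logger`, which is where you look when /e is unexpectedly empty after login.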
If you need to use encfs for more than one user, it is a pretty straightforward change to the above - remember, the first argument of the login and logout hooks is the username. Also, remember to store the 'EncFS' item in the login keychain, because that is specific to each user, so each of them can have a different password.
There are a lot more things that you can do with this, just use your imagination. For me, this does the job, and is perfectly extensible would the need for anything else arise.
The biggest mistake Apple made with FileVault is storing the encrypted home directory on a virtual file system. All of FileVault's drawbacks originate from this. The implementation is brilliant, free of bugs, fast and well thought out. But why they decided to take on all the trouble of a filesystem in a filesystem remains a mystery.
For me, until Apple manages to come up with an encryption that is not based on a broken idea, EncFS really gets the job done. Leave a comment if this short howto helped you too.