Section 136. Secure Your Files with FileVault



BEFORE YOU BEGIN

118 Add a New User


SEE ALSO

115 Require a Password When Reactivating the Computer

121 Change a User's Password


FileVault is a feature that encrypts all the files in your Home folder so that they can be accessed only by someone who knows your login password. When you have FileVault turned on, you won't notice any difference in how the system works: by the act of logging in, you've unlocked the FileVault and gained access to your files for the duration of your login session. But if someone else comes along and tries to access your files without your password to unlock them, even by tearing the computer apart and prying into the hard disk itself, the files will be beyond the reach of those with ill intent.

NOTE

Remember that even with FileVault enabled, someone who knows your login password can still access your files. Always be sure to keep your password secret and unguessable, and change it every few months at least!


NOTE

FileVault is designed with corporate laptop users in mind; if a laptop computer full of trade secrets and confidential documents is stolen, the thief could have a gold mine on his hands. But with FileVault, those files stay locked up unless the thief has your login password to access them.




The tricky part about FileVault is that if any user forgets her password, even the system's Admin user won't be able to restore access to that user's files, because they are all encrypted using that user's forgotten password. Changing the user's login password does not decrypt or re-encrypt the files; they're locked up for good.

Fortunately, FileVault has a safety feature built in: a "master password" for all the FileVault-protected accounts on the computer. If you know the master password, you can regain access to a locked Home folder and turn off FileVault so that the user can access her files again.

Before you turn on FileVault for your account, it's very important (and required) that you set this master password. Your users' data depends on it!
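A conceptual model of the two unlock paths described above (login password and master password), added here as an illustration; it is not Apple's FileVault implementation and not code from the book. The names `ProtectedHome`, `wrap`, `unwrap` and `demo`, the PBKDF2 key stretching, and the XOR key masking are assumptions chosen so the sketch runs with only the Python standard library.

```python
import hashlib, hmac, os

def _keys(password, salt):
    # Stretch the password into a 32-byte mask and a separate 32-byte MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return dk[:32], dk[32:]

def wrap(volume_key, password):
    # One unlock slot: the volume key masked under a password-derived key,
    # with a tag so a wrong password is rejected instead of yielding garbage.
    salt = os.urandom(16)
    mask, mac_key = _keys(password, salt)
    blob = bytes(a ^ b for a, b in zip(volume_key, mask))
    return {"salt": salt, "blob": blob,
            "tag": hmac.new(mac_key, blob, "sha256").digest()}

def unwrap(slot, password):
    mask, mac_key = _keys(password, slot["salt"])
    tag = hmac.new(mac_key, slot["blob"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong password for this slot
    return bytes(a ^ b for a, b in zip(slot["blob"], mask))

class ProtectedHome:
    def __init__(self, login_password, master_password):
        key = os.urandom(32)  # random key that actually encrypts the files
        self.user_slot = wrap(key, login_password)
        self.master_slot = wrap(key, master_password)

    def unlock(self, login_password):
        return unwrap(self.user_slot, login_password)

    def recover(self, master_password, new_login_password):
        # The master password opens its own slot; the user slot is then rebuilt.
        key = unwrap(self.master_slot, master_password)
        if key is None:
            return False
        self.user_slot = wrap(key, new_login_password)
        return True

def demo():
    home = ProtectedHome("old-login-pw", "master-pw")  # constructed sample values
    key = home.unlock("old-login-pw")
    # An admin changes the account's login password; the slot is untouched,
    # so the new password alone cannot unlock the files.
    after_reset = home.unlock("new-login-pw")
    bad_master = home.recover("wrong-guess", "new-login-pw")
    recovered = home.recover("master-pw", "new-login-pw")
    return key, after_reset, bad_master, recovered, home.unlock("new-login-pw")
```

In this model, losing both passwords leaves no slot that can be opened, which is the "locked up for good" case the text warns about.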

One final thing to remember about FileVault is that once it's enabled, everything in your Home folder is inaccessible to anyone or any application that doesn't know your login password, and that includes web browsers or other Macs. This means that your Public folder (which contains items that others can access from other Macs, as described in 36 Allow Others to Share Your Files) and your Sites folder (which contains items that others can access using Personal Web Sharing) will no longer be readable. But then, if you're concerned enough about the privacy of your data that you're choosing to enable FileVault, you shouldn't be sharing files publicly from your Mac anyway. Be sure that you absolutely need FileVault protection, and won't miss the ability to share files, before you enable the feature!

NOTE

You must be logged in as an Admin user, or able to authenticate as one using the lock icon in the Sharing Preferences pane, to set a master FileVault password or enable FileVault protection for an account.


1. Open the Security Preferences

Open the System Preferences application (under the Apple menu); click the Security icon to open the Security Preferences pane.

2. Set a Master "Safety Net" Password

Click the Set Master Password button. In the sheet that appears, type a password and type it again in the Verify field.

The master password setting can contain a hint; be sure to take advantage of this. Make sure that the hint doesn't give away the game! Your master password should be something that an intruder won't be able to guess, even with the hint. Remember, anybody who can guess the master password can unlock any user's FileVault-protected Home folder!

3. Turn On FileVault for Your Account

When you click OK to set the master password, you are automatically prompted to turn on FileVault for your current user account. Click Turn On FileVault to begin this process; alternatively, if you're not ready to do so yet, you can click Cancel and then click Turn On FileVault in the Security Preferences pane at a later time.

TIP

On the warning sheet that appears when you turn on FileVault, the Use secure erase check box enables an additional security feature you might find useful: When a file in the FileVault-protected account is deleted (by emptying the Trash), Mac OS X ensures that its contents can't later be recovered by writing successive streams of random garbage onto the disk location where the file was. This takes longer than normal deletion, but is crucial for sensitive business data.

NOTE

Because the act of turning on FileVault involves changing all of your files as they are written on the disk, the process must take place while you're logged out of your account so that you don't touch any files that Mac OS X is working on. For the same reason, any other users must be logged out as well, or Mac OS X will not allow you to turn on FileVault. When you give the command to turn on FileVault for your account, Mac OS X logs you out and prevents you from logging in until all your files have been encrypted. The process might take an hour or longer, depending on how much data you have in your Home folder.

Enter your login account password when prompted, to verify that you are who you say you are. (If you are not an Admin user, you are prompted to enter the name and password of an Admin user before you can proceed.) Mac OS X gives you a final warning, reminding you that if you lose your password and can't remember the system's master password, you will never again be able to access your files.

Save all your open files and quit all your applications. When you're ready, click Turn On FileVault.

Mac OS X logs you out of your account and encrypts your Home folder. After the process is complete, you can log back into your account and use the system as you normally would.

NOTE

After your Home folder has been secured with FileVault, the icon for it in the Finder changes from a regular house to the "safe house" icon representing FileVault. Furthermore, other users can no longer browse the contents of your Home folder at all, not even your Public folder.

4. Recover a Lost FileVault Password

If you try three times to log in at the login window and can't remember the correct password for your account, Mac OS X presents you with your password hint. If the hint doesn't help you remember your password, and you enter it incorrectly one further time, Mac OS X presents the hint for the master FileVault password. Enter this password to be given the opportunity to unlock your account by entering a new login password for the account.

NOTE

Only the administrator of the computer should know the master system password. If you've forgotten your password for a FileVault-protected account, ask the computer's administrator to enter the master password for you.

After you enter the master password correctly and set a new password for your account, you will see a notice that your Keychain is still locked using your old login password. You won't be able to access your Keychain unless you remember your old password, but the original Keychain still exists in the new FileVault-protected Home folder, in case you remember the old password and want to extract its contents. Otherwise, a new Keychain is started using your new account password.



Mac OS X Tiger in a Snap
ISBN: 0672327066
EAN: 2147483647
Year: 2001
Pages: 212
Authors: Brian Tiemann
