Applying Account Security: Security
As you might expect, in the Security preferences pane, shown in Figure 8.12, you can configure a number of options regarding system security. You can specify whether a password is required to wake up from sleep or screen saver. If you are running a truly multiuser machine, or if your machine is located in a rather public place, this option is recommended. For all accounts, you can also disable automatic login, require a password to unlock each secure system preference, require that a user be logged out after a specified period of inactivity, or use secure virtual memory. Secure virtual memory is a mechanism by which the system encrypts the virtual memory being used by the applications you are running. Finally, you can enable FileVault protection in this pane.
Figure 8.12. In the Security pane, you can turn on FileVault protection and set other basic security preferences.
FileVault protection is a means by which users can encrypt their home directory data using their login password. Using FileVault protection allows a user to protect her files from anyone on the system, including administrative users. Under the FileVault protection system, a user's home directory is stored as an encrypted disk image. When the user logs in, her home directory is decrypted and mounted in the /Users directory. When the user logs out, her home directory is unmounted and again stored as an encrypted disk image. To use FileVault protection, the system must have at least as much free disk space as the size of the user's home directory; otherwise, the conversion cannot take place.
When a FileVault-protected user is logged in, her account looks to other users like an aliased network account, as shown in Figure 8.1. The batcat user is a FileVault user who is currently logged in. When you click on that account, the system says that it can't find the source of the alias, even for an administrator. However, via sudo, the administrator can see the contents of the directory of a logged-in FileVault user. When the user is not logged in, her home directory looks like a normal folder to other users, and the contents look like an encrypted disk image. There does not appear to be a convenient way for a FileVault user to use her account remotely.
Enabling FileVault Encryption
To enable FileVault encryption, an administrative user has to set the master password for the system. A master password is required so that if a user forgets his password, an administrative user can use the master password to reset that user's password. After the master password has been set, a user will need the administrator to help with the process. When you turn on FileVault, the system asks for an administrator user and password to unlock the Security preferences pane. The user then has to enter his password to start the FileVault encryption, and indicate that he really wants to enable it. While the encryption takes place, the user is logged out. No other users can be logged in at the console at the time. When the user logs back in, his home directory icon is replaced by a FileVault icon.
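The two preconditions described above (free disk space at least the size of the home directory, and a master password already set) can be checked from a shell before starting the conversion; this is an added example, not part of the original text. It assumes the free space that matters is on the volume holding the home directory and treats the presence of /Library/Keychains/FileVaultMaster.keychain as "master password set"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before turning on FileVault for one account.

# Master password keychain path, as named in the text.
MASTER_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"

# Size of a directory tree in 1 KB blocks (run as root for another user's home).
home_kb() { du -sk "$1" 2>/dev/null | awk '{ print $1 }'; }

# Free 1 KB blocks on the volume that holds the given path.
free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'; }

# True when free space ($2) is at least the size of the home directory ($1).
enough_space() { [ "$2" -ge "$1" ]; }

# filevault_preflight HOME [KEYCHAIN]
# Returns 0 = ready, 1 = not enough free space, 2 = no master password set,
# 3 = home directory missing or could not be measured.
filevault_preflight() {
    home=$1
    keychain=${2:-$MASTER_KEYCHAIN}

    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 3; }

    need=$(home_kb "$home")
    free=$(free_kb "$home")
    case "$need:$free" in
        *[!0-9:]*|:*|*:) echo "could not measure $home" >&2; return 3 ;;
    esac

    # Assumption: the keychain file exists only once a master password is set.
    if [ ! -e "$keychain" ]; then
        echo "master password not set ($keychain missing)" >&2
        return 2
    fi
    if ! enough_space "$need" "$free"; then
        echo "need ${need} KB, only ${free} KB free" >&2
        return 1
    fi
    echo "ok: ${need} KB home, ${free} KB free, master keychain present"
    return 0
}

# Stand-alone use: sh preflight.sh /Users/batcat
if [ "$#" -gt 0 ]; then
    filevault_preflight "$@"
fi
```

Run it with sudo when checking another user's home directory, since du undercounts directories it cannot read.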
Disabling FileVault Encryption
The process for disabling FileVault protection is much like the process for enabling it. The user will again need the assistance of an administrator. When the option to Turn Off FileVault is clicked, the system asks for an administrator username and password to unlock the Security preferences pane. The user then enters his own password, and tells the system that he really wants to disable FileVault. The user is logged off while the decryption occurs. No other users can be logged in at the console while this takes place.
Overriding Encryption with the Master Password
To enable FileVault on a given system, the administrator must provide a master password. This master password can assist with password issues for a FileVault-protected account.
If a user forgets his password, the administrator can assist in resetting that user's password by using the master password. The user tries to log in. After three unsuccessful attempts, the login window displays the user's password hint. If the password hint doesn't help, the system requests the master password. If the user does not have a password hint, the system continues directly to the request for the master password. After that has been entered, the login window forces a password change. The user changes his password and finishes the login process.
If a user already knows her password and would like to change it, she can do so in the Password section of the Accounts pane. However, if the user would like to have the administrator reset her password, the administrator cannot do so from within the Accounts pane. The administrator must attempt to log in as the user and then reset the password after the master password has been given.
If you need to delete a FileVault-protected account but archive it, the account is archived with the password of the user account. If the account contains sensitive material that must remain encrypted, make sure that you reset the password for the account via the master password mechanism before you delete and archive the account. If the account does not contain sensitive material, but does contain material that your organization might need, reset the password for the account and then disable FileVault before deleting the account.
If you need to change the master password, you can do so by using the Change option under the FileVault section. The system will ask for the old password, the new password, verification of the new password, and a hint for it.
If the administrator has forgotten the master password, reset it by deleting /Library/Keychains/FileVaultMaster.keychain and creating a new master password in the FileVault section. Changing the master password can have repercussions that might cause you to have to reset the passwords of the FileVault-protected accounts, but so far we have not experienced such a situation.