Mac Security: Privacy
OS X’s Privacy Tools
Encryption software can ensure the privacy of data you’re storing on your hard drive or sending to other people, by making it essentially impossible for anyone else to read. OS X itself has some built-in encryption tools that address part of the problem, and third-party software can help with the rest.
Protecting Your Files To protect yourself against people who have physical access to your Mac, you should consider encrypting at least some of the data on your hard disk. You can encrypt anything from a single file to the contents of an entire volume. Unless you’re protecting state secrets, one of the many off-the-shelf encryption tools available for the Mac, combined with a good password, should be good enough to keep your data safe.
OS X’s FileVault feature encrypts the entire contents of your user folder (/Users/youruserfolder). To activate FileVault in Leopard, go to the Security preference pane and click on the FileVault tab. If you haven’t already done so, click on Set Master Password and specify a password that you can use to unlock FileVault if you forget your regular login password. Make it a good one but one that you’ll remember—and be sure not to lose it. Then click on Turn On FileVault. (The process of encrypting your user folder takes time.) Remember that, before you start, you’ll need at least as much free space on your disk as your user folder currently occupies. Once FileVault is on, logging out will encrypt all your files, and logging in will decrypt them again.
While you’re at it, you should consider encrypting your virtual memory (select Use Secure Virtual Memory on the Security preference pane’s General tab). Then if someone examines the virtual memory files written to disk as you use your Mac, they won’t find any unencrypted copies of your data.
If encrypting your entire user folder with FileVault seems like overkill, you can instead store important files in an encrypted disk image created with Disk Utility.
To do so, open Disk Utility (in /Applications/Utilities). Choose File: New: Blank Disk Image. Enter a name for the disk-image file and choose a location; also enter (in the Volume Name field) the name you want the mounted image to have. From the Volume Size pop-up menu, choose the maximum size you want your disk image to have. Select Mac OS Extended from the Format pop-up menu, choose 128-bit AES Encryption from the Encryption pop-up menu, leave Partitions set to Single Partition - Apple Partition Map, and choose Sparse Bundle Disk Image from the Image Format pop-up menu. Then click on Create. When prompted, enter and repeat a password and click on OK.
To use your new disk image, simply double-click on the file. Enter your password when prompted, and the volume will mount in the Finder. You can then copy files to it and open them directly from the image. When you eject the image, log out, or shut down, the files will be inaccessible to anyone who doesn’t have the password.
Protecting Your Communications To protect your e-mail, you can use one or more forms of encryption. Similarly, you can encrypt live chats in iChat or other instant-messaging clients to protect them from interception. (For more advice on securely transferring files, see Transferring files securely.)
The easiest way to start ensuring secure communications is to use SSL (Secure Sockets Layer). Almost all modern e-mail services (including, naturally, MobileMe) offer SSL as an option for receiving mail (using IMAP, POP, or Exchange) and for sending mail (using SMTP). SSL encrypts e-mail as it travels between your computer and your e-mail provider (in either direction); though, messages will still be stored unencrypted on your mail server and the recipient’s mail server.
In most cases, you just need to turn on this option in your e-mail program—but before you do, confirm that your e-mail provider supports SSL, and find out if it requires the use of a special mail server address or other configuration changes.
To activate SSL in Mail, choose Mail: Preferences, click on Accounts, and select your e-mail account in the list on the left. To use SSL for incoming mail, click on the Advanced tab and make sure the Use SSL option is selected. To use SSL for outgoing mail, click on the Account Information tab and choose Edit Server List from the Outgoing Mail Server (SMTP) pop-up menu. Select the SMTP server associated with this account, click on the Advanced tab, and make sure the Use Secure Sockets Layer (SSL) option is selected. Click on OK.
If you use another e-mail program, consult its documentation to learn how to turn on SSL. If your e-mail provider doesn’t support SSL, you can opt to encrypt your entire Internet connection with a VPN instead.
SSL protects your messages during just part of the journey between sender and recipient. To make sure that no one but you and your correspondents can read your messages, even when those messages are sitting on a mail server, you need to encrypt their contents. Apple Mail has built-in encryption capabilities. (Again, see this month’s Mobile Mac, page 86, for more.) If you use another e-mail program, or if you want a simpler setup procedure, you can use third-party software (described just ahead) to encrypt e-mail.
Instant-messaging (IM) sessions in iChat or another client are also vulnerable to snooping. If you use IM mainly for small talk, this risk might not bother you at all. But if you exchange business plans, passwords, or other confidential information via IM, you should consider encrypting your chats.
Some IM programs (such as Skype) encrypt chats automatically. iChat can encrypt chats if you’re a MobileMe member. To set this up, open iChat and choose iChat: Preferences. Select your MobileMe account in the list on the left, click on Security, and make sure the message at the bottom of the window indicates “iChat encryption is enabled.” If it reads “iChat encryption is disabled,” click on the Enable button to enable it.