Encrypting home directories in Mac OS 10.2

Two different approaches to encrypting user data on a disk image have been posted on the web. One approach is to encrypt only the most sensitive files, and symlink them back to their default locations as required for applications with hard-coded file paths. The user mounts the image after logging in, and it's unmounted when she logs out. This was what I did myself until recently. There are quite a few problems with this method. It's a lot of work to set up and maintain, as sensitive data can be stored in many different places, and the links tend to get overwritten by installer scripts. Some applications can't be launched at login because their default files are not yet available. Some Carbon apps just don't resolve symlinks or aliases, and files in their hard-coded paths can't be encrypted this way.

A more advanced method involves changing the entry in the NetInfo database for the user's home directory to an encrypted image. Then the user can't log in unless the image is already mounted. An admin user has to log in first and mount it as root. If she doesn't have admin privileges, the encryption user has to trust someone who does with her passphrase.

Here's how I set up encryption on my systems. Any user can have her entire home directory on an encrypted disk image. When she logs in to her first Aqua session since the last system startup, she is prompted to enter the passphrase. If she does so, the image is mounted and she is logged out automatically after a warning. When she logs back in, her home directory is replaced by the one on the image. She can then log in and out as usual without having to enter the passphrase again, until the system is rebooted or the volume is manually unmounted by her or an admin.

This procedure is posted for information only. Use it at your own risk. No system configuration files are modified. All changes are confined to the /Users directory.

The procedure is for protecting data from an attacker who gains physical access to the computer (e.g., by stealing it) and can bypass file permissions by rebooting or removing the hard drive. It's not a substitute for restrictive permissions. Unmounting an encrypted image when the user logs out does little or nothing to protect the data from other users, if they have sufficient privileges. They can log in remotely or install a script to snoop data while they're not logged in. The machine must not be left unattended while logged in with the screen unlocked. A login password must be required to unlock the screen or wake from sleep. When an encryption user logs out without rebooting, her encrypted home volume will still be mounted, so automatic login must be disabled.

The implications of encrypting data are far from clear to many people. If a user wants to use his login password as an encryption passphrase, if he wants to save it in the Keychain, or if he's otherwise unequipped to create and protect a strong passphrase, he should not encrypt his data.

Always mount any encrypted disk image by entering the passphrase in the authorization dialog presented by Disk Copy or hdid. Never call hdiutil or hdid from a shell with the passphrase in standard input. If you have to do this in an emergency, retire the passphrase, re-encrypt the data with a new passphrase, and securely erase the original image as soon as possible. A user with an encrypted home volume won't be able to mount it securely from a ">console" or remote login. She will have access to her original, unencrypted home directory.

Don't put much trust in encryption on any platform that, like Darwin, has a plaintext backing store for virtual memory. Anything you load in memory may be written to disk in the clear. If you need real security, run OpenBSD, which can encrypt its swapfiles with random, volatile keys.

First create a simple shell script to be installed as a Login Item by any user with an encrypted home volume. This only has to be done once, if you're encrypting more than one user's data. The script mounts the volume over the existing home directory, then notifies the user and logs her out. Login Items are opened rather than executed, so the script must be saved as a double-clickable document. This can be done with the Terminal or AppleScript, but I prefer the open-source application iHook from Research Systems Unix Group at the University of Michigan. The script below needs iHook to run. You can easily modify it for a different front end.

In your admin account, open a root tcsh shell; if tcsh is your default shell, this is

sudo -s

All shell commands below this line are to be issued as root.

Open a text buffer as follows:

mkdir /Users/Shared/Scripts
cd /Users/Shared/Scripts
pico MountHomeVolume.hook

Now input this text to the buffer:

#! /bin/sh
# Front end is iHook: lines beginning with % are iHook directives,
# everything else echoed here is shown to the user in the iHook window.
echo %ENDPOLE
echo %WINDOWSIZE 320 200
echo "Enter the passphrase for your home volume"
echo %RESIGNKEY
cd "$HOME"
# hdid puts up the passphrase dialog itself; if the user cancels, exit
# quietly and leave her in the plaintext home directory.
hdid -nomount "/Users/Shared/Disk Images/${USER}.dmg" > DevFile || exit 0
Dev=`cat DevFile`; rm DevFile
# Mount the image's volume over the current (plaintext) home directory.
mount -t hfs $Dev . || exit 1
echo "You will now be logged out"
sleep 2
echo "Log in again to access your data"
sleep 2
# Killing loginwindow ends this session; the next login picks up the
# home directory on the mounted image.
ps -cx | grep -w loginwindow | awk '{ print $1 }' | xargs kill
exit 1

Close the buffer by entering control-X, enter 'y' at the save prompt, then just hit the enter key again to save the file. Then set permissions:

chmod 755 MountHomeVolume.hook

Now let's say that a user whose home directory is to be encrypted has the LOGNAME "Squeeze". Substitute the name of your user wherever this string occurs. Her existing home directory will be denoted by ~Squeeze; this is /Users/Squeeze by default. If you have changed the user entry in NetInfo to put the home directory on a disk image, change it back now.

Launch Disk Copy and create a new blank image large enough to hold the contents of ~Squeeze with room for growth. Name the image file "Squeeze.dmg" and save it in /Users/Shared/Disk Images, creating this folder if necessary. Set the volume name to "Squeeze", leave the image format at its default, and select encryption. Squeeze should choose a passphrase that matches the strength of the encryption algorithm.

Correct permissions for the directory Disk Images, the file Squeeze.dmg, and the volume Squeeze:

set theUser=Squeeze
set theVol=/Volumes/$theUser
vsdbutil -a $theVol
cd /Users/Shared/Disk\ Images
chown 0 .
chown ${theUser}:staff $theVol ${theUser}.dmg
chmod 755 $theVol
chmod 600 ${theUser}.dmg

Optionally, make the volume invisible so it will not show up on the Desktop. This can be done most easily using the SetFile command included in the Developer Tools. Many shareware utilities can do the same thing.

/Developer/Tools/SetFile -a V $theVol

If you haven't already done so, back up all Squeeze's data — twice, to different media. Clone her home directory to the image, then unmount it:

ditto -rsrcFork ~$theUser $theVol
hdiutil info | grep -w $theVol | awk '{ print $1 }' | xargs hdiutil detach

Now wipe — do not trash or rm — the contents of ~Squeeze, but not ~Squeeze itself. Use fwipe, PGPmail, or some such tool that makes the data unrecoverable. You can spare any files that don't need to be encrypted and that Squeeze wants to be able to access without mounting her disk image. If you want to be creative, you can make the old home directory a honeypot for thieves. Put in fake ID data, such as credit card and Social Security numbers, and record these data elsewhere. This might help the police to recover the computer if it's stolen and the perp also tries to steal what he thinks is Squeeze's ID.

Log in as Squeeze, and open the Login Items preference pane. If there are any remaining entries, remove them. Add MountHomeVolume.hook. Log out. The setup is complete. Have Squeeze log in to test it.

Posted            Saturday, March 29, 2003
Last updated      Wednesday, April 2, 2003