It’s good to be secure, or at the very least, to make it as difficult as possible for someone to compromise your security.
Apple’s FileVault disk encryption technology exists to solve a straightforward security problem: your machine is stolen or accessed without your permission and you don’t want your files exposed. By encrypting your home directory, FileVault makes it difficult (although not impossible) to access your private files.
But FileVault has issues. There plentiful anecdotal reports of decreased performance, general system instability, lost preferences, and so forth. I’ve experienced as much myself, with the additional fun of lost Spotlight indexes, which screws up Spotlight-dependent applications like Yep. Backup is also complicated by FileVault. A run of ol’ reliable SuperDuper after enabling FileVault failed for the first time since ever.
Beyond bugs, FileVault’s strategy to disk encryption sits oddly in the middle between two more standard approaches. One school of thought suggests encrypting one’s entire disk; the other suggests that only sensitive files need to be encrypted, saving precious cycles. FileVault, encrypting one’s home directory as it does, ends up encrypting both sensitive files and generic support files, but not all of the system caches and cobwebbed corners of one’s disk.
Taking these peculiarities into account, it’s clear that an alternative to FileVault would be nice. But what to use? I asked on Twitter yesterday, and here’s what I learned.
The most thorough approach to securing one’s files is to secure all of one’s files. The most-recommended solution in this category was PGP Whole Disk Encryption, which provides pre-boot password protection in addition to encrypting arbitrary disks. One review reports that PGP WDE drastically impacts performance and provides numbers, while another casually says it does not. I’m inclined to believe the review with numbers.
While it’s possible to use TrueCrypt to encrypt an entire disk on other operating systems, the open source encryption suite doesn’t cover the Mac in this regard.
File & Directory Encryption
Any Mac running OS X has a built-in, free solution to encrypting specific files or directories. The Disk Utility application can be used to create password-protected encrypted disk images. Move your files onto such an image, securely delete the originals, and you’re done. Unfortunately, mounting and un-mounting your collection of disk images will quickly become a hassle.
To lubricate the use of encrypted disk images, there’s Knox. Knox keeps track of your “vaults” (still Apple standard disk images under the sharp suitcase icon), and will automatically mount them and back them up on a schedule. It’s essentially a very polished wrapper around what Apple already provides, but it came highly recommended.
The other tempting option for encrypting just a few files is Espionage, which looks to be part of the so-called “Delicious Generation” of high-gloss single-purpose apps. Unfortunately, this detailed review suggests that Espionage is more style than substance, as there’s a number of scenarios in which the protection it provides is rendered moot.
Of course, there’s a zillion other “secret folder” shareware apps out there, but I’m just attending to what was recommended to me. Again, TrueCrypt is an option, but reviews suggest that its interface needs a lot of work to compete with other Mac solutions. I always prefer to use something purpose-built for my operating system when possible.
What I Picked
Needing only to secure work-related files and a small selection of personal files, I decided to give Knox a try. I’ve created a vault for each of those needs, securely deleted the old content from my drive, and set Knox to keep two daily backups of each vault around. Setup was easy and painless, and I’ve found the briefcase icon in my menu bar comforting throughout the work day.
The only issue I’ve run into was Knox claiming that the vaults were in use when it came time to run the backup; I closed all applications and the complaint remained, puzzlingly. I manually un-mounted the vaults and ran the backup, which worked just fine. If this bug comes up again, I’ll investigate with under-the-hood tools, but it’s fairly minor.
An advantage of using Knox is that I can continue to back up with SuperDuper, which simply treats the Knox vaults as big files and carries on. I’m going to give it my requisite two week minimal trial, but I think Knox will be getting my $30 before long.