This document explains how to place a user's home directory on an
encrypted device image (DMG) under Mac OS X 10.1 or later. This is useful to
ensure that all the files for the user you decide to encrypt are safe from
prying eyes. This document will be of interest to attorneys, doctors,
programmers, or anyone else who has sensitive documents (personal files, tax
documents, secret or classified documents, etc.). Placing the entire user's
folder on an encrypted disk ensures that every file belonging to that user
will be encrypted (as long as it is saved within their home directory). This
includes many log files, preference files, email, AIM or ICQ logs, internet
history and cache, etc.
Encrypting a user's home directory consists of two major steps. These
steps are pretty complicated but only need to be executed once for each
user. Afterwards the process of logging into the encrypted user is simple.
I've tried to make this document fairly simple... please don't complain
if it's over-simplified :) I added some technical information at the end.
Please note: After posting this on the Apple side of Slashdot, I received
many comments. One was from Paul, a Curriculum Developer at Apple. He posed an
alternative way to get the same result... however, I prefer my method because
his method does not encrypt the Library folder of the user's home directory,
which contains log files, preferences, caches, and other data which probably
should be encrypted. Just for completeness, however, I added Paul's Solution at
the bottom of this page.
Setting up the encrypted disk:
The first step in encrypting home directories for Mac OS X users
involves creating an encrypted device image (DMG) and setting up your
system to mount the device image. These steps only need to be performed
once per device image. Each device image can contain as many users as you
like, as long as it is large enough to contain all the users' files.
Therefore, you only really need to go through this step once even if you
have multiple users (unless you want to put multiple users on different
device images).
To set up the user, you will need an administrator user. This user will
be used to set up the device image, but will also be required to mount the
device image each time you wish to log into your encrypted user. These
steps cannot be executed as a regular user.
These instructions are for Mac OS X 10.2, and may differ slightly for
OS 10.1. (Specifically the parts dealing with Disk Copy)
The first step is setting up the encrypted disk. To do this, first
open the Disk Copy application, located in the Utilities folder. Then
create a new blank device image. (File => New => Blank Image in
OS 10.2 or Utilities => New Blank Image... in 10.1) You will
now need to decide on a name for your image file and the volume which it
contains. (These names do not have to be the same, although it is
convenient). Specify the size of the volume, and make sure that it is
Mac OS Extended format and that the encryption menu says "AES-128". Save
the image somewhere convenient and enter a password for the image when
prompted.
Once you have created your image, it will mount on the desktop. Now,
open the Terminal (/Applications/Utilities/Terminal.app) and execute the
following commands: (replace VOLUME-NAME with the name of the encrypted
volume)
cd /Volumes
This changes the current working directory to /Volumes.
sudo ln -s VOLUME-NAME VOLUME-NAME-1
This creates a symbolic link (an alias) to the encrypted volume and names
the link VOLUME-NAME-1. (That's a one after VOLUME-NAME, not an L.) Enter
your password when prompted.
You have now set up this image and it is ready to have users added.
Setting up an encrypted user:
Now that you have an encrypted volume set up, it is time to create the
user. Repeat these steps for each user you wish to put on this volume.
1. Create the user. Do this using the System Preferences application.
2. Open NetInfo Manager (/Applications/Utilities/NetInfo Manager.app) and
unlock the application (using the lock in the corner of the window). NetInfo
Manager is an application which manages configuration and settings for
Mac OS X. We will use it to move the new user's home directory to the
device image.
3. Select "Users" from the middle list. Find the short name of the new
user in the right list and select it. The user's information appears in
the bottom pane of NetInfo Manager.
4. Find the property that says "home". Double-click the associated
value (most likely it says /Users/username) and change it to
/Volumes/VOLUME-NAME-1/USERNAME, where VOLUME-NAME is the name of the
encrypted volume and USERNAME is the short name of the user. Again, that's
a one after the name, not an L.
For example, if my user was named "bob" and my volume was named "disk",
I would set the home directory to /Volumes/disk-1/bob
Please note: the path is case sensitive. Ensure that you type it
properly.
5. Click on another user in the list of users. This causes NetInfo
Manager to prompt you to save changes. Do it. Then close NetInfo
Manager.
6. Return to the Terminal. Enter the following command:
sudo ditto -rsrcFork /Users/USERNAME /Volumes/VOLUME-NAME/USERNAME
Replace USERNAME with the short name of your user and
VOLUME-NAME with the name of your encrypted volume.
Enter your password when prompted. This command copies the user's files
(including resource forks) to the encrypted disk.
7. Enter the following command into the Terminal:
sudo rm -rf /Users/USERNAME
Replace USERNAME with the short name of your user.
Enter your password if prompted. This command deletes the new user's files
from the hard drive.
8. If you are done adding users, unmount the encrypted volume.
Logging into the User:
Once you have performed the setup steps above, logging into the user is
simple. You will need an administrator account to mount the encrypted
disk, and you will also need a utility I wrote called
SuperMounter. (Alternatively, you can use the Terminal.)
SuperMounter is required because when you log out of a user, all the
device images you mounted are unmounted. SuperMounter mounts the device
image as the root user, thus the system does not dismount it when you log
out. The source code is publicly available.
1. Log into your administrator user.
2. Make sure the device image isn't mounted.
3. Open SuperMounter. Enter your password and select the device image
in the open box that appears. (Under 10.1 you may have to enter your
password twice.) Then enter the password for the device image. The
device image should mount on your desktop.
Alternatively:
If you would prefer not to use SuperMounter, you can perform the same
operation in the Terminal. Execute the following command:
sudo hdid /path/to/encrypted/image.dmg
Where /path/to/encrypted/image.dmg is the path to the
encrypted image. (You can drag the image file onto the terminal window
and this will be filled in for you)
hdid is the program which mounts device images.
Once you have mounted the device image, you can proceed to log out
of your administrator user and log into the encrypted user.
Technical Information:
Why the symbolic link (ln -s)?
The symbolic link serves a simple purpose: if you forget to mount the
device image before trying to log into the user, the system can get
confused. If you do not create the symbolic link, the system will
actually create a directory under the /Volumes/ directory and set up the
user's files there. Then, you will not be able to mount the image and
log into the user... the image will mount with a different name and you
will need to manually remove the user's files from the Volumes folder
(which is a pain)
With the symbolic link, the system sees the symbolic link even if the
disk isn't mounted, and refuses to destroy it. Instead, it will warn you
that the home directory of the user cannot be found in the usual place,
and you can simply log out, mount the image, and log in again.
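The failure mode just described (a login that runs before the image is mounted leaves a real directory where the link should be) is easy to check for before logging in. The following shell script is an added example, not code from the original page; it assumes a POSIX sh with either GNU or BSD stat, and takes the path of the "-1" link as its argument.

```shell
#!/bin/sh
# Added example (not from the original page): checks the state of the
# /Volumes/VOLUME-NAME-1 link described above before you attempt a login.
# Assumes a POSIX sh with either GNU or BSD stat (detected below).

# dev_of PATH: print the device number of PATH, with GNU or BSD stat.
dev_of() {
  if stat -c %d / >/dev/null 2>&1; then
    stat -c %d "$1"
  else
    stat -f %d "$1"
  fi
}

# is_mount_point DIR: true when DIR is the root of a mounted file system,
# i.e. it lives on a different device than its parent directory.
is_mount_point() {
  if [ "$1" = / ]; then
    return 0
  fi
  [ "$(dev_of "$1")" != "$(dev_of "$1/..")" ]
}

# check_home_link LINK: inspect the "-1" link the home directory points
# through.  Return codes:
#   0  link present and the encrypted volume is mounted behind it
#   1  a real directory sits where the link should be (the failure mode the
#      text describes: a login ran before the image was mounted)
#   2  link missing
#   3  link present but its target is not a mounted volume
check_home_link() {
  link="$1"
  if [ -L "$link" ]; then
    target=$(readlink "$link")
    case "$target" in
      /*) ;;                                    # absolute target
      *)  target="$(dirname "$link")/$target" ;; # relative, as ln -s NAME NAME-1 creates
    esac
    if [ -d "$target" ] && is_mount_point "$target"; then
      echo "ok: $link -> $target is mounted"
      return 0
    fi
    echo "not mounted: $target (mount the image, then log in)"
    return 3
  elif [ -d "$link" ]; then
    echo "stale directory at $link: rescue any files inside, then remove it"
    return 1
  else
    echo "missing: $link (recreate it with ln -s)"
    return 2
  fi
}

# Typical use on the Mac, with the example names from the text:
#   check_home_link /Volumes/disk-1
```

Run it from the administrator account after mounting the image; a return code of 0 means the encrypted user can log in, 1 means a stale directory has to be cleaned out of /Volumes first, and 3 means the image is not actually mounted behind the link.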
Why SuperMounter?
As previously mentioned, if you mount a device image, the system will
unmount it for you when you log out. I'm not sure if this is because all
your user processes are killed and thus the hdid process which is
created for the device image is killed, or if the Finder explicitly
unmounts all volumes you mounted. Either way, there has to be a
workaround...
My first attempts at this were to try to mount the disk at the logon
screen. That didn't work... I'm not sure why, but apparently the
WindowServer either isn't launched yet or isn't accepting connections,
even from root. I also tried to mount the image from the Console
(Logging in with >Console), which didn't work. Mounting the image at
startup failed as well.
My first thought was to mount the image as a regular user and then
make it be in use so that the system couldn't access it. To do this I
touched a temporary file on the disk and launched a tail -f process on
that file. The tail process was killed when I logged out. So I started
the tail process as root, and that worked. However, that was overly
complicated, as I later learned, and I reverted to simply mounting the
image as root, which works just as well.
SuperMounter is a very simple application which authenticates itself
via the Authentication Services, and then calls hdid.
What is hdid?
hdid (man 8 hdid) is the "HDI driver backing store service".
Supposedly it is not intended to be called directly but rather from a
utility like hdiutil or Disk Utility.app. It is actually the hdid
program which displays the prompt for the disk's password. Starting in
OS 10.2, you could specify the password on the command line via the -passphrase
option, but that is very insecure since other users can see the password
using ps or similar utilities.
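Two small pieces of shell that follow from the point above, added here as an example (not code from the original page): a scan of ps-style output that flags command lines carrying -passphrase without copying the secret into its own output, and a wrapper that hands the passphrase over on stdin instead of argv. The wrapper assumes an hdiutil that supports "attach -stdinpass" (present on later versions of Mac OS X, not the 10.2 hdid the text describes); the ps sample and the passphrase "hunter2" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). Two pieces: a scan of
# ps-style command lines for passphrases passed as arguments (the exposure
# described above), and a wrapper that hands the passphrase to hdiutil on
# stdin instead.  Assumes the installed hdiutil supports "attach -stdinpass"
# (later versions of Mac OS X; not the 10.2 hdid the text describes).

# Constructed sample of `ps -axo pid,args` output; "hunter2" is a made-up
# passphrase for the demonstration.
SAMPLE_PS='  PID COMMAND
  412 /usr/bin/hdid -passphrase hunter2 /Users/bob/secure.dmg
  415 /usr/bin/hdid /Users/alice/secure.dmg
  420 tail -f /Volumes/disk/lock'

# redact_passphrase_args: read process lines on stdin, print only those that
# carry "-passphrase VALUE" with the value replaced, so the finding can be
# logged without copying the secret.  Exit 0 if anything was found, 1 if not.
redact_passphrase_args() {
  awk '{
    hit = 0
    for (i = 1; i <= NF; i++)
      if ($i == "-passphrase" && i < NF) { $(i + 1) = "<redacted>"; hit = 1 }
    if (hit) { print; found = 1 }
  } END { exit found ? 0 : 1 }'
}

# prompt_passphrase: read the passphrase from the terminal without echo and
# emit it on stdout, so it travels through a pipe rather than argv.
prompt_passphrase() {
  printf 'Image passphrase: ' > /dev/tty
  stty -echo < /dev/tty
  IFS= read -r pass < /dev/tty
  stty echo < /dev/tty
  echo > /dev/tty
  printf '%s\n' "$pass"
}

# attach_image IMAGE: take one line on stdin and feed it, null-terminated as
# -stdinpass expects, to the attach command.  ATTACH_CMD can be overridden on
# hosts without hdiutil (used by the test harness only).
attach_image() {
  IFS= read -r pass || return 1
  printf '%s\0' "$pass" | ${ATTACH_CMD:-hdiutil attach -stdinpass} "$1"
}

# Typical use on the Mac:
#   prompt_passphrase | attach_image /path/to/encrypted/image.dmg
#   ps -axo pid,args | redact_passphrase_args
```

The scanner is the kind of check an administrator can run periodically or from a login script: it reports the PID and image path of any offending process while replacing the passphrase itself, so the report does not become a second copy of the secret.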
This is actually something that is covered in the new Mac OS X
Administration and Integration sysadmin technical training course from
Apple that will be going live in January. As the author of that section of
the course, let me give you a bare bones outline here.
1. Log in as the user whose files you want to secure.
2. Create an encrypted disk image using Disk Copy at the top level
of the user's home directory. When it asks for the disk image password, be
sure that the "remember password" option is checked -- this saves the disk
image's password on the user's default keychain.
3. Use ditto to copy over the following directories from the user's
home folder onto the encrypted disk image:
~/Desktop
~/Documents
~/Library/Mail
~/Application Support/Addresses
~/.ssh
These are the important ones; you can copy over other items as
well, but definitely don't do the entire ~/Library folder, and don't do
the ~/Library/Keychains or ~/Library/Preferences folders.
4. Set the disk image to automount on login by dragging it into the
Login Items preferences pane.
5. Use mv to shift the directories aside (e.g. mv ~/Documents ~/Documents.save)
and set up symlinks onto the disk image (e.g. ln -s
/Volumes/Secure/Documents ~/Documents).
6. Log out and log back in again. The disk image will be automounted
at login, using the password stored on the default keychain which also
unlocks on login. Everything should just work! :-D
7. Now for the housekeeping: delete the .save directories you
created earlier, and be sure to turn off automatic login in the Accounts
preferences pane.
Why do it this way instead of the way that Joshua Gitlin wrote up? First,
you don't need admin access to a machine to make it work. You may not have
admin access on a company machine, or as a sysadmin you may not want to
give admin access to most of your users.
Second, using Joshua's method, once the disk image is mounted it's open to
anyone who has admin access on that machine, whether or not you are logged
in at the console. By using an automounted image with the password stored
on the keychain everything is secure until you actually log in, and
everything is secured once you log out.
Third, this way is a lot more convenient. If you make security too
inconvenient, users will circumvent it. Instead of two logins, you only
have to do one. Technically unsophisticated users (secretaries, lawyers,
vice-presidents, etc.) don't need to do anything different.
Go to Apple Training [apple.com] and sign up for a course or two. They're
well worth the money and help me keep my job. :-D
--Paul
psuh at apple dot com
Curriculum Developer
Technical Training and Certification
Apple Computer
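The copy-then-relocate step that both write-ups describe (Joshua's ditto followed by rm -rf of the original home, and Paul's ditto of selected folders followed by mv and ln -s) is the point where a slip destroys the only plaintext copy. The script below is an added example, not code from Joshua or from Paul; it assumes the encrypted image is already attached at the mount point you pass as VOLUME, uses ditto -rsrcFork where ditto exists (as in the text) and a cp fallback elsewhere, and refuses to remove anything until the copy has been verified.

```shell
#!/bin/sh
# Added example (not code from Joshua or from Paul): the copy-then-relocate
# step both write-ups describe, with the checks a careful operator wants
# before the plaintext copy is removed.  Assumes the encrypted image is
# already attached at VOLUME.  On a Mac the copy uses ditto -rsrcFork as in
# the text; the cp fallback exists so the script also runs elsewhere (it does
# not preserve resource forks).

# copy_tree SRC DST: copy the contents of SRC into DST (created if needed).
copy_tree() {
  if command -v ditto >/dev/null 2>&1; then
    ditto -rsrcFork "$1" "$2"
  else
    mkdir -p "$2" && cp -Rp "$1"/. "$2"/
  fi
}

# count_files DIR: number of regular files under DIR, used to verify the copy.
count_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# relocate_dir SRC VOLUME MODE
#   SRC     directory to protect, e.g. /Users/bob/Documents
#   VOLUME  mount point of the attached encrypted image, e.g. /Volumes/Secure
#   MODE    link  - Paul's way: move SRC aside to SRC.save, symlink SRC to the copy
#           move  - Joshua's way: delete SRC once the copy is verified
relocate_dir() {
  src="$1"; volume="$2"; mode="$3"
  dst="$volume/$(basename "$src")"
  if [ ! -d "$src" ]; then
    echo "no such directory: $src" >&2; return 1
  fi
  if [ ! -d "$volume" ]; then
    echo "volume not mounted: $volume" >&2; return 1
  fi
  if [ -e "$dst" ]; then
    echo "refusing to overwrite existing $dst" >&2; return 1
  fi
  copy_tree "$src" "$dst" || return 1
  # Never destroy the original until the copy is known to be complete.
  if [ "$(count_files "$src")" != "$(count_files "$dst")" ]; then
    echo "copy incomplete, leaving $src in place" >&2; return 1
  fi
  case "$mode" in
    link) mv "$src" "$src.save" && ln -s "$dst" "$src" ;;
    move) rm -rf "$src" ;;
    *)    echo "mode must be link or move" >&2; return 1 ;;
  esac
}

# Example in Paul's layout:   relocate_dir ~/Documents /Volumes/Secure link
# Example in Joshua's layout: relocate_dir /Users/bob /Volumes/disk move
```

In link mode the .save copy is deliberately left behind, matching Paul's step 7: delete it yourself once you have logged in and confirmed the symlinked folder behaves as expected.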
This document is a work in progress. Please bear with me as I update it.
If you have comments, suggestions, or questions, please feel free to email
me at josh (at) gitlinfamily (dot) com.
Thanks to Andrew for pointing out the correction that I meant "Disk Copy"
instead of "Disk Utility".
Thanks to the slashdot people for pointing out that I should have used the
ditto utility instead of cp -R.