Sunday, July 18, 2010

Mac OS X laptop and TimeMachine whole disk encryption with successful restore

At some point, if you work with sensitive information, you realize it's time to get serious about protecting the data from theft.

I'll assume you already have a firewall in place, surf the web safely and keep your software up to date. That reduces the risk of the data being accessed while you are using the computer. But MacBook Pro laptops are portable and valuable, and TimeMachine backup drives are also portable and valuable, so there is a real risk that one of them is physically stolen, and your sensitive data with it.

The solution has several parts. First, make sure your machine asks for a password when it wakes from sleep or leaves the screensaver, and that it goes to sleep or starts the screensaver quickly when left unattended. This makes sure that someone can't just open the lid or move the mouse and get at your data.

If they reboot the machine instead, the second part is to make sure you don't have auto-login enabled, so they'll have to enter a password to log in after the reboot.
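The first two parts can be checked and set from the command line. The script below is an added example of mine, not code from the post or from PGP: it audits, and with `apply` sets, the screen-lock and auto-login settings on a Mac OS X 10.5/10.6 machine. The `defaults` domains and keys it uses (`com.apple.screensaver` with `askForPassword`, `askForPasswordDelay` and the per-host `idleTime`; `autoLoginUser` in `/Library/Preferences/com.apple.loginwindow`) and the `/etc/kcpassword` file that holds the obfuscated auto-login password are the real ones from that era. The thresholds (screensaver within 5 minutes, password required within 5 seconds) and the file name `locklaptop.sh` are my assumptions.

```shell
#!/bin/sh
# locklaptop.sh - audit (and optionally apply) the screen-lock and auto-login
# settings from parts one and two above, for Mac OS X 10.5/10.6.
# Added example, not code from the post. Thresholds are assumptions.
MAX_IDLE=300        # screensaver must start within 5 minutes (seconds)
MAX_GRACE=5         # password must be demanded within 5 s of locking (seconds)

# Print a defaults key, or nothing if it is unset (defaults exits 1 then).
read_default() {    # read_default <domain-or-plist> <key> [-currentHost]
    if [ "${3:-}" = "-currentHost" ]; then
        defaults -currentHost read "$1" "$2" 2>/dev/null || true
    else
        defaults read "$1" "$2" 2>/dev/null || true
    fi
}

# Pure policy check over the four values, so it can be tested off a Mac.
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_lock_policy() {   # <askForPassword> <askForPasswordDelay> <idleTime> <autoLoginUser>
    ask=$1; grace=$2; idle=$3; autologin=$4; rc=0
    [ "$ask" = "1" ] \
        || { echo "FAIL: screensaver/sleep does not ask for a password"; rc=1; }
    { [ -n "$grace" ] && [ "$grace" -le "$MAX_GRACE" ]; } 2>/dev/null \
        || { echo "FAIL: password grace period missing or longer than ${MAX_GRACE}s"; rc=1; }
    { [ -n "$idle" ] && [ "$idle" -gt 0 ] && [ "$idle" -le "$MAX_IDLE" ]; } 2>/dev/null \
        || { echo "FAIL: screensaver disabled or idle time longer than ${MAX_IDLE}s"; rc=1; }
    [ -z "$autologin" ] \
        || { echo "FAIL: auto-login is enabled for user '$autologin'"; rc=1; }
    return $rc
}

# Read the live settings and check them against the policy.
audit_lock_settings() {
    check_lock_policy \
        "$(read_default com.apple.screensaver askForPassword)" \
        "$(read_default com.apple.screensaver askForPasswordDelay)" \
        "$(read_default com.apple.screensaver idleTime -currentHost)" \
        "$(read_default /Library/Preferences/com.apple.loginwindow autoLoginUser)"
}

# Write the hardened settings. The loginwindow plist and /etc/kcpassword
# (the stored auto-login password) are root-owned, hence sudo.
apply_lock_settings() {
    defaults write com.apple.screensaver askForPassword -int 1
    defaults write com.apple.screensaver askForPasswordDelay -int 0
    defaults -currentHost write com.apple.screensaver idleTime -int "$MAX_IDLE"
    sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
    sudo rm -f /etc/kcpassword
}

case "${1:-}" in
    audit) audit_lock_settings ;;
    apply) apply_lock_settings && audit_lock_settings ;;
    *)     : ;;   # no argument: only define the functions
esac
```

`sh locklaptop.sh audit` lists every failing check and exits 1 if there is one; `sh locklaptop.sh apply` writes the values (sudo prompts for the login-window items) and then re-audits. The third part, the disk encryption itself, is a PGP WDE install and is not scripted here.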

You are mostly safe at this point, but did you know that the Mac OS X install DVD includes a Reset Password utility that lets you reset any local account password, root included, if you boot from the DVD? It does, and it is quite useful really - I've needed to use it - but it means the login password isn't worth much against a thief with physical access: boot from the DVD, reset the password, log in, read the data. (The DVD isn't even necessary; the drive can be pulled out and mounted on another machine, or the Mac booted in Target Disk Mode, and the files read directly.)

The last part of the solution handles this by using encryption, so that your data is inaccessible even to someone with physical access to the machine. The goal is to have the whole disk encrypted, with a pre-boot password required to decrypt it before the OS can even start, so that none of the tricks above find anything readable. I use PGP Whole Disk Encryption ("PGP WDE") for this purpose - it is commercial software but doesn't cost much compared to exposing the sensitive data, and it is easy to use.

Assuming you have installed PGP WDE and have your laptop hard drive encrypted at this point, you are mostly secure, but what about your TimeMachine backups? That little external drive next to your computer still holds a copy of all your sensitive data, and it is not encrypted - you have moved the problem around but not solved it completely yet.

The next step, then, is to use PGP WDE on the TimeMachine drive so it is encrypted as well. Now your data is fully protected, but you have a new problem: if your laptop dies for some reason and you need to restore from the TimeMachine drive, you can't. The Mac OS X install DVD you would boot to do the restore has no PGP WDE on it, so it can't read the encrypted TimeMachine drive to restore from it!

Luckily, this is a solved problem. In a nutshell, you re-partition the TimeMachine drive and put a Mac OS X install on one partition to use as a rescue system, with PGP WDE installed on it so that it, unlike the DVD, can unlock the encrypted backup partition, and you keep a copy of the Mac OS X install DVD on that rescue install. Point TimeMachine at the second partition of the drive, and by following these excellent instructions you have a tested and working self-contained encrypted backup of your laptop with all the tools you need to restore your computer if you have problems. Do the test restore before you need it; a backup you have never restored from is only a hope.