I will be traveling outside the US shortly, and I would like to password protect individual folders on my laptop Mac. Any suggestions will be most appreciated!
Move them to an encrypted .dmg, remove them to an encrypted USB stick and donât put the password for either in the keychain. Alternatively, shut down the machine whenever itâs not being used and if FileVault is set theyâre basically inaccessible as long as you have auto login turned off.
Iâm sure there are more optionsâŚbut without better info on what and why those are a few off the top of my head. For either of the first two options, delete them from your drive after copying. That wonât completely eliminate them from being foundâŚbut unless youâre a high value target the government there wants to get itâs probably good enough.
If you really need to be safeâŚreformat the drive, setup FileVault, and install only the apps and data you need and set UTO login off, and if youâre really paranoid set the login keychain password different from the login password.
It all depends on how secure you want the lock on the folders to be.
I concur with @neil1.
For basic security (e.g. worried about if itâs stolen from a hotel room), then you should:
- Make sure File Vault is enabled.
- Be sure to keep the recovery key off-line. Print it and store it in a file cabinet somewhere. Or store it on another computer that you donât travel with. So if someone steals the computer, they wonât be able to decrypt the drive.
- Shutdown (donât just close the lid or put it to sleep) when youâre not using it.
This will mean that someone without a valid login password wonât be able to access anything.
If you use it in public (e.g. in a cafeâ) donât let it out of your sight. At all. Since you canât practically shutdown every time you look away.
If this isnât practical, then as @neil1 said: Move everything sensitive into an encrypted disk image and delete/empty trash the originals. Or move them to another device that you leave at home.
FWIW, I donât keep sensitive information on my laptop - I have a desktop system at home for all that. The few things I do need to take with me (e.g. financial spreadsheets that I update every evening), I put in an encrypted disk image file, which I unmount whenever Iâm not actively using it.
My employerâs laptop (for another reference point) is a Windows system. The storage is encrypted with Bitlocker, and the system is configured to lock the screen after about 30 minutes of idle time. We are strongly encouraged to shutdown between sessions when traveling, which I do. (The IT department retains a copy of the recovery key, in case something catastrophic happens that prevents me from accessing the storage.)
If you have a need for more security than this, then you should probably consult a professional.
See also (for quite a lot of good and detailed information):
- Apple Platform Security - Apple Support
- macOS-Security-and-Privacy-Guide | Guide to securing and improving privacy on macOS
- NIST SP 800-219 Rev. 1: Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)
- NIST: macOS Security Compliance Project. An implementation of SP 800-219.
How important is to shutdown the computer when FileVault is on? If it is in sleep mode, I have read that the encryption key is in the RAM but it is still encrypted with the login password. If thatâs correct, wouldnât having a strong user password make the data as safe as if the computer was shutdown?
If the computer is asleep, the key is in memory (or at least in the T2 chipâs internal memory). It has to be otherwise macOS itself wouldnât be able to access its own system files.
When the system is shut down, the key is protected in a way that can only be accessed via password (either a dedicated FileVault password or by logging in to an account authorized to unlock the volume). Iâm not sure how it is protected, but I assume thereâs some kind of encryption involved.
But in general, once macOS boots up, whether or not you put it to sleep, the volume is unlocked. So any software running on it can have file system access. Someone able to inject malware (USB stick, maybe?) will not be affected by File Vault. But if you shutdown, then none of that will be able to do anything until you unlock the volume (e.g. by logging in to an account authorized to unlock the system volume).
Thank you, David, for your explanations. Would it be correct to assume that, even though the volume is unlocked, it would still require a sophisticated attacker to access the file system (bypassing the need for the login password)? That is, someone using an unknown exploit?
Most attacks donât require the attacker to know a login password. They tend to use either use zero-day exploits that get them elevated privileges on your system or trick you into providing elevated privilege credentials through social engineering to install their malware. The attacker doesnât need to be very sophisticated to do either of these.
If youâre worried about someone just sitting down and typing in a password, sure. But those kinds of attacks are few and far between. And if someone has done the research necessary to make it possible, then File Vault wonât do a thing.
Far more attacks exploit bugs in system/application software. And they donât necessarily require anyone to be logged on. Some possible exploits may include:
- Buffer overrun on a network protocol (attack via compromised router)
- USB HID device (e.g. keystroke logger via a USB device disguised as a flash drive)
- Thunderbolt protocol explot (e.g. Thunderspy).
But these wonât work against a File Vault-protected Mac that is powered off, because there is no usable file system and no usable operating system until the drive is unlocked by the first login.
How likely is such a thing? Hard to say, but not insignificant. Nobody is going to send a hacker team to attack your computer unless youâre a high-value target. But exploit devices are often sold by the people who invent them. A petty thief with a little bit of knowledge may be perfectly able to buy and use one, even if he doesnât understand what itâs actually doing.
Thanks so much to everyone for their very helpful comments. But since my MacBook requires a password to log in, Iâm not sure I understand why I also need to turn on FileVault. Doesnât the password login prevent anyone from starting the computer and accessing my files?
I guess Iâm thinking of a scenario where somebody snatches my laptop while itâs running, after Iâve logged in. Does FileVault protect me against that risk?
My understanding is that FileVault encrypts your entire HD. When your computer is shut down, itâs completely encrypted. But when you start up, you enter the FileVault password and that allows on-the-fly decryption for as long as the computer is powered on (it wonât even boot up without the FileVault password to allow decryption of the System Folder). Once itâs booted up, you still need your account password to log into your account. So the answer to your question as far as I understand it is⌠No, FileVault doesnât protect against that risk.
Not completely. Someone could boot your Mac from another device (e.g. a bootable USB drive). Or they could power it on to target-disk mode and access it from another Mac. Or if your Mac is an older model that has removable storage and no T2 chip, someone could remove the SSD and install it in a USB enclosure.
Without File Vault, everything would be accessible. With File Vault, the would-be attacker would still need a valid password or your recovery key in any of these scenarios.
If the attacker doesnât shut-down the system, then the storage device will remain unlocked, whether or not youâre logged in at the time. If he shuts down (or if the battery runs out before he can put it on a charger), then heâll need File Vault credentials to unlock it again.
Correct. With FV running, the system will power-on to a âpre-bootâ environment. This looks very similar to the normal Mac login screen, but it isnât - macOS isnât actually running at this point, and the rest of the file system is encrypted.
When you provide a File Vault password or attempt to log-in using an account authorized to unlock File Vault, then the credentials you provide will let the pre-boot environment access the File Vault encryption credentials, so it (or the T2 chip or the Apple Silicon SSD controller) can access the encrypted storage. It will then boot macOS from the now-unlocked drive. If you unlocked the drive via an authorized login, it will boot straight to that userâs desktop. If you used a non-user FV password (or recovery key), then it will (I think) boot to the systemâs login screen.
Either way, once the volume is unlocked, it is accessible by any software running on the computer. Even if you lock the screen, log out or put the computer to sleep, it remains unlocked. The only way to âre-lockâ it is to shutdown the system.
Depending on how you unlocked the drive. You can configure File Vault so certain users are authorized to unlock the drive. You can log-in to any of these accounts via the pre-boot screen and it wonât ask you to log-in again after the real system boots up. But if you want to use a different account, then you can use a File Vault password to unlock the drive, and then log in after the system boots.
Thank you all for your contributions and especially David for so many details. Now I also understand the full extent of your comment about ânot keeping sensitive information on my laptopâ.
In addition to taking this into account when traveling, I certainly donât shutdown my laptop whenever I leave home. So although a burglary is (hopefully!) not very likely and I had always thought that using FileVault I was covered, now I realize that perhaps I should use encrypted disk images for the very sensitive folders (digital certificates, financial filesâŚ) as suggested by Neil. Time for experimenting a bit!
My old employer (been retired over five years now) required a series of signatures reaching very high up in the organization to get permission to take a laptop owned by them out of the country â and strictly forbade taking any organization-owned device to any country on the US governmentâs ânot friendsâ list. The assumption in the latter case was that one way or another, such devices would be compromised in those countries. For travel to those countries, it was suggested that the traveler buy a burner laptop on their own nickel â and dump it in the trash at the airport before leaving the country.
One time I had to make a presentation in a ânot friendsâ country. (The program manager who would normally have gone had a conflict.) After a celebratory dinner that evening, I could not get back into my hotel room because of a âsecurity checkâ. I was told I had left my door unlocked. (NOT likely!) After half an hour, they let me go to my room. Fortunately I didnât have anything sensitive to worry about.
I canât even remember if I had a laptop with me. Now that I think about it, those days pre-dated laptops. We would have had hard-copy presentation booklets!
You didnât mention where you were going and who you wanted to protect your information from. In many countries, the authorities will make you login and decrypt things for their examination. The only protection here is to not have the information in the first place.
OkayâŚhere is what I recommend. Itâs dead easy, fast, and free.
You can instantly encrypt and password protect files or folders with:
Encrypto (free)
https://macpaw.com/encrypto
(Instantly encrypt and password protect your files or folders just by dragging them onto Encryptoâs icon. Decrypt them with a double-click and enter the password. Not even the FBI can break this encryption. There is also a free version of this product for Windows, so encrypted files can be shared across platforms!)
HOWEVER, if you are looking to hide files or folders from snooping customs agents, they have been known to insist on your password if they see encrypted files on your computer. So, I also recommend:
Hide Folders (free/$30)
https://www.altomac.com
(Instantly make a folder full of files invisible, including encrypted files. If your encrypted files are invisible, they wonât draw any unwanted attention.)
Easy peasy!
Is it possible for the ordinary user to hide and unhide folders without using a specialized app? Ideally, there would be checkbox in the Get Info window (I didnât see one, and if itâs there, how would the ordinary user would get the Get Info window for a hidden folder?) or a terminal command.
Whether the folder is hidden by the ordinary user or by Hide Folders or other specialized app, would an entry in Apple Menu > Recent Items succeed in opening a file in the hidden folder? Would an alias succeed in opening a file in the hidden folder?
There are terminal commands.
You can make a Folder in Finder hidden by putting a . in front of the name.
Or by chflags hidden <Name of folder>
.
The open <Name of folder>
command in Terminal will open the hidden folder and show its content.
The files will dissapear from Recents.
An alias will still work.
And the clever customs agent can find the hidden folders by using the Terminal command ls -la
.
I was going to suggest Encrypto as well, but you beat me to it!
Another way to hide information in plain sight is to use steganography, with an app such as Outguess. A JPG in your Photos folder can hold some passwords and shows no sign of being anything other than a photo.
Although the meaning is implicit by the context, here is more information from the Wikipedia article on steganography for those who are as curious or ignorant as I.
Steganography (/ËstÉÉĄÉËnÉÉĄrÉfi/ â STEG-É-NOG-rÉ-fee) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection.