Help with passwords

I will be traveling outside the US shortly, and I would like to password protect individual folders on my laptop Mac. Any suggestions will be most appreciated!

Move them to an encrypted .dmg, remove them to an encrypted USB stick and don’t put the password for either in the keychain. Alternatively, shut down the machine whenever it’s not being used and if FileVault is set they’re basically inaccessible as long as you have auto login turned off.

I’m sure there are more options…but without better info on what and why those are a few off the top of my head. For either of the first two options, delete them from your drive after copying. That won’t completely eliminate them from being found…but unless you’re a high value target the government there wants to get it’s probably good enough.

If you really need to be safe…reformat the drive, setup FileVault, and install only the apps and data you need and set UTO login off, and if you’re really paranoid set the login keychain password different from the login password.

It all depends on how secure you want the lock on the folders to be.

5 Likes

I concur with @neil1.

For basic security (e.g. worried about if it’s stolen from a hotel room), then you should:

  • Make sure File Vault is enabled.
    • Be sure to keep the recovery key off-line. Print it and store it in a file cabinet somewhere. Or store it on another computer that you don’t travel with. So if someone steals the computer, they won’t be able to decrypt the drive.
  • Shutdown (don’t just close the lid or put it to sleep) when you’re not using it.

This will mean that someone without a valid login password won’t be able to access anything.

If you use it in public (e.g. in a cafe’) don’t let it out of your sight. At all. Since you can’t practically shutdown every time you look away.

If this isn’t practical, then as @neil1 said: Move everything sensitive into an encrypted disk image and delete/empty trash the originals. Or move them to another device that you leave at home.

FWIW, I don’t keep sensitive information on my laptop - I have a desktop system at home for all that. The few things I do need to take with me (e.g. financial spreadsheets that I update every evening), I put in an encrypted disk image file, which I unmount whenever I’m not actively using it.

My employer’s laptop (for another reference point) is a Windows system. The storage is encrypted with Bitlocker, and the system is configured to lock the screen after about 30 minutes of idle time. We are strongly encouraged to shutdown between sessions when traveling, which I do. (The IT department retains a copy of the recovery key, in case something catastrophic happens that prevents me from accessing the storage.)

If you have a need for more security than this, then you should probably consult a professional.

See also (for quite a lot of good and detailed information):

6 Likes

How important is to shutdown the computer when FileVault is on? If it is in sleep mode, I have read that the encryption key is in the RAM but it is still encrypted with the login password. If that’s correct, wouldn’t having a strong user password make the data as safe as if the computer was shutdown?

1 Like

If the computer is asleep, the key is in memory (or at least in the T2 chip’s internal memory). It has to be otherwise macOS itself wouldn’t be able to access its own system files.

When the system is shut down, the key is protected in a way that can only be accessed via password (either a dedicated FileVault password or by logging in to an account authorized to unlock the volume). I’m not sure how it is protected, but I assume there’s some kind of encryption involved.

But in general, once macOS boots up, whether or not you put it to sleep, the volume is unlocked. So any software running on it can have file system access. Someone able to inject malware (USB stick, maybe?) will not be affected by File Vault. But if you shutdown, then none of that will be able to do anything until you unlock the volume (e.g. by logging in to an account authorized to unlock the system volume).

4 Likes

Thank you, David, for your explanations. Would it be correct to assume that, even though the volume is unlocked, it would still require a sophisticated attacker to access the file system (bypassing the need for the login password)? That is, someone using an unknown exploit?

1 Like

Most attacks don’t require the attacker to know a login password. They tend to use either use zero-day exploits that get them elevated privileges on your system or trick you into providing elevated privilege credentials through social engineering to install their malware. The attacker doesn’t need to be very sophisticated to do either of these.

1 Like

If you’re worried about someone just sitting down and typing in a password, sure. But those kinds of attacks are few and far between. And if someone has done the research necessary to make it possible, then File Vault won’t do a thing.

Far more attacks exploit bugs in system/application software. And they don’t necessarily require anyone to be logged on. Some possible exploits may include:

  • Buffer overrun on a network protocol (attack via compromised router)
  • USB HID device (e.g. keystroke logger via a USB device disguised as a flash drive)
  • Thunderbolt protocol explot (e.g. Thunderspy).

But these won’t work against a File Vault-protected Mac that is powered off, because there is no usable file system and no usable operating system until the drive is unlocked by the first login.

How likely is such a thing? Hard to say, but not insignificant. Nobody is going to send a hacker team to attack your computer unless you’re a high-value target. But exploit devices are often sold by the people who invent them. A petty thief with a little bit of knowledge may be perfectly able to buy and use one, even if he doesn’t understand what it’s actually doing.

3 Likes

Thanks so much to everyone for their very helpful comments. But since my MacBook requires a password to log in, I’m not sure I understand why I also need to turn on FileVault. Doesn’t the password login prevent anyone from starting the computer and accessing my files?

I guess I’m thinking of a scenario where somebody snatches my laptop while it’s running, after I’ve logged in. Does FileVault protect me against that risk?

My understanding is that FileVault encrypts your entire HD. When your computer is shut down, it’s completely encrypted. But when you start up, you enter the FileVault password and that allows on-the-fly decryption for as long as the computer is powered on (it won’t even boot up without the FileVault password to allow decryption of the System Folder). Once it’s booted up, you still need your account password to log into your account. So the answer to your question as far as I understand it is… No, FileVault doesn’t protect against that risk.

1 Like

Not completely. Someone could boot your Mac from another device (e.g. a bootable USB drive). Or they could power it on to target-disk mode and access it from another Mac. Or if your Mac is an older model that has removable storage and no T2 chip, someone could remove the SSD and install it in a USB enclosure.

Without File Vault, everything would be accessible. With File Vault, the would-be attacker would still need a valid password or your recovery key in any of these scenarios.

If the attacker doesn’t shut-down the system, then the storage device will remain unlocked, whether or not you’re logged in at the time. If he shuts down (or if the battery runs out before he can put it on a charger), then he’ll need File Vault credentials to unlock it again.

Correct. With FV running, the system will power-on to a “pre-boot” environment. This looks very similar to the normal Mac login screen, but it isn’t - macOS isn’t actually running at this point, and the rest of the file system is encrypted.

When you provide a File Vault password or attempt to log-in using an account authorized to unlock File Vault, then the credentials you provide will let the pre-boot environment access the File Vault encryption credentials, so it (or the T2 chip or the Apple Silicon SSD controller) can access the encrypted storage. It will then boot macOS from the now-unlocked drive. If you unlocked the drive via an authorized login, it will boot straight to that user’s desktop. If you used a non-user FV password (or recovery key), then it will (I think) boot to the system’s login screen.

Either way, once the volume is unlocked, it is accessible by any software running on the computer. Even if you lock the screen, log out or put the computer to sleep, it remains unlocked. The only way to “re-lock” it is to shutdown the system.

Depending on how you unlocked the drive. You can configure File Vault so certain users are authorized to unlock the drive. You can log-in to any of these accounts via the pre-boot screen and it won’t ask you to log-in again after the real system boots up. But if you want to use a different account, then you can use a File Vault password to unlock the drive, and then log in after the system boots.

4 Likes

Thank you all for your contributions and especially David for so many details. Now I also understand the full extent of your comment about “not keeping sensitive information on my laptop”.

In addition to taking this into account when traveling, I certainly don’t shutdown my laptop whenever I leave home. So although a burglary is (hopefully!) not very likely and I had always thought that using FileVault I was covered, now I realize that perhaps I should use encrypted disk images for the very sensitive folders (digital certificates, financial files…) as suggested by Neil. Time for experimenting a bit!

1 Like

My old employer (been retired over five years now) required a series of signatures reaching very high up in the organization to get permission to take a laptop owned by them out of the country — and strictly forbade taking any organization-owned device to any country on the US government’s “not friends” list. The assumption in the latter case was that one way or another, such devices would be compromised in those countries. For travel to those countries, it was suggested that the traveler buy a burner laptop on their own nickel — and dump it in the trash at the airport before leaving the country.

2 Likes

One time I had to make a presentation in a “not friends” country. (The program manager who would normally have gone had a conflict.) After a celebratory dinner that evening, I could not get back into my hotel room because of a “security check”. I was told I had left my door unlocked. (NOT likely!) After half an hour, they let me go to my room. Fortunately I didn’t have anything sensitive to worry about.

I can’t even remember if I had a laptop with me. Now that I think about it, those days pre-dated laptops. We would have had hard-copy presentation booklets!

2 Likes

You didn’t mention where you were going and who you wanted to protect your information from. In many countries, the authorities will make you login and decrypt things for their examination. The only protection here is to not have the information in the first place.

4 Likes

Okay…here is what I recommend. It’s dead easy, fast, and free.

You can instantly encrypt and password protect files or folders with:

Encrypto (free)
https://macpaw.com/encrypto
(Instantly encrypt and password protect your files or folders just by dragging them onto Encrypto’s icon. Decrypt them with a double-click and enter the password. Not even the FBI can break this encryption. There is also a free version of this product for Windows, so encrypted files can be shared across platforms!)

HOWEVER, if you are looking to hide files or folders from snooping customs agents, they have been known to insist on your password if they see encrypted files on your computer. So, I also recommend:

Hide Folders (free/$30)
https://www.altomac.com
(Instantly make a folder full of files invisible, including encrypted files. If your encrypted files are invisible, they won’t draw any unwanted attention.)

Easy peasy!

2 Likes

Is it possible for the ordinary user to hide and unhide folders without using a specialized app? Ideally, there would be checkbox in the Get Info window (I didn’t see one, and if it’s there, how would the ordinary user would get the Get Info window for a hidden folder?) or a terminal command.

Whether the folder is hidden by the ordinary user or by Hide Folders or other specialized app, would an entry in Apple Menu > Recent Items succeed in opening a file in the hidden folder? Would an alias succeed in opening a file in the hidden folder?

1 Like

There are terminal commands.
You can make a Folder in Finder hidden by putting a . in front of the name.
Or by chflags hidden <Name of folder>.
The open <Name of folder> command in Terminal will open the hidden folder and show its content.
The files will dissapear from Recents.
An alias will still work.
And the clever customs agent can find the hidden folders by using the Terminal command ls -la.

2 Likes

I was going to suggest Encrypto as well, but you beat me to it!
Another way to hide information in plain sight is to use steganography, with an app such as Outguess. A JPG in your Photos folder can hold some passwords and shows no sign of being anything other than a photo.

2 Likes

Although the meaning is implicit by the context, here is more information from the Wikipedia article on steganography for those who are as curious or ignorant as I.

Steganography (/ˌstɛɡəˈnɒɡrəfi/ ⓘ STEG-ə-NOG-rə-fee) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection.

1 Like