Tuesday, February 12

Do you carry sensitive data on your laptop?

Do you carry sensitive or confidential data on your laptop on a daily basis? Have you ever thought about what would happen if it were stolen?

Beyond the obvious loss of the laptop itself, it's the data loss that matters. Because I usually carry source code and other information that is supposed to be confidential on my laptop, I use Mac OS X's FileVault to keep the contents of my home folder encrypted. In the words of Apple's marketing department:
"FileVault secures your home directory by encrypting its entire contents using the Advanced Encryption Standard with 128-bit keys. This high-performance algorithm automatically encrypts and decrypts in real time, so you don’t even know it’s happening."
Although FileVault uses 3DES (effective 112-bit), AES-128, and RSA-1024, it has some limitations. Firstly, it is vulnerable to dictionary attacks. But you are probably using a 'secure' password, aren't you? Secondly, some proof-of-concept FileVault attacks have been developed by hackers, although certain special conditions must be met and it would be very rare for a thief to have enough knowledge to use them on your laptop.

If you want to know more about the internals of FileVault and how good it is from a security standpoint, be sure to check the following resources:

Unlocking FileVault: An analysis of Apple's disk encryption system
http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

Secure Your Mac workshop at METALAB
http://metalab.at/wiki/SYMWorkshop

2 comments:

Pogacha said...

This is quite interesting.
I wonder if the data is in a shared space where two different OSes should have access, let's say Windows and Mac OS X on a Mac-Intel.
I imagine there isn't any way to make it work.
It would be pretty good to have a solution like this one in a system-independent way.

Julio Gorgé said...

That's not actually possible, because OS X is installed on an HFS+ partition which Windows can't read. You'd need to write an HFS+ partition plugin for Windows and then reverse engineer the FileVault encryption scheme... which is not impossible, but just too messy ; )