Encrypting a User's Home Directory Under Mac OS X
jnetsurfer writes "A friend of mine challenged me to see if I could place a user's home directory on a device image (DMG) under Mac OS X. Well, I decided to post my solution to the problem on the web and here, in case anyone is interested. This can be useful if you want to encrypt a user's home directory, or if you wanted to limit a user's home directory to a certain size."
This brings up a point. A friend of mine has been researching a way for an entire operating system (a widely used one like MacOS or Microsoft Windows) to use, exploit, and be fully functional on top of a completely encrypted file system. Or, for a file system such as NTFS or HFS+ to reside as a sub-file system, being contained within an encrypted file system, with which if you enter the system with the correct password (or biometrics or card key or combination) you'll enter the system, and the OS which resides on the system doesn't even notice the underlying encrypted-FS and only sees the contained NTFS/HFS+/etc... Is this possible? If so, how?
Unique.
Maybe I am missing something, but I don't see a point in doing this. As the hint is described, it is apparent the image is mounted permanently, even after the users log out. It is mounted by root.
I don't see how this can make things more secure - since anybody with proper permissions can access the contents of the mounted image via the mount point just as well as when the data was in /Users.
It would make some sense if the image would be mounted only at login (and unmounted at logout), but this is not possible with this hint either. Off the top of my head, I can't think of a way to do this.
The LoginHook is run as root and is passed the user name as $1. We use it to create dynamic AFS mounts on login now, so I don't see why it would work in this case.
Since you're putting the password in the keychain, and most user passwords are the same as their keychain passwords, doesn't this present a potential weak point? (I've often read not to put AES-128-encrypted .dmg passwords into the Keychain) How secure is the password database in MacOS X?
Can't you see that everyone is buying station wagons?