I've had a need to create an encrypted volume on my Mac for the company source code. The requirements are not terribly stringent: if someone can log into the machine as me, they win, but otherwise, they should lose. With that set of requirements, you can make it so that the disk is automatically mounted at login.

+3  A: 

Follow these steps:

  1. Open Disk Utility and click the 'New Image' button. You want to make a new GUID-partition-map-based, case-insensitive, journaled HFS sparse image with 128-bit AES encryption. Tell it you want a 10 GB image (should be plenty). Give it a name and save it in your home directory. Give it whatever password you want and tell it to store that password in the keychain.
  2. Open System Preferences, Accounts, then select Login Items and add an entry to open the disk image at login: just drag the disk image to the login items list. Since you saved the disk image's password in the keychain, it won't ask you before it mounts it. That is by design.

No one else can open the keychain without your login credentials (by default the login keychain has the same password as your account). No one else can mount the volume without breaking either your account, keychain or the password on the volume.

If someone steals your machine and changes the password using a Mac OS X install DVD you are still protected since the keychain password will not be changed and the disk will no longer auto-mount.

This technique doesn't make your account any more secure, but it protects the contents of the encrypted volume from techniques that bypass account credentials to get at the disk - such as removing the disk (or booting in target mode) and mounting it as an external drive on some other machine, booting single-user, or whatnot.

erickson
So, this is a bit harsh. I originally wrote that answer and had it as part of the question. I don't *think* that erickson's intent is to steal credit for the answer, but that's naively what it looks like.
nsayer
Not at all. It was just extremely jarring to see a "question" with the answer right in the question. As far as I'm concerned, the only "credit" on SO is rep score, but this is a community wiki, so I'm not getting any. However, if you'd like to copy your answer into one with your name on it, I'll delete this one.
erickson
Ok. I figured that was likely what was going on (which is why I said I didn't think you were doing that). I was similarly unclear about the rep score implications behind it being community wiki (my only intent was to share the technique and perhaps gather additional input from everyone). So it's all good.
nsayer
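The same setup done from the shell, as an added example that is not part of the answer above: hdiutil creates the sparse, GPT-layout, journaled HFS+ image with AES-128, the passphrase is kept in the login keychain (as a generic keychain item of our own rather than the "disk image password" item Disk Utility writes), hdiutil reads it over stdin so it never appears on a command line, and a per-user LaunchAgent mounts the image at login in place of a Login Items entry. The names IMAGE_PATH, VOLUME_NAME, KEYCHAIN_SERVICE and AGENT_LABEL are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original answer): encrypted sparse image that
# auto-mounts at login, built with hdiutil, security(1) and launchd.
# Assumed, overridable names; adjust to taste.
set -eu

IMAGE_PATH="${IMAGE_PATH:-$HOME/SourceCode.sparseimage}"
VOLUME_NAME="${VOLUME_NAME:-SourceCode}"
IMAGE_SIZE="${IMAGE_SIZE:-10g}"
KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-encrypted-source-image}"
AGENT_LABEL="${AGENT_LABEL:-local.mount-source-image}"

# Runs "$@" with the hdiutil arguments matching the answer: sparse image,
# GUID partition map (GPTSPUD), journaled HFS+ (case-insensitive), AES-128,
# passphrase read from stdin. Pass "hdiutil" to do it, or "printf '%s\n'"
# to dry-run and inspect the argument list.
with_create_args() {
  "$@" create -type SPARSE -layout GPTSPUD -fs HFS+J -encryption AES-128 \
       -stdinpass -size "$IMAGE_SIZE" -volname "$VOLUME_NAME" "$IMAGE_PATH"
}

# launchd agent that re-runs this script with "mount" at every login.
# $1 is the absolute path of this script.
launch_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$AGENT_LABEL</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>$1</string><string>mount</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Generate a random passphrase, store it in the login keychain, and feed it
# to hdiutil on stdin (hdiutil's -stdinpass reads everything up to EOF, so
# printf '%s' is used to avoid a trailing newline becoming part of it).
# Note: "security ... -w PASS" briefly exposes the secret in the process
# list; drop -w to be prompted for it instead.
create_image() {
  pass="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)"
  security add-generic-password -U -a "$USER" -s "$KEYCHAIN_SERVICE" -w "$pass"
  printf '%s' "$pass" | with_create_args hdiutil
  hdiutil isencrypted "$IMAGE_PATH"   # sanity check: should report encrypted: YES
}

# Pull the passphrase back out of the keychain and attach the image. The
# login keychain is unlocked by the account password, so no prompt appears.
mount_image() {
  printf '%s' "$(security find-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w)" |
    hdiutil attach -stdinpass "$IMAGE_PATH"
}

install_agent() {
  script="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
  plist="$HOME/Library/LaunchAgents/$AGENT_LABEL.plist"
  mkdir -p "$(dirname "$plist")"
  launch_agent_plist "$script" >"$plist"
  launchctl load "$plist"
}

main() {
  case "${1:-}" in
    create)  create_image ;;
    mount)   mount_image ;;
    install) install_agent ;;
    *) echo "usage: $0 create|mount|install" >&2; return 2 ;;
  esac
}

# Only dispatch on macOS (hdiutil present) and when a command was given.
if [ $# -gt 0 ] && command -v hdiutil >/dev/null 2>&1; then
  main "$@"
fi
```

Run `create` once, then `install`; `mount` is what the agent runs at each login. Anyone who boots the machine from other media or pulls the disk still sees only the encrypted image, while anyone who can unlock the login keychain (i.e. has your account password) gets the volume mounted for free, which matches the threat model stated in the question.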