Security vs Convenience
08/02/08 19:29 Filed in: Computers
One of the things that appealed to me about the latest
Mac operating system - Leopard - is TimeMachine, the
Macs automated backup which for the first time at an
operating system level allows truly set-and-forget
backups to an external drive. The first backup which
takes a l o n g time is the biggie, where everything is
backed up - subsequent backups only copy any changes
you have made.
I also go one step further, in that I use a program called SuperDuper which creates a fully bootable clone of my entire drive on an external drive. Again, the first backup copies the entire drive - subsequent backups just copy the changes.
The other thing that I like is a Mac feature called FileVault - which allows you to encrypt your home folder with 128-bit (or 256-bit military if you're really anal) encryption. As I usually have working copies of client files on my Mac laptop, security is really important. Were my Mac to be stolen (touch wood etc) I want to know that all documents are safe from casual eyes.
And therein lies the rub - using FileVault does not mix well with doing backups. The reason is simple - if the entire user folder is encrypted, the backup program has no way of discovering what has been changed, since it is all encrypted!! The result is that, when using FileVault, all backups take as long as the first one, since the entire thing has to be copied over again. A further fly in the ointment is that (heaven forfend) you have some corruption in your encrypted file, well, you are well and truly up the creek and paddle-less since there is no way you can access a small part of the encrypted file - it is one BIG thing.
So we have a quandry - on the one hand we are concerned with security and want all client files to be encrypted - on the other hand we want the time taken for incremental backups to be as quick as possible.
Enter Knox - a neat Mac utility that makes encrypted disk images. What this allows me to do is to create secure folders for each client, which contains a 128-bit encrypted version of each folder.
As usual, its somewhat of a compromise in that if there is a small change inside of a client folder, that whole encrypted folder will be backed up - but at least it will be a lot better than if the entire user folder were backed up each time a small change was made in the client folder.
Additional security - the Mac asks for a password every time the screensaver goes away; Undercover software installed which when activated, sends an email to a central database notifying of the Mac IP address, along with snapshots of the thief taken via the inbuilt camera!
I also go one step further, in that I use a program called SuperDuper which creates a fully bootable clone of my entire drive on an external drive. Again, the first backup copies the entire drive - subsequent backups just copy the changes.
The other thing that I like is a Mac feature called FileVault - which allows you to encrypt your home folder with 128-bit (or 256-bit military if you're really anal) encryption. As I usually have working copies of client files on my Mac laptop, security is really important. Were my Mac to be stolen (touch wood etc) I want to know that all documents are safe from casual eyes.
And therein lies the rub - using FileVault does not mix well with doing backups. The reason is simple - if the entire user folder is encrypted, the backup program has no way of discovering what has been changed, since it is all encrypted!! The result is that, when using FileVault, all backups take as long as the first one, since the entire thing has to be copied over again. A further fly in the ointment is that (heaven forfend) you have some corruption in your encrypted file, well, you are well and truly up the creek and paddle-less since there is no way you can access a small part of the encrypted file - it is one BIG thing.
So we have a quandry - on the one hand we are concerned with security and want all client files to be encrypted - on the other hand we want the time taken for incremental backups to be as quick as possible.
Enter Knox - a neat Mac utility that makes encrypted disk images. What this allows me to do is to create secure folders for each client, which contains a 128-bit encrypted version of each folder.
As usual, its somewhat of a compromise in that if there is a small change inside of a client folder, that whole encrypted folder will be backed up - but at least it will be a lot better than if the entire user folder were backed up each time a small change was made in the client folder.
Additional security - the Mac asks for a password every time the screensaver goes away; Undercover software installed which when activated, sends an email to a central database notifying of the Mac IP address, along with snapshots of the thief taken via the inbuilt camera!