Two ways of encrypting your /home (i.e. /Users)
in MacOSX with truecrypt






This howto will give you an efficiently encrypted /Users/username (no FileVault involved) with a lot of privacy. I will explain how to do it in two different ways. The first one is my favourite and has the advantage of obscurity. The second one requires that you physically carry the key with you whenever you want to log in, and it reveals the fact that your home is encrypted.

Background


I was recently given a MacBook Pro at work. I don't like it. While I think that the hardware is still fine (even if Apple is well known for their lousy hardware, this laptop has an SSD, so the big problem of Apple's drives dying should be fixed), the software is trying to force me to work its way and not the way I want.

On the other hand, I have been an OpenBSD user for years now, I buy the CDs etc., and I love the correctness of the project. But OpenBSD will not install well on the laptop. I have also tried Linux (even if I don't like it much), but it was as usual: random behaviour. They claim they support the hardware, but after a couple of lost days I found out that things were working randomly after a reboot. Sometimes they did, sometimes not. Probably the penguin is not ready, or probably it's EFI (probably this "helped" too with the random behaviour).

While I wait for the brave OpenBSD developers to write the code, I have to live with this "OS". But there are too many things I do not like. Especially the lack of privacy (why are the Apple Store and iTunes constantly trying to "communicate" with my laptop??), the stupid Aqua interface and the lame "file encryption".

In this guide I provide you with a partial solution to some of these problems.

Why?

Because we can... and :

http://en.wikipedia.org/wiki/FileVault


That looks like the sort of encryption ware that the police would
recommend.

"We protect your data with AES-128 but protect your secret key
with rot13, for speed."

I like to use encryption ware that hasn't been hacked yet

Also, after a whole installation of the OS and a lot of software, I found out
that MacOSX defaults to a file system which is not case-sensitive!

I made a reinstall from scratch with care and realised that there's an option to
make it case-sensitive (is this a joke?)

And the best: when choosing this FS, FileVault cannot encrypt the drive because

"The home folder is located on a volume that isn’t in Mac OS Extended format"

And they call this user-friendly...

What?

TrueCrypt seems to be the only possibility out there

Where?

In Snow Leopard (MacBook Pro 5,5)

Note:

# is the prompt for root
$ is the prompt for user
username in this example is (strangely enough) "pau"
I will assume that FileVault is not being used on the system



My way (probably better than the next one and my favourite one)

Create a big TrueCrypt file, "example.img". Mine was 175GB (it took some 1.5 hours with the AES-Twofish algorithm and SHA-512 for the hash). I chose Mac OS Extended as the filesystem, but it does not actually matter, and ticked "I will only mount this on MacOSX", but that does not matter either, since we're going to give it another, case-sensitive format.

Once it is done, mount it

  sudo mkdir /Volumes/example_volume

  sudo truecrypt --text --verbose --filesystem=none \
  --protect-hidden=no -k "" \
  /Users/pau/example.img /Volumes/example_volume


As you might have gathered, I do not like GUIs. Read the man of truecrypt to find out what I am doing here

Now go to Disk Utility and format the bitch on the left, the volume.dmg: "Erase" tab and Mac OS Extended (Case-sensitive, Journaled)

A new item should have popped up on the left, "Untitled"

Now unmount the thing by clicking on the right (find your way with the showy one-button Apple pad!).

And unmount it from truecrypt.

  gumby% sudo truecrypt --text --dismount /Users/pau/example.img


Mount it again from truecrypt

  sudo truecrypt --text --verbose --filesystem=none \
  --protect-hidden=no -k "" \
  /Users/pau/example.img \
  /Volumes/example_volume

  Enter password for /Users/pau/example.img:
  Volume "/Users/pau/example.img" has been mounted.


And attach it to a partition (i.e. mount it):

  /usr/bin/hdiutil attach /tmp/.truecrypt_aux_mnt1/volume.dmg \
  -readwrite -owners on -mountpoint \
  /Volumes/example_volume


And verify that it is case-sensitive:

  gumby% cd /Volumes/example_volume
  gumby% ls
  gumby% touch Hello hello
  gumby% ls
  Hello hello


Great!

Now you restore your data into the volume and then make your life simpler by using two scripts. One to mount it, one to unmount it.

In the first script we will also link all sensitive data from the mounted volume to our home directory, so that we can work normally. In the second one, after unmounting the volume, we delete the links... we do not want to leave hints, do we?

Of course, you can be original about where you decide to locate the encrypted file:

  gumby% cat Mount.sh
  #!/bin/zsh
  # Definitions
  truecrypt=/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt
  file_tc=/path/to/your/encrypted/file
  volume=/Volumes/where/you/want/to/mount/it
  home=/Users/username

  # Do it (-k "" means: no keyfile, you will be asked for the password)
  sudo mkdir -p "$volume"
  sudo "$truecrypt" --text --verbose --protect-hidden=no -k "" "$file_tc" "$volume"

  # Link the stuff from the volume into the home directory
  ln -s "$volume"/* "$home"


  gumby% cat Unmount.sh
  #!/bin/zsh
  # Definitions
  file_tc=/path/to/your/encrypted/file
  home=/Users/username

  # Do it
  sudo truecrypt -t -d "$file_tc"

  # Make sure we do not leave any hints (one entry per link made by Mount.sh)
  rm "$home"/link1 \
     "$home"/link2


This has the advantage that whilst your sensitive data will be protected, the "normal" stoopid mac stuff will still be in your home directory, so that nobody will notice that something is "missing".
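A single mount/unmount script for this method, added here as an example and not the author's Mount.sh/Unmount.sh: it scripts the "touch Hello hello" check from above, links the volume's contents (dotfiles included) into the home directory without clobbering real files that already live there, and on unmount removes only the links that point into the volume instead of a hard-coded list. The TrueCrypt path, container, mount point and home directory are the page's placeholders and must be adjusted.

```sh
#!/bin/sh
# Added example (not the author's Mount.sh/Unmount.sh): mount or unmount the
# container and handle the symlinks into $HOME. Paths are assumed; adjust them.
TC=/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt
FILE_TC=/path/to/your/encrypted/file
VOLUME=/Volumes/where/you/want/to/mount/it
HOME_DIR=/Users/username

# The page's "touch Hello hello" test, scripted: both files survive only on a
# case-sensitive filesystem (a case-insensitive one keeps a single "Hello").
is_case_sensitive() {
    touch "$1/Hello" "$1/hello" || return 1
    n=$(ls "$1" | grep -c '^[Hh]ello$')
    rm -f "$1/Hello" "$1/hello"
    [ "$n" -eq 2 ]
}

# Link every top-level entry of the volume (dotfiles included) into $home,
# refusing to clobber a real file or directory that already lives there.
link_volume() {
    vol=$1; home=$2
    for entry in "$vol"/* "$vol"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        if [ -e "$home/$name" ] && [ ! -L "$home/$name" ]; then
            echo "not linking $name: $home/$name already exists" >&2; continue
        fi
        ln -sfn "$entry" "$home/$name"
    done
}

# Remove only the symlinks in $home that point into the volume: nothing else
# in the home directory is touched and no dangling links are left as hints.
unlink_volume() {
    vol=$1; home=$2
    for link in "$home"/* "$home"/.[!.]*; do
        [ -L "$link" ] || continue
        case $(readlink "$link") in "$vol"/*) rm -f "$link" ;; esac
    done
}

case $1 in
    mount)
        sudo mkdir -p "$VOLUME"
        sudo "$TC" --text --verbose --protect-hidden=no -k "" "$FILE_TC" "$VOLUME" || exit 1
        is_case_sensitive "$VOLUME" || echo "warning: $VOLUME is not case-sensitive" >&2
        link_volume "$VOLUME" "$HOME_DIR" ;;
    unmount)
        unlink_volume "$VOLUME" "$HOME_DIR"
        sudo "$TC" -t -d "$FILE_TC" ;;
esac
```

Run it as `tc-home.sh mount` after login and `tc-home.sh unmount` before you walk away; the unmount pass leaves the "normal" Mac files in place, as the text above intends.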

More interestingly, in your .xinitrc you can define where your "new" $HOME is:

  HOME=/Volumes/where/you/want/to/mount/it


This means that X11 is told to take /Volumes/where/you/want/to/mount/it as your new home, instead of /Users/username!

Therefore, when you e.g. type "cd" in the terminal, you will end up in the encrypted file, and your X programmes will store their hidden "." configuration files there, too...

I have also found out that you can tell the whole KDE environment to behave like that. I personally dislike KDE a lot (but compared to Aqua it is heaven... I am talking about KDE 3.5, no annoying Compiz things), but this is surely an advantage. All of your Konqueror history (as compiled from MacPorts) and cache (!!!) will be stored in the encrypted file. For that, put the following in .xinitrc:

  export HOME=/Volumes/where/you/want/to/mount/it
  # KDEHOME is not in the environment yet, so it must be exported to reach KDE
  export KDEHOME=/Volumes/where/you/want/to/mount/it/.kde
  exec $SHELL -l -c /opt/local/bin/startkde


Also, take into account that some programmes, like pidgin or epiphany, allow you to store the config files and history in a different location. In the case of pidgin and epiphany, just use

  pidgin --config /Volumes/where/you/want/to/mount/it/.purple
  epiphany --private-instance --profile /Volumes/where/you/want/to/mount/it/.gnome2/epiphany


As for firefox, you can simply define a new profile

  /Applications/Firefox.app/Contents/MacOS/firefox-bin -P


Use a folder in the encrypted file to store it. When the file is decrypted (i.e. mounted), everything will work as usual. If your file is encrypted and somebody launches Firefox, it will look as if it were being launched for the first time. It will ask you whether you want to import the Safari bookmarks etc...

While Apple claims to play fair etc., I have a very warm, nice feeling knowing that Apple will know nothing about all of my surfing and chat history (but then, if you are using GTalk, forget about any privacy)

If you are using this trick, then Mount.sh and Unmount.sh should read

  gumby% cat Mount.sh
  #!/bin/zsh
  # Definitions
  truecrypt=/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt
  file_tc=/path/to/your/encrypted/file
  volume=/Volumes/where/you/want/to/mount/it
  home=/Users/username

  # Do it
  sudo mkdir -p "$volume"
  sudo "$truecrypt" --text --verbose --protect-hidden=no -k "" "$file_tc" "$volume"

  # Start our secret life in X: the real .xinitrc lives inside the volume
  ln -s "$volume"/xinitrc_kde_macosx \
        "$home"/.xinitrc


  gumby% cat Unmount.sh
  #!/bin/zsh
  # Definitions
  file_tc=/path/to/your/encrypted/file
  home=/Users/username

  # Do it
  sudo truecrypt -t -d "$file_tc"

  # Keep our X-identity secret!
  rm -f "$home"/.xinitrc


I am now using another approach: I do use Aqua, but only X applications on it, with a Firefox profile living in the encrypted file, and my Mount.sh and Unmount.sh look pretty different; but then you are free to come up with your own scenario.

At shutdown, the shutdown routine will deconfigure the TrueCrypt volume and dismount the filesystems mounted on $volume.

This allows you to lead two parallel lives: in one you are a stoopid MacOSX user who has a history in Safari and a couple of PDFs in your /Users etc... then you have your personal life in X (KDE). It's a bit like being Clark Kent and Superman :)

Manual deconfiguration (Caramba! The Secret Police are elbowing their way through the cyber cafe waving guns and shouting in coarse, bestial language). You quickly type:

  sudo Unmount.sh


System is then secure. Later, in the cellar of the Commissariat of Love, you may decide to share the password with the nice man with the Taser, but that's a different problem.

A clever lad might have those commands in a cron job that requires the user to touch a file of magickal name every ten minutes (or ten seconds for delicate work), or else they are executed. But this is getting a little Hollywoodish.




Second way (based on a page by Sebastian Köttinger)

Step 1

We love the command line :

  # ln -s /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt /usr/local/bin/tc

We'll be using a flash pen to decrypt /Users/pau WITHOUT a password.
(paranoia is great)

The last point is extremely important, because the way of encrypting your /Users that I will describe now only works if you use a keyfile, without a password.

This is so because the tricky part of this guide is that we'll be using something called Apple's loginhook and logouthook, which allow you to run a script before anything else happens when logging in and out of a session, but that has to happen without any interaction from your side. Since typing a password would require that, we have to use the keyfile and leave the encryption without a password.

For this, mount a flash drive, which in my case has been formatted as vfat for historical reasons
(useful for sharing with OpenBSD, Linux and Mac computers and Windows users).

In my case it is called "256MB":

Create a randomised file, the key for TrueCrypt to mount the encrypted file:

  # mkdir -p /Volumes/256MB/.tc
  # dd if=/dev/random of=/Volumes/256MB/.tc/keyForHome.img count=1 bs=4096


4 kB = 4096 bytes = 32768 bits -- this is enough, because the encryption key is "only" 256 bits

Now create a TrueCrypt volume home.pau.tc.img and use keyForHome.img as the keyfile...

I have used the GUI because it's easier to generate random numbers by moving the mouse than by typing the 320 characters.

My volume is of 120GB and it took it some 55 minutes on a SSD drive with plenty of RAM (8GB).
Probably on a hard "spinning" drive with less RAM it'll take much longer.

Once it's done, move it to /Users and mount it:

  # mv home.pau.tc.img /Users


  # tc -t --filesystem=none /Users/home.pau.tc.img

Now we have to give the volume a new HFS+ partition (please case-sensitive!) with "Disk Utility"

At that moment a new icon will automagically (I hate this word) pop up on the Desktop: it's the new "disc". Unmount it.

We will also have to unmount the truecrypt volume:

  # tc -t -d /Users/home.pau.tc.img

Then we mount it like this (note the "--non-interactive" part; that's crucial and the reason why this will not work if you have to be prompted for a password):

  # tc -t --filesystem=none --non-interactive -v -k /Volumes/256MB/.tc/keyForHome.img /Users/home.pau.tc.img
  Volume "/Users/home.pau.tc.img" has been mounted.

Attach it to a mount point:

  # /usr/bin/hdiutil attach /tmp/.truecrypt_aux_mnt1/volume.dmg \
                  -readwrite -owners on -mountpoint /tmp/tc_pau

and copy the contents of our home directory into it after setting the right permissions (the trailing slash on the source matters: it tells BSD cp to copy the contents of the directory rather than the directory itself, so that the volume root becomes the new /Users/pau)

  # chown -R pau /tmp/tc_pau
  $ cp -Rp /Users/pau/ /tmp/tc_pau

Umount everything:

  # hdiutil detach /tmp/tc_pau
  # tc -t -d /Users/home.pau.tc.img

And then purge your home carefully with -P
(man rm ... you'll realise that the userland has been taken from a BSD):

     "-P  Overwrite regular files before deleting them.  Files are
          overwritten three times, first with the byte pattern 0xff,
          then 0x00, and then 0xff again, before they are deleted."

  # rm -rP /Users/pau

Now you will have to copy the three following files to the correct place (the hooks only run if they are executable, and the script logs to /var/log/truecrypt, so create that too):

  # mkdir -p /Library/Management /var/log/truecrypt
  # cp loginhook logouthook mounttconstartup.sh /Library/Management
  # chmod 755 /Library/Management/loginhook /Library/Management/logouthook /Library/Management/mounttconstartup.sh

after setting KEYFILEPATH, KEYFILEMOUNTDIR, TCIMAGEPATH, TCIMAGEMOUNTPATH,
KEYFILEDEVICE, KEYFILEDEVICEFS, MOUNTCHOWN, STANDARDUSBSTICKMOUNTPOINT and USERNAME
to your needs

  #!/bin/sh
  # loginhook: the login window runs this as root with the user name in $1
  /Library/Management/mounttconstartup.sh start $1


  #!/bin/sh
  # logouthook: the same at logout
  /Library/Management/mounttconstartup.sh stop $1


  #!/bin/sh
  # mounttconstartup.sh
  # $1 is "start" or "stop" (from the hooks), $2 the user logging in or out
  KEYFILEMOUNTDIR=/tmp/KEYFILEMOUNTDIR/
  KEYFILEPATH=.tc/keyForHome.img
  TCIMAGEPATH=/Users/home.pau.tc.img
  TCIMAGEMOUNTPATH=/Users/pau
  KEYFILEDEVICE=/dev/disk1s1
  KEYFILEDEVICEFS=msdos
  MOUNTCHOWN=pau:staff
  MOUNTCHMOD=755
  PATHTOTC=/usr/local/bin/tc
  LOGPATH=/var/log/truecrypt/
  STANDARDUSBSTICKMOUNTPOINT=/Volumes/USBSTICK
  USERNAME="pau"

  StartService() {
    # The flash pen gets mounted automatically under /Volumes; unmount it and
    # mount it ourselves, read-only, in a private directory
    umount -f $STANDARDUSBSTICKMOUNTPOINT >> $LOGPATH/tc.log 2>&1

    mkdir -p $KEYFILEMOUNTDIR
    mount -r -t $KEYFILEDEVICEFS $KEYFILEDEVICE $KEYFILEMOUNTDIR >> $LOGPATH/tc.log 2>&1

    # Open the container with the keyfile alone (no password, hence --non-interactive)
    $PATHTOTC -t --filesystem=none --non-interactive -v -k $KEYFILEMOUNTDIR$KEYFILEPATH $TCIMAGEPATH >> $LOGPATH/tc.log 2>&1

    # Attach the decrypted volume as the user's home directory
    /usr/bin/hdiutil attach /tmp/.truecrypt_aux_mnt1/volume.dmg -readwrite -owners on -mountpoint $TCIMAGEMOUNTPATH >> $LOGPATH/tc.log 2>&1

    /usr/sbin/chown $MOUNTCHOWN $TCIMAGEMOUNTPATH
    /bin/chmod $MOUNTCHMOD $TCIMAGEMOUNTPATH

    # The key is only needed while opening the container; release the pen
    umount -f $KEYFILEMOUNTDIR
    rm -r $KEYFILEMOUNTDIR
  }

  StopService() {
    /usr/bin/hdiutil detach -force $TCIMAGEMOUNTPATH >> $LOGPATH/tc.log 2>&1
    $PATHTOTC -t -v -d $TCIMAGEPATH >> $LOGPATH/tc.log 2>&1
  }

  echo >> $LOGPATH/tc.log

  # Only act for our user, and log what we were asked to do
  if [ "$2" = "$USERNAME" ]
  then
    echo "`date`: $2, $1" >> $LOGPATH/tc.log
    case "$1" in
      "start") StartService;;
      "stop") StopService;;
    esac
  fi

And tell your showy mac what it should do next time it boots:

  # defaults write com.apple.loginwindow LoginHook /Library/Management/loginhook
  # defaults write com.apple.loginwindow LogoutHook /Library/Management/logouthook
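
The same hook logic with a few checks added, as an added example that is neither Sebastian Köttinger's nor the author's mounttconstartup.sh: it refuses to go on if the keyfile on the pen is not the single 4096-byte block that dd wrote, logs a missing pen or a failed step instead of continuing with no home directory, and always releases the pen again. Paths and the user name are the page's own placeholders; the volume.dmg path is the one TrueCrypt creates on this system according to the page.

```sh
#!/bin/sh
# Added example, not the page's own mounttconstartup.sh: the same hook logic with
# pre-flight checks, so a wrong stick or a failed step is logged instead of
# silently leaving you with an empty /Users/pau. Paths are the page's; adjust.
KEYFILEMOUNTDIR=/tmp/KEYFILEMOUNTDIR
KEYFILEPATH=.tc/keyForHome.img
TCIMAGEPATH=/Users/home.pau.tc.img
TCIMAGEMOUNTPATH=/Users/pau
KEYFILEDEVICE=/dev/disk1s1
KEYFILEDEVICEFS=msdos
PATHTOTC=/usr/local/bin/tc
LOGPATH=/var/log/truecrypt
USERNAME=pau
log() { echo "$(date): $*" >> "$LOGPATH/tc.log"; }
# The key is the single 4096-byte block dd wrote; any other size means the wrong
# (or a damaged) stick, so refuse here rather than let TrueCrypt fail later.
keyfile_ok() { [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq 4096 ]; }
# True when something is already mounted on the given path.
already_mounted() { mount | grep -q " on $1 "; }

start_service() {
    mkdir -p "$KEYFILEMOUNTDIR" "$LOGPATH"
    already_mounted "$TCIMAGEMOUNTPATH" && { log "already mounted"; return 0; }
    mount -r -t "$KEYFILEDEVICEFS" "$KEYFILEDEVICE" "$KEYFILEMOUNTDIR" \
        || { log "key stick not found"; return 1; }
    if keyfile_ok "$KEYFILEMOUNTDIR/$KEYFILEPATH"; then
        "$PATHTOTC" -t --filesystem=none --non-interactive -v \
            -k "$KEYFILEMOUNTDIR/$KEYFILEPATH" "$TCIMAGEPATH" >> "$LOGPATH/tc.log" 2>&1 \
        && /usr/bin/hdiutil attach /tmp/.truecrypt_aux_mnt1/volume.dmg -readwrite \
            -owners on -mountpoint "$TCIMAGEMOUNTPATH" >> "$LOGPATH/tc.log" 2>&1
        rc=$?
    else log "keyfile missing or not 4096 bytes"; rc=1; fi
    umount -f "$KEYFILEMOUNTDIR"; rmdir "$KEYFILEMOUNTDIR"   # key stays on the stick
    return $rc
}
stop_service() {
    /usr/bin/hdiutil detach -force "$TCIMAGEMOUNTPATH" >> "$LOGPATH/tc.log" 2>&1
    "$PATHTOTC" -t -v -d "$TCIMAGEPATH" >> "$LOGPATH/tc.log" 2>&1
}
# $1 = start|stop (from loginhook/logouthook), $2 = the user logging in or out.
hook_dispatch() {
    [ "$2" = "$USERNAME" ] || return 0   # other accounts: nothing to do
    case $1 in
        start) start_service ;;
        stop)  stop_service ;;
        *)     return 2 ;;
    esac
}
if [ $# -gt 0 ]; then hook_dispatch "$1" "$2"; fi
```

Keep in mind that with a keyfile and no password the pen is the only secret: the size check catches the wrong pen, not a stolen one.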






And a couple of final suggestions...

  $ defaults write com.apple.Terminal FocusFollowsMouse -string YES
  $ defaults write com.apple.x11 wm_ffm -bool true
  $ defaults write com.apple.dock no-glass -boolean YES
  $ defaults write com.apple.finder _FXShowPosixPathInTitle -bool YES
  $ defaults write org.x.X11 wm_click_through -bool true
  $ defaults write org.x.X11 app_to_run /usr/bin/true

Have a look at http://mactips.dwhoard.com/

To conclude, if you do not want to commit suicide waiting for the cursor to think faster than a Mac user, I recommend that you set this option to the maximum:


Last modified on Apr 10/2010 by Pau Amaro-Seoane             (Please be sure to read the LEGAL NOTICE)