Privacy and encryption go hand-in-hand these days. With the increased insecurity of web sites, applications (both on the web and local), and rapidly declining privacy, the use of encryption is on the rise. Protecting sensitive files and folders makes as much sense as protecting communication.
Mac OS X comes with FileVault, a means of transparently encrypting your home folder and all of its contents. FileVault takes your on-disk home directory and converts it into an encrypted disk image. It does this using the sparse image format, which allows the disk image to expand as required rather than being set to a fixed size (the limitation being how much real disk space is available, of course). However, the larger the home directory, the more OS X has to work to find all the bits that belong there across the disk image. And unless you're working for the military, do you need to have web caches, temporary files, and your iPhoto library encrypted? It makes more sense to encrypt the stuff that needs it, and leave the rest alone. This leads to a definite increase in speed, because only the important bits have to be encrypted and decrypted, not every little thing.
To that end, a really useful tool called Espionage exists that will encrypt individual folders rather than the entire home directory. Espionage stays out of your way when it isn't needed, and is there when you need it. For instance, if you have financial information stored in your Documents/Financial folder, you can have Espionage encrypt that folder, and that folder alone. When you need access to that folder, simply click on it in the Finder as you normally would and Espionage is there, asking for a passphrase to unlock it, and mounting the disk image transparently for you so that you can get right to your data.
Like FileVault, Espionage uses AES-128 for encryption. Unlike FileVault, it also lets you elect to use AES-256 (military-grade encryption). Espionage can also be associated with applications: if you wanted to encrypt your Mail data, Espionage can make it available when Mail starts, and tuck it away again when Mail exits. It comes with numerous application templates to make this as easy as possible, such as templates for Firefox, iCal, Mail, iChat, OmniFocus, Safari, Thunderbird, QuickBooks, and more.
So to encrypt your Mail data:
- Launch Espionage and, from the File menu, select Application Templates. Templates for applications on your system will be shown.
- Select Mail and click Next.
- On the next screen, type in the password you want to use to encrypt the folder, and also select the folders to encrypt.
Espionage will pick the defaults for that application (such as ~/Library/Mail/ and ~/Library/Mail Downloads/). You can also choose which type of encryption you want for each individual folder: AES-128 or AES-256, and either a sparse image or a sparse bundle (the sparse bundle is best). Once this is done, Espionage will begin the work of encrypting the folder and creating the sparse bundle images.
Now, when you launch Mail, you will be prompted for the password to unlock the disk images. You can elect to have the folders auto-unlocked at login if you wish; this gives you password-less access to the encrypted folders, but if your computer is lost or stolen, the data stored there will be unavailable to anyone who may come across it -- provided they don't know your password to log in. When you close Mail, the folders will be locked automatically.
Finally, if you use Dropbox, sometimes it seems to want access to these encrypted folders that it has no business accessing. For instance, with Mail encrypted, and with none of the folders having any relation to Dropbox whatsoever, a UI prompt will come up indicating that Dropbox wants access to the folder.
This can be avoided by blacklisting Dropbox so that it is auto-denied access, which prevents the pop-up. To do this, open the Tools menu, select Ignore List, and add Dropbox to the list to auto-ignore. From this point, any attempted access by Dropbox to any of the encrypted folders will be automatically denied.
If you need or want certain folders or application data encrypted, Espionage is a great way to accomplish it. It works seamlessly, is very responsive, and is very reliable. The application associations also work extremely well, and the templates make it easy to protect commonly used applications.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.