This isn’t the usual post about some nincompoop making yet another foolish security mistake. It’s about a guy who does (almost) everything right and almost loses it all. Over at the White Hat Security Blog, Jeremiah Grossman tells a chilling tale about the day he forgot a password.
Grossman works in security and deals with a lot of sensitive material, much of which he keeps on his MacBook Pro. As a result, he’s extremely paranoid about his data protection protocols. His protocol involves two layers. First, his entire hard drive is encrypted with FileVault, the OS X full disk encryption utility that provides 128 bit AES encryption. This is already more security than most users have but he has a second layer that creates encrypted disk images (another OS X feature) each of which is encrypted with 256 bit AES. Thus, even if an attacker is able to breach the full disk encryption, there are still encrypted disk images that contain especially sensitive information. The images are mounted while needed and then unmounted so that their data is rarely available in plane text. Grossman also changes all his passwords on a regular basis. All those passwords are kept in one of the disk images and are protected by a master password.
This is doing security right. The data is always secure because of the full disk encryption and especially sensitive data is hidden away in virtual disks images that look like normal files and are easy for an attacker (or government agent, for that matter) to overlook. There’s only one thing missing: a backup for the master password. Some people will tell you to never write your password down. Grossman’s story is about what happens when you take that advice and then forget your password.
Follow the link for how he recovered and how hard it was. He only succeeded because he remembered most of the password. His story is interesting and enlightening but the post is valuable for another reason: it lays out a way to secure your data against most attackers (those that don’t come with 3 letter initials or a $5 wrench). If you’ve wondered how to secure your laptop against loss or other breach, this is a post you need to read. If you have a Mac and want to know how to set up encrypted virtual disks, Scott Jordan has a post that gives you the full explanation. If you’re working on another platform (or want another option on the OS X) take a look at TrueCrypt. It’s portable and can do everything described here.
Finally, I should mention that Jordan’s post on setting up virtual disk images shows you how to use it with Dropbox in a transparent and flexible way. If you use Dropbox and store sensitive information you need this because, as I’ve written many many times, if you store sensitive information in the cloud you better be encrypting it.