Chapter 13. Security Basics > Filesystem Security - Pg. 402

Filesystem Security

Even with protections in place preventing unauthorized account access, your Mac is still prone to intrusion as long as there's no filesystem protection in place.

FileVault

Your entire filesystem can become accessible to anyone able to mount it as an external drive on a second system. This can occur, for example, if your Mac is put into target disk mode and mounted, or more drastically, if your hard drive is removed and placed in another machine. One way to keep at least your home directory safe from intrusion, even in these cases, is to use FileVault, as discussed in Chapter 4.

FileVault also protects your home directory from intrusion by other users with admin accounts on the same Mac as yours, who could otherwise use su or sudo to gain access to any file. As long as you're not logged in, your home directory contents stay encrypted and inaccessible to anyone without your account password or the master password. While a FileVault-protected account is logged in, however, its home directory resides unencrypted on the drive, subject to access by anyone with an admin account.

Enabling FileVault does incur some risk, however, because the entire home directory (when not in use) exists as a single encrypted image file on the hard drive. If that single file becomes corrupted, that image and all the files within can be lost. For this reason, you might want to keep a separate account, used for only sensitive work,