Securing sensitive data

Many of us now have both moral and legal responsibilities to look after some of the information we use on our Macs. Thankfully, there’s now a wide range of different methods to secure data. This article presents a short summary of what you should consider using.

Laws and practices of data protection vary with different legislation around the world, but in general expect you to comply with two principles when it comes to storing sensitive data: it must be secured from access by anyone who isn’t entitled, and it must be safeguarded from loss or damage. A lot of emphasis has been placed on encryption as a means of preventing others from access, but far less on the need to safeguard.

There’s another important issue in how you might need to demonstrate compliance. In many situations, simply being able to justify to yourself that you have exercised due diligence isn’t sufficient, and your equipment, procedures and practices need to comply with accepted standards. Ask yourself if something did go wrong and someone else were to scrutinise what you did, how could you justify that, perhaps in a court or to an enquiry?

Encrypted sparsebundle or image

These are convenient and essentially free of cost. I’ve explained their basics here, and there are two excellent tools for working with them: C-Command’s excellent DropDMG for Disk Images, and my own free Spundle for sparsebundles from here.

Although I’ve no reason to suspect that their encryption has been broken, one snag with these is that someone can make off with your encrypted data and use brute force and other techniques to decrypt it. In the case of a state or government agency, that may well be a feasible proposition with their existing tools. You also need to make separate provision for safeguarding the data by means of a robust backup system, which again exposes it to the potential for theft.

For modest amounts of data of fairly low sensitivity, this is a cheap option, but you’ll find it hard to demonstrate compliance, and existing standards and codes may not accept that.

Encrypted volume

Unlike HFS+, APFS has native support for encryption, and you can easily enable this when creating any new APFS volume, by selecting its format as APFS (Encrypted) rather than plain APFS. This is different from FileVault whole-disk encryption* used, for example, in Intel Macs with a T2 chip and M1 Macs on their internal SSDs, as it’s not performed in the disk controller, so comes at a performance cost.

If you decide to store your sensitive data on an external SSD in APFS Encrypted format, it should be safe from all but the most serious attacker. Don’t rely on this to be safe from state/government agencies, for example, but this is going to defeat the casual or criminal.

As with encrypted sparsebundles and images, this doesn’t address safeguarding the data from loss or damage, and you’ll have to be very careful if you need to demonstrate compliance. For example, one common requirement is that passwords satisfy criteria on length and content, and may need to be changed periodically: there’s nothing in APFS encryption to ensure those are met, or to provide evidence that they met those criteria.

Encrypted SSD – in-disk

Several models of SSD offer encryption which is built into the SSD itself, and seems a more transparent alternative to APFS encryption. Unfortunately it’s also a real gamble, and the odds aren’t in your favour. Several researchers have assessed this type of encryption, and found it’s often extremely easy to bypass. As a consequence, Microsoft’s BitLocker equivalent of FileVault stopped trusting in-disk encryption in 2019.

Apple’s T2 and M1 systems include a secure enclave, which is designed to store keys securely. These aren’t trivial, and add significant cost. I’m not aware of any SSD which has a built-in secure enclave which can compare, and some models have been found to store encryption passwords insecurely.

There’s also the problem of Mac compatibility to consider. The overwhelming majority of these encrypting SSDs are aimed at the Windows market, and don’t appear to have been tested against current versions of macOS. As with previous methods, in-disk encryption doesn’t address safeguarding of data or compliance. I don’t recommend this as a solution.

Encrypted SSD – specialist unit

I’ve been reviewing one of the few specialist SSDs which is designed to meet all the criteria above, including compliance with established standards. iStorage offers a range of external storage including its DiskAshur M2, which is a physically hardened external SSD with its own secure enclave processor. It’ll survive crushing, contaminated environments and water, and meets appropriate security standards. It’s fully compatible with Intel and Apple Silicon Macs, and performs well so that you can use it to store working documents.

My major concern with such specialist storage is that it would turn out to be prohibitively expensive, but iStorage products work out at around twice the price of regular SSDs, roughly the same as ‘pro’ quality. That’s around $229/£249 for a 1 TB SSD, and they’re are available in sizes from 120 GB to 2 TB. They also support a great deal more than basic encryption. For full details of their performance and features with macOS, please read my forthcoming review in Mac|Life or MacFormat magazine.

If I had to work with sensitive documents, this would now be my first choice.

* Thanks to Thomas Tempelmann for pointing out that this isn’t in fact whole-disk, but macOS determines what is encrypted. It’s therefore different from the whole-disk encryption offered by the last two options, from FileVault on HFS+, and from APFS encrypted volumes on external disks.

11Comments

Add yours

1

Michele Galvagno on December 29, 2020 at 7:53 am

Very interesting article, thank you. The topic of compliance is so delicate as a good lawyer who wants to frame someone will always find a way to distort the law against them. I didn’t know of the iStorage company, good to know! Now for a delicate question: what does qualify as “sensitive data”? Let’s assume one doesn’t work for the government or any company of that level (otherwise this question would be completely superfluous): what kind of “sensitive data” could an ordinary user have on their machines? For example: if a creative is working with files from and for a customer, do they count as such?

LikeLiked by 1 person
- 2
  
  hoakley on December 29, 2020 at 8:04 am
  
  Thank you, Michele.
  There are many kinds of sensitive data. The most obvious are those which are classified as such by the law, particularly in Europe GDPR. Other laws covering ‘state secrets’ may also be significant for those working for state organisations. Then there is data that is sensitive to a commercial or other organisation for which you might do work – which they would be upset if a competitor discovered it. Finally there are your own secrets such as your tax details, bank accounts, etc.
  On way to check is to ask yourself what might happen if a document or database were to fall into the hands of someone who’s not supposed to see it. If there could be adverse consequences to you or anyone else, then that is sensitive.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Michele Galvagno on December 29, 2020 at 8:19 am
    
    Thank you!
    I guess then it would be wise to at least keep a copy of the finished working files on an encrypted disk (probably working from it is not going to be good).
    Thanks for clarifying!
    
    LikeLiked by 1 person
    - 4
      
      hoakley on December 29, 2020 at 12:44 pm
      
      You certainly can work from the DiskAshur M2 SSD – that’s exactly what it’s designed for.
      Whether you need to depends on the security of where the working copies are stored. If they’re on a laptop which travels and doesn’t have a T2 chip (or an M1), then I don’t think that many experts would consider that secure.
      Howard.
      
      LikeLiked by 1 person
    - 5
      
      Michele Galvagno on December 29, 2020 at 12:46 pm
      
      I’ll have to check with the one customer who’s kind of bigger.
      I have a T1 chip (MBP 2016).
      Not travelling a lot though now 🙂
      
      LikeLiked by 1 person
6

Michael Bach on December 29, 2020 at 11:24 am

Thank you!
“… passwords … may need to be changed periodically.” I have never understood why. Of course, if they’re compromised, but if they are _really well chosen_ I see no need to change them. Do you?

LikeLiked by 1 person
- 7
  
  hoakley on December 29, 2020 at 12:45 pm
  
  Thank you.
  No, I’ve never subscribed to that policy. However, I worked much of my career in an organisation which forced me to change password at regular and frequent intervals. However silly I might think that was, unfortunately it is written into many sets of rules and standards, so it’s an important feature to consider if you need compliance.
  Howard.
  
  LikeLike
- 8
  
  Tony on December 30, 2020 at 6:32 pm
  
  “Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.”
  That’s a quote from the UK National Cyber Security Centre (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach).
  
  They recognise the real-world problems that users have in remembering ever-changing passwords; they do go on to say that passwords must be changed when there is a real or suspected compromise. Elsewhere (https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0) they recommend creating strong passwords by running together three unrelated words. This creates a very strong password that users can actually remember and type easily.
  
  The NCSC advice is two or three years old now but so few organisations follow it. I preach it at every opportunity!
  
  LikeLiked by 2 people
  - 9
    
    hoakley on December 30, 2020 at 7:21 pm
    
    Thank you, Tony.
    I agree completely. Having lived and worked for years under a tyranny which enforced password changes, I well know all the problems it causes. Like it or not, though, there are many regulatory regimes which still require it.
    One useful feature which APFS encrypted (for example) doesn’t and can’t enforce is the use of sufficiently long and unguessable passwords. That can be a shortcoming when others are allowed to choose their own passwords, of course.
    Howard.
    
    LikeLiked by 1 person
10

Javier Gallardo on December 29, 2020 at 6:17 pm

I suppose this is understood: encrypted sensitive data will be inaccessible if the password dies with you (or with your memory). You may get ill and stay at hospital, or you could get stuck far from your mac … and in need to grant access.
Be careful about being too cautious without securing a back path out of the labirynth. This seems obvious, but “forgotten password” is a quite common failure.
It’s kind of funny that at the end one should keep a “passwords book”, on paper, at hand, and locked.

LikeLiked by 1 person
- 11
  
  hoakley on December 29, 2020 at 6:33 pm
  
  Thank you – yes, yes, yes.
  In the days when I had to use passwords at work, we had to keep a copy locked away so that others could access our accounts if we were unavailable. This is even more important with anything that’s encrypted.
  Howard.
  
  LikeLike

Share this:

Related