
Securing your data by automatic home directory encryption


firefly1


Security for your Hackintosh

 

Especially for mobile computers like Dell's Latitude series, data encryption is desirable in case your notebook gets lost or stolen. Up to Snow Leopard one could easily use OS X's built-in encryption mechanism called FileVault (aka Legacy FileVault). This encrypted the home directory of a user. During the login process the user password served to decrypt the home directory.

 

With OS X Lion FileVault 2 was introduced. This was a redesign of the encryption mechanism. It has the advantage of full disk encryption but is tightly connected to Apple hardware. So personally I don't know of a way to make FileVault 2 work to encrypt the system itself on a hackintosh.

 

As I really wanted to at least secure my home directory, I've been thinking about other options. As far as I know there are ways to make Legacy FileVault work (Link 1 and Link 2). But I also wanted to be able to access the data from a Linux system as well. The only encryption software I know of that is usable under OS X and Linux is TrueCrypt (even though its development stopped) or VeraCrypt (as a successor).

 

With this guide I want to describe a way to encrypt your home directory with TrueCrypt and have it automatically mounted during the boot process, using a special USB stick as your passphrase or key. So the data only gets decrypted if this USB stick is plugged into your computer when booting. There are several steps needed to accomplish this:

 

1) Automated start

 

We need to invoke a script during the boot process, which can be accomplished using launchd. Therefore one has to create a plist in:

 

/Library/LaunchDaemons

 

It can have any name (I called mine: my.start.script.plist) and has to be created as root.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>start script</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/script/start.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>root</string>
    <key>GroupName</key>
    <string>staff</string>
</dict>
</plist>

 

The sole purpose of this plist is to execute the shell script under /usr/local/script/start.sh.

 

2) Installation of Truecrypt

 

The development of TrueCrypt stopped in 2014 (a potential successor is VeraCrypt, which now is also available for Linux, OS X and Windows). You should decide for yourself if you still want to use TrueCrypt or not. If you want to use TrueCrypt you should get version 7.1a, not 7.2! The installation itself is straightforward.

 

3) Create an encrypted partition

 

Now you have to create an encrypted partition where the data of your user will be stored. Of course you need some free disk space for this. Creation of the partition is normally done using Disk Utility. After this you can use TrueCrypt to set up an encrypted filesystem within this partition. As a password you should use the serial number of a USB stick. This can be figured out with the command: system_profiler SPUSBDataType.

 

4) Creating a script

 

Now you have to create a script that invokes TrueCrypt during the boot process and mounts your encrypted partition. It is the script that gets executed in the first step. Here is what mine looks like:

 

#!/bin/bash

# replace 0x_____ with the Vendor ID of your USB stick
device=$(system_profiler SPUSBDataType | grep 0x_____ | cut -d: -f2 | cut -c2-7)

# only execute the command if the USB stick is present
if test "$device" = "0x_____"
then
    # get the serial number of your USB stick
    # and use it as a password
    password=$(system_profiler SPUSBDataType | grep -i 'serial' | cut -d: -f2)

    # decrypt and mount the partition
    # you need to give the correct partition name for X and Y
    # my user will be called secret (home directory /Users/secret)
    /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount --password=$(echo $password) /dev/rdiskXsY /Users/secret

    # delete the password
    unset password
fi

 

The script must be made executable with root rights, and I only want root to be able to execute it:

# the file must be owned by root; the setuid bit (4700) has no effect on a shell script,
# and launchd already runs it as root, so mode 700 is all that is needed
chmod 700 /usr/local/script/start.sh

 

5) Create a new user

 

Now you have to create a new user who uses the directory /Users/secret as his home directory. This has to be done using the command line:

 

# run the following as root (e.g. with sudo)
dscl . -create /Users/secret
dscl . -create /Users/secret UserShell /bin/bash
dscl . -create /Users/secret RealName "John Doe"
dscl . -create /Users/secret UniqueID 2000
dscl . -create /Users/secret PrimaryGroupID 20   # group ID 20 is staff
dscl . -create /Users/secret NFSHomeDirectory /Users/secret
dscl . -passwd /Users/secret
dscl . -append /Groups/admin GroupMembership secret
dscl . -read /Users/secret

 

6) Take care of the home folder's rights

 

Perhaps you need to change the rights of the folder /Users/secret, as it gets mounted by root and not by the user secret:

chmod 775 /Users/secret

And you have to make sure that the folder belongs to the same group as your new user. In the above case it's the group staff (group ID 20).

 

That's it! Now you have to plug in a very specific USB stick before booting your hackintosh. This will automatically decrypt and mount the home directory of your newly created user. By adding an additional user you will still be able to log in with the original user. In case you forget to plug in the USB stick you can also use this user to mount the encrypted partition; you only need to know the serial number of your USB stick. So you should write this down somewhere in case your USB stick gets lost. Otherwise you will not only lose the stick itself but also your passphrase.

By extending the script you might also be able to use a keyfile that is stored on any USB stick to decrypt the partition. Just in case you like the idea.

 

Hope this is helpful to some hackintosh users that like an extra bit of security.

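The following is an added example, not firefly1's script, showing a tighter version of the step 4 mount logic. It identifies the stick by Vendor ID and Product ID together and takes the serial number from that device's own block of the system_profiler output, whereas `grep -i serial` takes the first serial of any USB device on the bus (a keyboard or hub with a serial that enumerates earlier silently changes the password, and a second device of the same vendor breaks the Vendor ID test). It also hands the password to TrueCrypt on stdin rather than on the command line, where `ps` can read it. The IDs, the device path /dev/rdiskXsY, the TrueCrypt switches --text, --non-interactive, --stdin and --protect-hidden=no, and the sample profiler output are assumptions to check against your own stick and `TrueCrypt --text --help`. Keep in mind that a serial number is not a secret (any host the stick touches can read it), so the scheme amounts to possession of the stick, which is why the keyfile variant the post mentions is the stronger option.

```shell
#!/bin/sh
# Added example (not firefly1's script): mount the TrueCrypt home volume only
# when one specific USB stick is present, identified by Vendor ID *and*
# Product ID, taking the password from that device's own block of
# `system_profiler SPUSBDataType` output. All IDs, paths and TrueCrypt
# switches below are assumptions to adapt to your own setup.
VENDOR_ID="0x0951"          # assumption: your stick's Vendor ID
PRODUCT_ID="0x1666"         # assumption: your stick's Product ID
VOLUME="/dev/rdiskXsY"      # placeholder from the guide, fill in your partition
MOUNT_POINT="/Users/secret"
TRUECRYPT="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"

# usb_serial VENDOR_ID PRODUCT_ID   (reads system_profiler text on stdin)
# Prints the Serial Number of the first device block carrying both IDs, or
# nothing. A device block starts with a line ending in ":", so the IDs are
# reset at every header; a same-vendor device without a serial therefore
# cannot leak its IDs into the block that follows it.
usb_serial() {
    awk -v vid="$1" -v pid="$2" '
        /:[ \t]*$/                 { v = ""; p = ""; next }
        /^[ \t]*Product ID:/       { p = $3; next }
        /^[ \t]*Vendor ID:/        { v = $3; next }
        /^[ \t]*Serial Number:/    { if (v == vid && p == pid) { print $3; exit } }
    '
}

# The pipeline from the guide, kept only for comparison: every device with a
# serial contributes a line, so the "password" depends on enumeration order.
naive_serial() {
    grep -i 'serial' | cut -d: -f2 | tr -d ' '
}

# Constructed sample in the layout system_profiler uses (device names and
# product IDs are made up). The keyboard with an earlier serial and the
# second Kingston device without one are the two cases that break grep.
sample_profiler_output() {
    cat <<'EOF'
USB:

    USB 3.0 Bus:

      Host Controller Driver: AppleUSBXHCI
      PCI Device ID: 0x8c31

        USB Keyboard:

          Product ID: 0x0220
          Vendor ID: 0x05ac  (Apple Inc.)
          Version: 0.75
          Serial Number: KBD000111222
          Speed: Up to 1.5 Mb/sec

        DataTraveler 2.0:

          Product ID: 0x1642
          Vendor ID: 0x0951  (Kingston Technology Company)
          Version: 1.00
          Speed: Up to 480 Mb/sec

        DataTraveler 3.0:

          Product ID: 0x1666
          Vendor ID: 0x0951  (Kingston Technology Company)
          Version: 1.10
          Serial Number: 0012345678ABCDEF
          Speed: Up to 5 Gb/sec
EOF
}

# Boot-time action for the launchd job. Returns 0 on mount and 2 when the
# stick is absent, so launchd sees a clean "nothing to do" instead of an
# error from TrueCrypt being fed an empty password.
mount_secret_home() {
    serial=$(system_profiler SPUSBDataType | usb_serial "$VENDOR_ID" "$PRODUCT_ID")
    if [ -z "$serial" ]; then
        echo "USB key not present, leaving $MOUNT_POINT encrypted" >&2
        return 2
    fi
    # Password on stdin instead of --password=..., so it is never visible in
    # `ps` output. --stdin/--non-interactive/--protect-hidden are assumed to
    # exist in your TrueCrypt build; verify with `TrueCrypt --text --help`.
    printf '%s\n' "$serial" | "$TRUECRYPT" --text --non-interactive --stdin \
        --protect-hidden=no --mount "$VOLUME" "$MOUNT_POINT"
    rc=$?
    unset serial
    return $rc
}

# Only act when invoked as `start.sh run` (e.g. from the launchd plist);
# sourcing the file merely defines the functions.
if [ "${1:-}" = "run" ]; then
    mount_secret_home
fi
```

Point the ProgramArguments array of the step 1 plist at this file with a second `<string>run</string>` element, and compare `sample_profiler_output | naive_serial` with `sample_profiler_output | usb_serial 0x0951 0x1666` to see the difference on the constructed data: the first yields two lines led by the keyboard's serial, the second only the stick's.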

I slightly modified the script listed under point 4, as a blank space character was causing some trouble:

 

#!/bin/bash

# replace 0x_____ with the Vendor ID of your USB stick
device=$(system_profiler SPUSBDataType | grep 0x_____ | cut -d: -f2 | cut -c2-7)

# only execute the command if the USB stick is present
if test "$device" = "0x_____"
then
    # tr strips the blank after the colon that ended up in the password
    password=$(system_profiler SPUSBDataType | grep -i 'serial' | cut -d: -f2 | tr -d ' ')

    /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount --password="$password" /dev/rdiskXsY /Users/secret

    unset password
fi

