anywho Posted September 21, 2012

Securing your hackintosh

Since Snow Leopard, full disk encryption (FDE) has been available via FileVault 2. With it enabled, you log in at the EFI level, before the OS has loaded. Because a hackintosh cannot handle logging in with EFI, FDE with FileVault is no longer an option. This post discusses an alternative way to keep your data secure. I'll be using TrueCrypt and ZFS, but you can use any other options that suit you. It may be good to do a practice run on a portable device, as this will destroy data if you do it to the wrong drive.

Tools required:
- TrueCrypt
- ZFS
- Some familiarity with Terminal

Begin by downloading and installing both.

Copy your data

You'll want to copy all your home directory data to somewhere it can be copied back from. Maybe you use Time Machine, maybe you use something else, but it will need to be copied in order to be copied back.

Creating a gateway account

The first step is to create the user account that you will log in as. This account is not going to be encrypted, so be sure not to keep any sensitive information in it, e.g. do not store your SSN or anything else you want to protect. This will be your gateway account, so let's create a user called gateway. Be sure to make the user an admin. You will be logging into this account every time before you log in to your main account (I didn't say this would be easy; I will make it as painless as possible, however). Log out of all other accounts, then log in to this account.

Partitioning your drive

The next step is to create a partition, or use another drive, to store all the data for your main user's account. Here I've created one which is 160 GB out of my 256 GB drive. That will be plenty for the OS and plenty for me as a user. You will want to format this partition as free space. It will be an empty grey space initially; mine here is already done.
You can use any drive to do this, and you don't need to partition; this just happens to be how I did it.

Creating a TrueCrypt volume

The next step is to create a TrueCrypt volume on the empty space. Launch TrueCrypt and select the space to create the volume in. Be sure to select "Create a partition within a partition/drive". I've tried doing an encrypted file container, but it turned out to be a very unstable affair. The partition has yet to let me down. Select either a Standard or a Hidden TrueCrypt volume depending on your desired security; having a hidden TrueCrypt volume will allow you to claim plausible deniability. I select AES-Twofish-Serpent for encryption and SHA-512 for the hash algorithm. Feel free to discuss options you think are better. Just be sure to select a SECURE password; otherwise this little exercise is really a time waster. For filesystem type, select "none". The rest of the process is fairly simple, so I'm going to spare you the details.

Creating a ZFS volume

Open Terminal.app and start by typing `diskutil list`. Identify the device name of the partition or drive that you have been working on. With the TrueCrypt volume mounted (filesystem type none), the decrypted volume shows up in that list as its own disk, and that disk, not the raw partition underneath it, is the device the pool goes on; creating the pool on the raw partition would overwrite the TrueCrypt volume. Decide what you want to call your ZFS volume, known as a pool. I will call it the standard `tank` for now.

`sudo zpool create -m /Users/<username> tank /dev/<device>` will create the pool for you (substitute your main user's short name and the device identified above). Once created, you can mount it using `sudo zpool import tank`, and it will automatically mount on your selected user's home directory. Now you can copy all your home directory files back into your main user directory. When you're done copying, you can log out from gateway and log in to your main account again.

Creating a script to make it easier

Usually, unless you're in the habit of adding and removing devices, the devices tend to be allocated the same device names. That means you can make it a bit easier to mount your main user directory when logging on as gateway.
Here's an example file I call mount.sh:

```sh
#!/bin/sh
# Mount the TrueCrypt partition with no filesystem (ZFS lives inside it), then import the pool.
tc="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t"
$tc --filesystem=none /dev/disk0s3
sudo zpool import -f tank
```

If you store this as a file in user gateway's home directory, and you leave Terminal set to open every time you log on to that account, all you have to do is run `sh mount.sh` every time you log on, then immediately log off and use your main user. It's painless.

Notes

I've chosen ZFS because I wanted a really fault-tolerant file system to work with. Also, if you chose another filesystem, you may find that TrueCrypt tends to unmount it if you exit. I originally had HFS and this was a real pain. I had to run a program as the user in order to force it to remain mounted. I would usually run tmux, a terminal emulator, background it, then log out and back in to the main user.
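The script above hard-codes /dev/disk0s3, which silently points at the wrong device as soon as a disk is added or removed. The following is an added example, not the original post's mount.sh: it resolves the TrueCrypt partition by its partition UUID (stable across reboots), refuses to continue if no such partition exists, skips the import when the pool is already online, and provides a matching unmount step that exports the pool before TrueCrypt dismounts the volume. The TrueCrypt path and the pool name `tank` come from the post; the UUID is a hypothetical placeholder, and the `--demo` mode runs the lookup against constructed `diskutil` output so it can be exercised without touching any disk.

```shell
#!/bin/sh
# Added example (not the post's mount.sh): mount/unmount the encrypted home by partition UUID.
# Usage: mount-home.sh mount | unmount | --demo   (TC_PART_UUID=... overrides the placeholder)

TC="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"   # path from the post
POOL="tank"                                                 # pool name from the post
# Hypothetical placeholder UUID; read yours with:  diskutil info /dev/disk0s3 | grep 'Partition UUID'
TC_PART_UUID="${TC_PART_UUID:-11111111-2222-3333-4444-555555555555}"
DISKUTIL="${DISKUTIL:-diskutil}"   # overridable so --demo can substitute the fake below

# Print the "Disk / Partition UUID" field from `diskutil info` output read on stdin.
parse_partition_uuid() {
    sed -n 's/^ *Disk \/ Partition UUID: *//p' | head -n 1
}

# Walk every slice (diskNsM) in `diskutil list` and print /dev/<slice> for the one whose UUID matches.
find_device_by_uuid() {
    want="$1"
    for dev in $("$DISKUTIL" list | sed -n 's/.*[[:space:]]\(disk[0-9][0-9]*s[0-9][0-9]*\)$/\1/p'); do
        uuid=$("$DISKUTIL" info "/dev/$dev" | parse_partition_uuid)
        if [ "$uuid" = "$want" ]; then
            echo "/dev/$dev"
            return 0
        fi
    done
    echo "no partition with UUID $want" >&2
    return 1
}

mount_home() {
    dev=$(find_device_by_uuid "$TC_PART_UUID") || return 1
    if zpool list "$POOL" >/dev/null 2>&1; then
        echo "$POOL is already imported" >&2
        return 0
    fi
    # --filesystem=none: TrueCrypt exposes the decrypted block device and leaves mounting to ZFS.
    "$TC" -t --filesystem=none "$dev" && sudo zpool import -f "$POOL"
}

unmount_home() {
    dev=$(find_device_by_uuid "$TC_PART_UUID") || return 1
    # Export the pool first so nothing is writing when the volume is dismounted (-d).
    sudo zpool export "$POOL" && "$TC" -t -d "$dev"
}

# Constructed stand-in for diskutil used by --demo: the layout mirrors `diskutil list`
# and `diskutil info`, but the disks and UUIDs are made up.
demo_diskutil() {
    case "$1" in
        list) cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *256.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            160.0 GB   disk0s2
   3:       Microsoft Basic Data                         95.9 GB    disk0s3
EOF
        ;;
        info)
            case "$2" in
                /dev/disk0s1) echo "   Disk / Partition UUID:    AAAAAAAA-0000-0000-0000-000000000001" ;;
                /dev/disk0s2) echo "   Disk / Partition UUID:    AAAAAAAA-0000-0000-0000-000000000002" ;;
                /dev/disk0s3) echo "   Disk / Partition UUID:    11111111-2222-3333-4444-555555555555" ;;
                *) return 1 ;;
            esac ;;
    esac
}

case "${1:-}" in
    --demo)  DISKUTIL=demo_diskutil; find_device_by_uuid "$TC_PART_UUID" ;;
    mount)   mount_home ;;
    unmount) unmount_home ;;
esac
```

Matching on the partition UUID rather than the slice number means a USB stick plugged in before login cannot redirect the script at another disk, and the explicit export before dismount avoids the half-closed state the post describes with HFS.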