
Securing your hackintosh



Since Snow Leopard, full disk encryption (FDE) has been available via FileVault2. With it enabled, you log in at the EFI level, before the OS has loaded. Because a hackintosh cannot handle logging in with EFI, FDE with FileVault is no longer an option. This post discusses an alternative solution for keeping your data secure. I'll be using TrueCrypt and ZFS, but you can use any other options that suit you. It may be good to do a practice run on a portable device first, as this will destroy data if you do it to the wrong drive.


Tools required:

  1. TrueCrypt
  2. ZFS
  3. Some familiarity with Terminal

Begin by downloading and installing both.


Copy your data


You'll want to copy all of your home directory data somewhere it can be restored from. Maybe you use Time Machine, maybe something else, but it must be backed up now so that it can be copied back later.


Creating a gateway account


The first step is to create a user account that you will log in as. This account is not going to be encrypted, so be sure not to keep any sensitive information in it, e.g. do not store your SSN or anything else you want to protect. This will be your gateway account, so let's create a user called gateway. Be sure to make the user an admin.





You will be logging into this account every time before you log in to your main account. (I didn't say this would be easy, but I will make it as painless as possible.)

Log out of all other accounts, then log in to this account.


Partitioning your drive


The next step is to create a partition, or use another drive, to store all the data for that user's account. Here I've created one of 160 GB out of my 256 GB drive. That leaves plenty for the OS and plenty for me as a user. You will want to format this partition as free space; it shows up as an empty grey area initially (mine here is already done). You can use any drive for this and you don't need to partition; this just happens to be how I did it.





The next step is to create a volume in the empty space using TrueCrypt. Launch TrueCrypt and select the space in which to create the volume. Be sure to select "Create a partition within a partition/drive". I've tried using an encrypted file container, but it turned out to be a very unstable affair; the partition has yet to let me down. Select either a Standard or a Hidden TrueCrypt volume depending on your desired security. A hidden TrueCrypt volume will allow you to claim plausible deniability.


I select AES-Twofish-Serpent for encryption and SHA-512 for the hash algorithm. Feel free to discuss options you think are better. Just be sure to select a SECURE password; otherwise this little exercise is really a waste of time. For filesystem type, select "none". The rest of the process is fairly simple, so I'm going to spare you the details.


Creating a ZFS volume


Open Terminal.app and start by typing `diskutil list`. Identify the device name of the partition or drive that you have been working on. Decide what you want to call your ZFS volume, known as a pool; I will call it the standard `tank` for now. `sudo zpool create -m /Users/<username> tank /dev/<device>` will create the pool for you.


Once created, you can mount it using `sudo zpool import tank`, and it will automatically be mounted on your selected username's home directory. Now you can copy all your home directory files back into your main user directory. When you're done copying, you can log out from gateway and log in to your main account again.


Creating a script to make it easier


Unless you're in the habit of adding and removing devices, the devices tend to be allocated the same device names every time. That means you can make mounting your main user directory a bit easier when logging on as gateway. Here's an example file I call mount.sh:


#!/bin/sh
# mount.sh: open the TrueCrypt partition with no filesystem driver, then import the ZFS pool
tc="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -t"

# /dev/disk0s3 is the device identifier found with `diskutil list`; adjust it to yours
$tc --filesystem=none /dev/disk0s3

sudo zpool import -f tank


If you store this as a file in user gateway's home directory, and you set Terminal to open every time you log on to that account, all you have to do is run sh mount.sh every time you log on, then immediately log off and use your main user. It's painless.
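A more defensive version of the mount script, added here as an example and not taken from the original post: it locates the TrueCrypt partition by its GPT partition UUID rather than a hard-coded /dev/disk0s3, so a renumbered device fails closed instead of handing the wrong disk to TrueCrypt. It assumes the "Disk / Partition UUID:" line of `diskutil info` output, the diskNsM identifiers printed by `diskutil list`, and a placeholder UUID that you record once from your own partition.

```shell
#!/bin/sh
# mount-home.sh: like mount.sh above, but the TrueCrypt partition is located
# by its GPT partition UUID instead of a fixed /dev/diskNsM, so a renumbered
# device fails closed. Example code, not the original post's script. Assumes
# the "Disk / Partition UUID:" line of `diskutil info` and diskNsM identifiers.
set -eu

TC="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"
POOL="tank"
# Record this once from `diskutil info /dev/disk0s3` (placeholder value below).
WANT_UUID="00000000-0000-0000-0000-000000000000"

# Print the partition UUID found in `diskutil info` text read from stdin.
partition_uuid() {
    sed -n 's/^ *Disk \/ Partition UUID: *//p' | head -n 1
}

# Print every partition identifier (diskNsM) in `diskutil list` text from stdin.
partition_ids() {
    grep -o 'disk[0-9][0-9]*s[0-9][0-9]*' | sort -u
}

# Scan all partitions; print the device node whose UUID equals $1, else fail.
find_device_by_uuid() {
    for id in $(diskutil list | partition_ids); do
        if [ "$(diskutil info "$id" | partition_uuid)" = "$1" ]; then
            echo "/dev/$id"
            return 0
        fi
    done
    return 1
}

mount_home() {
    dev=$(find_device_by_uuid "$WANT_UUID") || {
        echo "partition $WANT_UUID not present; refusing to mount" >&2; return 1; }
    "$TC" -t --filesystem=none "$dev"   # open raw, no filesystem driver
    sudo zpool import -f "$POOL"        # pool mounts on /Users/<username>
}

unmount_home() {
    sudo zpool export "$POOL"
    "$TC" -t -d                         # dismount all TrueCrypt volumes
}
case "${1:-}" in
    mount)   mount_home ;;
    unmount) unmount_home ;;
    *)       echo "usage: $0 mount|unmount" >&2 ;;
esac
```

Run it as `sh mount-home.sh mount` from the gateway account and `sh mount-home.sh unmount` before shutting down.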




I've chosen ZFS because I wanted a really fault-tolerant filesystem to work with; also, if you choose another filesystem, you may find that TrueCrypt tends to unmount it when you exit. I originally had HFS and this was a real pain. I had to run a program as the user in order to force it to remain mounted. I would usually run tmux, a terminal emulator, background it, then log out and back in to the main user.




