Sunday, August 17, 2014

Security is hard - where I realize my clone backups are browsable

I rotate my backups offsite, so I encrypt the drives using 10.9’s quite good drive encryption.

Which works fine — until I realized that every user on my machine can browse those drives. OS X provides drive access on startup, and it doesn’t have a concept of user-specific access for encrypted removable drives. So, again, every user can browse them.

So that means if my kids log in to my primary machine they can browse the Carbon Copy Cloner backups [1] on that encrypted drive. Which is not good, since the backups contain the holy grail — our credentials database (still in FileMaker, because I like the simplicity and flexibility).

Happily the credentials database lives on a separately encrypted disk image. In my testing the child accounts cannot view that image, even when it is mounted from my account (because the physical image lives in a folder the kids don’t have access to). They can’t view the file in the backups either — because it’s not mounted from there.

Anyway, I decided to try double-encryption. I encrypt the CCC disk images as well as the drive. In my testing the kids can browse those only if they’re mounted, which is controlled from my user account. So that’s not too bad.

Damn, but security is hard.

[1] I use Time Capsule as well — backup should always be automatic, at least daily, and involve two completely different methods. The CCC clones are backups insofar as I rotate them every week or so, and because CCC puts changed or removed files into an archive.

Update 8/18/14: This wasn’t hard to fix. I just had to change the default settings on my encrypted external drives:

Original: Ownership was ignored and everyone had read privileges

[Screenshot, 2014-08-18 8:20 PM: original permission settings on the encrypted drive]

Revised: Enabled ownership, gave everyone no access but parents and admin read & write (System/wheel/staff stuff just happened, blame weird OS X permission behavior)

[Screenshot, 2014-08-18 8:25 PM: revised permission settings on the encrypted drive]

With this configuration I can do backups and restores but the kids can’t open the drive — and they can’t see drives mounted from images on the backup drive. What about if I need to do a restore to a new drive? I believe anyone with admin privileges can change permissions or ignore ownership on an attached drive.
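The two settings above (enable ownership, then deny "everyone" access at the top of the volume) can also be checked and applied from Terminal, which is handy when auditing several rotating drives. The script below is an added example, not from the original post or from Carbon Copy Cloner: it reports whether any account on the machine can read a mounted volume, then tightens the mount point so only its owner and one trusted group can traverse it. Assumed and hypothetical: the volume is mounted at the path passed as the first argument, the parent account already owns it, and the trusted group is passed as the second argument (defaulting to `staff`). `diskutil enableOwnership` is the command behind the "Ignore ownership on this volume" checkbox and is only invoked when it exists, so the checks themselves run on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten the POSIX
# permissions on a mounted backup volume so that only the owner and one
# trusted group can read it. Assumptions (hypothetical): the volume path is
# given as $1, the parent account owns it, the trusted group is $2 or "staff".

# Print the "others" permission triplet of a path, e.g. "r-x".
# ls -ld is used because its mode column is the same on BSD/macOS and GNU.
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 (true) if every account on the machine can read the path,
# i.e. the "everyone: Read only" state shown in the first screenshot.
world_readable() {
    case "$(others_perms "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Enable ownership on the volume (macOS only; a no-op elsewhere) and restrict
# the mount point: owner rwx, trusted group rx, everyone else nothing.
# Because "others" lose the execute bit on the top directory, they cannot
# traverse into any subfolder even if they know its path.
harden_volume() {
    vol=$1
    group=${2:-staff}
    if command -v diskutil >/dev/null 2>&1; then
        diskutil enableOwnership "$vol" >/dev/null
    fi
    chmod 750 "$vol"
    # The group may not exist on non-macOS hosts; ignore that case.
    chgrp "$group" "$vol" 2>/dev/null || true
}

# Report the state of a volume before and after hardening.
audit_volume() {
    vol=$1
    if world_readable "$vol"; then
        echo "$vol: readable by everyone (others=$(others_perms "$vol"))"
    else
        echo "$vol: not world-readable (others=$(others_perms "$vol"))"
    fi
}

# Usage (commented out so the file can be sourced):
#   audit_volume /Volumes/Backup1
#   harden_volume /Volumes/Backup1 staff
#   audit_volume /Volumes/Backup1
```

Run `audit_volume` on each drive in the rotation after it is mounted; a drive that still reports "readable by everyone" has had ownership ignored again (a reformat or a Finder "Ignore ownership" click resets it), which is the state the original screenshot shows.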
