
Espionage Brings “Tricksy” Folder Encryption to OS X

Although I am an avid OS X user, this great OS of ours has deficiencies, and many of the ones I focus on center, unsurprisingly, around security.

In the plethora of accurate claims of superiority in Apple’s “I’m a Mac” ads, one counter-example is the ability within Windows to encrypt individual folders. While Microsoft’s EFS is no panacea of security and usability, it does work and there has been no practical parallel yet within OS X. Until now.

A Twitter post early Thursday morning from the legendary Matt Gemmell quietly announced Espionage from Tao Effect software (Greg Slepak & John Ashenden). This $14.95 utility (for OS X 10.5+) uses some interesting tricks to bring folder-level encryption and/or privacy to your workstation. Read on to see what’s going on under the covers and to find out if Espionage is the right solution for you.

Encryption Choices on OS X

Without bringing additional tools such as TrueCrypt into the mix, Apple offers two ways to secure your information. The first is with FileVault (which has some security and usability issues of its own), where you can choose to encrypt your entire home folder, but only your home folder, to keep prying eyes away.

The second is to use Disk Utility to create an encrypted disk image and then mount that whenever you need to store or retrieve data. This is a cumbersome, but effective, process and is ultimately what FileVault is doing under the covers to work its magic.

If only there was a way to associate these secure disk images with folders and have the mounting be handled automatically…

A Peek Behind the Curtain

Normally, the inner- and inter-workings of an application are either too intricate (e.g. Photoshop) or too mundane (e.g. TextEdit) to cover during an app review. However, when it comes to security, very few details are insignificant and one of the prime uses of Espionage is to secure your data and control the access to it.

Espionage has two basic features: enabling general encrypted folders (using the same “trick” as FileVault) and providing a way to “lock” folders and require a password to access them.

It performs the latter through a kernel extension named “iSpy” that is installed upon first run of the application and can be seen by dropping into the Terminal and issuing the following command:

$ kextfind -case-insensitive -bundle-id -substring 'com.taoeffect.' -print

“Protected” folders show the typical “restricted access” icon when locked:

And prompt you for an access password (which you create when “securing” the folder):

Because it operates at such a low-level, this “protection” exists even when using command-line utilities to access files in the folder. That is, even attempting an “ls” from the Terminal will bring up the access prompt (provided you have not already unlocked the folder). This “protection” only works on the system the folder was “protected” on and requires the kernel extension to be running. If you disable/unload the extension or just boot in target disk mode, you will be able to access the data. The Tao Effect developers make no claims of security with this method of protection and even go out of their way to warn you.

But, What About Encrypted Folders?!

Ah, yes. The main reason you will want to use Espionage is to take advantage of the encrypted folders. As I have indicated, they use the same sleight of hand that FileVault uses and create a hidden, encrypted sparse disk image that is then mounted and linked with the folder you specify. For existing folders, it creates this disk image, copies the files and folders from your target selection into the new disk image and sets up the linkage behind the scenes after deleting your old files. I should warn you that it did not do a secure delete of the “expenses” directory and I was able to find it and the contents therein in the “Trash”. These files could easily be recovered, which is a pretty serious oversight in an attempt to make your digital life more secure.

As part of the magic, you will see that there is a new folder in your “Volumes” directory (this is where all mounted disks get placed by default) where Espionage keeps mount points for all these sparse images.

And, you can also see just where Espionage stores these sparse disk images via the Terminal or through Disk Utility.

Since it is just a disk image “hack”, Espionage also provides a way to specify the default size and filesystem type:

So, What’s The Verdict?

Espionage does have some very interesting capabilities and I was impressed that the installer (which puts the kernel extension into place) includes full details as to what it is doing.

The application also includes other niceties such as support for Growl notifications and the ability to always enable or block application access to a particular folder under the watch of iSpy. You will need to make use of this feature if you plan on utilizing any type of automated backup solution that will include that folder in the source path list.

However, due to the deficiencies with the way it initially creates encrypted folders and also some quirks during the operation, especially when performing multiple operations on the test “expenses” folder, I, personally, will have to continue to use my existing methods of securing data. As you saw from the FileVault screen capture, I do not use FileVault, but I do use secure disk images locally, on USB sticks, fileshares and when I am backing up sensitive data to my offsite provider. I also use TrueCrypt when I need to ensure my disks are fully protected.

I strongly suggest, however, that you do watch for future updates to Espionage as the developers will no doubt work the kinks out of this initial release and provide a very solid solution to fill the gap left by Apple. Since I am not aware of any features of Snow Leopard that will obsolete the functionality of Espionage, it should continue to fill this gap through the next release of Apple’s desktop operating system.

20 Responses to “Espionage Brings “Tricksy” Folder Encryption to OS X”

  1. is it possible to simply mount the disc image on a folder location as in linux? this would seem to provide the same functionality, if it works…

  2. @searas without explicitly warning folks to do a Secure Empty Trash it is irresponsible not to do an “srm” on the files vs moving them to the trash.

    @Raz re-creating the “expenses” folder caused numerous, false error messages to appear. the interface also did not show the status of locked folders properly. i also had issues with the “hidden” mount points not being found (the “alias” could not be resolved on multiple occasions)

    @Alex correction noted. Will try to be more careful :-)

    To the folks who are not sure about the advantages, there are many ppl who just want portions of their disk secure either for performance reasons or just because they may have been burned with other solutions. I agree that whole-disk encryption is a much better idea and would prefer to see something like the Travelstar 7K200 or 7K320 (if it worked on Macs)

  3. Cleverly written. For my purposes, I prefer to keep secure data on a drive that is locked down six ways from Sunday, rather than having portions of my HD secured — especially if you need a kext running to secure them anyway. It’s like having a great account password without setting the Open Firmware password.

    Also, small correction: sleight of hand.

  4. Try Knox and Excel. I especially like Knox. A nice feature that may be common to all three of these is that Knox uses the FileVault component of OSX and therefore can be opened on any Mac using OSX, whether Knox is installed or not.

    For me, the major problem with these small encrypted images is that you have not encrypted your library, where all your mail, etc resides.

    Next up- FileVault, when I understand better how it works and work up more nerve.

  5. Bob, could you please elaborate on those “deficiencies” and “quirks”? I still don’t know what the major downsides of this tool are – If there are any besides the trash thing (which is not a big issue in my opinion) and the necessity to block access to those encrypted folders for certain applications. What are those problems you mentioned “when performing multiple operations” exactly?