Building simplicidade.org: notes, projects, and occasional rants

Security

One recurrent worry that I had was about my laptop security. At least once a week I get an email from a local Portuguese Mac-zine about stolen MacBooks. When I get them, my first thought is always: if that happened to me, my $business is screwed...

So a couple of months ago I started looking around for options to secure my two Macs (desktop and laptop) and their Time Machine backup drives against physical theft.

I bought a copy of PGP Whole Disk Encryption and I'm using it on my laptop. On day-to-day usage, you just don't notice the overhead. I suppose that if I had to do I/O intensive stuff I might, but so far it doesn't register at all.

The setup process is slow but painless. It took about 3 hours to encrypt my hard drive, and the laptop remains usable during the whole process. You can even stop and restart if you need to.

You can have several users, each with a different pass-phrase that can unlock the hard drive at boot time. I created two users, one for me, and another for disaster recovery. I generated a long random pass-phrase for the second user, printed two copies, and stored them in two different safe deposit boxes that I and my business partner have access to. This way, if I get hit by a bus, my partner can access the content of the drive.
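As an added illustration, not the product's own code or its on-disk format (the post does not describe either), here is the usual design behind that multi-user feature: one random volume key is wrapped separately under a key derived from each user's pass-phrase, so any single pass-phrase unlocks the disk and a user can be added or revoked without re-encrypting the drive. The scrypt parameters, the XOR-plus-HMAC wrapping, and the user names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of the "one volume key, many pass-phrases" design.
# Assumption: the real product's format and KDF are not on the page; this
# mirrors only the common architecture (random data key, wrapped once per user).

KEY_LEN = 32                               # 256-bit volume key
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed KDF cost parameters


@dataclass(frozen=True)
class WrappedKey:
    salt: bytes      # unique per user, so each KDF output is used only once
    wrapped: bytes   # volume key XOR first half of KDF output (one-time pad)
    tag: bytes       # HMAC over salt || wrapped, keyed with the second half


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the pass-phrase into a pad and a MAC key (2 * KEY_LEN bytes)."""
    out = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def wrap_volume_key(volume_key: bytes, passphrase: str) -> WrappedKey:
    """Create one user's slot: the volume key protected by that user's pass-phrase."""
    salt = os.urandom(16)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return WrappedKey(salt, wrapped, tag)


def unwrap_volume_key(slot: WrappedKey, passphrase: str) -> Optional[bytes]:
    """Recover the volume key from a slot, or None if the pass-phrase is wrong."""
    pad, mac_key = _derive(passphrase, slot.salt)
    expected = hmac.new(mac_key, slot.salt + slot.wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot.tag):
        return None                        # wrong pass-phrase or tampered slot
    return bytes(a ^ b for a, b in zip(slot.wrapped, pad))


def random_recovery_passphrase(groups: int = 6) -> str:
    """Long random pass-phrase suitable for printing and storing offline."""
    return "-".join(secrets.token_hex(4) for _ in range(groups))


class EncryptedVolume:
    """Header holding the per-user slots; the volume key is never stored in clear."""

    def __init__(self) -> None:
        self.slots: Dict[str, WrappedKey] = {}

    @classmethod
    def create(cls, users: Dict[str, str]) -> Tuple["EncryptedVolume", bytes]:
        volume_key = secrets.token_bytes(KEY_LEN)
        vol = cls()
        for name, passphrase in users.items():
            vol.slots[name] = wrap_volume_key(volume_key, passphrase)
        return vol, volume_key

    def unlock(self, name: str, passphrase: str) -> Optional[bytes]:
        slot = self.slots.get(name)
        return None if slot is None else unwrap_volume_key(slot, passphrase)


def demo() -> Dict[str, bool]:
    """Two users (assumed names), one volume key; returns the checks as booleans."""
    recovery = random_recovery_passphrase()
    vol, volume_key = EncryptedVolume.create({
        "owner": "correct horse battery staple",   # constructed pass-phrase
        "recovery": recovery,
    })
    return {
        "owner_unlocks": vol.unlock("owner", "correct horse battery staple") == volume_key,
        "recovery_unlocks": vol.unlock("recovery", recovery) == volume_key,
        "wrong_passphrase_rejected": vol.unlock("owner", "wrong") is None,
        "unknown_user_rejected": vol.unlock("nobody", recovery) is None,
        "slots_differ": vol.slots["owner"].wrapped != vol.slots["recovery"].wrapped,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of the per-user slot is that revoking the recovery pass-phrase, or changing your own, only means rewriting one small slot in the header; the encrypted data and the volume key underneath stay untouched.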

My next step will be to encrypt the entire Time Machine external disk drive that I use. After that, I'll update the desktop machine and its Time Machine backup disk.

This should solve the physical theft problem. There are some precautions that you need to take though. For example, to be protected you must shut down your laptop. When the laptop enters sleep mode, the hard drive remains "open". It would be nice to "lock" the hard drive when entering sleep mode, but I guess that it would require more support from Apple to do that. This is a problem for the laptop. I usually shut down my desktop every day when I leave the office. I do hope to see a lock-on-sleep feature in a future release.

But so far I'm very happy with this solution. Recommended.

Of course, I still have to worry about non-physical theft. People could still hack into my servers, or even hack into my desktop/laptop while they are running. But it's a step.

The servers run with minimal services, and with a firewall active. I still haven't made the jump to a full SELinux-enabled system, though. I do have a minimal port-knocking system for ssh connections, but it's still experimental and only covers two of the ten servers I manage.

Also, some less secure services still share hosts with other higher security services. This is legacy from a time when I had fewer servers, and splitting them was not an option. My experiments with OpenVZ should provide an even better solution for this problem.

Small company, so small steps.