10 Replies Latest reply: Feb 25, 2014 11:49 AM by imac-since-late2013
imac-since-late2013 Level 1 Level 1 (0 points)

Hello all,

It is my pleasure to join this community. A sleek new iMac 27 inch 2013 has been shipped.

A SSD as the only mass storage is populated in that iMac.

The user did not yet start to store sensitive data on ssd.

 

The question is what needs to be done now (yet before users start to use ssd

for writing own sensitive data) in order to achieve two goals listed below?

1. If some day in the future (middle, or long term) this imac should be resold

the sensitive user data can be removed from ssd before ownership change

2. If some day in the future the appliance should need

to be sent to any repair service the sensitive user data is save from unauthorized access.

 

The full reliability of sensitive user data removal and protecting those
data from unauthorized access while the appliance in foreign hands for any reason
has in this case the highest priority.
The used measure of protection must not show any negative impacts
in other computing aspect while using this appliance.

 

Please see the ssd and all resulting impacts as central point of the question.

There are plenty of discussions in web to be found in regards to

reliability of data removal on ssd and to reliability of data encryption on ssd.

For a newbie however it is not easy to see what of been pointed out is still valid today.

 

I guess the full disk encryption by a ssd external software solution might be oversized

- only the sensitive user data needs to be protected. Furthermore such approach - full disk encryption -

seems to have sever impacts in other computing aspects.

Similarly the ssd internal encryption solution.

 

On the another hand achieving the goal by folder/files encryption seems to

be tricky as well. One needs namely to know what are all used cache files and folders

utilized by operating system and all the software in use. So I am in doubt.


iMac, OS X Mavericks (10.9.1), just ssd as boot drive, no others
  • 1. Re: Needed measures to protect sensitive data
    baltwo Level 9 Level 9 (60,115 points)
  • 2. Re: Needed measures to protect sensitive data
    Topher Kessler Level 6 Level 6 (9,340 points)

    Protecting sensitive data is going to be an ongoing discussion, with ideas stemming from whether full disk encryption or perhaps avoiding your hard drive and storing files on external media is best.

     

    Any additional encryption or protective measure you take for a file will have an impact on the system; however, in most cases this impact will be negligable.

     

    If files you use are sensitive, then be sure to fully password-protect your system (use strong passwords), and ensure FileVault is enabled. In addition, ensure any external drive you use is fully encrypted, which can be done by formatting it to "Mac OS X Extended (Journaled) encrypted" in Disk Utility. When done, ensure the system has a sleep/screensaver password enabled, and you should be well-off to having your data secured with minimal impact on the system.

     

    Apple's full-disk encryption rides above the storage device hardware, and below the operating system, so the type of storage you use should not matter one bit, and the encryption should be transparent to the operating system and programs you use. In the event of theft, however, without the proper password then all data on the drive will be garbled.

  • 3. Re: Needed measures to protect sensitive data
    Joe Bailey Level 6 Level 6 (12,095 points)

    I suppose you are aware that Apple does not support secure erasure of Solid State Drives for many good reasons including the fact they cannot be truly erased. My suggestion would be when the time comes to pass your iMac along to another user you pop open the enclosure, yank out the SSD and place it in an external enclosure for use on the iMac's replacement. As for the old iMac, either replace the drive with a new blank drive or sell it as is without a drive.

  • 4. Re: Needed measures to protect sensitive data
    arthur Level 5 Level 5 (4,470 points)
    1. Use Disk Utility to encrypt your sensitive files or folders. This is very secure.  How to create a password-protected (encrypted) disk image
    2. Before you sell your Mac, use disk utility to securely erase your HD. Securely wipe your hard drive | Macworld
  • 5. Re: Needed measures to protect sensitive data
    imac-since-late2013 Level 1 Level 1 (0 points)

    @Joe Bailey and arthur

    As mentioned in the thread opening message all this is about iMac late 2013.

    That means, drive replacement conducted by user is not possible.

    As mentioned there as well it is about ssd, the only drive in this iMac, the boot drive.

     

     

    A nice thank-you for all your hints.

    It helped me little bit to make progress in deciding.

    Yes, the FV2 seems to be good enough as for our requirements.

    It shows few impacts, however these are rather minors.

    The overall costs of any nature seem to be acceptable as well.

     

    Strong passwords, encrypting on the whole chain, screenshots with pwds all these

    are right points. My intention however was to narrow the discussion here to

    topics and use-cases described at start.

  • 6. Re: Needed measures to protect sensitive data
    bostonpops Level 1 Level 1 (0 points)

    If the new iMac is physically safe during your use, for example it is in a location where others do not have access to the physical computer then you may not need FDE (Full Disk Encryption) with File Vault.  In this case before the iMac was sold I would simply remove the drive and replace with a new one before selling.  The cost of a new drive is relativly small and in 1 to 2 years will be even less expensive. Not selling the drive is the only way to ensure you will not have any data leakage due to sector sparing by the drives internal firmware (the drive will disable access to certain locations if read errors are identified and you will not be able to erase them in the future). I concur with Joe just pull the drive before selling.  

  • 7. Re: Needed measures to protect sensitive data
    baltwo Level 9 Level 9 (60,115 points)

    bostonpops wrote:

    …before the iMac was sold I would simply remove the drive and replace with a new one before selling.

    There's no simple way to open up a new iMac. Thus, removing and raplacing the SSD/HD is beyond the average user's ability.

  • 8. Re: Needed measures to protect sensitive data
    bostonpops Level 1 Level 1 (0 points)

    Baltwo, I completely agree with you about the iMac's are not easily serviceable.  However my point is if security is paramount, spending $150 to have a technician replace the drive is the safest option to security of any drive.  If this is to much then security is not the most important issue.

  • 9. Re: Needed measures to protect sensitive data
    baltwo Level 9 Level 9 (60,115 points)

    I only balked about your use of the word simple. Additionally, using DU's Security Options and choosing to write over the data once, 7 times, or 35 times should do the job wanted.

  • 10. Re: Needed measures to protect sensitive data
    imac-since-late2013 Level 1 Level 1 (0 points)

    Actually, all additional measures to protect sensitive data from unauthorized access within the whole chain of data storage are out of focus here. In focus just two use cases mentioned in initial question.

    This is due to switching from hdd and a user serviceable solution to sdd-only and repairable only by professionals mac.

    So that switch results in degradation of data security.

    The goal here is just to get back the same grade of data security - despite the fact how inperfect it is.

     

    All additional measures will be met not until the decision is made - this data needs more security within whole chain. Currently for the environment here the highest data leakage risks are even two described use cases, natural cataclysm.