Needed measures to protect sensitive data

Question

Needed measures to protect sensitive data

Hello all,

It is my pleasure to join this community. A sleek new iMac 27 inch 2013 has been shipped.

A SSD as the only mass storage is populated in that iMac.

The user did not yet start to store sensitive data on ssd.

The question is what needs to be done now (yet before users start to use ssd

for writing own sensitive data) in order to achieve two goals listed below?

1. If some day in the future (middle, or long term) this imac should be resold

the sensitive user data can be removed from ssd before ownership change

2. If some day in the future the appliance should need

to be sent to any repair service the sensitive user data is save from unauthorized access.

The full reliability of sensitive user data removal and protecting those
data from unauthorized access while the appliance in foreign hands for any reason
has in this case the highest priority.The used measure of protection must not show any negative impacts
in other computing aspect while using this appliance.

Please see the ssd and all resulting impacts as central point of the question.

There are plenty of discussions in web to be found in regards to

reliability of data removal on ssd and to reliability of data encryption on ssd.

For a newbie however it is not easy to see what of been pointed out is still valid today.

I guess the full disk encryption by a ssd external software solution might be oversized

- only the sensitive user data needs to be protected. Furthermore such approach - full disk encryption -

seems to have sever impacts in other computing aspects.

Similarly the ssd internal encryption solution.

On the another hand achieving the goal by folder/files encryption seems to

be tricky as well. One needs namely to know what are all used cache files and folders

utilized by operating system and all the software in use. So I am in doubt.

iMac, OS X Mavericks (10.9.1), just ssd as boot drive, no others

Posted on Feb 10, 2014 2:29 PM

Reply

Answer 1

baltwo

Level 9

62,362 points

Feb 10, 2014 2:39 PM in response to imac-since-late2013

Use File Vault.

Reply

Answer 2

Feb 10, 2014 2:40 PM in response to imac-since-late2013

Protecting sensitive data is going to be an ongoing discussion, with ideas stemming from whether full disk encryption or perhaps avoiding your hard drive and storing files on external media is best.

Any additional encryption or protective measure you take for a file will have an impact on the system; however, in most cases this impact will be negligable.

If files you use are sensitive, then be sure to fully password-protect your system (use strong passwords), and ensure FileVault is enabled. In addition, ensure any external drive you use is fully encrypted, which can be done by formatting it to "Mac OS X Extended (Journaled) encrypted" in Disk Utility. When done, ensure the system has a sleep/screensaver password enabled, and you should be well-off to having your data secured with minimal impact on the system.

Apple's full-disk encryption rides above the storage device hardware, and below the operating system, so the type of storage you use should not matter one bit, and the encryption should be transparent to the operating system and programs you use. In the event of theft, however, without the proper password then all data on the drive will be garbled.

Reply

Answer 3

Joe Bailey

Level 6

12,227 points

Feb 10, 2014 2:41 PM in response to imac-since-late2013

I suppose you are aware that Apple does not support secure erasure of Solid State Drives for many good reasons including the fact they cannot be truly erased. My suggestion would be when the time comes to pass your iMac along to another user you pop open the enclosure, yank out the SSD and place it in an external enclosure for use on the iMac's replacement. As for the old iMac, either replace the drive with a new blank drive or sell it as is without a drive.

Reply

Answer 4

arthur

Level 5

5,242 points

Feb 10, 2014 2:44 PM in response to imac-since-late2013

Use Disk Utility to encrypt your sensitive files or folders. This is very secure. How to create a password-protected (encrypted) disk image
Before you sell your Mac, use disk utility to securely erase your HD. Securely wipe your hard drive | Macworld

Reply

Answer 5

Feb 16, 2014 2:35 PM in response to Joe Bailey

@Joe Bailey and arthur

As mentioned in the thread opening message all this is about iMac late 2013.

That means, drive replacement conducted by user is not possible.

As mentioned there as well it is about ssd, the only drive in this iMac, the boot drive.

A nice thank-you for all your hints.

It helped me little bit to make progress in deciding.

Yes, the FV2 seems to be good enough as for our requirements.

It shows few impacts, however these are rather minors.

The overall costs of any nature seem to be acceptable as well.

Strong passwords, encrypting on the whole chain, screenshots with pwds all these

are right points. My intention however was to narrow the discussion here to

topics and use-cases described at start.

Reply

Answer 6

Feb 16, 2014 3:25 PM in response to imac-since-late2013

If the new iMac is physically safe during your use, for example it is in a location where others do not have access to the physical computer then you may not need FDE (Full Disk Encryption) with File Vault. In this case before the iMac was sold I would simply remove the drive and replace with a new one before selling. The cost of a new drive is relativly small and in 1 to 2 years will be even less expensive. Not selling the drive is the only way to ensure you will not have any data leakage due to sector sparing by the drives internal firmware (the drive will disable access to certain locations if read errors are identified and you will not be able to erase them in the future). I concur with Joe just pull the drive before selling.

Reply

Answer 7

baltwo

Level 9

62,362 points

Feb 16, 2014 3:40 PM in response to bostonpops

bostonpops wrote:

…before the iMac was sold I would simply remove the drive and replace with a new one before selling.

There's no simple way to open up a new iMac. Thus, removing and raplacing the SSD/HD is beyond the average user's ability.

Reply

Answer 8

Feb 16, 2014 3:49 PM in response to baltwo

Baltwo, I completely agree with you about the iMac's are not easily serviceable. However my point is if security is paramount, spending $150 to have a technician replace the drive is the safest option to security of any drive. If this is to much then security is not the most important issue.

Reply

Answer 9

baltwo

Level 9

62,362 points

Feb 16, 2014 5:41 PM in response to bostonpops

I only balked about your use of the word simple. Additionally, using DU's Security Options and choosing to write over the data once, 7 times, or 35 times should do the job wanted.

Reply

Answer 10

Feb 25, 2014 11:49 AM in response to Topher Kessler

Actually, all additional measures to protect sensitive data from unauthorized access within the whole chain of data storage are out of focus here. In focus just two use cases mentioned in initial question.

This is due to switching from hdd and a user serviceable solution to sdd-only and repairable only by professionals mac.

So that switch results in degradation of data security.

The goal here is just to get back the same grade of data security - despite the fact how inperfect it is.

All additional measures will be met not until the decision is made - this data needs more security within whole chain. Currently for the environment here the highest data leakage risks are even two described use cases, natural cataclysm.

Reply