Category Archives: Encryption

gpg for Mac

Lately I’ve been building a bunch of “Linux” command line tools for my Mac. As I focus on security, I decided GPG would be the next tool. You can download my GPG public key at KenjiYoshino.pub.

Download

  1. gpg-1.4.13.tar.gz
    • SHA-1 of gpg-1.4.13.tar.gz: 45901f228377c65b445104d7037ad26dde70fe7a
    • Signature: gpg-1.4.13tar.gz.sig
    • SHA-1 of the gpg executable: 361b9beec3667abdc01d30b0b5ac0b215b3d4d48
    • SHA-1 of the gpgv executable: 006c7ac41d63f1a1a7aa695428f42acd9f7a54e3
  2. Open the Terminal and navigate to the downloaded archive
  3. Extract the files by running tar xzf gpg-1.4.13.tar.gz
  4. Log in with an account with Administrator privileges
  5. Copy /bin/gpg and /bin/gpgv to /usr/local/bin
  6. Copy /man/gpg.1 and /man/gpgv.1 to /usr/local/share/man/man1
  7. Make sure all users have execute/read access to these files

Compile

Note: You must have Xcode installed.

  1. Download the GPG 1.4.13 source from http://www.gnupg.org/download/
  2. Open a terminal window and browse to the downloaded archive
  3. Extract the archive using tar xzf gnupg-1.4.13.tar.gz
  4. Open the gnupg-1.4.13 directory
  5. Run ./configure
  6. Run make
  7. You will have the gpg and gpgv binaries in the /g10 directory and the man page in the /doc directory
  8. Copy /g10/gpg and /g10/gpgv to /usr/local/bin
  9. Copy /doc/gpg.1 and /doc/gpgv.1 to /usr/local/share/man/man1
  10. Make sure all users have execute/read access to these files

MacOS WDE

I decided I should get around to encrypting the data on my Mac hard drives, so a thief would not be able to access potentially sensitive information if my laptop were stolen. I wanted a Whole Disk Encryption solution that works similarly to Symantec PGP Whole Disk Encryption or TrueCrypt, but I didn’t want to pay for Symantec/PGP and (as far as I can tell) TrueCrypt doesn’t support System Encryption for Mac.

When FileVault first came out, I wasn’t too impressed. It seemed like a hack where Apple was just shoehorning user directories into encrypted disk images. Then I heard about performing whole disk encryption using FileVault 2. This sounded pretty good and Apple seems to be doing security right so I decided to explore the FileVault 2 option.

First I went into System Preferences -> Security & Privacy -> FileVault. As I read about FileVault, I found it is designed to encrypt the disk encryption key with a key derived from each user’s password. I didn’t want my disk encryption key protected by weak passwords, and I didn’t want to be inconvenienced by having to enter extremely long/strong passwords for normal unlocking of the computer. It only took a slight hack of MacOS built-in features to accomplish this.

Mac OS WDE Steps

  1. Create a new Administrator account. This will be your unlocking account, so name it and create a password accordingly.
    Note: We are creating a separate account, because FileVault can only be enabled from an Administrator account, but you cannot remove the ability to unlock the drive once it has been granted.
  2. Log out and log in with the new unlocking account
  3. Open System Preferences -> Security & Privacy -> FileVault
  4. Click “Turn On FileVault…”
  5. Follow the steps to turn on FileVault. I chose not to send a recovery key to Apple.
  6. Wait for the encryption to finish.
  7. Log out of your unlocking account.
  8. Log in with another Administrator account.
  9. Open System Preferences -> Users & Groups
  10. Select the unlocking account and uncheck “Allow user to administer this computer”
  11. Check “Enable parental controls” and click “Open Parental Controls…”
  12. Now restrict this account, so it is unusable for general use and can only reasonably be used to unlock the hard drive.
    1. Under Apps
      1. Check “Use Simple Finder”
      2. Check “Limit Applications”
      3. Uncheck all “Allowed Apps:”.
        Note: I went back and allowed the GoogleSoftwareUpdateAgent and SIMBL Agent, because these were giving me permission errors when logging in.
    2. Under Web
      1. Select “Allow access only to these websites” and do not include any websites in the list.
    3. Under People, deselect all options
    4. Don’t make any changes under “Time Limits”
    5. Under Other
      1. Check all options.
        Note: Checking “Disable changing the password” is especially important if you share the password to allow a few people to unlock the computer.

Now when you boot your computer, you will be presented with a screen asking for the password to your unlocking account. Once you log in to the unlocking account, you will not have access to any applications, so the only reasonable thing to do is log out. Then you will have the option to log in to one of the other accounts on the system.
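To confirm the result of the steps above from the command line, the following added example (not part of the original post) checks that the unlocking account is the only FileVault-enabled user. It assumes the macOS `fdesetup list` output format of one `username,UUID` line per enabled user; the function name `audit_unlockers`, the account names and the UUIDs are constructed for illustration.

```shell
#!/bin/sh
# audit_unlockers ALLOWED
# Reads `fdesetup list` output on stdin (assumed format: "username,UUID",
# one line per FileVault-enabled user).
# Returns 0 if ALLOWED is the only user able to unlock the disk,
#         1 if other users can also unlock it,
#         2 if ALLOWED itself is not enabled.
audit_unlockers() {
    allowed=$1
    # Keep only the username column and drop blank lines.
    users=$(cut -d, -f1 | sed '/^[[:space:]]*$/d')
    # Every enabled user that is not the designated unlocking account.
    extra=$(printf '%s\n' "$users" | grep -v -x -F -- "$allowed" || true)
    if ! printf '%s\n' "$users" | grep -q -x -F -- "$allowed"; then
        echo "unlock account '$allowed' is not FileVault-enabled" >&2
        return 2
    fi
    if [ -n "$extra" ]; then
        echo "other accounts can unlock the disk:" >&2
        printf '  %s\n' $extra >&2
        return 1
    fi
    echo "only '$allowed' can unlock the disk"
}

# Constructed sample outputs (account names and UUIDs are made up).
sample_ok='unlocker,11111111-2222-3333-4444-555555555555'
sample_bad='unlocker,11111111-2222-3333-4444-555555555555
alice,66666666-7777-8888-9999-000000000000'

# On a real Mac, run as an administrator:
#   sudo fdesetup list | audit_unlockers unlocker
```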

7zip for Mac

With taxes approaching, I started revisiting the old question of how to securely transfer files between Mac and Windows.

My first thought was using zip and openSSL, but that requires the Windows user to have openSSL installed and use the command line. Maybe an encrypted zip, but I couldn’t figure out what encryption options the Mac command line supports, and the Windows user needs WinZip to decrypt. I like 7zip: it works well for Windows and p7zip works well for Linux, but Mac distributions of p7zip don’t seem to be maintained. I decided to take things into my own hands. It turned out to be simpler than I expected.

  1. Install Xcode (available through the Mac App Store) and the Xcode Command Line Tools
  2. Download the full p7zip source from sourceforge
  3. Extract the 7zip source
  4. Open Terminal, navigate to the extracted files
  5. Run make
  6. As an administrative user, copy <extracted files>/bin/7za to /usr/local/bin
  7. As an administrative user, copy <extracted files>/man1/7za.1 to /usr/local/share/man/man1/
  8. Run chmod +r 7za.1 (for some reason only the owner had read access)

You can download the binary I created at 7za-9.20.tar.gz. Extract this file using tar xzf 7za-9.20.tar.gz and then follow steps 6-9 above. The SHA1 hash of the tar.gz archive is 910eb7f91056ac66009373a542a45c1b1b82094d. The SHA1 hash of the 7za executable is e7b0b37be87354c7188401ea46dc65c6611647b5. The signature for the tar.gz archive is 7za-9.20.tar.gz.sig.

Note: On my older MacBook that has undergone a number of OS upgrades, /usr/local/share/ did not exist. Putting the man file in /usr/local/man/man1/ did not work. I had to create /usr/local/share/man/man1/.