Hiding encrypted partition at startup

dancodanco Senior Member Community Moderator

Not a 1PW question, but as it is a security matter I thought some of the forum members might be able to help.

I know how to ensure that a partition does not mount at startup (using a /etc/fstab file, and the UUID of the partition).

However, as far as I can see, if the partition is encrypted one is still asked for the encryption key during the startup process. Does anyone know of a way to avoid this prompt coming up?

The idea is to completely hide the existence of the partition from sufficiently casual outsiders/thieves. They would have to be fairly casual, as disk size would give a clue, or Disk Utility would reveal the existence of the partition. But as it stands the request for the encryption key is just too big a clue, and I would like to get rid of it.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OS X 10.10.5
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member
    edited January 2016

    @danco: Hmm. My approach would be to use a USB drive for something like that (which can be removed), since that would eliminate the prompt...but of course that's not what you're asking about. ;)

    I'm not sure that what you're trying to do is possible. Given that (it sounds like) it's a partition on a drive you're still mounting, I'm not aware of a way to make OS X effectively ignore a particular volume on a disk it's working with already...but I'd be happy to be proven wrong. It's a neat idea. :)

  • dancodanco Senior Member Community Moderator

    It is certainly possible to ignore an unencrypted partition at startup. My problem is trying to ignore an encrypted partition.

    For reference, the unencrypted partition can be ignored by an /etc/fstab file stating

    UUID=.... none hfs rw,noauto

    Of course, the partition can be seen (and then mounted) in Disk Utility, but it does not get mounted at startup and a casual user would not know of its existence.

    For my situation (I can explain why), the encrypted partition does need to be on the same hard drive as the startup partition, and I just want a casual user not even to be warned by a request to unlock it.

  • thightowerthightower T-Dog Agile's Mascot

    @danco

    I have always done the unencrypted version (non mount) on startup. Actually I am still using it for an SD Card in my MacBook.

    If you do find some data please add it back here.

    Thanks,

  • BenBen AWS Team

    Team Member

    Only thing I can think of off hand would be to NOT encrypt the partition itself, but to store an encrypted sparse bundle on the unencrypted partition. Of course this means having to mount both the partition itself and the sparse bundle when you want to access it, which probably isn't ideal.

    Would be interested to hear if you find a better way though. :)

    Ben

  • brentybrenty

    Team Member

    Of course, the partition can be seen (and then mounted) in Disk Utility, but it does not get mounted at startup and a casual user would not know of its existence.

    @danco: Ah, indeed that's what I was thinking of: hiding it from the OS itself.

    Only thing I can think of off hand would be to NOT encrypt the partition itself, but to store an encrypted sparse bundle on the unencrypted partition. Of course this means having to mount both the partition itself and the sparse bundle when you want to access it, which probably isn't ideal.

    @bwoodruff: That's what I do in most cases. It isn't as convenient, but I like the control (and security) it affords. If danco isn't accessing this volume frequently, that may be a good option.

  • dancodanco Senior Member Community Moderator

    It looks as though there isn't an answer to my question. The encrypted volume is my usual working one, so sparse image doesn't work. Basically I want a kind of "security through obscurity" that would only defeat very casual outsiders. I can give details if anyone cares enough.

  • brentybrenty

    Team Member

    Well, you've piqued my curiosity! :chuffed:

    Security through obscurity is an icky thing...but it sounds like you may plan to have actual security behind that (with the encryption).

  • dancodanco Senior Member Community Moderator

    Oh yes, real security too.

    I have had a computer stolen and it was clear that the thieves were just casual.

    After that I installed Undercover as a theft-recovery help. That was before Find My Mac was introduced. I still think that it is likely to be better at recovery than Find My Mac, though it doesn't have any option to wipe the drive.

    Because one can't include it on the Mac recovery partition (which will work to allow a guest user and Find My Mac), one needs to have an unencrypted startup partition with no password, as a trap for casual thieves (so that Undercover can do its work behind the scenes if a thief connects to the internet). This partition contains no real data, and the startup partition I use for my data is encrypted by File Vault. It does mean that I have to choose to start from my real partition, not the fake one, but that's a very minor hassle.

    But, as I indicated and seems to be hard/impossible, I don't want anyone starting in the fake partition even knowing about the real one.

  • khadkhad Social Choreographer

    Team Member

    For casual thieves, I wonder if just the mere fact that you have a separate partition is good enough. I guess it depends on the threats you are trying to protect against. If the second partition is encrypted, you should be good to go. By the time a causal thief is aware of its existence, their photo has already been snapped and location tracked by Undercover, right?

    Of course, now you have me thinking about my own setup and use of FileVault and Undercover. ;) I guess this is one downside of FileVault 2 which encrypts the whole drive. Before, we could get away with just encrypting the home folders but leaving a dummy account with FileVault (1) disabled. At least I think that's the way I had it set up before. It's been a while now. :)

  • brentybrenty

    Team Member

    Indeed. That's an interesting point. But after some terrible experiences with its predecessor, I haven't encountered any issues with FileVault 2. There's some extra peace of mind knowing that the whole drive is encrypted even before 1Password, Knox, or any other encryption comes into play. So I'm pretty happy with it. :sunglasses:

This discussion has been closed.