[Fed-Talk] Encrypting files and folders via DoD CAC?
- Subject: [Fed-Talk] Encrypting files and folders via DoD CAC?
- From: Michael <email@hidden>
- Date: Tue, 19 Feb 2008 18:47:28 -0500
Other than emailing yourself a file or folder, is there a good way to encrypt files and folders using the DoD CAC on OS X?

Of course the side effect is bad if you lose the CAC, or it expires and gets replaced, before you decrypt all the files or folders.

Given the mobile nature of laptops and USB sticks, I was considering any alternatives to users remembering dozens of 10+ character complicated passwords (alternatives that I could suggest, since I can't require anything).
FileVault is not a solution when dealing with USB sticks or USB and FireWire external hard drives (unless the external hard drive happens to be the boot drive for the laptop or holds the user's home directory, as is easily possible under 10.5). Sometimes FileVault is not a solution because of an OS X bug, so alternatives are needed.
Keychain to store passwords is not always a solution, as outlined below if interested. Alternative programs in the same vein as Keychain are less convenient and I have a hard time trusting them. The CAC seems like an almost ideal solution; assuming the right key is used, my employer, DoD, can recover the files as well, which is sort of a requirement if you read closely enough in the right directives.

So back to the original question.
-----
It seems to me that even if you use FileVault under 10.4 or 10.5, FileVault security is dependent on the security of your login password, which is dependent on the security of the hashes of the login password. The same applies to using Keychain to store passwords. It is easy to recover the login password if you have physical access to the machine, if the LANMAN hashes have not been turned off under 10.4 and before, or if you enable any Windows sharing under 10.5. Knowing this, it is fairly easy to see why user-friendly Apple decided to put those warnings on the Windows sharing windows of 10.5 and finally disabled the LANMAN hashes by default in 10.5.
It's a rare OS X machine at my site that either (a) has OS X 10.5 or (b) has LANMAN password hashing disabled. Of course the Windows laptops are much worse; I suspect even fewer of them have any encryption of their hard drives. Even on the Windows machines the LANMAN passwords remain a problem here: the directives regarding their disabling were not widely understood (the first directive, our security specifically told me, did not apply to us since we were not part of NIPRNET), quickly forgotten, and few if any understood that it should also be applied to OS X 10.4 (I explained this carefully to another OS X admin in another group and the answer is the same as always, "why should I", leading to a circular argument). Proof that this was true occurred when a conference room scheduling web site went online: for some reason large numbers of Windows users couldn't use Internet Explorer to connect to the site, the solution it turned out was to disable LANMAN hashing on the Windows machines, and the obvious connection was totally missed by everyone involved.

I hear lots of "buts"... well, we had an interesting security audit for managers recently: "locate 10 Word documents relating to FOUO or similar data on your hard drive and confirm that each document is encrypted with WinZip with passwords with 8 or more characters and meeting complexity requirements" -- notice that using FileVault on OS X would fail this audit, as would PGP on any OS. Yes, my supervisor is using FileVault and yes, he showed me that question for help in deciphering what to do with it.
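The post's point that FileVault and Keychain security rests on the login password, and therefore on the password hashes, is easiest to see from what a LANMAN hash actually is. The following Go program is an added example (not part of this list post, and not an Apple or DoD tool) that implements the LM hash as specified: the password is upper-cased, padded or truncated to 14 bytes, split into two 7-byte halves, and each half is used as a DES key to encrypt the constant "KGS!@#$%". It assumes ASCII passwords; the function names LMHash, LMHashHex and IsShortPassword are this example's own. The audit helper shows what an LM hash gives away before any guessing is attempted: case is discarded, each half stands alone, and a password of 7 or fewer characters leaves the second half equal to a well-known constant.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that every LM hash DES-encrypts.
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is the LM hash of a half containing no characters (all NUL).
// Any LM hash whose second half equals this value belongs to a password
// of at most 7 characters.
const emptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads a 7-byte half of the password over the 8-byte key
// layout DES expects: 7 data bits per byte, low bit a parity bit that
// DES ignores.
func desKeyFrom7(half []byte) []byte {
	key := make([]byte, 8)
	key[0] = half[0] >> 1
	key[1] = (half[0]&0x01)<<6 | half[1]>>2
	key[2] = (half[1]&0x03)<<5 | half[2]>>3
	key[3] = (half[2]&0x07)<<4 | half[3]>>4
	key[4] = (half[3]&0x0F)<<3 | half[4]>>5
	key[5] = (half[4]&0x1F)<<2 | half[5]>>6
	key[6] = (half[5]&0x3F)<<1 | half[6]>>7
	key[7] = half[6] & 0x7F
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf returns the 8-byte LM hash of one 7-byte half.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash computes the LAN Manager hash of an ASCII password (assumption
// of this example): upper-case, pad/truncate to 14 bytes, hash each
// 7-byte half independently and concatenate the two 8-byte results.
func LMHash(password string) []byte {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14] // characters beyond 14 never influence the hash
	}
	padded := make([]byte, 14) // zero-filled, so short halves are NUL-padded
	copy(padded, pw)
	return append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
}

// LMHashHex renders the hash in the upper-case hex form used in
// password-store listings.
func LMHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(LMHash(password)))
}

// IsShortPassword is the audit check: given a 32-hex-digit LM hash, it
// reports whether the second half is the empty-half constant, i.e. the
// underlying password has at most 7 characters.
func IsShortPassword(lmHex string) bool {
	lmHex = strings.ToUpper(lmHex)
	return len(lmHex) == 32 && lmHex[16:] == emptyHalf
}

func main() {
	// Constructed sample passwords, not real credentials.
	for _, pw := range []string{"", "Secret1", "Secret12", "CorrectHorseBatteryStaple"} {
		h := LMHashHex(pw)
		fmt.Printf("%-26q %s short=%v\n", pw, h, IsShortPassword(h))
	}
	// Case is lost entirely: these two hashes are identical.
	fmt.Println(LMHashHex("password") == LMHashHex("PaSsWoRd"))
}
```

Because each half is hashed on its own and case is folded, the work to recover a 14-character LM password is that of two independent 7-character upper-case searches, not one 14-character mixed-case search; that is why the post's advice to disable LANMAN hashing on 10.4 and on the Windows machines matters regardless of how long the login password is.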