Recently I upgraded my Mac to OS X Lion, the latest operating system from Apple. Lion has been great so far, and I really appreciate all the effort that has obviously gone into making this release of OS X the best yet.
One of the new features in Lion is a completely rewritten version of FileVault, the Mac OS X data encryption technology. I never used FileVault in previous iterations of OS X, mainly because A) I didn’t think I needed it, and B) it tended to cause problems with your Mac.
When the reviews of Lion went up on the web, almost all the reviews I read mentioned that FileVault was all-new, and that it was a really great technology. Around the same time I had also been reading more about digital security and I finally decided that whole disk encryption was a good idea for my MacBook Pro.
I’d like to share why I think digital security is an issue pastors should pay attention to, and how I go about keeping my digital life as secure as possible. Maybe you’ll find it useful and do the same.
Is your password the same password that got assigned to you when you were a freshman in high school? Is your password the same password that your parents used? Does your password have any qualities that would make it possible to guess if someone knew a few facts about you?
Anyone who wants to take data security seriously will need a high quality and secure passphrase. And what you’ve been using probably doesn’t cut it. I know mine didn’t.
I followed their advice and used the “Diceware” method to create a strong master passphrase for my system. Yes, that means I actually rolled dice and used the random numbers to generate a five word passphrase. It’s a lot to remember, but it only took about a day or two for it to stick in my memory. Now I have a master passphrase that is impossible for anyone to guess when they sit down at my computer. If someone stole my computer and used digital, brute-force methods to guess the password, it would likely take so long to finally break my code that it would not be worth the effort.
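The dice-rolling procedure described above, sketched as an added example (not part of the original post): each word is picked by five die rolls that form a key such as 41526 in a 7,776-entry list. The word list here is a constructed placeholder with the same layout as a real Diceware list, and the guess rate is an assumed figure.

```python
import math
import secrets
from itertools import product

# Constructed stand-in for a real Diceware list: same "key<TAB>word" layout
# and 6**5 = 7776 entries, but placeholder words. Substitute the published
# list when generating a passphrase you will actually use.
SAMPLE_LIST = "\n".join(
    "".join(k) + "\tword" + "".join(k) for k in product("123456", repeat=5)
)

def load_wordlist(text):
    """Parse 'key word' lines and insist on a complete, duplicate-free list."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != 5 or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key: {key!r}")
        table[key] = word
    if len(table) != 6 ** 5 or len(set(table.values())) != 6 ** 5:
        raise ValueError("list must map all 7776 keys to distinct words")
    return table

def roll_key():
    """Five fair die rolls from the OS CSPRNG, e.g. '41526'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def passphrase(table, words=5):
    """One independent five-roll lookup per word, joined with spaces."""
    return " ".join(table[roll_key()] for _ in range(words))

def entropy_bits(words=5, list_size=6 ** 5):
    """Bits of entropy when every word is chosen uniformly at random."""
    return words * math.log2(list_size)

def years_to_search_half(words, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace, in years."""
    return (6 ** 5) ** words / 2 / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    table = load_wordlist(SAMPLE_LIST)
    print(passphrase(table))
    print(f"{entropy_bits():.1f} bits")
    # 1e9 guesses/second is an assumed attacker rate, not a measured one.
    print(f"{years_to_search_half(5, 1e9):.0f} years at 1e9 guesses/s")
```

The strength comes entirely from the rolls being random and the word count; picking words you like from the list, or rerolling until the phrase looks memorable, removes the entropy the calculation assumes.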
If you have a Mac, turn on FileVault.[1] Use your ultra-secure master passphrase as your encryption password. If you want some more detail about the encryption process, read this page of John Siracusa’s review of Lion. (Just be sure to scroll to the part with the screenshot images.)
Your Mac will need some time to encrypt the disk. Let it work for a while.
Once encryption is enabled on your Mac, your computer will ask for your password before it starts the boot sequence. Your passphrase unlocks the entire disk, allowing the boot process to start.
But how is this different than having a login password, you ask? A login password is a fine way to protect a computer, but it is not as strong as whole-disk encryption. Login passwords don’t prevent people who have stolen your computer from accessing your data by physically removing the hard drive.
With FileVault enabled, your entire disk is encrypted. The data is about as secure as possible (as far as we know). Your computer now uses encryption that the NSA evidently considers adequate to protect state secrets.
Be sure to visit your screen saver system preference and make sure your Mac requires a password to exit the screensaver. That way your computer will automatically lock itself down when it goes to sleep or when the screen saver comes on. This added layer of security prevents casual interference on your computer.
So far we’ve only talked about securing the contents of your hard drive. What about all the information you have online? From your bank to Facebook, you’ve probably got dozens, or even hundreds of login names and passwords to various online services.
Have you ever stopped to consider what might happen if someone got into your email? What if they could get into your Facebook account? What could a person do with access to your bank account?
Many people use the same password on all the websites they visit. This is a natural thing to do, especially for the sake of convenience. It would be nearly impossible to remember a separate, ultra-secure passphrase for every single website you use. I don’t want to have to remember 200 separate, difficult passwords just for the sake of security.
So, what happens if that blog account you have gets hacked and that password you use on everything gets into the wrong hands? Yeah, you’re in trouble. All of a sudden a thief has your email address and that password you use for everything. It would not be hard for someone with this information to completely invade your life.
Because of this very real threat, no computer user has any real excuse not to be using 1Password by Agile Bits. In the past, this was a Mac-only piece of software, but now, Windows users can get a copy as well. I’m not exaggerating: If you don’t use this, you’re taking a risk.
I’m not going to go into great detail about how this works. I’ll just say this: 1Password allows you to use a master passphrase (see above) to manage a database of unique, ultra-secure passwords for all your logins. The app manages the process of entering the login information on your website accounts. The app remembers all the passwords for you. You just use your very-secure, five-word master passphrase as the key to unlock all these tools. So, you can go to your bank’s website and have 1Password log in for you using a separate, distinct password that’s only used for your bank. Then you can go to Facebook and let 1Password log in for you using a separate, distinct password that’s only used for Facebook.
The bottom line is this. With 1Password, you can have a separate, unique login for every online service you use, but you only have to remember your one, secure, master passphrase.
1Password stores all this data in a securely encrypted file on your encrypted laptop. You’ve got two heavy layers of security protecting your digital life now. This means if someone gets the password you use to comment on your favorite fringe Lutheran blog, all they’ll be able to do is comment on your favorite fringe Lutheran blog. They won’t get into your email, bank account, and investment accounts at the same time.
1Password is one of the best apps I’ve ever used on my Mac. Go read more about it and just buy a copy. Then take the time to change the passwords on all the online services you use.
With FileVault turned on and your protected screensaver set to turn on only after a few minutes of inactivity, one could reasonably argue that your ultra-sensitive files (like confidential counseling logs) would be safe enough. I would probably agree. However, if you want an added layer of security for ultra-sensitive documents, consider Knox, by the makers of 1Password.
Knox gives you the ability to create discrete, secure “vaults” of information on your computer. I have one called “Finance,” which contains my tax documents and some other financial records. I also have one called “Counseling,” which holds things like counseling logs and other sensitive data about my interactions with members of my congregation.
So, that means I have an encrypted disk which would take military-grade methods to crack. And even if someone gets into my files, I have further encrypted areas of my drive for the really confidential stuff. This prevents someone who might be at my desk for a few minutes from getting at these important documents. And all the passwords to my online services are stored securely as well.
I’ve talked mainly about securing data that is stored locally, that is, on your own computer. I’ve also talked about securing your online data as much as possible with a good approach to passwords.
Be aware, however, that any online service you use is only as secure as the people in charge of the service. If your bank loses a ton of passwords to a hacker, your password is in the wrong hands no matter how secure it is. If Google wants to use what’s in your inbox to learn more about you, that’s too bad because that’s their business model. If you sync all your documents to Dropbox, it means some people at their company might be able to get at it. Or even worse, major security breaches mean anyone in the world can get at your data.
If you use Dropbox, a good assumption is that whatever you store in Dropbox could possibly be visible to the entire world. Maybe that makes Knox more appealing. To understand more about the security model they use at Dropbox, try reading this article by Glenn Fleishman.
All of this makes it even more important to have a separate password for each of the online services you use.
A lot of this might make you think the next logical step is to put a foil hat on your head. But, when you think about it, data security is very important to a pastor. One of the most compelling reasons is the matter of confidentiality when counseling. Different states have different laws on confidentiality and the security of counseling records. No matter what the regulations are, the more secure the better. It would be a shame for confidential information, given to a pastor in trust, to come out into the open because of careless computer usage.
Another reason I feel data security is important is simply this: we can’t predict the future, and there’s no telling when or why we might need to protect religious information on our computers. We also don’t know if the day will come when we have to protect ourselves against unjust accusations. So far in the United States, the courts have extended Fifth Amendment rights to passphrases. This means that you could protect yourself or your members from unjust intrusion by withholding your passphrase and still be well within your rights as a citizen of the United States.
Perhaps the most practical reason is this: your bank information and other sensitive data should be safe. There’s no reason to take a risk with your data, whether you’re a pastor or not.
[1] To use encryption on Windows 7, you’ll have to buy the more expensive Ultimate or Enterprise editions. For the record, I’m glad I left that whole “which version do you need” rigamarole a long time ago. Lion is the same for everyone. And it’s only $30.