I know I'm being thick here but....
Hi
Sorry to pester and I know I'm probably being thick but could someone clarify something for me. I have the GPG Suite all up and running and working nicely with Apple Mail. I've got my keychain sorted and I think I understand how that all works and I'm now tinkering around with other services like encrypting blocks of text, files and folders which I have several uses for.
A test I've just done involved encrypting a folder and it all works as expected but am I right in thinking that in the end the whole edifice stands or falls on the basis of access to my Mac?
What I mean is that once I've encrypted the files/folders all I have to do, because I have the key on my keychain on the Mac, is use "services" to decrypt the file and lo and behold there are the files. This essentially means that as long as someone has access to this Mac he or she can then access all the files simply because the required keys are sitting there, no password or passphrase required.
I tried the option to check the "encrypt with password" box but that didn't seem to make any difference, I opted not to have GPG save that password in the keychain to see if that would make any difference.
I'm sort of concluding that whilst I'm making files safe for transfer or storage if they are going to be on a remote system but if they are sitting on my Mac essentially anyone who can use the Mac can open them.
Have I got this right or am I missing something? Do I need to move my keys off onto a USB stick or something to ensure that encrypted files on the Mac cannot be read, if someone unauthorised were to access it?
Thank you,
Quentin.
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Luke Le on 03 Dec, 2018 10:28 PM
Hi Quentin,
that is generally correct. In most cases, physical or remote access to your Mac might be considered as game over. Even if you decide to not store the passphrase for your secret key in macOS Keychain, it would be only a matter of time, till you access the files and an attacker could extract the passphrase using a key logger.
Using a smart card for your secret keys, or storing them on a USB drive, would certainly make physical attacks harder.
Encrypting files and folders for example does make a lot of sense on backups, since the files on the backups are still protected when stolen. But unless you are looking to be able to access your files and folders on different OS's (Linux, Windows) or to exchange files and folders, there are better alternatives on macOS. For example an encrypted sparse-bundle.
As additional safety guarantee you should enable FileVault, so your hard disk is encrypted if your Mac is powered off.
Hope that helps.
Support Staff 2 Posted by Steve on 04 Dec, 2018 04:02 PM
Adding a minor note: depending on your work environment, you may want to enable a screensaver with password option to protect your mac if you leave your workplace but want to keep your mac running.
3 Posted by Quentin on 04 Dec, 2018 07:21 PM
Luke Le
Thank you again, I am now clear on this issue.
Quentin.
Steve closed this discussion on 04 Dec, 2018 10:46 PM.