AES-256 user home directory sparse image bundle in Lion?

Snow Leopard and previous had file vault to protect users' home directories as, I believe, AES-128-encrypted sparse image bundles. As I understand it now, under Lion, the options are to enable AES-128 whole disk encryption, or, if upgrading an existing snow leopard machine with a legacy file vault user account, to maintain that legacy file vault user home directory. However, under this second approach, additional users' home directories cannot be individually "file-vaulted" and instead, would require that legacy file vault be decrypted and then the entire disk be encrypted.
I am thinking that it would be advantageous from a security standpoint if an individual user home directory could remain encrypted, if that user were not actively logged in. Then, all contents would be inaccessible to other users, including administratively privileged users, and also that user's home directory would remain encrypted when the computer was turned on and booted up because as I understand it, file vault 2's real strength lies in protecting "data at rest" versus "data on a powered up and mounted file vault 2 volume".
To that end, I am wondering, regardless of whether file vault 2 is enabled or not, whether an existing user home directory and all of its contents could be converted to an AES-256-encrypted sparse image bundle, using Disk Utility, and exist at the /Users directory space, mounting and decrypting "on the fly" from the login window at user login just like how a legacy file vault home directory is treated under snow leopard, independently of whether file vault 2 was enabled on the whole disk or not. This would also permit later addition/conversion of another "file vaulted" user account whether file vault 2 were enabled or not.
To recap, an AES-256-encrypted sparse image bundle that would mount upon user login just like a legacy file vault user home directory does. Does anyone know if something like that is doable, and has that road already been travelled successfully? If so, I'd love to read a step-by-step, play-by-play, set of instructions on how to do just that.
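The question above never gets an answer in the thread. As an added example (not code from the thread or from Apple), the following Python wrapper shows the hdiutil steps that produce the image the poster describes: an AES-256 encrypted sparse bundle, attached at a fixed mount point with the passphrase fed on stdin rather than on the command line. The flags used are documented hdiutil options; the bundle path, size, volume name and mount point are placeholders. Only image creation and attach/detach are covered; hooking the mount into the login window, as legacy FileVault did, is not something this thread resolves.

```python
"""Build and run the hdiutil commands for an AES-256 encrypted sparse bundle.

Added example; not from the thread. The hdiutil flags used are documented
ones (-type SPARSEBUNDLE, -encryption AES-256, -stdinpass, -mountpoint,
-nobrowse); the paths, size and volume name below are placeholders.
"""
import shutil
import subprocess


def create_args(bundle_path, size="20g", volname="vaulthome", fs="HFS+J"):
    """hdiutil argv that creates the encrypted sparse bundle.

    -stdinpass makes hdiutil read the passphrase from stdin, so it never
    appears in argv, which any local user can read from the process list.
    """
    return ["hdiutil", "create", "-size", size, "-type", "SPARSEBUNDLE",
            "-encryption", "AES-256", "-fs", fs, "-volname", volname,
            "-stdinpass", bundle_path]


def attach_args(bundle_path, mountpoint):
    """hdiutil argv that mounts the bundle at a fixed mount point.

    -nobrowse keeps the volume out of the Finder sidebar/desktop, which is
    what you want when the mount point is meant to be the home directory.
    """
    return ["hdiutil", "attach", "-stdinpass", "-nobrowse",
            "-mountpoint", mountpoint, bundle_path]


def detach_args(mountpoint):
    """hdiutil argv that unmounts the bundle again (e.g. at logout)."""
    return ["hdiutil", "detach", mountpoint]


def passphrase_in_argv(argv, passphrase):
    """True if the passphrase would be exposed on the command line."""
    return any(passphrase in arg for arg in argv)


def run_hdiutil(argv, passphrase=None):
    """Run an hdiutil command, feeding the passphrase on stdin when given.

    hdiutil takes everything it reads up to EOF (or a NUL) as the passphrase,
    so no newline is appended: piping with a plain 'echo' would silently make
    '\\n' part of the key and the image would not open interactively later.
    """
    if shutil.which("hdiutil") is None:
        raise RuntimeError("hdiutil is only available on macOS")
    stdin = passphrase.encode() if passphrase else None
    return subprocess.run(argv, input=stdin, check=True, capture_output=True)


if __name__ == "__main__":
    # Placeholder values; on macOS this creates the bundle and mounts it.
    import getpass
    bundle = "/Users/vaulthome.sparsebundle"       # placeholder path
    pw = getpass.getpass("Passphrase for the new image: ")
    run_hdiutil(create_args(bundle), pw)
    run_hdiutil(attach_args(bundle, "/Volumes/vaulthome"), pw)
```

The bundle grows on demand up to `-size`, so the value is an upper bound rather than space consumed immediately; the same passphrase is passed to both `create` and `attach` calls through stdin.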

I think I got a solution worked out.  I don't mind if things get installed in /opt as long as pacman tracks it, and I found ruby-enterprise-rmagick in the AUR as an orphan.  I adopted it, updated it, installed it, and it's working great with my code.

Similar Messages

  • User Home Directory Unavailable

    I seem to have unmounted my home directory.
    It is now an ejectable disk image, that only shows up in the finder with my other harddrives...
    It does not show up in disk utility...?
    Everything seems to be working fine still, except for Mail....?
    Any ideas on how to remount?
    I don't dare shut my machine down...
    I was trying to access files on a remote hard drive that was formerly a mirror partition of a software RAID array for a machine running 10.4.11. It has been repeatedly crashing my new 10.5.5 system till today when I had reset the jumper pins to slave...
    I was using Terminal to try and reset permissions/disable RAID, when suddenly I was told "User home directory ... is unavailable".
    What does this mean? Can I remount somehow? I have my whole home user directory encrypted with file vault.
    Please help. Lots of very valuable data on this disk, in this directory.

    If he is using FileVault, then I believe his home directory IS a mountable object. It is an encrypted sparseimage which mounts when he logs in, and unmounts when he logs out. Somehow or other it sounds like he got logged out and the sparseimage unmounted. I've never used FileVault, too dang many problems with it. If I had sensitive info on a laptop I would make an encrypted disk image to keep the info in. Take a look at GuyEWhite's post here:
    http://discussions.apple.com/thread.jspa?messageID=5881960
    Perhaps that will help. Or someone who is very familiar with the oddnesses of FileVault may see this thread and be able to offer more specific information for this very peculiar case.
    Francine Schwieder

  • Why can't a new folder be created within my user home directory when using 'Save As' in Mountain Lion?

    Hi,
    So I want to create a new folder within my main user home directory (not the root directory) just for my developer-related files? I can do this from Finder, although it does prompt me for my password to do so. However, when using 'Save As' from any app, the 'New Folder' button is greyed out when I select my user home directory. So I have to create the folder in Finder then Save As.
    Is this normal behavior? Is OSX discouraging me from adding things to my user home directory by making it less convenient? Is there a good reason it would be discouraging me from creating new folders there? If not, is there a setting that I can change to allow the creation of new folders from the Save As prompt?
    Thanks for your help,
    B

    You may need to rebuild permissions on your user account. To do this, boot to your Recovery partition (holding down the Command and R keys while booting) and open Terminal from the Utilities menu. In Terminal, type: ‘resetpassword’ (without the ’s), hit return, and select the admin user. You are not going to reset your password. Click on the icon for your Mac's hard drive at the top. From the drop down below it select the user account which is having issues. At the bottom of the window, you'll see an area labeled Restore Home Directory Permissions and ACLs. Click the reset button there. The process takes a few minutes. When complete, restart.
    Repair User Permissions

  • [User home directory property not found.]

    Our Roaming Profile policy does not work but exits with the following error message in the log file:
    RoamingProfile Policy] "...[POLICYHANDLERS.RoamingProfile.ErrorInEnforcement] .... [User home directory property not found.] ...."
    We are running ZCM 10.3.1
    We have the exact same environment at another customer where everything is just working fine. We compared the user properties and could not find any differences. eDirectory is fine, too
    Does anybody have the same problems or a solution to it?
    Thanks,
    Sebastian

    Yes, home directory is defined in eDir.
    In Novell Client for Windows XP there is no "Allow Roaming User Profile Paths to non-Windows servers" attribute, it is in Client for Win 7 only.
    In roaming policy, if I type the path to home directory manually, it works fine.
    In our original environment I have ZfD 4 on Netware, roaming profiles save to home directories normally, without errors.

  • User home directory at /var/imap is unavailable

    We're running a single 10.5.7 server and recently migrated our mail to a new location from the default /var/imap and /var/spool/imap. Since that time, I've been seeing the following log entries pop up when a user attempts to log in to the mail server. An example:
    Feb 5 10:19:37 ServerName imapd: [xxx.xxx.xxx.xxx] username
    [6608]: CFPreferences: user home directory at /var/imap is unavailable. User domains will be volatile.
    We migrated the mail using a process nearly identical to the one found at:
    http://discussions.apple.com/thread.jspa?messageID=6600016&#6600016
    I have checked the settings and paths in:
    cyrus.conf
    imapd.conf
    (postfix) main.cf
    (postfix) master.cf
    All of the paths point to the correct new paths, which are:
    /Volumes/Resources/Mail/imap
    /Volumes/Resources/Mail/spool/imap
    All users are able to access their accounts and use the mail server. What we're seeing is periodic periods of high latency (messages taking minutes to send) and occasionally odd problems with users' Sent folders (a sent message appearing twice with the same timestamp, even though the outgoing mail filter indicates it was only sent once). I'm making the assumption that these intermittent problems are related to the user home pointing to the wrong path.
    I've looked through the forums and googled the phrase, but haven't found anything that would point me toward finding the setting in the mail services that remains incorrect.
    We also intermittently receive the following mail-related message in the mailaccess.log:
    Feb 5 10:36:07 Rivendell master[865]: can't open com file: /var/imap/.smd.imap.com (No such file or directory)
    This appears to be a similar problem, but again, the location of the setting I need to change eludes me.
    Thanks for any help or pointers.

    Here's the solution that finally fixed this problem and removed latency problems that seem to have been associated with it.
    (1) Stopped mail services with terminal.
    (2) Opened the Server Admin application.
    (3) Under Mail/Settings/Advanced/Database I changed the path to the original location, /var/imap and /var/spool/imap.
    (4) Clicked "Save."
    (5) In the same spot, changed the paths back to the new location.
    (6) Clicked "Save."
    (7) Restarted the mail server.
    I have no idea what hidden setting that's not in the conf files that this changed, but it removed the error messages and the latency.

  • Moving user home directory to another partition on same hard drive

    I would like to find a way to move the user home directory off the OS partition and over to a new partition on the same hard drive. I then would want to create a time machine to back up the new partition containing the user home directory to a 3rd partition called "backup". I have partitioned the hard drive as follows 1. OS, 2. DATA, 3. Backup. I copied the user home directory to the DATA partition but do not have access\permission to the files\folders now on DATA partition. After getting this permission issue resolved, I would like to create a time machine using the DATA partition as the source that needs to be backed up to "backup". How can this be done? I have 20 of these MacBook Pro's that I need to do the same config for. My company will not allow external drive for time machine\data storage. In a real bind. Appreciate any help.

    I would like to find a way to move the user home directory off the OS partition and over to a new partition on the same hard drive.
    That's possible, with some moderately low-level hacking of your system, and some people do it, but IMHO it is an extremely bad idea. It increases complexity with no positive benefits, which is never a good thing. Leave the user folder where it is.
    I then would want to create a time machine to back up the new partition containing the user home directory to a 3rd partition called "backup".
    You could call it "trout" instead. 'Cause it's just as much a trout as it is a backup! If you store the backup on the same physical device as the original, it's not a backup. What happens if the drive fails? Both are gone. What happens if the machine is stolen? What happens if there's a fire? A power surge? Someone spills coffee in it? You get the idea.
    See my [Mac Backup Guide|http://www.reedcorner.net/thomas/guides/backups] for some help figuring out a decent backup strategy.
    My company will not allow external drive for time machine\data storage.
    Your company is managed by fools, then. Sorry to be so blunt, but if they are prohibiting you from backing up company data, it's the unvarnished truth. Feel free to tell them I said so.
    Sooner or later, someone will lose data because of something as simple as a hard drive failure... and who do you think will take the bullet for that? The guy who denied you resources for backups, or the guy who set up the machines (ie, you)? You really don't want to be left holding that bag. Go on record saying that backups are needed. If they are denied, document it and then go over his head.
    If you've got 20 company machines, all containing company data, then there needs to be a centralized backup scheme... probably a tape drive and something like Retrospect to coordinate and maintain backups across all machines through the network. Nearly two decades ago I set up a system like that to keep about 50 Macs backed up... it wasn't cheap, but nobody lost data on my watch!

  • User home directory on server over WAN link

    Hello all,
    I have a performance question about home directories. The situation is:
    - 3 locations, 3 servers (OS X server 10.4.7 (Xserves))
    - WAN connections are 1 Mbit/s
    - All clients running 10.4.7 (imac G5 1.6/1.8 GHz.)
    - User home folders are all located on one of the three servers
    Two locations are OD replicas from the first location.
    User home folders are located on the server at the location where they work most.
    Some users work 4 days at location A, and 1 day at location B or C.
    For simplicity let's say I have a user called A, with home directory located on server at location A.
    User A is now working one day at location B. User logs in successfully, but everything is very slow (1 Mbit WAN link).
    I really like the flexibility of server based home folders. Also the fact that there is no data on the local machines is very much appreciated (physical security, backup etc.). I was thinking about portable home directories, but that won't solve my problem, given the fact that all data needs to be copied once from location A to B (especially when users use different machines on the other location). Data will be stored on the local machines as well in that situation (but can be synchronized).
    It is of course possible to synchronize data from server A to B and C when a user logs off (rsync). Is there any way to tell OD that it should pick a user home directory based on the location where that specific user logs in? Disk space isn't really an issue.
    The performance is really awful using a 1 Mbit connection and upgrading the connections is not really an option (well maybe I could get it to 2 Mbit, but that won't solve this problem).
    Thanks for any advice.
    Jordi
    Powerbook G4   Mac OS X (10.4.7)  

    How about firewire harddrive or ipod-based home directories which the users could take to different offices with them?
    If not... I really think that your best option is to work to get Portable Home Directories working. Remember it is only the data that has been changed that is synced each time. You mention you are concerned about backup, but this will be done from the server after user data is sync'd there. The physical security worries can be taken take of by using open firmware passwords.
    Is there any way to tell OD that it should pick a user home directory based
    on the location where that specific user logs in?
    By using DHCP at each site to bind the clients you can force them to use the Home Directory you specify at each site. But this sounds like a sync & backup nightmare to me and don't forget rsync will mangle your acl's and other meta data.
    hth,
    b.

  • Mountain Lion Server: Network users Home directory mount problems

    I am having several problems with my server after a latest name change of the server via Server.app. (A first name change made problems, after that I have been trying to repair, changing the name a few times more. With latest name change, I also changed the server name itself from Foo to Bar while changing domain name from domain.com to bar.domain.com after which I repaired DNS so it covers the whole domain.com domain).
    The users in the Network directory think their home directory is on afp://domain.com/Users, but the server is now called bar.domain.com. /Network/Servers/bar.domain.com does not exist on the server. Client machines (with mobile home directories) are now able to sync, because I added an A record for domain.com to DNS (not  nice, but does the job, or more specifically that job). Also on the clients, I can go to a SHARED folder in Finder with the name Bar and go to Users and see al the home directories there. But:
    bash-3.2# ls -l /Network/Servers/
    total 4
    dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 domain.com
    dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 foo.domain.com
    bash-3.2# ls -l /Network/Servers/*
    /Network/Servers/domain.com:
    total 2
    dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 Users
    /Network/Servers/foo.domain.com:
    total 2
    dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 Users
    bash-3.2# ls -l /Network/Servers/*/Users
    /Network/Servers/domain.com/Users:
    ls: Users: Input/output error
    /Network/Servers/foo.domain.com/Users:
    ls: Users: Input/output error
    So, on the server looking for folder ~user does not work. It wants to  go to afp://domain.com/Users/user but that is unreachable.
    Any tips on what I can do except do a clean rebuild of the server (again)?
    (One of the obvious problems is that the Realm of OD is still called foo.domain.com, the origin of my problems has been that the first name change from foo.domain.com to domain.com (ill-advised, I know) failed — partly).
    What I'd like to know is:
    - where is it determined which servers end up in /Network/Servers?

    Some additional info:
    Other machines can mount afp://foo.domain.com/, afp://domain.com/ and afp://bar.domain.com/, but the server itself cannot mount them via Finder.

  • User Home Directory not being created when "Create Home Now" button hit...

    This is a cross post, since I was not sure where this should end up since it touches two pieces- Open Directory and User Management. Any help would be appreciated!
    I am running OS X Server 10.5. All of my user accounts have been migrated over along with their home directories. Problem is that when creating new users and then assigning a home directory the system does not actually create the directory.
    Currently all users are setup to have their home directory setup here:
    afp://172.16.110.100/Users/'username'. The Users folder has been setup to automount, and all users that have folders can be accessed without issue.
    The problem is when I create a new user, select the afp://172.16.110.100/Users option and then select "Create Home Now" button and save as it requests... it does not create the directories.
    I have even tried to change the Home path to make it local to see if it was a network issue, and used the /Users choice and it will not create the directory in that way either- both locations go to the same place.
    The system was obviously able to create the local admin account and directory admin account home folders without issue when the system was installed.
    The permissions for the "Users" folder are as follow:
    directory admin = Read and Write
    local admin= Read and Write
    system user (root)= Read and Write
    admin group= Read Only
    everyone group= Read Only
    The system is in production, so any kind of server resets need to be done after 5pm, so I have not been able to reset AFP service.
    Currently the only services running are AFP, SMB and Open Directory.
    All users have their entire home directories located on the server, and login over Directory Access on their clients, so all user accounts are stored on the server. No one is having issues accessing their files or logging in.
    I just can not create new home directories when I create new accounts.

    You do not have to be logged on as the root user to do this. Launch the terminal and type-
    sudo createhomedir -a
    I run an XServe with Tiger server ( 10.4.11) and this has been the workaround I have been using.
    Good luck.

  • Accessing files in another Admin users home directory?

    In another topic thread http://discussions.apple.com/thread.jspa?threadID=798797&tstart=0
    I've posted how I somehow hosed my first Admin account, which was, foolishly, my primary working account.
    I've tried several things documented in the other thread to try to get back into the system under that login name, but with no luck. I created another Admin user, and tried using the Terminal window to create a disk image of the original admin user home directories, but it failed with input/output error at reading a DMG file on the desktop.
    I've tried to access those folders via the new admin, but can't get in, says I don't have sufficient privileges.
    Is there a way to change the privileges for those folders, from single user, or current Admin terminal window? I have the password, so it's not like I'm trying to break in to someone else's files without permission.
    I've got some not-yet-backed photos and other files in the original account I need.
    Am I just screwed?

    Did you enable the root account on the system using
    NetInfo Manager ?
    Not sure what that is. I'll check it out.
    Have you considered using the OSX boot disc to reset
    the admin account password ?
    I do need to try booting from the cd, however, it doesn't appear to be a password issue - the password is accepted at the login prompt, a bad password typed in intentionally vibrates the box, the good password doesn't. Running admin utilities from the guest account with the ailing admin account name and password works. Still, it's worth a shot.

  • User Home Directory settings in dock using WGM

    Hello all:
    There has to be a simple answer to this problem as I have successfully done this in the past on a Panther server.
    I just upgraded to Tiger server and want to include the user's Documents, Home Directory, etc in their Dock. However, I can't seem to find the correct procedure.
    I used to complete this by logging into a client machine with WGM (as administrator), run the application, go to the user, select the preferences to include the user's Documents folder, Network Home, etc in the Dock for always, and that was it.
    However, this procedure no longer seems to work.
    What am I doing wrong??
    Any advice would be greatly appreciated.
    Regards,
    Brian
    Message was edited by: Gage1

    Yeah, in my initial post I said that the user share shows up on the desktop, if those options are selected.
    The problem is that if those Finder options aren't selected the users don't have quick access to their user directory. They literally don't know it's there. Worse since 'All My Files' are the default in 10.8 they don't even get it in new finder windows.
    The most peculiar issues is that the first time a user logs onto the computer with their domain credentials IT DOES WORK; their user directory shows up in the dock, and it does NOT show up on the desktop. On subsequent logins this is reversed.
    I'd simply like it to work the way it's supposed to...

  • Problems With FTP Users home directory

    Hello Everyone,
    I recently ran into a problem when setting the home directory of an ftp user. What I want to be able to do is for example I have two users, one user is User1, and the other is FTPUser. Now when people ftp into the user FTPUser I want to set the home directory to be a certain path in User1. Now I was able to successfully do this on one box when creating the FTPUser I just set the home directory to be the path in User1. And when people ftped into FTPUser they were in the right directory under User1.
    I tried to do this same procedure on another box, and after creating the FTPUser and setting its home directory to a path under User1. Now when they ftped into FTPUser it was showing that the home directory was "/". I examined /etc/passwd and it presents the right home directory that I want, yet when people ftp into FTPUser its showing the home directory to be "/". Any help would be appreciated. Thanks in advance.
    -Kevin

    Sorry for such a late reply, but I figured out my problem and will put it on here in case other people run into the same problem. You must make the FTPUser be in the same group of the normal users directory path you wish to FTP into. For example the command will look like this when making the FTP user:
    useradd -g "users group number" -d /path/to/file -s /bin/sh ftpusername
    so if user1 group id was 110 you would put 110 after -g and set the home dir of the ftpusername to be some path in user1. Thanks all for the help.
    -Kevin
    Edited by: kratkinson on Jun 22, 2009 6:46 AM

  • How to recover plist files from a deleted user home directory .dmg file

    Our company is starting to have our Mac users authenticate against Active Directory. One of the requirements is that the local Mac user account short name cannot be the same as the Active Directory account, so it is necessary to remove the local user's account. We do this by removing the local account and turning the home directory into a .dmg file; after the user logs in with their Active Directory account, we mount the .dmg file and move the files over to the new home directory. However, the system does not transfer over the previous system settings such as Dock settings, Desktop background settings, and plist files. How do we get these settings moved also?

    there is nothing else to transfer. the problem is probably related to the fact that you are using AD. I'm not familiar with it so can not comment further.

  • Unable to create a user home directory ?

    When I use root to create a new account, it can not create a default home directory for this user .
    This problem will also cause a lot of other problems when using non-root account to login in.
    $ ssh [email protected]
    Password:
    Last login: Mon Jul 7 10:13:42 2008 from 10.250.X.X
    Could not chdir to home directory /home/admin: No such file or directory
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    what's the problem ?

    chances are its the automounter. check /etc/auto_master. it by default includes /home as a mount point for the automount process. if you dont need the automount for /home, comment that line out, save the file, and run automount -v (-v for verbose output). you should then be able to create dirs under /home. or, you could use a diff home dir prefix, or use the automounter (this will take some setup).
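The answer above says to comment out the `/home` entry in `/etc/auto_master` and rerun `automount -v`. As an added example (not from the thread), the Python below parses a constructed auto_master file in the Solaris format (`mount-point map-name [options]`, with `+auto_master` pulling in the name-service map), lists which mount points the automounter currently manages, and comments out exactly the requested entry without touching look-alike paths such as `/homeshare`. The file contents are a constructed sample.

```python
"""List and disable automounter mount points in an auto_master file.

Added example; the file below is a constructed sample in Solaris auto_master
format, not the poster's real configuration.
"""

SAMPLE_AUTO_MASTER = """\
# Master map for automounter
#
+auto_master
/net        -hosts      -nosuid,nobrowse
/home       auto_home   -nobrowse
/homeshare  auto_share  -nobrowse
"""


def parse_auto_master(text):
    """Return active entries as (mount_point, map_name, options).

    Blank lines, '#' comments and '+map' includes are skipped; the include
    line is not a mount point of its own.
    """
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("+"):
            continue
        fields = s.split()
        mount_point, map_name = fields[0], fields[1]
        options = fields[2] if len(fields) > 2 else ""
        entries.append((mount_point, map_name, options))
    return entries


def managed_mount_points(text):
    """Mount points the automounter will claim, in file order."""
    return [e[0] for e in parse_auto_master(text)]


def disable_mount_point(text, mount_point):
    """Comment out the entry whose first field equals mount_point exactly.

    Returns (new_text, changed). Idempotent: an already commented line is
    left alone, and every other line is preserved byte for byte so the
    change is easy to review with diff before running automount -v.
    """
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        fields = line.split()
        is_entry = bool(fields) and not fields[0].startswith(("#", "+"))
        if is_entry and fields[0] == mount_point:
            out.append("#" + line)
            changed = True
        else:
            out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print("before:", managed_mount_points(SAMPLE_AUTO_MASTER))
    new_text, changed = disable_mount_point(SAMPLE_AUTO_MASTER, "/home")
    print("after: ", managed_mount_points(new_text), "changed:", changed)
```

Matching on the whole first field is what keeps `/homeshare` active when `/home` is disabled; a substring match would silently remove both. Once the entry is commented out, the answer's `automount -v` step tells the daemon to drop `/home`, after which directories can be created under it normally.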

  • Time Machine on NAS, sparse image bundles, etc

    I have a specific question about using Time Machine with a NAS drive. I have a NAS setup, and I just installed a 2nd drive there specifically for backups. I have 2 macs, a MBP & an iMac. I followed instructions somewhere for creating a sparsebundle disk image on the NAS drive for each machine to get time machine to work over the network, and got it to work. Since the drive is 1TB, I made 2 images at 450GB each, even though the 2 machines only currently need about 90GB & 150GB.
    Now, based on advice elsewhere, I set up Superduper to back up to the same drive. This uses a similar process of creating a sparse image on that drive. Note that I say sparse image, not sparsebundle - I tried using the existing sparsebundles already created, but superduper didn't seem to want to do that, and in fact although sparsebundle is a choice in their menu, only sparse image would work. So I went ahead and did this but only with my MBP. It indeed created a separate sparse image, and it takes up the full amount of space necessary to back up the entire drive (90GB).
    What I'm wondering is if I'm running the risk of quickly running out of room on my NAS drive, since I think TM will fairly quickly eat up as much space as you give it (450GB X 2 = 900 GB), and the superduper backup is taking up the full amount of hard drive space needed (90GB) to make a full backup (based on what I had read, I thought that somehow using superduper onto the same drive as your TM backups would mean superduper would 'piggy back' on TM's backed up files and only add the components needed to create a startup disk, and therefore not take up much space.) I was still hoping to also back up the iMac (120GB) with Superduper onto the same drive, but don't want to do that yet until I have some peace of mind about this question...
    Thanks for any insight you may have!

    doublelibra wrote:
    I have a specific question about using Time Machine with a NAS drive. I have a NAS setup, and I just installed a 2nd drive there specifically for backups. I have 2 macs, a MBP & an iMac. I followed instructions somewhere for creating a sparsebundle disk image on the NAS drive for each machine to get time machine to work over the network, and got it to work. Since the drive is 1TB, I made 2 images at 450GB each, even though the 2 machines only currently need about 90GB & 150GB.
    you should know that TM backups to 3rd party NASes are not officially supported. you used a hack to make it work. but you use it on your own risk and with no guarantees.
    Now, based on advice elsewhere, I set up Superduper to back up to the same drive. This uses a similar process of creating a sparse image on that drive. Note that I say sparse image, not sparsebundle - I tried using the existing sparsebundles already created, but superduper didn't seem to want to do that, and in fact although sparsebundle is a choice in their menu, only sparse image would work. So I went ahead and did this but only with my MBP. It indeed created a separate sparse image, and it takes up the full amount of space necessary to back up the entire drive (90GB).
    What I'm wondering is if I'm running the risk of quickly running out of room on my NAS drive, since I think TM will fairly quickly eat up as much space as you give it (450GB X 2 = 900 GB)
    no, that won't happen. TM is very economical in how it stores backups. on every backup it only backs up afresh new and changed files. everything else is *hard linked* to existing backup copies. that's why incremental TM backups are usually quite small and fast.
    , and the superduper backup is taking up the full amount of hard drive space needed (90GB) to make a full backup (based on what I had read, I thought that somehow using superduper onto the same drive as your TM backups would mean superduper would 'piggy back' on TM's backed up files and only add the components needed to create a startup disk, and therefore not take up much space.)
    NO. nothing like this is remotely true. superduper and TM backups are fully independent and don't interact at all. use separate sparse bundles for TM and superduper backups.
    I was still hoping to also back up the iMac (120GB) with Superduper onto the same drive, but don't want to do that yet until I have some peace of mind about this question...
    Thanks for any insight you may have!
