MacBook Pro in for repair - protecting files


BrightNShiny
07-07-2011, 12:32 AM
So, the fans have to be replaced on my MacBook. They've ordered the parts, and it will be a few days before I take it in. I usually back up using TimeMachine, and then I do a Windows backup for the Windows 7 OS running on my computer. I'm capable of doing a clone of the drive, if necessary:

1. The big issue for me is that I have files on my computer which are confidential, and I don't want the Mac people to have access to them. So, I feel like I should back up everything, wipe the hard drive, take it in for the fix, and then restore the hard drive. Does this seem like a good approach? What is the best mechanism for wiping the hard drive?

2. Prior to wiping the hard drive, I have to do some kind of backup. I normally back up using TimeMachine. I have VMWare Fusion running a Windows 7 installation, and I do a Windows backup for that. I didn't make any changes to the default TimeMachine backup, so it should be backing up the Windows 7 installation, but I just didn't trust it, so I do the additional backup.

So, would cloning the disk using DiskUtility be the best way to do this? Would that capture the VMWare installation of Windows7 properly? Or is TimeMachine sufficient?

Thanks.

CaptMurdock
07-07-2011, 12:43 AM
It seems to me (IAN a technician, but...) replacing the fans is a fairly straight-forward procedure that would not involve getting into your hard drive to any great extent. Even if they turn your Mac on, they can let it run just long enough to know that the fans work, and then, good night.

In short, I think you're over-thinking this.

BrightNShiny
07-07-2011, 12:54 AM
Unfortunately, I am contractually required to over-think this. I am required to protect confidential files before I take it in for repair. Maybe a wipe is overkill, but if anyone has any suggestions, please let me know. Thanks.

Iridescent Orb
07-07-2011, 01:08 AM
I recommend looking at TrueCrypt. It is a freeware encryption program (well-respected and used by many industry professionals). You can create an encrypted "container" on your drive which can only be accessed using a password. Moving your sensitive files into the encrypted container will keep them secure without having to wipe your drive. (You may want to use a free-space wipe program after you do this - it will prevent anyone from recovering the old unencrypted files.)

There is very good documentation on the TrueCrypt website which explains the details far better than I can. :)

BrightNShiny
07-07-2011, 01:14 AM
I recommend looking at TrueCrypt. It is a freeware encryption program (well-respected and used by many industry professionals). You can create an encrypted "container" on your drive which can only be accessed using a password. Moving your sensitive files into the encrypted container will keep them secure without having to wipe your drive. (You may want to use a free-space wipe program after you do this - it will prevent anyone from recovering the old unencrypted files.)

There is very good documentation on the TrueCrypt website which explains the details far better than I can. :)

Thanks. I'm going to look at this. Can I mount a TrueCrypt partition as a drive shared between both the Mac OS and the VMWare/Windows 7 installation?

tellyworth
07-07-2011, 01:27 AM
Disk Utility has a Secure Erase option.

Filevault is an easier option on a Mac - System Prefs, Security, Filevault. There is an option to securely erase the old home dir, but be advised it may take several days to finish (it runs in the background). That won't solve your Windows problem.

Neither will satisfy the most paranoid, but they are more than enough to secure against a repair guy snooping around.

Iridescent Orb
07-07-2011, 01:30 AM
...Can I mount a TrueCrypt partition as a drive shared between both the Mac OS and the VMWare/Windows 7 installation?

Sorry, BrightNShiny - I do not know if it can be shared that way. I once again defer to the documentation...

BrightNShiny
07-07-2011, 01:34 AM
Disk Utility has a Secure Erase option.

Filevault is an easier option on a Mac - System Prefs, Security, Filevault. There is an option to securely erase the old home dir, but be advised it may take several days to finish (it runs in the background). That won't solve your Windows problem.

Neither will satisfy the most paranoid, but they are more than enough to secure against a repair guy snooping around.

Well, the Windows partition has its own password. I guess I could move everything out of the shared partition into the Windows partition, and then use the Secure Erase option to clear out the Mac partition.

And then look into TrueCrypt for a longer-term solution.

EDIT: Hmm. Can you use the SecureErase option to clear out only part of a partition? Or does it clear out the entire partition?

tellyworth
07-07-2011, 01:35 AM
The Mac and Windows versions of Truecrypt can read and write the same partitions, I've confirmed that myself. No idea if they can do it simultaneously - I wouldn't count on it.

tellyworth
07-07-2011, 01:40 AM
EDIT: Hmm. Can you use the SecureErase option to clear out only part of a partition? Or does it clear out the entire partition?

The whole thing, it's part of the format process.

ETA: the Filevault secure erase will clear the old unencrypted data. But you probably don't want that as it will likely interfere with your VM setup.

Pitchmeister
07-07-2011, 01:42 AM
Why don't you just physically remove the hard drive? Do they need it to run functionality tests or something? Seems to me that would both be the easiest and most secure solution.

Qwakkeddup
07-07-2011, 01:43 AM
Take it in without your hard drive? Or ask them to remove it when you take it in. May cost a couple of bucks but I am sure they have to deal with security issues.

Maybe you should call the shop where they are gonna fix it and ask them.

BrightNShiny
07-07-2011, 01:49 AM
I was at the Mac store today, and when I mentioned this issue, they were completely unhelpful. The clerk asked me for a username and password with Administrator privileges. When I didn't want to give them my account name and password, the clerk said I should create a new account with Administrator privileges. When I mentioned the security issue, she said that all files on the disk would be accessible by the technician, and that it was my responsibility to deal with this issue.

tellyworth
07-07-2011, 02:14 AM
BrightNShiny, what the tech told you is correct. Filevault is a good solution in your case - a new administrator account made just for them won't be able to access FV-encrypted files in your other account.

mhendo
07-07-2011, 02:26 AM
Well, the Windows partition has its own password. I guess I could move everything out of the shared partition into the Windows partition, and then use the Secure Erase option to clear out the Mac partition.

If you did this without actually encrypting the data, the files on your Windows partition could be accessed very easily by booting from a live Linux CD or USB key.

To be honest, i don't know why a repair shop should need administrator access to the operating system in order to replace cooling fans.

BigT
07-07-2011, 07:41 AM
To be honest, i don't know why a repair shop should need administrator access to the operating system in order to replace cooling fans.

Maybe they plan on stress testing it? But, then, why aren't they using a portable application to pull that off? Heck, why don't they just boot off a CD?

I am finding it very hard to give them the benefit of the doubt. The only thing I can think of is really dumb corporate policy. If I had a choice, I would avoid using these people. And if I didn't, I'd be tempted to install some sort of logging software.

If you have the time to back up and wipe, I'd just do that. But I don't mean a full wipe--just delete all your important files after you've got them backed up, and then wipe all the free space. I'd only do a clone if everything is on the shared partition. Don't wipe the main partition of a Mac. It can be a minor headache dealing with that.

inkling
07-07-2011, 08:11 AM
Buy new hard drive. Swap new for old. Store old hard drive in a safe place. Install some flavor of OS on the new drive, but do not copy any of your confidential files to it. Take laptop in for repair. On return of repaired laptop, swap old drive for new.

While I have not looked at a MacBook Pro, most laptops allow swapping of the HDD by turning a few screws. It looks like there are several generations of MBP out there, but none of them look difficult.

Chronos
07-07-2011, 11:19 AM
If file confidentiality is a significant issue for you, then you should be encrypting everything as a matter of course, anyway.

mhendo
07-07-2011, 12:03 PM
If file confidentiality is a significant issue for you, then you should be encrypting everything as a matter of course, anyway.
Yeah, that was one of my first thoughts on reading the OP. If the information really is that sensitive, and requires such confidentiality, i'm surprised that all of these questions are only being raised now that the computer has to go in for service.

casdave
07-07-2011, 01:00 PM
I agree, when confidentiality becomes this critical, then the company or organisation will contract this maintenance to trusted providers.

In addition, there are other security features that would mean no-one can access your account on your system at all (except for various higher level operator reasons - such as company investigations etc), but should be able to access the rest of it using their own password.

Such critical information is usually rather valuable and is generally backed up on the company networks too.

BrightNShiny
07-07-2011, 05:18 PM
Yeah, that was one of my first thoughts on reading the OP. If the information really is that sensitive, and requires such confidentiality, i'm surprised that all of these questions are only being raised now that the computer has to go in for service.

I didn't word the agreement. I'm supposed to take certain precautions when giving third-parties access to my computer. Since I haven't had to give third-parties access before, I haven't had to deal with the issue. It's not required that I encrypt per-se, only that I prevent third-parties from having access to certain files.

I did plan to eventually start encrypting everything anyway, so this thread is useful in that regard.

WarmNPrickly
07-07-2011, 06:30 PM
You can make a disk image and encrypt that. Then you can dump your files in there and eject the disk. I keep all my significant files in a sparse image disk and encrypt it.
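
An added example, not part of WarmNPrickly's post, of the encrypted sparse image workflow described above, using macOS's `hdiutil`. The function names, volume name and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: put a folder into an AES-256 encrypted sparse image on macOS.
# Function names, the volume name "Vault" and every path are illustrative.
#
# Usage (run in Terminal after defining the functions):
#   create_vault "$HOME/vault.sparseimage" 4g
#   seal_folder  "$HOME/Documents/Confidential" "$HOME/vault.sparseimage" /tmp/vault

# Create an encrypted, growable image. hdiutil prompts for the passphrase
# because no password option is supplied on the command line.
create_vault() {   # $1 = image path (*.sparseimage), $2 = maximum size, e.g. 4g
    hdiutil create -type SPARSE -fs HFS+J -encryption AES-256 \
        -size "$2" -volname Vault "$1"
}

# Mount the image, copy the folder in, verify the copy, then eject so the
# contents are unreadable without the passphrase.
# Returns non-zero if the copy or the verification fails; the originals are
# never modified by this function.
seal_folder() {    # $1 = source folder, $2 = image path, $3 = mount point
    src=$1; image=$2; mnt=$3
    hdiutil attach "$image" -mountpoint "$mnt" -nobrowse || return 1
    dest="$mnt/$(basename "$src")"
    if cp -Rp "$src" "$dest" && diff -r "$src" "$dest" >/dev/null; then
        status=0
    else
        status=1
    fi
    # Always eject, even after a failed copy, so the volume is not left open.
    hdiutil detach "$mnt" || return 1
    return "$status"
}
```

The originals stay where they were; deleting them and wiping free space, as suggested earlier in the thread, is a separate step to take only after `seal_folder` returns success.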

iamthewalrus(:3=
07-07-2011, 07:33 PM
To be honest, i don't know why a repair shop should need administrator access to the operating system in order to replace cooling fans.

They don't. But:

1. Who knows if it's just the hardware in the cooling fans? Maybe it's a problem with the driver for the temperature sensor. Maybe part of the OS got compromised and they need to run a diagnostic or repair files that a normal user account can't access.

2. Once they have the hardware, they can do anything they want with the data (unless it's encrypted). Many people seem to think that handing over a physical computer without handing over the password is some kind of protection, but it's not. Asking for an Administrator password makes it quite clear that they're going to have full access.

So, it might be useful, and it doesn't provide any protection to you not to give it. Even better, asking for it causes some people who hadn't thought through the security implications of handing over sensitive data to do so. Win-win-win.