MacBook Pro in for repair - protecting files

So, the fans have to be replaced on my MacBook. They’ve ordered the parts, and it will be a few days before I take it in. I usually back up using Time Machine, and then I do a Windows backup for the Windows 7 OS running on my computer. I’m capable of doing a clone of the drive, if necessary:

  1. The big issue for me is that I have files on my computer which are confidential, and I don’t want the Mac people to have access to them. So, I feel like I should back up everything, wipe the hard drive, take it in for the fix, and then restore the hard drive. Does this seem like a good approach? What is the best mechanism for wiping the hard drive?

  2. Prior to wiping the hard drive, I have to do some kind of backup. I normally back up using Time Machine. I have VMware Fusion running a Windows 7 installation, and I do a Windows backup for that. I didn’t make any changes to the default Time Machine backup, so it should be backing up the Windows 7 installation, but I just didn’t trust it, so I do the additional backup.

So, would cloning the disk using Disk Utility be the best way to do this? Would that capture the VMware installation of Windows 7 properly? Or is Time Machine sufficient?

Thanks.

It seems to me (IAN a technician, but…) replacing the fans is a fairly straightforward procedure that would not involve getting into your hard drive to any great extent. Even if they turn your Mac on, they can let it run just long enough to know that the fans work, and then, good night.

In short, I think you’re over-thinking this.

Unfortunately, I am contractually required to over-think this. I am required to protect confidential files before I take it in for repair. Maybe a wipe is overkill, but if anyone has any suggestions, please let me know. Thanks.

I recommend looking at TrueCrypt. It is a freeware encryption program (well-respected and used by many industry professionals). You can create an encrypted “container” on your drive which can only be accessed using a password. Moving your sensitive files into the encrypted container will keep them secure without having to wipe your drive. (You may want to use a free-space wipe program after you do this - it will prevent anyone from recovering the old unencrypted files.)

There is very good documentation on the TrueCrypt website which explains the details far better than I can. :)

Thanks. I’m going to look at this. Can I mount a TrueCrypt partition as a drive shared between both the Mac OS and the VMware/Windows 7 installation?

Disk Utility has a Secure Erase option.

FileVault is an easier option on a Mac - System Prefs, Security, FileVault. There is an option to securely erase the old home dir, but be advised it may take several days to finish (it runs in the background). That won’t solve your Windows problem.

Neither will satisfy the most paranoid, but they are more than enough to secure against a repair guy snooping around.

Sorry, **BrightNShiny** - I do not know if it can be shared that way. I once again defer to the documentation…

Well, the Windows partition has its own password. I guess I could move everything out of the shared partition into the Windows partition, and then use the Secure Erase option to clear out the Mac partition.

And then look into TrueCrypt for a longer-term solution.

EDIT: Hmm. Can you use the Secure Erase option to clear out only part of a partition? Or does it clear out the entire partition?

The Mac and Windows versions of TrueCrypt can read and write the same partitions, I’ve confirmed that myself. No idea if they can do it simultaneously - I wouldn’t count on it.

The whole thing, it’s part of the format process.

ETA: the FileVault secure erase will clear the old unencrypted data. But you probably don’t want that as it will likely interfere with your VM setup.

Why don’t you just physically remove the hard drive? Do they need it to run functionality tests or something? Seems to me that would both be the easiest and most secure solution.

Take it in without your hard drive? Or ask them to remove it when you take it in. May cost a couple of bucks but I am sure they have to deal with security issues.

Maybe you should call the shop where they are gonna fix it and ask them.

I was at the Mac store today, and when I mentioned this issue, they were completely unhelpful. The clerk asked me for a username and password with Administrator privileges. When I didn’t want to give them my account name and password, the clerk said I should create a new account with Administrator privileges. When I mentioned the security issue, she said that all files on the disk would be accessible by the technician, and that it was my responsibility to deal with this issue.

BrightNShiny, what the tech told you is correct. FileVault is a good solution in your case - a new administrator account made just for them won’t be able to access FV-encrypted files in your other account.

If you did this without actually encrypting the data, the files on your Windows partition could be accessed very easily by booting from a live Linux CD or USB key.

To be honest, I don’t know why a repair shop should need administrator access to the operating system in order to replace cooling fans.

Maybe they plan on stress testing it? But, then, why aren’t they using a portable application to pull that off? Heck, why don’t they just boot off a CD?

I am finding it very hard to give them the benefit of the doubt. The only thing I can think of is really dumb corporate policy. If I had a choice, I would avoid using these people. And if I didn’t, I’d be tempted to install some sort of logging software.

If you have the time to back up and wipe, I’d just do that. But I don’t mean a full wipe–just delete all your important files after you’ve got them backed up, and then wipe all the free space. I’d only do a clone if everything is on the shared partition. Don’t wipe the main partition of a Mac. It can be a minor headache dealing with that.

Buy new hard drive. Swap new for old. Store old hard drive in a safe place. Install some flavor of OS on the new drive, but do not copy any of your confidential files to it. Take laptop in for repair. On return of repaired laptop, swap old drive for new.

While I have not looked at a MacBook Pro, most laptops allow swapping of the HDD by turning a few screws. It looks like there are several generations of MBP out there, but none of them look difficult.

If file confidentiality is a significant issue for you, then you should be encrypting everything as a matter of course, anyway.

Yeah, that was one of my first thoughts on reading the OP. If the information really is that sensitive, and requires such confidentiality, I’m surprised that all of these questions are only being raised now that the computer has to go in for service.

I agree, when confidentiality becomes this critical, then the company or organisation will contract this maintenance to trusted providers.

In addition, there are other security features that would mean no-one can access your account on your system at all (except for various higher level operator reasons - such as company investigations etc), but should be able to access the rest of it using their own password.

Such critical information is usually rather valuable and is generally backed up on the company networks too.