A secure document library for your Mac (part 1)

I spend plenty of time futzing* around on the Mac listening to music, watching movies and surfing the web so it’s quite rewarding when I really put it to good use. Shrinking the mountain of old paperwork that filled dozens of A4 ring binders in my study bookcase was one such project, and I now have an online, searchable and secure archive of all my old documents.

The ingredients for this little project were:

  • An Apple Mac (running Leopard OS X)
  • A Fujitsu ScanSnap S300M (or a flatbed scanner if you’re patient)
  • TrueCrypt (optional – I ended up using the Disk Utility built in to Leopard)
  • DevonThink Pro (optional – you can just as easily use folders and Finder if you want to)
  • Fellowes P-58Cs shredder (any good cross-cut shredder will do)

The first thing I did was to scan all my old documents using the ScanSnap scanner. While other scanners will do, flatbed scanners are notoriously slow and cumbersome given that the ScanSnap S300M can scan both sides of a sheet of paper in around five or six seconds, and can take 10 sheets of paper at a time. I wrote a little article about the ScanSnap S300M which you can find here, and if you’ve got the budget its bigger brother, the S510M, can take up to 50 sheets at a time. The time-consuming bit when you’re scanning is to give the scanned documents a sensible name. I opted for keeping it simple, sticking to a name and date wherever possible, so for example a copy of the order sheet that Amazon sent out with an item I ordered on December 3rd 2008 got named “Amazon Slip – 2008.12.03”. Generally if I’m looking for something then I’ll at least know the company or person involved and roughly the date it happened, well to within a year or so!

Fellowes P-58Cs Shredder


So the upshot of this is that after a few days casual scanning and labelling, I had a folder structure on one of my hard disks consisting of folders labelled according to subject, e.g. Amazon, Apple, etc. So far so good, all my old paperwork is now safely on disk, and indexed by Spotlight. Next job – security!

It’s all very well scanning old credit card and bank statements, but what if someone were to break in and steal your Mac while you’re out?! Not only have they pinched your pride and joy, they’ve got a load of your financial details to start making mayhem with your credit rating. Originally I tackled this problem by encrypting individual files using GoSecure. Great drag & drop utility – virtually unbreakable AES-256 bit encryption, but with hundreds of files needing to be secured it quickly became very laborious to encrypt each one by hand. More to the point, every time I wanted to look at one of these documents I had to decrypt it manually then re-encrypt it afterwards. The solution? Store all your scanned files using an encrypted disk image – basically a secure encrypted area that looks like a regular disk while you’re using it. Think of it like a little CD or DVD disk or even a miniature hard disk hidden away inside your Mac. Now I could have used OS X’s FileVault feature to secure an entire hard disk, and if you are happy doing that then it’s the way to go. However, some people think it’s overkill, and it still leaves the issue of how to secure your backups as well. More flexible options include things like the excellent (and free) TrueCrypt utility or Leopard’s very own Disk Utility, which is what I ended up using.

So, I have a bunch of scanned documents that amount to around 1.5Gb of data, and it’s likely that I’ll add to this over the coming years. What’s needed is an encrypted area big enough to allow growth, so let’s say capable of holding up to 2.6Gb? Now while TrueCrypt has lots of bells and whistles, I opted to use Disk Utility as it’s already part of Leopard OS X and it’s really easy to use, and this is what you do:

  1. Go to your Utilities folder and launch Disk Utility.
  2. From the File menu, choose New then Blank Disk Image.
  3. Choose a location where you want to store your disk image. I put mine in a separate little disk partition I’ve got, but your Documents folder is as good a place as any.
  4. Give your disk image a name in the ‘Save As’ box, and give it the same name in the ‘Volume Name’ box too.
  5. Choose a size for your disk image, remembering that you should allow space to add more files to it in the future. I chose 2.6Gb for my 1.5Gb of files, but you can choose any custom size you like.
  6. Choose a disk format – Mac OS Extended is good for performance and Time Machine compatibility if you’re backing up the whole disk image as just one file.
  7. Encryption – now here’s where Mac OS X does the clever stuff. The default will be ‘none’ but seeing as the idea is to make it secure, choose 128-bit AES or if you’ve got a reasonably fast Mac, go the whole hog and use 256-bit AES. All the encryption will be handled on the fly by OS X when you’re using the disk – you won’t feel a thing!
  8. For the Partitions option you can choose ‘no partition map’ and for the Image format choose ‘sparse bundle disk image’. Sparse bundle is good as it allows your disk image to grow and shrink as required.
  9. Click the OK button and Disk Utility will get to work creating your disk image.
  10. After a few seconds you’ll see a prompt asking you for a password for your encrypted disk image. Helpfully the window will show you how good your password is – I’d recommend choosing something with a rating of ‘Good’ or better.
  11. You’ll also need to decide if you want to store your password in your Keychain. Now while it might sound like a good idea to tick the box, you need to think about what that means. I chose not to store the password in the keychain, and I think that’s a safer setting especially for laptop users. If you do store the password in your keychain then basically if someone manages to log into your Mac, they won’t get prompted for your password when they open your disk image – now is that something you want? Depends on how strong your login password is perhaps. So my recommendation is – make the password ‘Good’ or better, do not store it in your keychain, and choose a different password to your login password.

Now that you’ve created your secure disk image, it’s very easy to mount it and start using it like a real disk. Just open Finder and go to where you created the disk image. You’ll see a ‘.dmg’ file with the name you chose in Disk Utility, just double-click on it and you’ll be prompted for your password. That done, you have a new ‘disk’ that you can use like any other hard disk, CD, DVD etc. under OS X. At this point you’d move your scanned documents to your new secure disk area. What’s more, when you’re done you can eject the disk image if you like and your documents are safe from prying eyes until you mount the disk image again. Reboot your Mac and your scanned documents are still safely locked away until you decide to open the disk image using your password.
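The same image can be created, checked, mounted and ejected from Terminal with hdiutil, the command-line tool behind Disk Utility. This is an added example, not part of the original article; the DocVault name and the Documents location are assumed values, and 2662m stands in for the 2.6Gb chosen in step 5.

```sh
#!/bin/sh
# Added example, not from the article: Disk Utility steps 2-10 as hdiutil calls.
# VAULT_NAME and VAULT_DIR are assumed values; pick your own.
VAULT_NAME="DocVault"
VAULT_DIR="$HOME/Documents"
VAULT_IMAGE="$VAULT_DIR/$VAULT_NAME.sparsebundle"
# Set HDIUTIL=echo to print each command instead of running it (dry run).
HDIUTIL="${HDIUTIL:-hdiutil}"

# Steps 4-8: name, size, format, encryption, no partition map, sparse bundle.
# No password option is passed, so hdiutil prompts for the passphrase and it
# never lands in shell history or the process list.
create_vault() {
    "$HDIUTIL" create \
        -size 2662m \
        -type SPARSEBUNDLE \
        -fs HFS+J \
        -layout NONE \
        -encryption AES-256 \
        -volname "$VAULT_NAME" \
        "$VAULT_IMAGE"
}

# Confirm the image really is encrypted before moving documents into it.
verify_vault() {
    "$HDIUTIL" isencrypted "$VAULT_IMAGE" 2>&1 | grep -q 'encrypted: YES'
}

# Mount (prompts for the passphrase) and eject again when finished.
open_vault()  { "$HDIUTIL" attach "$VAULT_IMAGE"; }
close_vault() { "$HDIUTIL" detach "/Volumes/$VAULT_NAME"; }

case "${1:-}" in
create) create_vault && verify_vault && echo "encrypted image ready" ;;
open)   open_vault ;;
close)  close_vault ;;
esac
```

Run it as `sh vault.sh create`, then `open` and `close` as needed; the file name vault.sh is only a suggestion.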

Disk Utility


I went a step further and decided to try out DevonThink Pro for managing my library of scanned documents. There are benefits and disadvantages to using a tool like DevonThink rather than natively storing the documents and using Finder so it’s a matter of choice and I’ll cover DevonThink Pro in a separate article.

Well that’s about it – the only thing left to do is to decide on a sensible backup strategy for your encrypted disk image. As the disk image itself is a single .dmg file, it’s relatively easy to back it up and if it’s small enough you can back it up to online services like Mozy or even iDisk, after all it’s already encrypted so it’ll be pretty safe wherever you put it.

Oh and last but not least, you can now have fun shredding all your old scanned documents and putting the space you’ve gained to good use!

*In case you wondered what futzing is, the dictionary definition is: To waste time or effort on frivolities; fool. See, told you Macs are fun.

Automatically mount a TrueCrypt volume at Login (Mac OS X tip)

Everyone these days is banging on at us about taking more care of our personal data, but we’re a lazy bunch you & me and like every other bit of advice we get, we tend to push it to the back of our minds unless it’s easy to follow. Securing your personal data is all very well, but quite frankly it can be a pain in the butt if every time you login to your Mac you have to launch a program and navigate through various options to get something done.

I’m just as guilty and having installed TrueCrypt on the Mac some months ago, I’d barely given it a second thought until I had to get it to automatically mount a volume on my Windows XP work laptop the other day. In Windows it’s a relatively straightforward task to get TrueCrypt to run at startup and then automatically mount your ‘favourite’ volumes. Doing the same under Mac OS X took a little more effort! Yes Mac OS X can automatically mount network volumes if you simply drag the relevant icon into your User Account/Login items, but sadly this doesn’t seem to work for TrueCrypt volumes, so here we go…

For the purposes of this exercise I use the excellent Lingon utility to create an agent that runs when I login, but it should be just as easy to do this using a script, or even an Automator Action – the syntax of the actual command line will be the same.

Lingon details


Assuming you have already installed TrueCrypt in your Applications folder, create the volume you want mounted at login if you haven’t already done so. In my case I created a folder called Document_Store in the root of my ‘user’ folder, and then created a 2Gb TrueCrypt file called ‘docvault’ inside it. What you now need to do is work out the full pathname of your TrueCrypt file – in my case it’s:

/Users/macbitz/Document_Store/docvault

…where ‘macbitz’ is my user name, Document_Store is the name of the folder I created to hold my TrueCrypt files, and docvault being the name of the file I want to automatically mount.

Now fire up Lingon and click on the + button to create a new agent and choose User Agents from the list. First thing to do is to give your agent a name – in my case I called it ‘com.truecrypt.mount_docvault’ but you can call it whatever makes sense to you. Next step is to tell Lingon what application to run by using the ‘Choose’ button and navigating to where you installed the TrueCrypt application. Once you’ve done this, you should see some text in the ‘What’ box that looks something like:

/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt

…that’s Lingon telling your Mac what application to run. The next thing you need to do is add the parameters that tell TrueCrypt what it’s supposed to do. In our case we want TrueCrypt to mount a file called ‘docvault’ and to put it somewhere where it’s easily accessible, like a volume on the desktop, so we add the following text into the Lingon ‘What’ window after the TrueCrypt stuff:

--mount /Users/macbitz/Document_Store/docvault /Volumes/VAULT

Once you’ve done that you’ll have a long command line that looks like this:

/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount /Users/macbitz/Document_Store/docvault /Volumes/VAULT

Custom icon

One last thing is to tell Lingon when it should run your command. Do this by ticking the box that says – Run it when it is loaded by the system (at startup or login). Now if you’ve done this correctly then the next time you log in to your Mac, TrueCrypt will load, and then prompt you for the password to access the encrypted file before mounting it in the location specified. In my example I asked TrueCrypt to mount the file as a volume called ‘VAULT’ which then appears on my desktop (as per my Finder preferences). With a little bit of imagination you can even create a custom icon for your encrypted volume (see left) which Finder kindly remembers. If you want to auto-mount your TrueCrypt volume using a script then just put the TrueCrypt command line and its parameters into a compiled script that you run as a login item.
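For anyone who prefers not to use Lingon, the agent described above is a launchd property list in your LaunchAgents folder, and the script below writes one by hand. It is an added example, not Lingon’s own output or code from the article; it reuses the article’s label, paths and mount point, and the write_agent function name is made up for illustration. No password is passed on the command line, so TrueCrypt still prompts at login as described.

```sh
#!/bin/sh
# Added example, not from the article: the launchd user agent the Lingon
# steps describe, written by hand. Values below are the article's own.
LABEL="com.truecrypt.mount_docvault"
TC="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"
VOLUME="/Users/macbitz/Document_Store/docvault"
MOUNTPOINT="/Volumes/VAULT"

# Write the agent plist into directory $1 and print its path.
write_agent() {
    plist="$1/$LABEL.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$TC</string>
        <string>--mount</string>
        <string>$VOLUME</string>
        <string>$MOUNTPOINT</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    # Writable only by you, so no other account can change what runs at login.
    chmod 644 "$plist"
    # plutil ships with Mac OS X; the syntax check is skipped elsewhere.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$plist" >/dev/null || return 1
    fi
    echo "$plist"
}

case "${1:-}" in
install)
    agent=$(write_agent "$HOME/Library/LaunchAgents") && launchctl load "$agent"
    ;;
esac
```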

Nicest of all, TrueCrypt is free so now you’ve got no excuse for not locking up your super-secret data away from prying eyes! Having said that, the authors of both TrueCrypt and Lingon are happy to accept donations.