Confused about Espionage, FileVault 2, Undercover, and Mail Folders

[sawxray]

I know the title sounds confusing. Sorry about that.

Former user of Espionage 2 here. I haven't used it in a while.

I have a new MBP, and am trying to clean up and make it secure. I have used Undercover for a while, as security should the computer be stolen.

I am currently using FileVault 2, which seems to run just fine.

But Undercover says not to use FV, and to use Espionage instead.

Before I purchased a new license, I made the mistake of reading the Tao Effects website, specifically about using Application sets for Mail data folders. The video states not to use this feature unless 'you know what you are doing.'

Another post on the forum says that FV and Espionage work well together, with FV handling application data.

Now I am completely confused. Can I use both Espionage and FV? If so, do I need to use the application data encryption in Espionage 3? If so, what are the 'you know what you are doing issues?'

Thank you in advance for helping me to understand!

[zsolt]

Hello, it is tough, I know...but all your questions are valid, so let me try to clarify to you...

File Vault (2) will encrypt your entire disk, including the user folder, so if all your files are already encrypted then it does not make much sense to encrypt some folder once again.

Whereas File Vault seems to be working fine and Apple continues to use it in OS X, there is always this "what if something goes wrong" and due to some bug in File Vault or error on disk, you loose it all? If the drive is encrypted then no recovery software can help you, it is either all or nothing.

The alternative is to protect only some folders and leave the rest unencrypted, yet, this assumes that you will protect your most valuable data which brings the very same question up again, "what if....", yes, you would not loose the entire disk, just your most valuable data :-)

So I guess the choice is yours, all I can say is that in several years since I support this product, there was no report on data corruption unless it was a corruption of the disk itself. If you add to it the possibility (and recommendation) to backup those disk images, then the whole thing is quite safe, in worst case we could restore an older copy of the disk image containing the data.

The data on the backup disk is saved in the encrypted form, so it is protected in the same way as on your startup disk, no worries here.

Now to the application protection, Espionage 2 offered an "no brainer" application protection, you would pick the app you want to protect and we would to it all automatically for you.
Due to tightened security in OS X, we had to change the way Espionage works, and this does not allow us to intercept application launch any more, so we had to give up on application protection all together. However, the application protection is nothing else then protection of specific folders where application stores it's data, so "if you know what you are doing" you can still do it, but in our tests with Apple's Mail, whereas it works and does what is expected, due to the way IMAP and Apple Mail work, if you lock the folders, Mail will simply download the messages from the server again, we cannot prevent this, as we cannot prevent it from accessing your mail account info. What would be protected are the local folders: if you move some mails from server into a local folder, then the local copy is the only one, and this could not be fetched again, and this would not show up if the Mail folders are locked.
So if you have a specific Mail workflow, then it is worth the trouble.

I hope I made it clear(er) to you, if you have any further questions, let me know

Zsolt

[sawxray]

Thank you for the response. I have been trying to digest it, and I'm afraid I need more clarification. I will try to respond to each of the sections you described:

It doesn't make a difference if I encrypt with FileVault or Espionage. If either fails, I lose data, correct? I am assuming that is a very rare issue with either, so it is not an issue to help me differentiate between them.

Regarding application protection, I still don't understand the difference between encrypting your data, and encrypting an application, or an application's data. The data is either encrypted, or it isn't. For my use, I am not going to pick and choose which app to encrypt, I just want to encrypt my data.

If I encrypt all my data, Mail's data will be encrypted, correct? Is there something unique about Mail that prevents this?

The bigger issue is how to use this with Undercover. Undercover says they won't work with FV on, and recommend Espionage. But the documentation for Espionage makes it seem very complicated, including the warning about 'knowing what you are doing.'

I would like to encrypt my data. I would like to use Undercover to protect myself if my machine is stolen. How can I best achieve these goals? Do I need to scrap FileVault? And is Espionage a good replacement, or do I need to go folder by folder if I use Espionage.

Thanks in advance.

[zsolt]

1. yes, filevault or Espionage, same thing, if something goes wrong, you loose, although, if you use Espionage you can do backups, the files will be protected on the backup disk too, so you can restore. Filevault is either all or nothing and to the best of my knowledge, the backup is unencrypted

2. protecting an application is protecting application's data. With Espionage 2 we were picking the right data for you, with Espionage 3 this is not possible any more so you have to pick it on your own. Which folders do you need to encrypt and how will that affect the application is all on you. I can give you some hints regarding Mail but again, this was not verified with every update of Mail or OS X. I will write a few more words at the end of this post

3. Can you share with me this documentation which seems to be very complicated?

4. If you want to protect your entire user folder then Espionage cannot do this, in Espionage you have to protect each folder separately, and these must be subfolders of default user folders (like Documents, Pictures, Movies etc.)

5. Regarding mail: as I said in my previous post, encrypting application data means that when you launch the application and the folder is locked, each application will handle this differently, trying to recover from this situation. If you launch Mail with folder locked, it will see that the mails are missing and will try to download them new from the defined internet accounts. The trouble is that it will succeed, because the internet account info is not stored within Mail, but within system preferences and those you cannot lock because OS X would not be able to function.
The Mail, however, has the option to move the mails locally, basically you remove them from the IMAP server and store them only locally. In this case, Mail cannot download them new, because they are not on the server any more, and locally they would be encrypted. So you can create a Mail rule, or do this by hand periodically, and move all confidential mails into local folder.

If you have further questions, I suggest that we make a remote session and I can explain you all in details.

[sawxray]

Thank you for the detailed explanation. A few follow-on questions:

3. I am not sure what you are referring to.

4. If I have documents in the Documents folder, not in subfolders, can I encrypt them? In other words, does this mean that every document must be in a folder?

5. Sorry, I still don't understand. Are we saying that I have to unlock all Mail folders before I use Mail at any time?

I am OK with a remote session, but thought I would continue the conversation here, to help others who might be new like me.

Thanks!

[zsolt]

3. I'm reffering to "Undercover says they won't work with FV on, and recommend Espionage. But the documentation for Espionage makes it seem very complicated, including the warning about 'knowing what you are doing.'" is this Undercover documentation or Espionage documentation? Share with me the section which is unclear.

4. With Espionage you cannot protect Files, just folders, so yes, all you want to protect has to be in a folder. However, I do not recommend to protect the "Main" folder, i.e. Documents, Pictures, Music, Movies etc....the folders which are directly under your home folder, as they have special permissions and the encryption might fail, I recommend protecting one or more subfolders of those folders.

5. Yes, you have to unlock the folder before launching mail, because we cannot intercept the application launch like we could in earlier versions of OS X, you can setup a folder action though, where unlocking the folder will launch Mail, it is a bit opposite approach, but it works well. But I'm not sure if you understood what I said before. Do you know which folders do you have to protect to protect Mail?

Remote session would definitely be better then this, as we will be writing for a long time, and at one point you will get frustrated as we will not make progress :-)

I'm usually available in afternoon/evening hours of GMT+1 time zone, mail me directly at taoeffect@macmesupport.com

Cheers
Zsolt