Messages

Thanks so much for all these useful answers - really appreciate the speed of your response!

A few points below:

3- I understand that there are lots of requests for timed or screensaver/sleep-triggered auto-locks (many messages from 2010 in forum) but this does not seem to have been implemented (yet?) as I could not see any mention of it in the app or help file. I understand the complexities of it (if a document from an encrypted folder is open, etc.) and the usual answer seems to be "to enable the sleep/screensaver password in the Security System Preferences" (which I already do). I completely understand the rationale behind this: if a thief resets my user password to be able to login (will need to log off/restart) or access the HDD from another machine, they wont be able to access my RAM, which is where the decrypted information resides.
However my question is with regards to the sleepimage file, which - as I understand - contains a dump of the RAM to disk. Does this mean that the Espionage-protected data (all unlocked folders) will implicitly be dumped in its RAM-DEcrypted state to disk as part of the overall RAM dump/copy?

4- If the above is true. Is it sufficient to set the Security System Preference "Use Secure Virtual Memory" to true to be protected (i.e. the unlocked Espionage folders will be dumped in their decrypted state as part of the overall RAM, which is in turn fully encrypted somehow by Mac OS)?

Correct, make sure that's checked. I believe (but am not 100% sure) that this is the default on 10.7 and later.

From what I remember reading yesterday (I read a lot while researching all that security business!...), it could be that the default is different in 10.6 for laptops (encrypted by default) and desktops (non-encrypted by default) - not sure about 10.7 but I would suggest people check their own settings.

5- In terms of backup, there should not be any of the problems above: if I keep to the recommendation of either using the built-in backups or ensure that the folders are locked when running the backup, only the encrypted data should be copied?

You can go ahead and run backups even while the folders are unlocked as per the reasoning above (so long as the backup program does not backup the decrypted data by traversing the symbolic link/alias). The reason we recommend running third-party backups while the folder is the same locked state as during the previous backup is to optimize the efficiency of the backup because the hidden disk image is moved each time the folder is locked or unlocked (see here for details).

Just a question here: how would I make sure that the backup program (I use SuperDuper) does not traverse the symlink?

Note that the answers to these questions will likely be quite different in the next major release of Espionage.

Leaving us a bit on a cliffhanger here!  ;)
Any more indications as to what could be different?
And when the next major release is due?

Should I worry about having to change my whole Espionage set up soon once the new version comes out?

[one of the main reasons that we want to switch away from OS X's keychain is because it's not as secure as it could be]

You bring up a valid concern with regards to "multiple possibilities for infiltration", but in fact one of the main reasons that we want to switch away from OS X's keychain is because it's not as secure as it could be. Espionage's separate keychain, by virtue of it being separate from the login keychain, makes it a bit more secure, but by switching away from OS X's keychain mechanism altogether we can ensure stronger levels of encryption for protecting the passwords, and we can ensure a greater level of reliability. This is one of the areas where Apple, unfortunately, didn't do a very good job, which is why we're looking to implement our own "keychain-like" solution using secure opensource standards.

Would you say the above still stands 18+ months later (ie is the Espionage keychain stronger than the Apple one - which is not as secure as it could (should?) be?

Thanks.

I use 1Password and like it a lot..
However, its encryption level is not good enough for my taste: I use it to protect my sensitive login data and in the event that somebody gets hold of the agilekeychain that it uses, there are too many bits of information that are stored in plain text in my opinion.

This is something that the guys from 1Password are working on apparently, but in the mean time, thiefs of my HDD or computer or trojan horses harvesting 1Password files or dropbox hackers could fairly easily see all my login URLs (amazon, name of bank, etc.) as well as the password strength.

This was actually highlighted by the 1Password guys themselves in this post - http://blog.agilebits.com/2011/11/defen ... arvesters/

My basic strategy to protect any sensitive info (emails, sensitive folders like financial stuff) leans towards using Espionage on a selective basis (include all sensitive stuff): as a result: it is encrypted on my internal HDD and anywhere else it gets replicated to (external HDD, cloud, etc.).

Based on the above, I am thinking that encrypting the 1Password folder containing its own keychain (agilekeychain - I do not use the Mac login keychain) might be a solution. Has anybody tried this option? I can only see a few old references to 1Password in the forum and there is no application template for 1Password.
Are there any issues? - especially if using the browser extension, which accesses the same file? (ie would I need to associate the browser application to the folder too? - I'm using Chrome)

Thanks,
Jezza

I was not able to find any explanations as to what exactly the Path Finder option in the Preferences does?

The help file does not mention it and all I could find on the site was:

"Path Finder Support!

Path Finder users rejoice! Espionage now has a checkbox for you in its general preferences. Just enable the Path Finder compatibility mode, and Espionage will work seamlessly with your favorite file manager."

I use Path Finder as my default file browser and had Espionage running without the option ticked at first with seemingly no issues (I have only started trialling it). Checking it does not seem to give any differences?

Thanks,
Jez

I am just trialling Espionage and so far, it looks promising.

But I have the following questions / required clarifications after having looked up a few forum posts. Basically my aim is that specific data on my hard drive (and then copied onto a backup location - external HDD or offline/cloud storage) is unaccessible to anybody else than me.

If I understand correctly, encrypted folders use the standard/native  Mac OS encryption with sparse images/bundles "wrapped in a clever way" that allows Espionage to do its magic such as application data locking, auto-unlock, white-listing, etc.

1- I read on the forum that this means data on the hard drive is always encrypted (it only gets mounted as a volume and decrypted on the fly and stored in RAM when unlocked - but the actual HDD data is unlocked). Is this correct?

2- Does that mean that if I have many large encrypted folders - all unlocked, this will greatly increase RAM usage (to hold all this decrypted data)?

3- I understand that there are lots of requests for timed or screensaver/sleep-triggered auto-locks (many messages from 2010 in forum) but this does not seem to have been implemented (yet?) as I could not see any mention of it in the app or help file. I understand the complexities of it (if a document from an encrypted folder is open, etc.) and the usual answer seems to be "to enable the sleep/screensaver password in the Security System Preferences" (which I already do). I completely understand the rationale behind this: if a thief resets my user password to be able to login (will need to log off/restart) or access the HDD from another machine, they wont be able to access my RAM, which is where the decrypted information resides.
However my question is with regards to the sleepimage file, which - as I understand - contains a dump of the RAM to disk. Does this mean that the Espionage-protected data (all unlocked folders) will implicitly be dumped in its RAM-DEcrypted state to disk as part of the overall RAM dump/copy?

4- If the above is true. Is it sufficient to set the Security System Preference "Use Secure Virtual Memory" to true to be protected (i.e. the unlocked Espionage folders will be dumped in their decrypted state as part of the overall RAM, which is in turn fully encrypted somehow by Mac OS)?

5- In terms of backup, there should not be any of the problems above: if I keep to the recommendation of either using the built-in backups or ensure that the folders are locked when running the backup, only the encrypted data should be copied?

Thanks in advance (and sorry for the long message!)

Jezza