Your account in OS X should be relatively secure, and provided you store your files within the structure of your account (ie, the Documents, Music, Movies, and Photos folders in your home directory), then other users on your system will not be able to access your documents. However, this security has its limits, and may break down for several reasons, especially if you transfer documents from your Mac to other systems, or to online services which you access from other systems:
- Permissions modifications — The exclusive access to your account is set up by file and folder permissions; however, if some error (perhaps when restoring from a backup or otherwise modifying your system) has affected permissions, then folders you think are private may in fact be readable by others.
- Administrative access — If someone has administrative access to your Mac, then they can override any permissions settings and gain access to files and folders.
- Bypassing OS X — Your OS X installation is what implements and upholds file and folder security, but this can be bypassed by someone removing your drive and putting it another system, or by booting your Mac to an external boot drive.
To overcome these three security issues, you have two options: Filevault, and individual file security.
FileVault is Apple’s built-in full-disk encryption routine for OS X, which ensures the entire drive (including installed applications, system files, and your documents) are scrambled data unless a proper unlocking password or encryption key is provided. This is a great routine to have, provided you keep all of your documents on your Mac; however, with sharing services like Dropbox, and other means of copying files (including to unencrypted backup drives), you can easily and inadvertently duplicate your FileVault-secured files to other unsecured computers. This is true even if the storage in a service like like Dropbox is secure, since you can simply use its Web interface to download a file from it to another Mac that is not encrypted.
These options are simply the security features that programs offer for the files they create. For instance, when you create a Pages or Numbers document you can set a file password (in the File menu) that will be required to open that document. The same goes for third-party programs like Word, TurboTax, and many others. The unfortunate issue here is that some programs will have these features, and others will not, so you will have to look into which ones support these security options, and then implement them accordingly.
If a program you use does not have an option for securing document content, then you can still secure files using a disk image as an encryption wrapper. To do this, you can use Disk Utility to create a dynamically resizable but encrypted disk image, that can be mounted with a password, and then will only be the size of the documents and data that are stored within it.
- Open Disk Utility
- Choose “Blank Disk Image” from the File > New submenu (or click the “New Image” button in the toolbar).
- In the window that appears, choose either 128-bit or 256-bit encryption from the “Encryption” menu.
- Choose the size of the disk and other options to most appropriately match your data, or better yet, choose a combination of a large size and “Compressed” or “Sparse” as the image format, along with “No Partition Map” for the partition type, to make the disk image dynamically resizable.
With the disk image created, you can open it and provide your password when prompted, and then copy files to it. When you unmount (“eject”) the image, the files on it will be secured by the image’s encryption, and you can then copy the whole image to any online service (or anywhere else) you want, and know the files on it will not be accessible without knowing the image’s password. This approach does require you copy the image itself, is a requirement for keeping files safe that do not support their own encryption options.