When connecting an external drive with private files, we see that many times when leave that unit connected if there is a session or user change, the files will continue to be accessible as the drive will be remounted in the new session.
Permissions and Encryption. The perfect combination
The first thing will be to differentiate the different ways to encrypt drives for preserve data integrity in case the system accidentally deletes them or they have been incorrectly expelled from granting the necessary permissions so that the files are never directly accessible without our knowing it.
If we have activated the option of sharing in network the files will continue to be visible, whether or not they are encrypted and with the password they will be visible from that moment.
Due to the default system settings, all external drives that we connect will be available for all users right out of the box, even though all folders may contain permission restrictions. It is best to use both encryption and setting the appropriate permissions to ensure maximum confidentiality, since the encryption alone can be bypassed by local users and the permissions will not make sense if the unit is connected to another system.
Encryption
The first thing is to encrypt the drive as we have explained in previous posts. We will go to a Finder window and place ourselves on top of the unit with the secondary menu (right button), we will mark that it encrypts this unit.
The next thing we will do is see the permissions of the unit by hovering over it and pressing CMD + I and we will open the padlock at the bottom right and mark the "Ignore property in this volume" box. The groups that we will see will be ourselves, the "staff" which is for all those local accounts that can modify global permissions and "everyone" which is for everyone who can access the unit either locally or through the network.
Permissions
With this we will manage the permissions of the unit to allow users that only we give access to it (only valid for accounts that do not have administrator properties, since if there are other administrators they can also modify permissions). From here we have two possibilities, one is to give a single user permission or to create a multi-user one.
- Single user permission: With the «-» button we will delete the «staff» group to prevent access by local accounts and we will leave the «everyone» group without access to avoid any leakage.
- Multi-user permission: Here, unlike the previous one, what we will do is leave the group "staff" as read-only and "everyone" without access. In this way we ensure the reading by all local users of the equipment but without being able to access it from other locations.
More information - NetsWire gives signs of life with the release of the 4.0 public beta
Source - Cnet