One of the things that has bugged me about Mac OS X’s FileVault is that it has lacked the ability to encrypt by-folder. I don’t want my massive Final Cut Studio documents to be encrypted… or worse, corrupted in the event of a (rare) FileVault failure during a system crash (even rarer on Mac).
But now that Macs are shipping with a good amount of RAM, I’ve found a reasonable solution: mix multiple user switching and FileVault. Here’s the workflow:
1) Go to System Preferences > Accounts and make a couple of new users. Say, Work and Private.
2) Go to Login Options (same window) and turn on multiple user switching. I keep Automatic Login on so that my primary account will still log in automatically when I boot up.
3) Log out (this is just for enabling FileVault… you won’t need to log out after turning it on the first time). Then log in to Work or Private.
4) Go to System Preferences > Security. Turn FileVault on for the user.
While you’re at it, make sure the Security preferences on your FileVault users are set to lock the screen upon sleep or screen saver. This will ensure that if someone walks off with your system, your FileVaulted accounts will stay secure (so long as the screen saver kicks in, or the lid is closed… which someone stealing your laptop will probably do).
Repeat all this for any other users you have that you want FileVaulted.
5) You’re done. Your computer will automatically boot to the primary user, and when you want to deal with documents you want encrypted, just switch over to the multiple users menu and log in to that account. Bingo! FileVault for what you want, and none when you don’t need it.
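To check the result of the steps above, here is a small script (an added example, not part of the original workflow) that reports which accounts have an encrypted home and whether it is currently unlocked. It assumes the legacy FileVault layout, where a logged-out user's home holds only `<user>.sparsebundle` or `<user>.sparseimage` and a logged-in user's image sits in a hidden `/Users/.<user>` folder; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit FileVault state for the accounts created in step 1.
# Assumed layout (not stated on the page):
#   <root>/<user>/<user>.sparsebundle|.sparseimage    logged out -> locked
#   <root>/.<user>/<user>.sparsebundle|.sparseimage   logged in  -> unlocked

# Print "locked", "unlocked" or "none" for one account.
filevault_state() {
    fv_root=$1; fv_user=$2
    for fv_ext in sparsebundle sparseimage; do
        # Image moved to the hidden folder: the home is mounted and readable.
        if [ -e "$fv_root/.$fv_user/$fv_user.$fv_ext" ]; then
            echo unlocked; return 0
        fi
        # Image still inside the home folder: the user is logged out.
        if [ -e "$fv_root/$fv_user/$fv_user.$fv_ext" ]; then
            echo locked; return 0
        fi
    done
    # No image at all: FileVault was never turned on for this account.
    echo none
}

# Print one "<user> <state>" line per account name given.
audit_accounts() {
    au_root=$1; shift
    for au_user in "$@"; do
        echo "$au_user $(filevault_state "$au_root" "$au_user")"
    done
}

# Usage: sh fvcheck.sh Work Private   (the account names from step 1)
if [ "$#" -gt 0 ]; then
    audit_accounts /Users "$@"
fi
```

An account that shows `unlocked` after you have switched back to the primary user is still logged in, so its files are protected only by the screen lock until you log that user out.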
If you want any additional security, you might want to set a Firmware Password, which will prevent someone from jacking into your Mac via FireWire Target Disk Mode. However, FileVault works well at deflecting this risk, since the only way to get at encrypted files would be to pull the plug on the Mac (while a FileVault user is logged in), then mount the Mac via TDM, and tap the unencrypted portion of the FileVault. Not likely… and can cause problems in the event of a drive failure.
On one final note: Back up! I suggest using Mozy (free for the first 2 GB) for your FileVaulted users, since that transports the encrypted data to another encrypted store (online)… preventing people from breaking into your backup to get the data.