Despite being an avid OS X user, there are deficiencies in this great OS of ours and many of the ones I focus on center — unsurprisingly — around security.

In the plethora of accurate claims of superiority in Apple’s “I’m a Mac” ads, one counter-example is the ability within Windows to encrypt individual folders. While Microsoft’s EFS is no panacea of security and usability, it does work and there has been no practical parallel yet within OS X. Until now.

A Twitter post early Thursday morning from the legendary Matt Gemmell quietly announced Espionage from Tao Effect software (Greg Slepak & John Ashenden). This $14.95 utility (for OS X 10.5+) uses some interesting tricks to bring folder-level encryption and/or privacy to your workstation. Read on to see what’s going on under the covers and to find out if Espionage is the right solution for you.

Encryption Choices on OS X

Without bringing in additional tools, such as TrueCrypt into the mix, Apple offers two ways to secure your information. The first is with FileVault (which has some security and usability issues of it’s own) where you can choose to encrypt your entire home folder — but only your home folder — to keep prying eyes away.

The second is to use Disk Utility to create an encrypted disk image and then mount that whenever you need to store or retrieve data. This is a cumbersome, but effective, process and is ultimately what FileVault is doing under the covers to work it’s magic.

If only there was a way to associate these secure disk images with folders and have the mounting be handled automatically…

A Peek Behind the Curtain

Normally, the inner- and inter-workings of an application are either too-intricate (e.g. Photoshop) or too mundane (e.g. TextEdit) to cover during an app-review. However, when it comes to security, very few details are insignificant and one of the prime uses of Espionage is to secure your data and control the access to it.

Espionage has two basic features, enabling general encrypted folders (using the same “trick” as FileVault) and providing a way to “lock” folders and require a password to access them.

It performs the latter through a kernel extension named “iSpy” that is installed upon first run of the application and can be seen by dropping into the Terminal and issuing the following command:

$ kextfind -case-insensitive -bundle-id -substring 'com.taoeffect.' -print
/System/Library/Extensions/iSpy.kext

“Protected” folders show the typical “restricted access” icon when locked:

And prompt you for an access password (which you create when “securing” the folder):

Because it operates at such a low-level, this “protection” exists even when using command-line utilities to access files in the folder. That is, even attempting an “ls” from the Terminal will bring up the access prompt (provided you have not already unlocked the folder). This “protection” only works on the system the folder was “protected” on and requires the kernel extension to be running. If you disable/unload the extension or just boot in target disk mode, you will be able to access the data. The Tao Effect developers make no claims of security with this method of protection and even go out of their way to warn you.

But, What About Encrypted Folders?!

Ah, yes. The main reason you will want to use Espionage is to take advantage of the encrypted folders. As I have indicated, they use the same slight-of-hand that FileVault uses and create a hidden, encrypted sparse disk image that then is mounted and linked with the folder you specify. For existing folders, it creates this disk image, copies the files and folders from your target selection into the new disk image and sets up the linkage behind the scenes after deleting your old files. I should warn you that it did not do a secure delete of the “expenses” directory and I was able to find it and the contents therein in the “Trash”. This could easily be recovered and is a pretty serious oversight in an attempt to make your digital life more secure.

As part of the magic, you will see that there is a new folder in your “Volumes” directory (this is where all mounted disks get placed by default) where Espionage keeps mount points for all these sparse images.

And, you can also see just where Espionage stores these sparse disk images via the Terminal or through Disk Utility.

Since it is just a disk image “hack”, Espionage also provides a way to specify the default size and filesystem type:

So, What’s The Verdict?

Espionage does have some very interesting capabilities and I was impressed that the installer (which puts the kernel extension into place) includes full details as to what it is doing.

The application also includes other niceties such as support for Growl notifications and the ability to always enable or block application access to a particular folder under the watch of iSpy — and, you will need to make use this feature if you plan on utilizing any type of automated backup solution that will include that folder in the source path list.

However, due to the deficiencies with the way it initially creates encrypted folders and also some quirks during the operation – especially when performing multiple operations on the test “expenses” folder — I, personally, will have to continue to use my existing methods of securing data. As you saw from the FileVault screen capture, I do not use FileVault, but I do use secure disk images locally, on USB sticks, fileshares and when I am backing up sensitive data to my offsite provider. I also use TrueCrypt when I need to ensure my disks are fully protected.

I strongly suggest, however, that you do watch for future updates to Espionage as the developers will no doubt work the kinks out of this initial release and provide a very solid solution to fill the gap left by Apple. Since I am not aware of any features of Snow Leopard that will obsolete the functionality of Espionage, it should continue to fill this gap through the next release of Apple’s desktop operating system.

While I’m not trying to only focus on security topics, they just seem to pop up more often than not, including today’s serendipitous discovery that TrueCrypt is available for OS X. Security isn’t just about maintaining system integrity (loosely defined as keeping malicious code from getting onto/running on your system). A critical component is ensuring that your valuable data is protected according to your risk appetite (loosely defined as confidentiality). Macs already have FileVault and secure disk images to handle basic encryption needs, so you may be asking why we need yet another utility for protecting information our systems (a fair question).

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to your all your secret data, something that is not possible with OS X secure disk images.

The other big “selling point” (difficult to use that term with a free & open source product) is the concept of plausible deniability. Until you go through the process of decrypting/mounting a volume, TrueCrypt file or disk volumes appear to consist of nothing more than random data (i.e. there is no “signature”). It is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. This is an important point since we’re going down a very slippery slope (at least in the United States) where folks are now being forced to give up their secrets with full legal backing. You can rename a TrueCrypt file to “Family Vacation.mov” and be able to claim that it’s just a corrupted transfer from your video camera with no way for the authorities to prove otherwise. Similarly, non-boot volumes (which is not an option for OS X yet) have no identifiable tags, making it look like an unformatted partition with random data.

Sadly, one of the coolest features – creating a hidden volume within an encrypted volume – is also not available on OS X yet. This option would allow you to give up your keys/passphrase to an outer-encrypted volume, but have another hidden, encrypted volume within it that uses a separate set of keys/passphrase. This lets you give up some of your secrets but not all of them.

My attempts at downloading and installing TrueCrypt were woefully unsuccessful with Safari under Leopard (the download file was corrupted). It worked fine in Firefox and is available for 10.4 and 10.5, Intel or PPC. I’ll be putting the software through some tests over the next few days, so drop a note in the comments or forums if you have any questions or want to share your experiences with the product.