The new year brings with it a new 37signals employee. Welcome aboard Jeffrey!
The first step with any new hire? Keeping things secure. Here’s where we begin…
1. Use encrypted mail for 37signals stuff. For Mail.app users: If you don’t already have a client certificate installed, you can use this guide.
2. We use Adium (for it’s encryption) for IM so we can throw around passwords and other sensitive data.
3. We use encrypted disk images for source code. I think everyone here uses Knox for that.
Dustin Senos
on 02 Jan 08Welcome Jeffrey! Looking forward to the security insight you share.
Peter Cooper
on 02 Jan 08Do you mean the local SVN checkout / Git repository / whatever is in an encrypted image? I must admit I’d not considered that before. Do you have security at your central repository which, I’m guessing, possibly isn’t running on a Mac?
Raphael Campardou
on 02 Jan 08You use Knox for encrypted disk image. Why not Disk Utility ?
John Gruber
on 02 Jan 08Raphael, Knox uses the same back-end as Disk Utility, but provides a much more convenient and elegant UI for managing images.
Brian Puccio
on 02 Jan 08These are all good ideas that every computer user (and company) should be implementing. Glad to see security is being taken seriously at 37 signals without the need for restrictive, draconian policies.
MI
on 02 Jan 08Peter: Exactly right, we checkout all of our source code into an encrypted disk image. We all use laptops, and we’re paranoid about them being stolen. Our central repository is on a machine that’s in a secure location, so that concern isn’t relevant there.
Raphael: What Gruber said. Knox just makes things easier to manage.
Alex Hutton
on 02 Jan 08Encryption for data in transit is extremely overrated. I wouldn’t go through the hassle, frankly.
Encryption for data at rest (filevault) however, may have significant benefits, depending on the probable frequency and magnitude of loss you might face.
MI
on 02 Jan 08Alex: We actually use both. We communicate with our source code repository (and all of our servers) using SSH or SSL as appropriate, and we use encrypted disk images for the local machines. Encryption in transit is pretty easy to accomplish, so there’s no good reason not to use it.
Ben Adida
on 02 Jan 08Sounds great. Any chance you’ll implement password-hashing in your online web apps?
David Ham
on 02 Jan 08I’ve never used mail certificates before—I’ve done encrypted mail using GPG but could never make much use of it because none of my correspondents would use it, because the setup is so arcane and geeky. How does this method compare to GPG and PGP as far as security is concerned? It sounds like it’s much easier to implement.
John Wulff
on 02 Jan 08How do you secure your private SSH keys?
Peter Cooper
on 02 Jan 08Interesting to hear about the use of secure images in that way. I use the secure sparseimages for storing files like I would a backup, but I’d never thought about leaving them mounted and using them for day to day things like source code. The mind boggles.. I imagine you could probably fiddle a way to store your live e-mail from Mail in there too.. without resorting to FileVault.
PabloC
on 03 Jan 08Why don’t you use Google for Apps? It has strong features on security for enterprises (mainly based on Postini adquisition)
MI
on 03 Jan 08Peter: Yep, it’s really very easy to store mail in one. All you have to do is create a symbolic link for the ~/Library/Mail directory pointing to a directory in your mounted disk image.
izidor
on 03 Jan 08Why don’t you use FileVault and have everything encrypted by default?
Why bother with selective ecryption using disk images and running a risk of failing to encrypt one piece of information which is stored someplace you didn’t think of, e.g. in contacts database?
Tor Løvskogen
on 03 Jan 08Security, for starters: http://jonathanleighton.com/blog/37signals-security ?
wildestcoolbee
on 03 Jan 08Security?????? Ah! security then Mr. Jeffery welcome.
Todd Jordan
on 03 Jan 08Great little recommendation short list. Welcome Jeffery and may your security be tight.
Takaaki Kato
on 05 Jan 08Really interesting use of Knox/disk images indeed.
It would be great if you could explain more about how you use such tools. A question I share the same question with Alex. What about using FileVault instead of using disk images for some of the locations on your MacBook Pro? Any comment on performance and reliability on FileVault, if you have any experience with it?
I am trying Knox know, and found it easy-to-use. However, I have many data locations I want to encrypt. Source code and Mail data (both of which are mentioned here) are not the only sensitive data. I use MacBook as my main environment, and put non-sensitive data like iTunes music to ”/Users/Shared” to make some room for FileVault to work. (FileVault requires large space.)
Graeme Mathieson
on 05 Jan 08Thanks for the recommendation of Knox. I’d looked at it in the past but dismissed it because I was using Filevault at the time. I’ve since dropped Filevault because it’s slow and inconvenient but hadn’t thought of using Knox again. My clients’ source code is now stored in Knox images as you suggest. I’m sure they’ll not know they care, but it makes me feel better.
This discussion is closed.