How to secure files from other users on external disks

If you use an external disk drive with OS X, you may notice that when it is mounted, it becomes available for all users on the system. Therefore, if you have files you have saved to a USB drive and you attach it to your system and you switch user accounts, those files will be viewable within the second account.

In addition, if you have network file sharing enabled, the files on this drive will be accessible to any user who logs in via the network.

This behavior may seem a bit concerning, especially for those who have set up encryption on secondary drives in hopes of preventing others from viewing their files, but this is normal behavior in OS X, and essentially means two things:

1. Encryption by itself is only meant to secure a drive's contents from access if the drive has been locked (ie, removed from the system, or the system shut down). It is not meant to protect one users' files from another user on the same system. While unlocking the drive is limited to those who have the password, once unlocked then all users will have access just like any other USB or Firewire drive.
   
   On a related note, there has been past concern about encrypted drives being easily remounted if you tell it to eject but do not detach them from the system; however, this is ultimately not a security threat. Simply do not use encryption to protect data from another account on the system, as this purpose is not its intent. Instead, only use it to prevent a thief or other third-party who you have not given access to your computer, from accessing your files.
2. External hard drives are open to all users by default. Even though all hard drives are capable of containing permissions restrictions like any other folder on the system, for external drives OS X turns this feature off. This is primarily because permissions settings are specific to one operating system installation, so those set by one system may either not be observed by another, or be interpreted to mean something entirely different and result in improper access to the files.

If set up independently, encryption will not protect your files from other local users, and permissions may be overcome by using the drive with another system. Therefore, the way to fully secure the files on your external drive is to enable both of these features.

To do this, first enable encryption on the drive by right-clicking it in the Finder and choosing the Encrypt Drive option. Supply the password to use when prompted, and then wait for the drive to remount as an encrypted volume.

Next, enable permissions observation on the drive by selecting it and pressing Command-I to get information on the drive. In the information window that appears, expand the Sharing section and click the lock to authenticate. Then uncheck the option to "Ignore Ownership on this volume."

With this setting in place, the system will now observe permissions restrictions on the drive, which you can set to permit or deny access to specific users (note that this will only work to manage access for nonadministrator accounts -- admin accounts will always be able to grant themselves access to files and folders).

By default, the drive will be owned by the account that formatted it, so you should see your username listed as the first item in the Sharing & Permissions list. Next the drive should have a group association of "staff" (underneath your username) which is the default group for all local accounts on the system. This allows you to set global permissions for accounts other than yours.

Finally, there should be an "everyone" group that encompasses all other users on the system, such as a guest user account that is not a member of the "staff" group.

At this point, you have two possible approaches for the drive. The first is to set its permissions so only you have access to it, and the second is to set it up with a subdirectory or two that is only restricted to your account, so other accounts can do the same and have their sequestered and private folders.

Single-user access
To set the drive so only you have access, in the Sharing & Permissions section of the information window, choose "no access" for the "staff" group (or simply select and remove this group altogether). Then set the "everyone" group to likewise have "no access."

When finished, click the small gear menu and select the option to apply these settings to all enclosed items (this step is not needed on an empty drive).

At this point the entire drive will be a private, detachable folder for your account. Even though it will show up as a device in other accounts on the system, if they try to access it then they will be given a "permission denied" error.

Multiuser access
To set the drive up so other users have access, leave the drive's permissions as their default so the "staff" group is intact and has full read and write permissions. Then open the drive in the Finder and create a folder on it to store your files. Now get information on this folder and set it so only your account is in the Sharing & Permissions list, with "read & write" access, and with all others set to "no access."

From here, your account will be able to view the files in this folder, but other accounts will not.

As an additional security measure, you can set up a similar folder for each account on the system, and when finished get information on the drive itself and set the "staff" group to "read only" permissions (do not use the gear menu's option to apply permissions to enclosed items). With this setup, when another user opens the drive, they will only be able to drag items to their specific folder, and neither to another user's folder nor to the top level of the drive.

Regardless of the approach you use, at this point you will have a drive that has secured resources from other users, and one that is also encrypted and thereby protected from someone attempting to override the permissions settings by attaching it to another computer.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.