File encryption and Filevault on a Mac

tonyt

Jun 29, 2018 @ 10:55 AM

Hi
I am currently encrypting my file with a password that has to be entered each time I want to open the file on either of my two Macs. I am considering using Filevault encryption as an added layer of security.
Does this pose any problems or am I good to go ahead and switch it on? In fact, also, if I do this, is there any need to encrypt the Moneydance file?
Cheers....
Using Mac 10.13.5 and latest Moneydance 2017, sync via Dropbox folder, data store in own chosen location on primary machine.

  1. 1 Posted by -Kevin N. on Jun 29, 2018 @ 12:05 PM

    Hi tonyt,

    The use of the Moneydance master password with regards to encryption is something of a misnomer.

    The Moneydance master password provides a layer of protection for your user-names and passwords to your financial institutions.

    Moneydance 2017 data files are already fully encrypted by default. Per the Moneydance Blog, full encryption was introduced with MD 2015.
    https://infinitekind.com/blog/moneydance-2015

    I can't speak to FileVault or adding an additional layer of encryption or what the consequences may be.

    -Kevin N. (not a member of MD support)

  2. 2 Posted by tonyt on Jun 29, 2018 @ 04:50 PM

    Thanks Kevin
    I will wait for a reply re FileVault, but new info to me re password..thanks!

  3. 3 Posted by tonyt on Jun 29, 2018 @ 05:58 PM

    Also, why is this not made clear as the moneydance website says data security is vital, we should be told what encryption password covers clearly, surely?
    Thanks again.....

  4. 4 Posted by -Kevin N. on Jun 29, 2018 @ 06:48 PM

    Hi tonyt,

    I agree that the current password functionality should be made clearer.

    Prior to MD 2015, encryption required the selection of an 'Encrypt your data' checkbox along with the creation of a master password.

    I would add that the present KB article titled 'Passwords' is in error.
    http://help.infinitekind.com/kb/customizing-and-preferences/passwords

    The proverbial ball is in MD support's court. :)

    -Kevin N. (not a member of MD support)

  5. 5 Posted by dwg on Jun 29, 2018 @ 09:32 PM

    I'm a fellow user,

    As Kevin has indicated your data at rest is always encrypted with Moneydance 2017. As well as a user defined password being required when you are storing online usernames and passwords that password is used to encrypt the data files. Without a user defined password the Moneydance software uses a standard key to decrypt/encrypt the data so that casual browsing of the disk contents would yield nothing that anyone could use but opening the data set with Moneydance allows full access to the data for anyone without a password.

    Data in flight i.e. syncing data has a separately defined password which is only used for that data and must match between all machines.

    Whole of disk encryption software solutions are designed to be invisible to applications and indeed the Operating System, I'm not aware of any that have caused operational issues (if they did that would be the end of that product IMO)

    I doubt that TiK would have tested encryption software, their usage is way above the level of the Moneydance software. Moneydance will of course still encrypt its data and you still will require a master password to be set if you want to use online banking.

    Encrypting encrypted data may use a bit more space

  6. 6 Posted by -Kevin N. on Jun 29, 2018 @ 10:53 PM

    Hi Des,

    "As well as a user defined password being required when you are storing online usernames and passwords that password is used to encrypt the data files."

    I don't think the master password in MD 2017 plays a part in encrypting the data file anymore.

    -Kevin N.

  7. 7 Posted by dwg on Jun 29, 2018 @ 11:17 PM

    Hi Kevin,

    I hope it is still used in the encryption process and not just in protecting the online usernames/passwords. If that was all it was doing then it would theoretically be possible for the Moneydance developers to skip over the passwords and access the actual data. In effect there could be a back door to the data, that would not be good IMO.

    Des

  8. 8 Posted by -Kevin N. on Jun 30, 2018 @ 12:17 AM

    Hi Des,

    It is my understanding that the MD 2017 data file is encrypted whether a master password is used or not.

    -Kevin N.

  9. 9 Posted by dwg on Jun 30, 2018 @ 04:35 AM

    Hi Kevin,

    Yes it is encrypted in either case but if the user has not set a password the 'key' to generate encrypted data must be known to the Moneydance software in general as you can move your data to any other machine, install Moneydance and it can read the data, so this key is not system or installation specific, but you cannot read the data without Moneydance.

    The way I am thinking it should work is that the data is encrypted, the only difference is if the software uses its built in password or a user supplied password, and the user supplied password is mandatory if the user checks on the store online passwords box. To have the user supplied password only to protect the username/passwords in the file to me is not as secure as it should be

  10. 10 Posted by -Kevin N. on Jun 30, 2018 @ 04:54 PM

    Hi Des,

    The difference between older versions of Moneydance and the current version, is that the data file was un-encrypted in older versions and the master password form provided the option to encrypt the file when a password was entered.

    The current version makes no mention of encrypting the file in the master password form.

    Per the master password form. "Once you set a master password, you will also have the option to save your online banking passwords in your file."

    This tells me that there are no changes made to the current encryption when a password is entered and that the main purpose of the master password, is to block access to the data file, and thus create a layer of protection to the online banking passwords.

    -Kevin N.

  11. 11 Posted by dwg on Jul 01, 2018 @ 08:51 PM

    Hi Kevin,

    From the screens I could draw the exact opposite conclusion :)

    The new screen says "If you forget your pass phrase, there is no way to decrypt your data" This I would take to mean the password is used as the key for the whole encryption process.

    There is no way for us to determine how it works; it needs a response from TiK.

  12. 12 Posted by -Kevin N. on Jul 01, 2018 @ 11:29 PM

    Hi Des,

    I see your point. :)

    -Kevin

  13. 13 Posted by derekkent23 on Jul 02, 2018 @ 07:31 AM

    As a test I copied a data set that did not have a password to another computer. I renamed the config.dict file so Moneydance was unregistered, thinking perhaps the key played a part in the encryption. The data set opened on the other computer. So it looks like the data set may be encrypted but anyone with Moneydance can open the data set.

    It looks like, to be of real value, a password must be used.

    Derek

  14. 14 Posted by dwg on Jul 02, 2018 @ 08:44 AM

    G'day Derek,

    The result you got is what I would expect, it means that only Moneydance can be used to work with the data, so it prevents people using other tools to try and manipulate the information.

    Using your license key as a seed would not be a good move, it would mean it all breaks whenever you get a new key e.g. after a paid for upgrade, and given the data cannot be in an unencrypted state at all there is no upgrade path you can take.

  15. 15 Posted by derekkent23 on Jul 02, 2018 @ 09:27 AM

    Hi Des

    Good point about the key and paid upgrades.

    Derek

  16. System closed this discussion on Oct 01, 2018 @ 09:30 AM.
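
Added example, not part of the original discussion and not Moneydance's actual file format (which the thread leaves unconfirmed): a hypothetical model of the design described in posts 9 and 13, where a random data key is wrapped under either a secret built into the application or a user passphrase. The constant, header fields and function names are assumptions made for illustration, and the XOR step stands in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed constant: stands in for a secret shipped inside every copy of an app.
BUILTIN_PASSPHRASE = b"constructed-built-in-secret"

def _kek(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a key-encryption key from a passphrase with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def create_header(user_passphrase: Optional[bytes] = None) -> Tuple[dict, bytes]:
    """Make a random data key and wrap it under the user or built-in passphrase."""
    salt, data_key = os.urandom(16), os.urandom(32)
    kek = _kek(user_passphrase or BUILTIN_PASSPHRASE, salt)
    header = {
        "salt": salt,
        # XOR with a single-use KEK stands in for a real key-wrap algorithm.
        "wrapped_key": _xor(data_key, kek),
        # Key-check value so a wrong passphrase is detected, not silently accepted.
        "check": hmac.new(data_key, b"key-check" + salt, hashlib.sha256).digest(),
    }
    return header, data_key

def unlock(header: dict, user_passphrase: Optional[bytes] = None) -> Optional[bytes]:
    """Recover the data key, or return None if the passphrase does not fit."""
    kek = _kek(user_passphrase or BUILTIN_PASSPHRASE, header["salt"])
    candidate = _xor(header["wrapped_key"], kek)
    expected = hmac.new(candidate, b"key-check" + header["salt"], hashlib.sha256).digest()
    return candidate if hmac.compare_digest(expected, header["check"]) else None

if __name__ == "__main__":
    no_pw, _ = create_header()
    with_pw, _ = create_header(b"correct horse")
    print("no password, any install:", unlock(no_pw) is not None)
    print("password set, none given:", unlock(with_pw) is not None)
    print("password set, correct   :", unlock(with_pw, b"correct horse") is not None)
```

In this model a file created without a user passphrase unlocks on any installation that carries the same built-in constant, so its encryption only stops tools that lack that constant; confidentiality against someone holding the application depends on the user passphrase.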
