Security, for starters Jan 02
The new year brings with it a new 37signals employee. Welcome aboard Jeffrey!
The first step with any new hire? Keeping things secure. Here’s where we begin…
1. Use encrypted mail for 37signals stuff. For Mail.app users: If you don’t already have a client certificate installed, you can use this guide.
2. We use Adium (for its encryption) for IM so we can throw around passwords and other sensitive data.
3. We use encrypted disk images for source code. I think everyone here uses Knox for that.
20 comments so far
Dustin Senos 02 Jan 08
Welcome Jeffrey! Looking forward to the security insight you share.
Peter Cooper 02 Jan 08
Do you mean the local SVN checkout / Git repository / whatever is in an encrypted image? I must admit I’d not considered that before. Do you have security at your central repository which, I’m guessing, possibly isn’t running on a Mac?
Raphael Campardou 02 Jan 08
You use Knox for encrypted disk images. Why not Disk Utility?
John Gruber 02 Jan 08
Raphael, Knox uses the same back-end as Disk Utility, but provides a much more convenient and elegant UI for managing images.
Brian Puccio 02 Jan 08
These are all good ideas that every computer user (and company) should be implementing. Glad to see security is being taken seriously at 37signals without the need for restrictive, draconian policies.
MI 02 Jan 08
Peter: Exactly right, we check out all of our source code into an encrypted disk image. We all use laptops, and we’re paranoid about them being stolen. Our central repository is on a machine that’s in a secure location, so that concern isn’t relevant there.
Raphael: What Gruber said. Knox just makes things easier to manage.
Alex Hutton 02 Jan 08
Encryption for data in transit is extremely overrated. I wouldn’t go through the hassle, frankly.
Encryption for data at rest (filevault) however, may have significant benefits, depending on the probable frequency and magnitude of loss you might face.
MI 02 Jan 08
Alex: We actually use both. We communicate with our source code repository (and all of our servers) using SSH or SSL as appropriate, and we use encrypted disk images for the local machines. Encryption in transit is pretty easy to accomplish, so there’s no good reason not to use it.
Ben Adida 02 Jan 08
Sounds great. Any chance you’ll implement password-hashing in your online web apps?
David Ham 02 Jan 08
I’ve never used mail certificates before—I’ve done encrypted mail using GPG but could never make much use of it because none of my correspondents would use it, because the setup is so arcane and geeky. How does this method compare to GPG and PGP as far as security is concerned? It sounds like it’s much easier to implement.
John Wulff 02 Jan 08
How do you secure your private SSH keys?
Peter Cooper 02 Jan 08
Interesting to hear about the use of secure images in that way. I use the secure sparseimages for storing files like I would a backup, but I’d never thought about leaving them mounted and using them for day to day things like source code. The mind boggles.. I imagine you could probably fiddle a way to store your live e-mail from Mail in there too.. without resorting to FileVault.
PabloC 03 Jan 08
Why don’t you use Google Apps? It has strong security features for enterprises (mainly based on the Postini acquisition).
MI 03 Jan 08
Peter: Yep, it’s really very easy to store mail in one. All you have to do is create a symbolic link for the ~/Library/Mail directory pointing to a directory in your mounted disk image.
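The setup described in item 3 of the post and in the comment above, as an added example rather than anything from 37signals: an encrypted sparse bundle created with hdiutil (the same back-end that Disk Utility and Knox use, per the comments), a guard that refuses to check source out anywhere but inside the mounted volume, and the ~/Library/Mail symbolic link with a check that the volume is actually mounted so mail never silently lands on the unencrypted disk. The image path, volume name and repository URL are assumptions.

```shell
#!/bin/sh
# Added example, not 37signals' own setup: keep a source checkout and
# ~/Library/Mail inside an encrypted disk image. The image is created with
# hdiutil, the back-end Disk Utility and Knox share. The image path, volume
# name and repository URL below are assumptions.
set -eu

IMAGE="${IMAGE:-${HOME:-$PWD}/Secure/Source.sparsebundle}"  # assumed path
VOLNAME="${VOLNAME:-Source}"
MOUNTPOINT="/Volumes/$VOLNAME"   # where hdiutil attach mounts it on macOS

# Create an AES-256 encrypted sparse bundle (grows on demand, 10 GB cap).
# hdiutil asks for the passphrase on the terminal. macOS only.
create_image() {
    mkdir -p "$(dirname "$IMAGE")"
    hdiutil create -type SPARSEBUNDLE -encryption AES-256 -fs HFS+ \
        -volname "$VOLNAME" -size 10g "$IMAGE"
}

attach_image() { hdiutil attach "$IMAGE"; }
detach_image() { hdiutil detach "$MOUNTPOINT"; }

# Succeeds when path $1 lies inside volume $2. Used to refuse checkouts
# that would land on the unencrypted disk by mistake.
inside_volume() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Move a directory (for example ~/Library/Mail) into the mounted volume and
# leave a symbolic link in its place. Refuses when the volume is not mounted
# (/Volumes/NAME only exists while the image is attached) or when the
# destination already exists; a no-op if the link is already in place.
relocate_into_volume() {
    src="$1"; vol="$2"
    target="$vol/$(basename "$src")"
    if [ ! -d "$vol" ]; then
        echo "$vol is not mounted; refusing to move $src" >&2
        return 1
    fi
    if [ -L "$src" ] && [ "$(readlink "$src")" = "$target" ]; then
        return 0
    fi
    if [ -e "$target" ]; then
        echo "$target already exists; refusing to overwrite" >&2
        return 1
    fi
    mv "$src" "$target"
    ln -s "$target" "$src"
}

# Clone only when the working copy will sit inside the encrypted volume.
checkout_into_volume() {
    repo="$1"; dest="$2"
    if ! inside_volume "$dest" "$MOUNTPOINT"; then
        echo "$dest is outside $MOUNTPOINT; refusing to check out" >&2
        return 1
    fi
    git clone "$repo" "$dest"
}

# Usage on a Mac: sh secure-image.sh setup, then sh secure-image.sh checkout
case "${1:-}" in
    setup)    create_image && attach_image
              relocate_into_volume "$HOME/Library/Mail" "$MOUNTPOINT" ;;
    checkout) checkout_into_volume "git@example.invalid:37signals/app.git" \
                  "$MOUNTPOINT/src/app" ;;   # repository URL is a placeholder
    detach)   detach_image ;;
esac
```

The mount check matters more than it looks: Mail.app will happily recreate ~/Library/Mail on the boot volume if the link target is missing, so a script that symlinks without first confirming the image is attached can quietly move the mailbox back outside the encryption.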
izidor 03 Jan 08
Why don’t you use FileVault and have everything encrypted by default?
Why bother with selective encryption using disk images and run the risk of failing to encrypt one piece of information which is stored someplace you didn’t think of, e.g. in the contacts database?
Tor Løvskogen 03 Jan 08
Security, for starters: http://jonathanleighton.com/blog/37signals-security ?
wildestcoolbee 03 Jan 08
Security? ?? ??? Ah! security then Mr. Jeffery welcome.
Todd Jordan 03 Jan 08
Great little recommendation short list. Welcome Jeffery and may your security be tight.
Takaaki Kato 05 Jan 08
Really interesting use of Knox/disk images indeed.
It would be great if you could explain more about how you use such tools. I share the same question as Alex. What about using FileVault instead of disk images for some of the locations on your MacBook Pro? Any comment on performance and reliability of FileVault, if you have any experience with it?
I am trying Knox now, and found it easy to use. However, I have many data locations I want to encrypt. Source code and Mail data (both of which are mentioned here) are not the only sensitive data. I use a MacBook as my main environment, and put non-sensitive data like iTunes music in "/Users/Shared" to make some room for FileVault to work. (FileVault requires a lot of space.)
Graeme Mathieson 05 Jan 08
Thanks for the recommendation of Knox. I’d looked at it in the past but dismissed it because I was using Filevault at the time. I’ve since dropped Filevault because it’s slow and inconvenient but hadn’t thought of using Knox again. My clients’ source code is now stored in Knox images as you suggest. I’m sure they’ll not know they care, but it makes me feel better.