Your entire filesystem can become accessible to anyone able to mount it as an external drive on a second system. This can occur, for example, if your Mac is put into target disk mode and mounted, or more drastically, if your hard drive is removed and placed in another machine. One way to keep at least your home directory safe from intrusion, even in these cases, is to use FileVault, as discussed in Chapter 4.

FileVault also protects your Home directory from intrusion by other users with admin accounts on the same Mac as yours, who could otherwise use su or sudo to gain access to any file. As long as you’re not logged in, your home directory contents stay encrypted and inaccessible to anyone without your account password or the master password. While a FileVault protected account is logged in, however, its home directory resides unencrypted on the drive, subject to access by anyone with an admin account.

Enabling FileVault does incur some risk, however, because the entire Home directory (when not in use) exists as a single encrypted image file on the hard drive. If that single file becomes corrupted, that image and all the files within can be lost. For this reason, you might want to keep a separate account, used for only sensitive work, with FileVault enabled. Doing so results in a smaller image ...