Securing Lion user account directories from admin access

FileVault allowed me to create encrypted user directories, so that if I handed my computer over to the Apple store for repairs I could give them a clean admin account to do the necessary repairs without worrying as much that they may be browsing my personal files. (Unless they had truly malicious intent and backdoors, etc.)

This is less trivial to accomplish in Lion since it uses full disk encryption. I know I could make an encrypted sparsebundle or truecrypt container and use that, but that would make things like dropbox syncing for access from a windows machine much more difficult. If it had to be something like that, I would prefer that it auto-mount at login.

Is there an easy to use way to achieve the same functionality I had in snow leopard?

Solution 1:

Administrators don't have ready access to files in other users home directories. Browsing your files would require extraordinary (though admittedly not technically complex) measures and malicious intent.

I'm betting that most Apple store repair techs are a little too busy, and a little too fond of their jobs, to waste a lot of time unlocking and browsing through personal files. There's an old mail server admin adage about being able to read everyone's mail—and not caring. As a consultant I'm "inside" client computers all the time—seeing as little as I possibly can—and I have to tell you, most people's stuff is pretty boring.

I do protect truly confidential data, financial information, CC info, personal photos, inside secure containers such as encrypted disk images, Password Wallet, etc. (In my case this is all in addition to the Filevault 2 protected startup disk.) Having protected the good stuff, I don't lose a lot of sleep about bored repair techs, or interlopers who gain access to my computer, viewing the rest. Your own practice must suit your own position of comfort on the security<>usability continuum, but with a little thought you can get there using the tools the system provides.