This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

A set of feature requests

Haravikk
Haravikk Junior Member
Recently gave Knox a try, however, I'm not sure I'm convinced of the benefit for my using it.



However, there are a few features that would make Knox a lot more useful:



[list][*][b]Automatic Unmount[/b] - one of the things that it's not easy to do via a script is intelligently track the usage of a disk image, and unmount it. This provides an opportunity for Knox, as it should be possible for it to look out for mounted images, and if they are configured (perhaps a hidden file inside the image) to unmount, then it will also look out for file-system activity related to the image, and eject it it if it has remained idle for X amount of minutes. This is the main challenge when using secure disk images, namely the users forgetting to unmount them, and completely defeating the purpose by leaving an unencrypted volume available to anyone with access to the computer! Being able to unmount the volumes as the machine goes to sleep would also be a good one, particularly for laptop users, but X minutes is important too if you've finished with whatever you were using the image, but forgot to unmount it again.

[*][b]Creation of Vault Folders[/b] - basically a special alias (or whatever is the easiest way to implement it) that points to a location within a Vault, and automatically attempts to mount it in order to jump to that location. This is another common issue with the images in that OS X's aliases simply return an error if they point to a location on an unmounted volume, but depending what the image contains it might be nice to have simple folder links inside. Not sure of the best to implement this, as ideally once the vault is mounted these aliases should behave like symbolic links so that things like file dialogues will work correctly.

[*][b]1Password Integration[/b] - I was surprised that this one didn't already exist, but it would be useful if 1Password could used for password generation; Knox doesn't appear to have password generation capabilities, meanwhile the Disk Utility password generation dialogue only fills in one of the password fields. Given 1Password's capabilities this is an area where Knox should really excel by providing auto-fill from 1Password, and using it to generate passwords, if available of course.

[*][b]Keychain management[/b] - I confess I don't know what access applications have in this regard, but in general it's a bad idea to store the password for a disk image in your login keychain, and if someone gets access to your computer while you're logged in, then they have full access to the disk image, whether it's mounted or not. Ideally Knox should encourage, or allow the user to manage, a separate keychain for vaults, in a similar way that 1Password does. Basically it would create a Knox keychain, containing maximum length, high entropy passwords for disk-images, with a single, secure as possible password, and automatic locking after X minutes. This is essentially what I've done; my disk image has a long, 1Password generated password, stored in an auto-locking keychain with an easier to remember password, such that when I mount the disk image I just type in this easy to remember (but strong) password to get access, but I could use this keychain to manage multiple images, each with their own password.

[/list]



Sorry if it seems critical, as Knox is a good tool for creating images, and enabling Spotlight; two things that are painfully annoying to do normally due to Disk Utility's useless password selection dialogue (only generates one field, with no copy-paste, wtf?!) and Spotlight's unfriendly requirement to use terminal to enable indexing.



However, with Lion's FileVault 2 coming soon with easy, full-drive encryption, then Knox is going to need to focus on delivering the best possible secure packaging features that it can, since FileVault 2's main weakness that once the disk is decrypted, it's open to the world. Meanwhile, Knox can still be used to secure the most important parts on the off-chance an attacker gets at your system while the drive(s) are decrypted, in which case smart management of the images (how and when they are mounted or unmounted) could be a killer feature.

Comments

  • khad
    khad Social Choreographer
    edited July 2011
    Thanks for the feedback, Haravikk!



    We have some great things in store for Knox, but I can't announce them just yet. In the meantime, let me try to address each of your points.



    [list]



    [*][b]Automatic Unmount[/b]



    This is not implemented due to the extremely high risk of data loss and corruption. Unmounting the vault at the wrong time could be disastrous and knowing the right time is not a simple matter of looking at a single file or file activity within the mounted vault. An application may not be actively writing to the vault but may be [i]about to[/i]. I don't think this is something we are looking to implement unless some really magic APIs materialize in OS X 10.8.



    [*][b]Creation of Vault Folders[/b]



    This is something that has come up a few times and we are looking into improving in this regard.



    [*][b]1Password Integration[/b]



    This is something that has been requested before, and if it were really simple we certainly would have added it already. Essentially, we would need to build in a system-wide form filler that had some intelligence and didn't just fill your password(s) in places it shouldn't even if you asked it to (or some malicious software made it look like you asked it to). This is more of a feature request for 1Password, but it is one we are very keen on.



    [*][b]Keychain management[/b]



    I think the aforementioned request for integration between Knox and 1Password would obviate the need for this. What do you think? At the moment, we provide the option to store passwords for Knox vaults in the OS X keychain, but it is optional. A quick copy and paste from 1Password (or the above integration at some point in the future) means you don't need to use the OS X keychain if you would prefer to not do so.

    [/list]

    [quote]Sorry if it seems critical, as Knox is a good tool for creating images, and enabling Spotlight; two things that are painfully annoying to do normally due to Disk Utility's useless password selection dialogue (only generates one field, with no copy-paste, wtf?!) and Spotlight's unfriendly requirement to use terminal to enable indexing.[/quote]

    That you took the time to post this tells me that you are indeed passionate about Knox like we are. This kind of feedback is great!



    [quote]However, with Lion's FileVault 2 coming soon with easy, full-drive encryption, then Knox is going to need to focus on delivering the best possible secure packaging features that it can, since FileVault 2's main weakness that once the disk is decrypted, it's open to the world. Meanwhile, Knox can still be used to secure the most important parts on the off-chance an attacker gets at your system while the drive(s) are decrypted, in which case smart management of the images (how and when they are mounted or unmounted) could be a killer feature.[/quote]

    All I can say right now is that there are some fun things in the works. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />



    Please keep an eye on our blog, Twitter, and Facebook accounts for updates.



    Please let me know if there is anything else I can help with.



    Thanks!
  • Haravikk
    Haravikk Junior Member
    [quote name='khad' timestamp='1310870354' post='32189']This is not implemented due to the extremely high risk of data loss and corruption. Unmounting the vault at the wrong time could be disastrous and knowing the right time is not a simple matter of looking at a single file or file activity within the mounted vault. An application may not be actively writing to the vault but may be [i]about to[/i]. I don't think this is something we are looking to implement unless some really magic APIs materialize in OS X 10.8.[/quote]

    Well, vaults/images will already refuse to unmount if an application has an active file-handle pointed into the image. You're right of course that there are still plenty of cases where it could fall down.

    What I'm currently doing is experimenting with a script that (should) run automatically once a particular image is mounted, and periodically test to see if it is a good time to unmount the image; it does this simply by trying to unmount the image normally, and if it fails it just waits to try again. It is also able to take a list of applications, and if any of these are open then it won't try to unmount the image until they are closed. This way I can specify that I want the image to stay mounted if Safari is open, in which case the script will just wait until Safari is closed before trying to unmount the image.



    Perhaps something like that could be suitable? This way all I'd do is tell my vault to unmount after X minutes, and then tie it to the applications that I want to use it for.



    [quote name='khad' timestamp='1310870354' post='32189']This is something that has been requested before, and if it were really simple we certainly would have added it already. Essentially, we would need to build in a system-wide form filler that had some intelligence and didn't just fill your password(s) in places it shouldn't even if you asked it to (or some malicious software made it look like you asked it to). This is more of a feature request for 1Password, but it is one we are very keen on.[/quote]

    What about simply adding an API to 1Password that other applications can use to request password information? This way Knox can just ask 1Password if it has a password for the vault in question, and 1Password can then ask the user to authenticate/allow the request. Basically mimicking how Keychain works when it comes to allowing applications access to certain passwords, but with a custom 1Password API? While I'd love a system-wide form-filler, simply having other Agile applications and later third-party applications working with 1Password would be fine too, and probably a lot easier <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />



    [quote name='khad' timestamp='1310870354' post='32189']I think the aforementioned request for integration between Knox and 1Password would obviate the need for this. What do you think? At the moment, we provide the option to store passwords for Knox vaults in the OS X keychain, but it is optional. A quick copy and paste from 1Password (or the above integration at some point in the future) means you don't need to use the OS X keychain if you would prefer to not do so.[/quote]

    That's true actually, I'm only using Keychain at the moment because it's quicker for disk-images than 1Password is at present, if that were no longer the case then I would use 1Password exclusively.



    [quote name='khad' timestamp='1310870354' post='32189']All I can say right now is that there are some fun things in the works. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />[/quote]

    Looking forward to it!
  • khad
    khad Social Choreographer
    Thanks for following up on this. I will pass your ideas along to the developers. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



    Cheers,