MacOS – Secure access to data while retaining convenience and performance

Tags: dmg, encryption, macos, security

I am looking for a convenient solution to the following problem:

I have some large data (tens of GB) that resides on the hard drive of a Mac. Access to the data needs to be restricted so even users with administrative privileges can't access it without a password. At the same time, those people who do have access should have convenient and fast access: ideally, after unlocking them, the restricted files should be visible and accessible in the same way as any other file on the system. It must be possible to run programs that process the data and accessing the files should not be much slower than usual file access. Only read access is needed, not write access.

What sorts of convenient solutions are possible on a Mac (OS X 10.9)?

Is it for example possible (or advisable) to put everything in an encrypted DMG disk image? It could be mounted after entering a password and used as a normal volume afterwards, but I'm not sure if other users who are logged in at the same time will be able to access it. I am not deeply familiar with Mac-specific technologies. I understand that usually there is a tradeoff between security and convenience.

Best Answer

An encrypted disk image is useful to prevent anyone getting access to it unless you authorize it (by entering the password). Once you've authorized access to it, it's just another volume (disk) that's visible to the Mac and its users, just like any other file on your boot volume.

If you talk about other users, I assume you mean giving them access through network file sharing?

Now, you might have noticed that if someone connects to your Mac using file sharing, he has to enter your Mac's user name and password, right? Unless you allow Guest access, in which case anyone can connect as Guest. But Guests can only access certain shared (public) folders.

Now, you might also have noticed that you can create new users on your Mac, using the System Preferences, Users & Groups. If you create a new local user, he gets his own private folder area under /Users/. And now, if someone logs into your Mac, he can use either that new user name or yours. Either will only give him access to that specific user's folders.

With that knowledge, you can now create a special user that only certain people may have access to. Tell them that user's name and password. Copy the to-be-protected files into that user's Documents folder. You can then also use Finder's "Get Info" on those files/folders to choose who has access to them, i.e. that the owner (that specific new user) can read, but not write. That way, no one can mess with the files, they're read-only. Make sure you apply these ownerships to all enclosed folders, using the gear icon in the Get Info window. Then test this and make sure that a remotely logged-in user can indeed only read but not modify those files.

Hope that helps.
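
The "test this" step at the end of the answer can be scripted. The following is an added example, not part of the original answer: a POSIX shell function that walks the protected folder and reports anything not owned by the dedicated account, anything group or other users can reach, and anything the owner can still write. The function name `audit_readonly`, the sample path and the account name are assumptions, as is the policy that group and others get no access at all.

```shell
#!/bin/sh
# Added example: audit the folder that holds the protected files.
# Usage: sh audit.sh /Users/restricted/Documents restricted
# (the path and account name above are constructed placeholders)

# audit_readonly DIR OWNER
# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
audit_readonly() {
    dir=$1
    owner=$2
    findings=$(
        # 1. Files or folders not owned by the dedicated account.
        find "$dir" \( -type f -o -type d \) ! -user "$owner" \
            -exec printf 'wrong-owner %s\n' {} \;
        # 2. Any permission bit granted to group or others.
        #    "-perm -MODE" is the portable form (works with BSD and GNU find).
        find "$dir" \( -type f -o -type d \) \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'group-or-other-access %s\n' {} \;
        # 3. Owner can still modify the item (the data should be read-only).
        find "$dir" \( -type f -o -type d \) -perm -200 \
            -exec printf 'owner-writable %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit_readonly "$1" "$2"
fi
```

Permission bits do not restrain an account that can use `sudo`, so this check validates the separate-user setup only against ordinary accounts.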