
You might feel safe when you have set a password on your Mac OS X account, but the truth is it’s more of a formality; a deterrent for people with temporary access to your computer. It will suffice when you leave your computer on at home, or grab a drink in the library, but someone with the prerequisite knowledge and a bit of time could still access your data.

In truth, a password only keeps someone from logging into and accessing the operating system, but your hard disk is not similarly encrypted. With an Ubuntu boot disk, or by putting your hard drive in an external enclosure, people will still be able to access all the files on your computer.

Only by encrypting the files on your hard drive can you truly keep them safe. That’s where Mac OS X’s FileVault comes in.

Mac OS X FileVault 1 and 2

FileVault is the technology Apple offers to encrypt the files on your hard drive. Once those files are encrypted with a sufficiently strong algorithm, it’s computationally infeasible to access them by any conventional means. The first iteration of FileVault shipped with Mac OS X Panther (10.3). Back then, FileVault only encrypted each user’s home folder in a single large file (a sparse disk image) using cipher-block chaining (CBC) mode encryption. Since Mac OS X Lion (10.7), FileVault 1, now called Legacy FileVault by Apple, has been superseded by FileVault 2.

FileVault 2, in contrast, encrypts the entire startup disk in a multitude of smaller files (sparse bundle disk images). It also replaces the now insecure CBC encryption with XTS-AES 128 mode, using a notably safer encryption algorithm. In summary, it has a broader scope and is more secure. This whole-disk encryption has some additional security implications though, which you’ll read more about below.

[Image: legacy-filevault]


Users of Legacy FileVault will be notified of the difference if they ever visit the FileVault preferences pane in Mac OS X Lion or later. It’s possible to switch to FileVault 2 by first disabling Legacy FileVault. Users of Mac OS X Lion or later who start using FileVault will, by default, use FileVault 2.

Performance Penalties

Because FileVault is constantly decrypting your hard drive data, using it leads to some performance penalties. Jason Discount from The Practice of Code put FileVault 2 to the test when Mac OS X Lion first launched. We’ve included some details below, but you can check out the full post for more in-depth analysis.

[Image: filevault-2-speed-test-benchmarks]

These tests were run on a 2011 MacBook Air (from around the time Lion launched). Solid state disk (SSD) I/O performance takes a hit of around 18% on average. This isn’t negligible, but with an SSD data transfer will still be blazing fast, particularly compared to older hard drives. If you’re using a regular hard drive the performance penalty will be more noticeable, and you should consider whether the security benefit is really worth it.

Whole Disk Encryption and Single Unlock

As mentioned above, FileVault now encrypts the entire start-up disk instead of individual users’ home directories. After start-up, the entire drive is unlocked by logging in with an authorised user account. This has both positive and negative consequences.

On the upside, there’s no risk of application incompatibility. The whole drive is unlocked after logging in, so for the applications running on your computer it’s as if the drive isn’t encrypted at all. However, the drive remains unlocked until shutdown. In other words, if a third party were to gain access to your computer after the drive had been unlocked, they could theoretically still access your data, even if you’ve since logged out.

[Image: mac-screensaver-lock]

In addition to using FileVault, it’s advised to password-protect your computer after inactivity. You can have Mac OS X ask for your password immediately after sleep or after your screensaver begins, in System Preferences > Security & Privacy > General. Put together with hot corners, found in System Preferences > Desktop & Screen Saver > Screen Saver > Hot Corners, you can trigger your password-protected screen saver if you briefly need to step away from your computer.

Note that although this additional security measure keeps a lot of intruders at bay, it does not re-lock your hard drive. Only completely powering down your computer does that.
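The sleep and screen saver lock described above only helps if the password prompt is enabled and has no grace period. This added example (not from the article) classifies the two relevant keys from the com.apple.screensaver defaults domain, askForPassword and askForPasswordDelay, into a lock policy. The dictionary text it parses is in the layout `defaults read com.apple.screensaver` prints; the two sample dictionaries are constructed, and the "weak" one deliberately carries a five-minute delay so the difference is visible.

```shell
#!/bin/sh
# Check whether the sleep / screen saver password lock is actually in force.
# Added example, not the article's own code. Parsing is plain POSIX shell so
# the logic can be exercised anywhere; on a Mac the live settings come from
#   defaults read com.apple.screensaver

# Classify an (askForPassword, askForPasswordDelay) pair into a lock policy:
#   none       - no password prompt at all
#   immediate  - prompt as soon as the screen saver or sleep begins
#   after-Ns   - a grace window of N seconds during which no password is needed
lock_policy() {
    ask="$1"
    delay="$2"
    if [ "$ask" != "1" ]; then
        echo none
    elif [ "${delay:-0}" -eq 0 ]; then
        echo immediate
    else
        echo "after-${delay}s"
    fi
}

# Pull one integer key out of `defaults read <domain>` dictionary output.
# $1: the dictionary text, $2: key name. Prints the value, or nothing if absent.
read_key() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \([0-9]*\);.*/\1/p"
}

# Derive the policy straight from a captured `defaults read` dump.
policy_from_defaults() {
    lock_policy "$(read_key "$1" askForPassword)" "$(read_key "$1" askForPasswordDelay)"
}

# Constructed samples in the layout `defaults read com.apple.screensaver` uses.
WEAK='{
    askForPassword = 1;
    askForPasswordDelay = 300;
}'
HARDENED='{
    askForPassword = 1;
    askForPasswordDelay = 0;
}'

# On a Mac, inspect the live setting; elsewhere, show the weak sample's verdict.
if [ "$(uname)" = Darwin ] && command -v defaults >/dev/null 2>&1; then
    policy_from_defaults "$(defaults read com.apple.screensaver 2>/dev/null)"
else
    policy_from_defaults "$WEAK"   # prints: after-300s
fi
```

Anything other than `immediate` means there is a window in which a walked-up-to Mac is usable without a password. Even with `immediate`, the FileVault volume key stays in memory until shutdown, as the article notes; later OS X releases add a pmset option, destroyfvkeyonstandby, that discards the key on standby, which the article does not cover.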

Boot Camp and Special Disk Configurations

FileVault 2 relies on a standard Mac OS X disk configuration: a Mac OS X boot volume with a Recovery partition. Recent Mac OS X installations should come with this Recovery partition, but you can check by trying to boot into recovery. Restart your Mac and hold cmd+R to boot Recovery straight away, or hold alt to list the available boot options. If, for any reason, the Recovery partition is no longer available on your Mac, you should not try to use FileVault. Doing so will fail and likely lead to data loss.
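Rebooting is one way to confirm the Recovery partition; a scriptable pre-flight check is another. This added example (not from the article) looks for the Lion-era `Apple_Boot Recovery HD` entry in `diskutil list` output and reads the current state from `fdesetup status` (an Apple command-line tool that reports `FileVault is On.` or `FileVault is Off.`). Both parsers take the command output as text, so the two sample `diskutil list` listings embedded below are constructed and the script runs without a Mac; on a Mac it feeds in the live output instead.

```shell
#!/bin/sh
# Pre-flight check before enabling FileVault 2: is there a Recovery partition,
# and is FileVault already on? Added example, not the article's own code.

# Return 0 if `diskutil list` output ($1) contains an Apple_Boot "Recovery HD"
# partition, which is what FileVault 2 expects on a standard Lion-era disk.
has_recovery_partition() {
    printf '%s\n' "$1" | grep -q 'Apple_Boot[[:space:]]*Recovery HD'
}

# Map `fdesetup status` output ($1) to on / off / unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Single verdict from both checks: ready, already-on, or no-recovery.
preflight() {
    if ! has_recovery_partition "$1"; then
        echo no-recovery       # do not enable FileVault; see the article above
    elif [ "$(filevault_state "$2")" = on ]; then
        echo already-on
    else
        echo ready
    fi
}

# Constructed sample listings in the layout `diskutil list` prints.
SAMPLE_WITH_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

SAMPLE_NO_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            121.0 GB   disk0s2'

# On a Mac, run against live output; elsewhere, demonstrate with the samples.
if command -v diskutil >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    preflight "$(diskutil list)" "$(fdesetup status)"
else
    preflight "$SAMPLE_WITH_RECOVERY" "FileVault is Off."   # prints: ready
fi
```

A `no-recovery` result is the case the article warns about: stop and restore a standard disk layout rather than turning FileVault on. The check deliberately matches only the partition type and name, so a RAID or Boot Camp layout that still carries a Recovery HD reports `ready` even though, as the next paragraph notes, compatibility is not guaranteed there.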

[Image: mac-recovery]

Other non-standard disk set-ups, like more advanced RAID configurations, face the same problems. Even if you use Boot Camp, compatibility is not guaranteed. Some people have reported success when they configured Boot Camp and installed all drivers before enabling FileVault, but be aware that compatibility is not assured.

How To Enable FileVault

Before you get started, make a back-up of the files on your Mac. Full disk encryption is an extensive process and you never know when something can go wrong. In any case, it’s very important to have a back-up of your data available. Check out James Bruce’s recommendation for a triple back-up solution.

Open System Preferences, navigate to the Security & Privacy section and select the FileVault tab. Before you can change these settings, you’ll need to unlock the panel with your username and password. Click Turn On FileVault… to start the process. Note that enabling FileVault can take a while, because it needs to encrypt your entire disk. Depending on the size and type of your disk, this can range from half an hour to a few hours.

[Image: filevault-main]

If there are multiple user accounts on your computer, you can choose which users are allowed to unlock the disk after start-up. One of those authorised users has to unlock the disk after start-up before any of the other users can log in.

[Image: filevault-users]

Next, you’ll be given a long alphanumeric recovery key. Write this down (or put it in a secure password manager like LastPass) and hold on to it tight. If you ever forget your regular password, this will be the back-up key. Without this recovery key, losing your password is equivalent to losing all your data.

[Image: filevault-recovery-key]

You can optionally store your recovery key with Apple. If you lose your key, you can contact Apple support and retrieve your key using your security questions. You’ll still need to be able to exactly reproduce the answers to your security questions, or Apple support staff will also be unable to access your key. Retrieving this key is an additional feature, so fees may apply.

It’s debatable whether you should take Apple up on its offer. It’s ultimately safer to keep your key to yourself, but you might need this safety net in the future. In any case, you should be very careful selecting security questions, because they’re often the weakest link in a security net.

[Image: filevault-store-recovery-key]

After this, your Mac will prompt you to restart. Once it has restarted, Mac OS X will start encrypting all the data on your disk. You can keep using your Mac in the meantime, but be aware that disk performance might be reduced.

[Image: filevault-final]

All Done!

After restarting, you can go back to the FileVault preferences to check on the encryption process, along with an estimated completion time.

Have you used FileVault, or do you use another security solution? Let us know how you protect your set-up in the comments below!

  1. Azrn
    December 30, 2014 at 4:42 pm

    Hi, I try to unlock the changes. After I fill in the password it locks back. How do I unlock it and turn on FileVault? Do I need to create the FileVault 2?

  2. K. C.
    May 30, 2014 at 12:06 am

    This is all very nice, but I don't trust any of the native encryption methods. I'm sure they have a backdoor in place for NSA and other 3 letter agencies.
    Without access to the source code we'll never know. That's why closed source is untrustworthy wrt security.
    AFAIK the backdoor is a requirement for U.S. companies and Apple is a U.S. company.
    So much for encrypting your data with OS means.
