You might feel safe when you have set a password on your Mac OS X account, but the truth is it’s more of a formality; a deterrent for people with temporary access to your computer. It will suffice when you leave your computer on at home, or grab a drink in the library, but someone with the prerequisite knowledge and a bit of time could still access your data.
In truth, a password only keeps someone from logging into and accessing the operating system, but your hard disk is not similarly encrypted. With an Ubuntu boot disk, or by putting your hard drive in an external enclosure, people will still be able to access all the files on your computer.
Only by encrypting the files on your hard drive can you truly keep them safe. That’s where the Mac OS X FileVault comes in.
Mac OS X FileVault 1 and 2
FileVault is the technology that Apple offers to encrypt the files on your hard drive. After encrypting those files with a sufficiently strong algorithm, it’s technologically unfeasible to access them using any conventional means. Mac OS X launched the first iteration of FileVault with Mac OS X Panther (10.3). Back then, FileVault only encrypted individual users’ home folders in a single large file (a sparse disk image) using cipher-block chaining (CBC) modes of encryption. Since Mac OS X Lion (10.7), FileVault 1 — now called Legacy FileVault by Apple — has been superseded by FileVault 2.
FileVault 2, in contrast, encrypts the entire startup disk in a multitude of smaller files (sparse bundle disk images). It also replaces the now insecure CBC encryption with XTS-AES 128 mode, using a notably safer encryption algorithm. In summary, it has a broader scope and is more secure. This whole-disk encryption has some additional security implications though, which you’ll read more about below.
Users of Legacy FileVault will be notified of the difference if they ever visit the FileVault preferences pane in Mac OS X Lion or later. It’s possible to switch to FileVault 2 by first disabling Legacy FileVault. Users of Mac OS X Lion or later who start using FileVault will, by default, use FileVault 2.
Because FileVault is constantly decrypting your hard drive data, using it leads to some performance penalties. Jason Discount from The Practice of Code put FileVault 2 to the test when Mac OS X Lion first launched. We’ve included some details below, but you can check out the full post for more in-depth analysis.
These tests were executed on a 2011 MacBook Air (from around the time Lion launched). The solid state disk (SSD) I/O performance on average takes a hit of around 18%. This isn’t negligible, but with an SSD, data transfer will still be blazing fast, particularly compared to older hard drives. If you’re using a regular hard drive, this performance penalty will be more noticeable and you should consider whether the security benefit is really worth the performance hit.
Whole Disk Encryption and Single Unlock
As mentioned above, FileVault now encrypts the entire start-up disk instead of individual users’ home directories. After start-up, the entire drive is unlocked by logging in with an authorised user account. This has both positive and negative consequences.
On the upside, there’s no risk of application incompatibility. The whole drive is unlocked after logging in, so for the applications running on your computer it’s as if the drive isn’t encrypted at all. However, the drive remains unlocked until shutdown. In other words, if a third party were to gain access to your computer after the drive had been unlocked, they could theoretically still access your data, even if you’ve since logged out.
In addition to using FileVault, it’s advised to password-protect your computer after inactivity. You can have Mac OS X ask for your password immediately after sleep or after your screensaver begins, in System Preferences > Security & Privacy > General. Put together with hot corners, found in System Preferences > Desktop & Screen Saver > Screen Saver > Hot Corners, you can trigger your password-protected screen saver if you briefly need to step away from your computer.
Note that although this additional security measure keeps a lot of intruders at bay, it does not re-lock your hard drive. Only completely powering down your computer will.
Boot Camp and Special Disk Configurations
FileVault 2 relies on, and expects, a standard Mac OS X disk configuration: a Mac OS X boot volume with a Recovery partition. Recent Mac OS X installations should come with this Recovery partition, but you can check by trying to boot into recovery. Restart your Mac and hold cmd+R to boot Recovery straight away, or hold alt to list available boot options. If, for any reason, the recovery partition is no longer available on your Mac, you should not try to use FileVault. Doing so will fail and likely lead to data loss.
Other non-standard disk set-ups, like more advanced RAID configurations, face the same problems. Even if you use Boot Camp, compatibility is not guaranteed. Some people have reported success if they configured Boot Camp and installed all drivers before enabling FileVault, but be aware that compatibility is not assured.
How To Enable FileVault
Before you get started, make a back-up of the files on your Mac. Full disk encryption is an extensive process and you never know when something can go wrong. In any case, it’s very important to have a back-up of your data available. Check out James Bruce’s recommendation for a triple back-up solution.
Open System Preferences, navigate to the Security & Privacy section and select the FileVault tab. Before you can change these settings, you’ll need to unlock the panel with your username and password. Click Turn On FileVault… to start the process. Note that enabling FileVault can take a while, because it needs to encrypt your entire disk. Depending on the size and type of your disk, this can range from half an hour to a few hours.
If there are multiple user accounts on your computer, you can choose which users can unlock the disk after start-up. An authorised user will first have to unlock the disk after start-up before any unauthorised users can log in.
Next, you’ll be given a long alphanumeric recovery key. Write this down (or put it in a secure password manager like LastPass) and hold on to it tight. If you ever forget your regular password, this will be the back-up key. Without this recovery key, losing your password is equivalent to losing all your data.
You can optionally store your recovery key with Apple. If you lose your key, you can contact Apple support and retrieve your key using your security questions. You’ll still need to be able to exactly reproduce the answers to your security questions, or Apple support staff will also be unable to access your key. Retrieving this key is an additional feature, so fees may apply.
It’s debatable whether you should take Apple up on its offer. It’s ultimately safer to keep your key to yourself, but you might need this safety net in the future. In any case, you should be very careful selecting security questions, because they’re often the weakest link in a security net.
After this, your Mac will prompt you to restart your computer. After restarting, Mac OS X will start encrypting all the data on your disk. You can keep using your Mac in the meantime, but be aware that disk performance might be impeded.
After restarting, you can go back to the FileVault preferences to check the progress of the encryption, along with an estimated completion time.
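The Recovery-partition check and the encryption-progress check described above can also be done from Terminal. This is an added example, not part of the original article: it assumes OS X 10.8 or later (where the `fdesetup` tool is available), the function names are made up for illustration, and the sample listings are constructed so the script also runs away from a Mac.

```shell
#!/bin/sh
# Added example: FileVault 2 pre-flight and progress checks from Terminal.
# Assumes OS X 10.8+ (fdesetup). Function names and samples are illustrative.

# Succeeds if a `diskutil list` listing on stdin shows a Recovery partition
# (listed as type Apple_Boot, name "Recovery HD").
has_recovery_partition() {
    grep -Eq 'Apple_Boot[[:space:]]+Recovery HD'
}

# Reduces `fdesetup status` output on stdin to one word; a progress line
# takes precedence over the plain On/Off line.
filevault_state() {
    awk '
        /FileVault is On/        { s = "on" }
        /FileVault is Off/       { s = "off" }
        /Encryption in progress/ { p = "encrypting" }
        /Decryption in progress/ { p = "decrypting" }
        END { print (p != "" ? p : (s != "" ? s : "unknown")) }'
}

# Go/no-go advice: $1 = diskutil listing, $2 = fdesetup status text.
# Fails only when FileVault is off and no Recovery partition is present.
preflight() {
    state=$(printf '%s\n' "$2" | filevault_state)
    if [ "$state" != "off" ]; then echo "filevault-$state"; return 0; fi
    if printf '%s\n' "$1" | has_recovery_partition; then
        echo "ready"
    else
        echo "no-recovery-partition"; return 1
    fi
}

# Constructed sample output, used when the macOS tools are not available.
SAMPLE_DISKUTIL='/dev/disk0
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'
SAMPLE_STATUS_OFF='FileVault is Off.'
SAMPLE_STATUS_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'

if command -v fdesetup >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    preflight "$(diskutil list)" "$(fdesetup status)"
else
    preflight "$SAMPLE_DISKUTIL" "$SAMPLE_STATUS_OFF"
fi
```

A result of `no-recovery-partition` corresponds to the case above in which FileVault should not be enabled.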
Have you used FileVault, or do you use another security solution? Let us know how you protect your set-up in the comments below!