App of the Week: FileVault 2

About 2 weeks ago, I said I was going to test FileVault 2’s encryption.  Initially, I said I would review it after a week, but I instead decided to test it for 2 weeks to account for things like updating the Mac OS and apps within Mac.  Here is my final review of it.

FileVault is the Mac’s built-in disk encryption tool that has been around since OS 10.3 Panther.  Encryption is a data protection technique.  By locking your hard drive’s data down with an encryption key (a password), your data is basically masked.  While it doesn’t matter much if you always have your Mac, it can really matter if someone steals your Mac or gets access from the outside.  Anyone trying to look at your hard drive’s contents without the encryption key will only see random data and no signs of the operating system or your personal files.  Encryption is generally used on high-value systems, such as banks, governments, or any other systems with important personal information.  While most average users don’t have a lot of social security numbers or credit cards on their hard drive, it’s still a good idea to encrypt your hard drive for the information you do have (think bank statements, Mac’s Password Keychain, etc.).

FileVault 2 icon

However, for all the convenience that FileVault provides, many Mac users who do encrypt their hard drives have shied away from FileVault for 2 reasons.

  1. Good encryption encrypts the whole hard drive, while FileVault has traditionally only encrypted the User’s Home folder.
  2. Encryption generally takes some hit on a computer’s resources, though the better the encryption tool, the less of an impact it makes on the computer.  FileVault has traditionally had a terrible impact on system performance.
With the release of Lion, Apple has upgraded FileVault to version 2.0, with 128-bit AES encryption (that’s pretty strong encryption) and the ability to encrypt your entire hard drive, as well as a less dramatic impact on system performance and increased stability.  With these new abilities and promises, I decided to take the plunge with FileVault 2.  And before you ask, all the pictures below (with the exception of a picture involving encryption and backing up) are taken from http://support.apple.com/kb/HT4790, so you’re not seeing any private information of mine.  REMEMBER: Back up your data before encryption, just for safe keeping.
First you will need to set a decryption key, which is basically the master password to decrypt the disk.  If you forget this password, you can recover it via a recovery key, and/or user security questions (more on that later).  When you enable FileVault, it will ask which users have the right to unlock the disk.  If you have multiple users on the same Mac, you can pick which ones can decrypt, and as such turn on, your Mac.  Each user account will have to enter their password in order to have this access right.  Once the data is decrypted, all other users can access the hard drive as usual, so long as the Mac isn’t restarted or put into hibernation.
User selection screen (property of Apple)
You will then be presented with a recovery key.  It looks a lot like a registration key that you might see on a copy of Microsoft Office, or some other boxed software.  You should make a copy of it & hide it away, but Apple gives you the ability to store it with them, in keeping with the Internet syncing theme Apple has started lately.
Should you decide to keep it with Apple, you will be presented with 3 recovery questions.  You can pick from a variety of questions ranging from easy to guess, to rather challenging.  Of course, these are your security questions, so it only matters that you remember your answer to the question.
After all of this is said and done, the encryption will begin.  Depending on the age of your Mac, the speed of your processor, the amount of data on your hard drive, etc., encryption times may vary.  It should take anywhere from 2-3 hours, mine taking about 2 hours.  You will likely see your computer restart a couple of times, but this is normal.  If you have previously used an earlier version of FileVault, you may see this image on the right asking about Legacy FileVault.  This is because of the change in encryption style from Home Folder to entire disk.  It is better to go ahead and turn off Legacy and let FileVault 2 run its encryption.
You are using an earlier version... (property of Apple)
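
To confirm from Terminal that the conversion described above has finished, this added example (not from the original post or from Apple) classifies the text printed by `diskutil cs list` on a Lion-era CoreStorage disk. The sample reports are constructed and abbreviated, and the field names and `Conversion Direction` values are assumed from typical CoreStorage output.

```shell
#!/bin/sh
# Added example (not from the original post): classify FileVault 2 state
# from the text printed by `diskutil cs list` on a CoreStorage-era Mac.

# Print the value of the first "Key: value" line for key $1 (input on stdin).
cs_field() {
    sed -n "s/^[^A-Za-z]*$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one of: off, encrypting, decrypting, encrypted, unknown.
filevault_state() {
    report=$1
    # No Logical Volume Family means the disk was never converted.
    case $report in
        *"Logical Volume Family"*) ;;
        *) echo off; return 0 ;;
    esac
    conv=$(printf '%s\n' "$report" | cs_field 'Conversion Status')
    dir=$(printf '%s\n' "$report" | cs_field 'Conversion Direction')
    secure=$(printf '%s\n' "$report" | cs_field 'Fully Secure')
    case "$conv/$dir/$secure" in
        Converting/forward/*)  echo encrypting ;;
        Converting/backward/*) echo decrypting ;;
        Complete/*/Yes)        echo encrypted ;;
        *)                     echo unknown ;;
    esac
}

# Constructed sample: abbreviated report while encryption is still running.
SAMPLE_CONVERTING='+-> Logical Volume Family (UUID omitted)
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Conversion Direction:    forward
    Fully Secure:            No'

# Constructed sample: the same family after the conversion has finished.
SAMPLE_DONE='+-> Logical Volume Family (UUID omitted)
    Encryption Type:         AES-XTS
    Conversion Status:       Complete
    Conversion Direction:    -none-
    Fully Secure:            Yes'

# Constructed sample: a disk that FileVault 2 has not touched.
SAMPLE_OFF='No CoreStorage logical volume groups found'

# On a Mac, classify the live report; elsewhere only the functions are defined.
if command -v diskutil >/dev/null 2>&1; then
    filevault_state "$(diskutil cs list)"
fi
```

A disk is only fully protected once the state is `encrypted`; while it reads `encrypting`, part of the data is still stored in the clear.
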
Once the process is done, your boot up process will be much different.  Now when you turn on the Mac, immediately after the chime you will be presented with a User choice screen, letting you pick among the users that have access to decrypt the disk.  You will be required to enter your FileVault password (the one you made for it, not the recovery key), after which you will automatically be logged in.  After this, my boot up time was noticeably longer than before I encrypted my disk, but once it did boot up, I noticed that all my background apps (Dropbox, Sophos Antivirus, etc.) loaded up much faster.  Some had already been loaded up by the time the desktop appeared.
Now the key question: how is the performance impact?  On my MacBook Pro, running 10.7.1, with 4 gigs of RAM, a 2.26 GHz Intel Core 2 Duo processor, with a half-full hard drive, I did notice a slight performance hit.  Some apps took a few seconds longer to actually begin launching, but for the most part, the only major difference I noticed was the slowdown in the start-up and shut down of my Mac.  Overall, I noticed little difference in my daily Mac routine, whether it was watching YouTube, writing notes, or playing Minecraft on my friend’s updated server.  I did test what would happen with backing up a FileVault encrypted drive to an external hard drive via Carbon Copy Cloner.  The drive booted up perfectly fine, though it did ask for me to provide the decryption key after it booted up before I could do anything else.  It probably would be better if it asked that before booting up.
Mac asking to be decrypted from a bootable backup drive
All in all, I think I will leave my hard drive encrypted, as the performance hit is minor and the security is pretty decent.  If you still feel worried about FileVault 2, you can always try something like TrueCrypt.  FileVault 2 is on Mac OSX Lion and can be found in your Security and Privacy Preference Pane.
If you have a suggestion or a comment, leave a comment below or email me at easyosx@live.com  And remember that you can always check me out on Facebook, Twitter, or YouTube by hitting one of the big buttons up top.  Thanks!

8 comments

  1. Hi Stuart:

    Thank you for the review on FileVault. I am running my new Mac 10.7.3 and I have downloaded TrueCrypt and have been using it. Since MacFuse is no longer a supported application, I have trouble with TrueCrypt – I cannot always dismount it without receiving an error message as follows: hdiutil: detach: timeout for DiskArbitration expired. In fact, I have received this three times this morning and it requires a hard shut down and restart. Have you seen this? Based on this experience, I may try FileVault 2.

    • When are you experiencing this error? Does it have anything to do with a backup program you might be using, especially Carbon Copy Cloner or Time Machine? My research indicates that this seems to be a problem some people are seeing with TrueCrypt in association with a backup program. While I don’t know how to fix the error, here are my suggestions:

      1: Backup. I would recommend getting a good backup of all your data, especially user data (documents, music, etc.).

      2: See if you can undo TrueCrypt. TrueCrypt should allow you to turn off encryption and decrypt all of the data, so try to do that if you can. Hopefully this will stop the error from coming up.

      3: Run a Permission Repair and Disk Check from Disk Utility. You can find this program under Applications->Utilities. Run the repair programs and see if these help at all.

      This is one problem with using third party programs that dig so deep into the OS, especially something like encryption. If I find anything else, or if you do, let’s post it here as to what we found.

      • Hi Stuart:

        Thank you for your quick response. The error only appears when I try to dismount my TrueCrypt drive. The error will occur almost always when I have used Carbon Copy Cloner to back up the TrueCrypt drive. The error will occur more than 50% of the time if I have used a file from TrueCrypt in the Mac environment. I am also running Parallels and Windows 7 but I do not run TrueCrypt in the Windows environment.

        Interestingly, I have no trouble dismounting my backup TrueCrypt drive, which resides on a USB drive. I have 100% success in dismounting the USB TrueCrypt drive.

        I have repaired permissions on my Mac several times. Should I run the Repair and Disk Check on the TrueCrypt drive as well?

        • Since it seems to be that TrueCrypt and CCC are not getting along, I would advise running a permissions repair on the TrueCrypt drive as well. Can you explain the setup you have going though? Is only your internal hard drive encrypted and your backup drive is not, or are both of them encrypted? What drives are being encrypted by TrueCrypt?

          If the permission repair doesn’t work, you might try unencrypting the troublesome drives and then re-encrypting them.

          • Here is my set up. I have a TrueCrypt volume on my Mac that I use for all my data. That drive is backed up to a TrueCrypt volume on my USB drive each night.

            Today I did the following: Without opening any folders on either TrueCrypt volume, I ran CCC several times and I did not experience any dismount errors. As soon as I opened up a file on my Mac TrueCrypt drive – and made any tiny change – the problem started again. After a tiny change, the CCC program and the dismount feature from TrueCrypt, either together or either one independently, resulted in the same hdiutil: error as noted above. That error pretty much causes a hard shut down of my Mac to get things back up and running.

            I was hoping that by starting fresh with a new TrueCrypt volume the issue would be gone, but no luck. I am now wondering if the 7.1a version of TrueCrypt may be the issue. I wonder if a prior version is more stable.

  2. Yep, verified again. Any little change in any file and I’m stuck. I did verify each of the TrueCrypt volumes through Disk Utility and there are no problems noted with either one.

    This is very perplexing since TrueCrypt worked just fine on my old Mac.

    I have checked to be sure all of the settings are correct, and everything seems to be fine with the way I have set up the TC volumes. Do you think I can just reinstall TrueCrypt?

  3. 1) What if you don’t want to decrypt your whole hard drive? I like leaving my music, movies, etc unencrypted because they’re big in size and just don’t need to be protected. If someone steals my laptop, it’s just the sensitive info I don’t want them to have.

    2) Anyone know how (if possible) to update the security questions? I’m setting this account up for my wife and doing the questions from her perspective. But I set one of the answers wrong.

    • If you only want to encrypt parts of your drive, FileVault is not for you, since it encrypts the whole drive. You should use a tool like TrueCrypt to do that.

      As for the questions, I don’t know how to change these, though I’ll be sure to look around. I also encourage that if you find your own solution, that you come back and let us know how to do so. I’ll keep looking in the meantime.
