About 2 weeks ago, I said I was going to test FileVault 2’s encryption. Initially, I said I would review it after a week, but I instead decided to test it for 2 weeks to account for things like updating the Mac OS and apps within Mac. Here is my final review of it.
FileVault is the Mac’s built-in disk encryption tool that has been around since OS 10.3 Panther. Encryption is a data protection technique. By locking your hard drive’s data down with an encryption key (a password), your data is basically masked. While it doesn’t matter much if you always have your Mac, it can really matter if someone steals your Mac or gets access from the outside. Anyone trying to look at your hard drive’s contents without the encryption key will only see random data and no signs of the operating system or your personal files. Encryption is generally used on high-value systems, such as banks, governments, or any other systems with important personal information. While most average users don’t have a lot of social security numbers or credit cards on their hard drive, it’s still a good idea to encrypt your hard drive for the information you do have (think bank statements, Mac’s Password Keychain, etc.).
However, for all the convenience that FileVault provides, many Mac users who do encrypt their hard drives have shied away from FileVault for 2 reasons.
Good encryption encrypts the whole hard drive, while FileVault has traditionally only encrypted the User’s Home folder.
Encryption generally takes some hit on a computer’s resources, though the better the encryption tool, the less of an impact it makes on the computer. FileVault has traditionally had a terrible impact on system performance.
With the release of Lion, Apple has upgraded FileVault to version 2.0, with 128 bit AES Encryption (that’s pretty strong encryption) and the ability to encrypt your entire hard drive, as well as a less dramatic impact on system performance and increased stability. With these new abilities and promises, I decided to take the plunge with FileVault 2. And before you ask, all the pictures below (with the exception of a picture involving encryption and backing up) are all taken from http://support.apple.com/kb/HT4790, so you’re not seeing any private information of mine. REMEMBER: Back up your data before encryption, just for safe keeping.
First you will need to set a decryption key, which is basically the master password to decrypt the disk. If you forget this password, you can recover it via a recovery key, and/or user security questions (more on that later). When you enable FileVault, it will ask which users have the right to unlock the disk. If you have multiple users on the same Mac, you can pick which ones can decrypt, and as such turn on, your Mac. Each user account will have to enter their password in order to have this access right. Once the data is decrypted, all other users can access the hard drive as usual, so long as the Mac isn’t restarted or put into hibernation.
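A common way to let several account passwords and one recovery key all unlock the same disk is to encrypt the disk under a single random volume key and store a separately wrapped copy of that key for each unlocker. The following is an added conceptual example, not Apple's implementation and not code from this review; the slot layout, account names, passwords, recovery string and the XOR-plus-HMAC wrap (a stand-in for AES key wrap, which the Python standard library lacks) are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; kept low so the example runs quickly

def _derive(secret, salt):
    """Stretch a password or recovery key into a wrapping key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=48)
    return okm[:16], okm[16:]

def wrap(volume_key, secret):
    """Create one unlock slot: the volume key wrapped under one secret."""
    salt = os.urandom(16)  # fresh salt, so each slot gets a one-time wrapping key
    kek, mac_key = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap(slot, secret):
    """Return the volume key if the secret matches this slot, else None."""
    kek, mac_key = _derive(secret, slot["salt"])
    expected = hmac.new(mac_key, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None  # wrong secret: the tag does not verify
    return bytes(a ^ b for a, b in zip(slot["wrapped"], kek))

def unlock(slots, secret):
    """Try the secret against every slot, as a pre-boot unlock screen would."""
    for slot in slots.values():
        volume_key = unwrap(slot, secret)
        if volume_key is not None:
            return volume_key
    return None

def build_example():
    """Constructed sample: two enabled users plus a recovery key."""
    volume_key = os.urandom(16)  # 128-bit key, the AES key size the review mentions
    slots = {
        "alice": wrap(volume_key, "alice-login-password"),
        "bob": wrap(volume_key, "bob-login-password"),
        "recovery": wrap(volume_key, "ABCD-EFGH-IJKL-MNOP-QRST-UVWX"),
    }
    return volume_key, slots

if __name__ == "__main__":
    vk, slots = build_example()
    print("recovery key unlocks:", unlock(slots, "ABCD-EFGH-IJKL-MNOP-QRST-UVWX") == vk)
    del slots["bob"]  # revoking a user deletes a slot; the disk is not re-encrypted
    print("bob after removal:", unlock(slots, "bob-login-password"))
```

In this model the disk contents never depend on any one password, which is why forgetting a password is recoverable only as long as another slot, such as the recovery key, still exists.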
You will then be presented with a recovery key. It looks a lot like a registration key that you might see on a copy of Microsoft Office, or some other boxed software. You should make a copy of it & hide it away, but Apple gives you the ability to store it with them, in keeping with the Internet syncing theme Apple has started lately.
Should you decide to keep it with Apple, you will be presented with 3 recovery questions. You can pick from a variety of questions ranging from easy to guess, to rather challenging. Of course, these are your security questions, so it only matters that you remember your answer to the question.
After all of this is said and done, the encryption will begin. Depending on the age of your Mac, the speed of your processor, the amount of data on your hard drive, etc., encryption times may vary. It should take anywhere from 2-3 hours, mine taking about 2 hours. You will likely see your computer restart a couple of times, but this is normal. If you have previously used an earlier version of FileVault, you may see this image on the right asking about Legacy FileVault. This is because of the change in encryption style from Home Folder to entire disk. It is better to go ahead and turn off Legacy and let FileVault 2 run its encryption.
Once the process is done, your boot up process will be much different. Now when you turn on the Mac, immediately after the chime you will be presented with a User choice screen, letting you pick among the users that have access to decrypt the disk. You will be required to enter your FileVault password (the one you made for it, not the recovery key), after which you will automatically be logged in. After this, my boot up time was noticeably longer than before I encrypted my disk, but once it did boot up, I noticed that all my background apps (Dropbox, Sophos Antivirus, etc.) loaded up much faster. Some had already been loaded up by the time the desktop appeared.
Now the key question: how is the performance impact? On my MacBook Pro, running 10.7.1, with 4 gigs of RAM, a 2.26 GHz Intel Core 2 Duo processor, with a half-full hard drive, I did notice a slight performance hit. Some apps took a few seconds longer to actually begin launching, but for the most part, the only major difference I noticed was the slowdown in the start-up and shut down of my Mac. Overall, I noticed little difference in my daily Mac routine, whether it was watching YouTube, writing notes, or playing Minecraft on my friend’s updated server. I did test what would happen with backing up a FileVault encrypted drive to an external hard drive via Carbon Copy Cloner. The drive booted up perfectly fine, though it did ask for me to provide the decryption key after it booted up before I could do anything else. It probably would be better if it asked that before booting up.
All in all, I think I will leave my hard drive encrypted, as the performance hit is minor and the security is pretty decent. If you still feel worried about FileVault 2, you can always try something like TrueCrypt. FileVault 2 is on Mac OS X Lion and can be found in your Security and Privacy Preference Pane.