FileVault 2: What It Is And Why Every Mac User Should Use It
I got a few questions asking me to explain what FileVault 2 is and why I decided to go with using it on both MacBook Pros in my home.
FileVault 2 is the full disk encryption system that Apple ships in OS X. It encrypts the entire startup disk with XTS-AES-128 and performs encryption and decryption on the fly, transparently to the user. This isn’t the absolute strongest form of encryption available, as there is a 256-bit variant of the algorithm, but it is strong enough to keep 99% of the universe away from your data. It also takes away the most common way of breaking into a Mac: booting into the Recovery Mode that is built into every Mac and using it to change the password on your user account.
The advantages beyond encrypting your data include the fact that, if your Mac is stolen, you can use Find My Mac to silently wipe the drive in seconds from a remote location (just make sure you always have a current backup), or you can issue a command to remotely lock the Mac. Keep one thing in mind, though: once you’ve used the Remote Lock option, the Remote Wipe action is no longer available. I should also point out that you should always enable the Guest Account option so that a thief is enticed to use the Mac. To do so, he’d have to connect it to the Internet, which allows the Mac to report its location and allows you to send the commands to lock or wipe it.
Another thing to note is that FileVault 2 works with all your backup software and with utilities like DiskWarrior. All of which means that you’re protecting your data and your life doesn’t change at all.
Enabling it is easy. The link that I have included on FileVault 2 shows how easy the process is. But there are a couple of things to keep in mind:
- Once you start the encryption process, there’s no stopping it. You need to leave it alone to complete. Depending on the Mac that you have and how much data it has to encrypt, it may take an hour or two, or several hours. My advice would be to pick a day where you won’t need the Mac for anything and leave it alone to do its thing. It also goes without saying that you should do a backup of your data before you turn on FileVault 2 because however unlikely it might be, something bad could happen.
- During the setup, OS X creates a Recovery Key for your drive. This Recovery Key is something that you need to hold onto because without it, you are screwed if you need to recover your data from a lost password or the like. You have two options in this regard:
- In OS X Yosemite, you can store your FileVault key in iCloud. You can then use your iCloud account name and password to unlock your startup drive or reset your password. This is the option I went with, and you should too, as it is the best way to get your data back if you forget your password or the like. The only catch is that because the contents of your hard disk would be tied to your iCloud account, the possibility exists for someone to get access to the contents of your drive if they ever gained control of your iCloud account.
- You can also create a recovery key that consists of a combination of numbers and letters. You can use this key to unlock your drive or disable FileVault. Keep a copy of this key somewhere other than your encrypted startup disk. If you write the key down, be sure to copy the letters and numbers exactly as they are shown, and keep it somewhere safe that you’ll remember. If your Mac is at a business or school, your institution can also set a recovery key to unlock it. This is the more secure option, but it does you little good if you do not have access to this key or you wrote it down wrong.
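Since the post stresses that the initial encryption must be left to finish and that the recovery key arrangement matters, here is an added example (not from the original post) of how an administrator can check a Mac’s FileVault 2 state from a script. It is built on Apple’s fdesetup(8) command, which ships with OS X 10.8 and later; the parsing works on the text that `fdesetup status` prints, so the functions can be exercised against constructed sample strings on any POSIX shell, and only `check_filevault_here` invokes the real binary. The sample strings and the 34% figure are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: a small FileVault 2 audit helper built on fdesetup(8).
# Everything except check_filevault_here works on plain text, so it can be
# run against constructed samples on any POSIX shell.

# Classify the text printed by `fdesetup status`.
# Prints exactly one of: on, off, encrypting, decrypting, unknown.
# The "in progress" cases are tested first because fdesetup also prints
# "FileVault is On." while a conversion is still running.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On."*)       echo on ;;
        *"FileVault is Off."*)      echo off ;;
        *)                          echo unknown ;;
    esac
}

# Percentage from a "Percent completed = NN" line; prints nothing if absent.
encryption_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p'
}

# Succeeds only when the startup volume is fully encrypted: a conversion still
# in progress leaves plaintext on disk and must not count as protected.
filevault_is_protected() {
    [ "$(filevault_state "$1")" = on ]
}

# One-line summary suitable for an inventory or compliance log.
filevault_report() {
    state=$(filevault_state "$1")
    pct=$(encryption_percent "$1")
    if [ -n "$pct" ]; then
        printf 'status=%s percent=%s\n' "$state" "$pct"
    else
        printf 'status=%s\n' "$state"
    fi
}

# Run against the local machine. Returns 2 when fdesetup is unavailable
# (not a Mac), 1 when the disk is not fully encrypted, 0 when it is.
check_filevault_here() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo 'fdesetup not found; this check only runs on OS X / macOS' >&2
        return 2
    fi
    out=$(fdesetup status 2>/dev/null)
    filevault_report "$out"
    filevault_is_protected "$out"
}

# Constructed sample outputs (not captured from a real machine) in the format
# that `fdesetup status` uses; the percentage is an arbitrary value.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 34'

# Demo on the samples: prints one report line per case.
for sample in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_PROGRESS"; do
    filevault_report "$sample"
done
```

On an actual Mac, `check_filevault_here` is the call to make from a login script or management agent; its exit code distinguishes "fully encrypted" from "still converting", which is the state the post warns you not to interrupt. On the same machine, `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey` print true or false, which is how you confirm that whichever recovery key option you chose above is actually in place (those verbs need administrator privileges).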
When it comes to who should use it, here are my thoughts:
- If you have a MacBook of some description, the answer should be yes, as MacBooks specifically and portable computers in general tend to be high-value targets for theft, as I can attest. In fact, when you buy a new MacBook, the Setup Assistant offers to turn this on for you during the initial setup process.
- If you own any other type of Mac, I would strongly consider it. Mac Mini and Mac Pro computers, for example, are small and easy to steal, so for users of those Macs I would recommend turning on FileVault 2. And if you are someone who has work-related or confidential data on your Mac, then the answer should be yes as well.
The next thing that I will highlight is speed. In the past, speed has been an issue when it comes to encryption because the process of encrypting and decrypting data would slow the computer down to such a degree that some would ditch encryption to make the computer perform the way they wanted it to. But in the age of fast processors and SSD storage, this is a non-issue. Even with mechanical hard drives it is a non-issue. I have FileVault 2 turned on on both my wife’s MacBook Pro, into which I put a 7200 RPM hard drive, and my new MacBook Pro, which has an SSD. I cannot tell on either that FileVault 2 is enabled. Though I will admit that it took almost 6 hours on my wife’s MacBook Pro to do the initial encryption of 90 GB of data. By contrast, it took about 90 minutes on my MacBook Pro to do the initial encryption of 225 GB of data. But once that was done, there was no speed penalty that we could detect.
The final thing to highlight is that there is one thing you should be aware of when you use FileVault 2. Some law enforcement types aren’t thrilled with FileVault 2 because they can’t get into it at will. Thus if you travel and customs decides to search your MacBook for whatever reason, they might want you to hand over your encryption keys or decrypt your drive. That’s a big hint that there aren’t any backdoors (that we know of) in FileVault 2. But for that reason, it could cause you some grief if you travel. My best advice is to follow this piece of advice that I wrote in regards to US customs and avoid any conversation about the fact that the drive is encrypted.
January 21, 2016 at 1:41 am
Great article. My MacBook Air was stolen last week (and it has Find my Mac and FileVault enabled). I can see the thief is online (from time to time) but the machine is locked, so the Remote Lock and Remote Wipe are grayed out. Is there any other way to remotely wipe the machine? All I can do when the machine is online is Play the Sound, which I do mostly to irritate him/her.
The other thing I don’t understand is how the thief can go online with the machine locked. I can’t find any articles that cover this scenario…Thanks!
December 16, 2016 at 8:33 am
[…] you have a Mac, I recommend that you use Apple’s FileVault 2 encryption because if your Mac gets stolen, your data is […]
December 18, 2017 at 3:28 pm
[…] works the same way as FileVault 2 where it will ask you to save a recovery key in iCloud or it will generate one for you to write […]