How and Why to Enable FileVault Encryption on Your Mac
A reader recently emailed us asking about FileVault, Apple’s encryption scheme on Mac OS X. She wasn’t sure what it did, or if she should enable it on her new MacBook. The feature is by no means new, but the recent release of OS X Mavericks and the ever-increasing number of users new to the Apple platform warranted a fresh look at FileVault. So, exactly what is FileVault?
The Original FileVault
First, it’s important to clarify that the version of FileVault currently in use since OS X Lion is FileVault 2, which represents a significant change from the original FileVault, called “Legacy FileVault” by Apple. But before we explain FileVault 2, let’s talk about its predecessor.
FileVault was first introduced in 2003 as part of Mac OS X 10.3 Panther as an on-the-fly encryption scheme for protecting a user’s data. Once enabled, a user’s data was encrypted by the operating system within a sparse disk image (later operating systems utilized the more efficient sparse bundle disk images). While a user’s account password could unlock the FileVault encryption when logging into the Mac, the user would also need to create a “Master Password” in the event that the user account password was lost. While logged in, Legacy FileVault would decrypt and re-encrypt data as the user needed it, all on demand.
While certainly not required, the benefit of FileVault was that user data was protected from unauthorized users or thieves who lacked the necessary password. If your Mac was stolen, for example, FileVault-encrypted data would be very difficult for a thief to access. While less technologically savvy thieves under normal circumstances may be thwarted by a user account password, those with any experience would be easily able to pull the Mac’s hard drive, attach it to a second system, and enjoy unfettered access to the drive’s data. But if the user’s data was encrypted, it would generally be safe from those without the FileVault password.
But there were several issues with the Legacy FileVault. First, it only encrypted the user’s home folder. While most users maintain all of their important data inside their home folder, some may have files scattered throughout the Mac’s system drive, inadvertently or not. These files outside the home folder, which also include other user accounts on the Mac that haven’t enabled FileVault, would be totally unprotected in the event of theft or other unauthorized access.
There were also problems with the encryption method used by the first implementation of FileVault. The scheme utilized cipher-block chaining, or CBC, modes of encryption which, by the end of the original’s FileVault’s lifespan, could be reliably cracked by experienced hackers. Further, from a more user-centric perspective, the way that FileVault handled encryption of only the user home folder led to issues and annoyances with tasks like file sharing and automatic backups.
Make no mistake, Legacy FileVault offered relatively good protection for most users, and was certainly better than nothing when it came to protecting critical data of a personal or business nature. But there was certainly room for improvement and, like it does so often with its consumer products, Apple decided to change things significantly for the next version of FileVault.
Continued on page 2.