How and Why to Enable FileVault Encryption on Your Mac
OS X 10.7 Lion brought many changes to Apple’s desktop operating system. Some of these changes were met with dismay by longtime Mac users, but most Apple customers were excited to see at least one new feature: Apple’s implementation of FileVault 2.
Although sharing the same name, FileVault 2 is an entirely different scheme than its predecessor. Instead of just encrypting the user’s home folder, FileVault 2 employs a technique called “whole disk encryption” (or “full disk encryption”) which, as you can undoubtedly guess from its name, encrypts the entire Mac system volume.
This change brings several improvements over Legacy FileVault. First, as we’ve already mentioned, FileVault 2 encrypts the entire Mac system drive. This solves the issue with the original FileVault whereby hackers or thieves could access any data on the drive that wasn’t inside the user’s encrypted home folder. Second, FileVault 2 utilizes a stronger form of encryption, called XTS-AES 128.
When the Mac is shut down, the entire drive is encrypted and protected; when an authorized user boots the Mac and logs in with the correct password, the entire drive is unlocked. This helps prevent issues like software incompatibility because the whole drive is unlocked when in use, and installed apps generally don’t even know the drive is encrypted at all. However, this also means that your Mac is more vulnerable when booted. Even with the best whole disk encryption, a thief or hacker who gains access to your Mac while it’s booted and logged in will be able to see all of the drive’s data. Only when the Mac is completely shut down is the data on its drive locked up.
As you can probably surmise, booting an encrypted drive (FileVault 2) is a bit more complex than booting a non-encrypted drive that merely contains some encrypted files (Legacy FileVault). In order to accomplish this feat, Apple uses another key OS X feature that was introduced in OS X 10.7 Lion: the Recovery Partition. Once FileVault is enabled and the Mac system drive is encrypted, the Mac will seamlessly boot first to the OS X Recovery Partition in order to give the user the opportunity to enter their password and unlock the main encrypted volume. To the user, this processes presents itself with a simple login prompt. The only clue that something different from a normal boot process is happening is the presence of the gray background that accompanies pre-OS EFI tasks on modern Macs.
And that’s truly the “magic” of FileVault 2. Apple’s implementation, with few exceptions, protects user data with a process that is transparent to the end user. Excluding the initial setup, users with FileVault 2 enabled need only to enter their account password when booting their Mac. Practically all other aspects of using OS X are the same as with a non-encrypted drive.
Still Not Perfect
Despite the improvements offered by FileVault 2, it’s still far from perfect, and there are many issues for users to consider. First, and most importantly, you’ll need to remember your user account password or recovery key (a replacement for Legacy FileVault’s Master Password, which we’ll discuss further below). This is absolutely essential; without one of these items, you’ll be unable to decrypt your drive, and your data (plus the data from any other user accounts) will be permanently trapped inside the encrypted volume. As a backup for this scenario, you can choose to store a copy of your recovery key on Apple’s servers when you enable FileVault. This is generally a safe option, but those with critical business or personal data on their Macs may not want to take the risk. If you do decide to store a backup copy of your recovery key with Apple, you’ll need to set three security questions. Note that you must submit the exact same answers to these questions if you ever need to retrieve the key from Apple, so make sure to pick questions with unambiguous answers.
Another issue to consider is performance. Because the Mac will have to encrypt and decrypt data as the user calls for it, there will be a slight performance hit when it comes to reading and writing data. The magnitude of this performance hit will depend on your Mac. Users with older Macs and slower processors will feel it more, but those with newer Macs may hardly notice a difference thanks to a combination of faster processors, faster drives, and hardware encryption capabilities built into newer Intel CPUs.
FileVault 2 also cannot be used with every Mac and every drive configuration. In general, FileVault 2 can only be enabled on a single system drive containing only the OS X and Recovery partitions. Users report problems when enabling FileVault on drives with additional partitions, and FileVault can’t be used at all on RAID volumes. Further, FileVault protects only the system drive. If you have a Mac with multiple internal or external hard drives, the data on those drives won’t be encrypted by FileVault, something that may be an important consideration for power users (although there are ways to manually encrypt additional drives in OS X).
If these FileVault drawbacks are outweighed by its benefits, then FileVault whole disk encryption may be right for you and your Mac. While we’ve touched on many of the steps necessary to enable FileVault, straightforward instructions on the process are listed below.
Learn how to enable FileVault on page 3.