Complete guide to FileVault 2 in Lion
Product mentioned in this article
Encrypting your Mac's entire hard drive—making it unreadable to anyone who doesn't have the correct encryption key (a sort of software passcode)—is a perfectly marvelous idea to maintain the privacy of your data. However, Full Disk Encryption (FDE) should meet three criteria. First, you shouldn't have to manage a single setting—the encryption processes should be invisible and seamless while you use your computer. Second, the encryption has to be impregnable to unauthorized access. Third, using encryption should not slow down the computer's normal functions.
FileVault 2, the FDE technology built into Lion (Mac OS X 10.7), meets those three criteria in the right circumstances, but getting it up and running is not as easy as 1, 2, 3. (Speaking of which, Apple uses the "2" label for FileVault only in its marketing materials for Lion. In Lion itself, you'll see it referred to as simply FileVault, as I do through the rest of this article.)
The original FileVault, introduced in Mac OS X 10.3, encrypted only a user's home directory. In Lion, you flip a switch (discussed below) and your entire startup drive is converted into an encrypted volume. A strong encryption key is created, accessible only through the specific user accounts you've configured to allow startup. With FileVault active, whenever your Mac is shut down, the data on your hard drive is a mess of unintelligible bits. The data has meaning only when the Mac is booted and an authorized account logs in, which decrypts the key that in turn deciphers the drive's data.
The "whenever your Mac is shut down" requirement is one of FileVault's usability pitfalls: While your Mac is booted, anyone with physical access to the computer—someone who sits down in front of it, breaks in remotely (however unlikely that seems at the moment with a Mac), or runs away with your laptop—could access your data. So get used to shutting down your Mac when it's not in use, or when it's out of your control, rather than putting it to sleep. (There are a few alternatives and assistants, described below.) But if you do opt to shut down frequently, Lion's Resume feature is quite useful here, in that when you start up your Mac—startup is much faster in Lion, too—your applications and windows are all right where you left them when you shut down. Under earlier versions of OS X, you might get lazy about shutting down because of slow startups and the hassle of getting your workspace set up again.
All that said, there's still a good case for FDE for anyone who routinely handles private or sensitive information. That includes legal, financial, and health-care professionals, as well as a large swath of companies and contractors working with governments.
Note that if you use FileVault, you must leave your machine booted—and, thus, your data accessible—during any backup, so you shouldn't leave it unattended. Also, to ensure your data is safe, don't back up over an unsecured wireless network, and make sure your backups themselves are locked down. In Lion, Time Machine provides an option to encrypt your backups; you activate this setting in the Select Disk screen of the Time Machine pane of System Preferences.
Warnings about the right drive configuration
FileVault is a model of simplicity for most Mac setups, but not all. For one thing, FileVault requires a standard-configuration Lion drive, which means one that has a single visible volume along with Lion's hidden Recovery HD partition. This will be the case for any Mac purchased with Lion pre-installed that hasn't had its drive subsequently modified, or any Snow Leopard Mac that maintained its original drive configuration before upgrading to Lion. If you've partitioned the drive on which you installed or want to install Lion, if you don't have the Recovery HD volume, or if your startup drive is part of a RAID (multiple drives configured for data mirroring or increased performance), you'll run into problems with FileVault—for example, Mac OS X may let you enable the feature, but doing so may leave the drive unbootable.
To see if your drive is set up properly, boot into Lion Recovery mode (before enabling FileVault). If you can't, follow Apple's instructions for ensuring Recovery HD is properly installed. Sadly, this may involve backing up your drive, erasing it, and reinstalling Lion.
FileVault also won't work if all FileVault-authorized users have their home directories residing on volumes other than the startup disk. Such a configuration is fairly technical, and uncommon for a typical Mac user, but it's worth noting. One workaround is to give another, local account—even one created only for this purpose—permission to allow startup under FileVault. Once the Mac has booted, you can then Log Out of that account and into an account that has its home directory on another volume.
But even if you meet all the requirements, some users have found that after enabling FileVault with what appears to be a properly configured drive, they still ran into trouble. So before turning on FileVault, make a full backup of your drive using Time Machine, Carbon Copy Cloner, Super Duper, or Disk Utility. (Note that these backups are not themselves encrypted by default, as they're made when your FileVault volume is mounted. To encrypt the backups, you need to separately enable encryption for your Time Machine volume, as described above, or use the instructions in "Encrypting external drives," below, to encrypt the backup volume.) This will be useful if you end up having to wipe the drive, perform a clean Lion install, and then restore your system—a process that, depending on your Mac model, can be quite time-consuming. (At this writing, any Mac that was released with Lion already installed must use Lion Internet Recovery, which downloads an over-600MB recovery disk image, and then downloads the 4GB Lion Installer before the install proceeds. For Macs capable of running Lion but released before June 2011, Dan Frakes offers instructions on making a bootable Lion installer.)
Activating FileVault on a Mac's internal drive
Compared to the above provisos about using FileVault, setting it up is rather simple. As stated earlier, be sure to back up your data before activating FileVault.
Step 1 Open System Preferences, and then click the Security & Privacy pane. Click the FileVault tab, and then click the lock icon at the lower left; enter an administrative username and password when prompted.
Note that if you first enabled FileVault in Snow Leopard or an earlier version of Mac OS X, you get a special dialog pointing out the differences between the old and new FileVault approaches. When you see this dialog, you'll need to make a choice: You can keep using Snow Leopard's home-directory version of FileVault on accounts for which it was already enabled (though you won't be able to turn it on for other accounts), or you can turn off the legacy version of FileVault in order to use FileVault 2 to encrypt your entire drive.
Step 2 Click Turn On FileVault. If you have multiple regular or administrative accounts set up on your Mac, you're prompted to choose which accounts—in addition to the one you're currently logged in to—may unlock the volume's encryption key at startup. (You can always go back later to add users to or remove users from this list, but, strangely, FileVault won't let you remove users after a restart. Once you restart, the only way to prevent a previously authorized user from logging in is to delete the account or change the user's password.) If your Mac has only a single user account configured, FileVault skips this step.
Step 3 Mac OS X presents you with a 24-character alphanumeric recovery key, which can be used to unlock a FileVault-encrypted disk even if you forget the password for every account authorized to boot up the system. This sounds unlikely, I know, but because the disk is securely scrambled—meaning if you don't have the right key, your data is forever inaccessible—providing this extra measure of help means that you have a way to gain access.
You should write down this recovery key; or copy, paste, and store it somewhere secure. Just be sure you save it in a location other than this computer's drive, so you'll be able to retrieve it should you be locked out of the drive. (Note that if you ever disable FileVault and then enable it again, a new recovery key will be generated.)
Alternatively—or in addition to storing it somewhere yourself—you can opt to have Apple store your recovery key. If you choose to do so, you're prompted to enter the answers to three security questions from a long list of possibilities. Many security experts suggest that you don't provide the correct answers to these questions, because another party with access to your biography, or who pays a person-finder service to create an online dossier, may be able to answer them. That means remembering a set of lies, and that can be harder than the truth, as anyone conducting a double life can tell you. Whatever approach you take, keep track of your precise answers
Remember, if you forget the passwords to all authorized accounts and lose a record of the recovery key, your data is lost forever. Seriously. It's gone.
Step 4 After noting the recovery key, click Continue, and you're prompted to provide the username and password for one of the accounts authorized for FileVault booting. Before clicking Restart here, make sure no other accounts are logged in under fast-user switching—the next step in this process immediately logs out any other accounts, ignoring any unsaved changes to open files.
Click restart, and your Mac restarts. You be prompted to log in to the FileVault boot screen, which looks much like a regular Mac OS X startup login screen except with a gray background, and only FileVault-authorized accounts are shown.
Once you log in, if you return to the Security & Privacy pane of System Preferences, you'll see that the drive is in the process of being encrypted. The process may take many hours, but you can use your computer even while the bits are being scrambled. Any work you do at this point may or may not be immediately encrypted, depending on whether or not it's on a portion of the volume that's been converted, but once the process is finished, all data will be secure. Note that if you shut down before the entire drive has been encrypted, startup is still restricted, but the drive itself is not fully protected—if the drive were removed, it's possible data on the not-yet-encrypted portions could be retrieved by forensics experts or crackers. So it's a good idea to let the process finish.
Life with FileVault
Once FileVault is enabled, you'll want to be aware of a few differences in how your Mac behaves. For example, turning on FileVault disables automatic login, as you might imagine—you don't want your computer booting directly into a user account, as that would defeat the point of encrypting the disk in the first place. Instead, you must log in with any account set up with FileVault access; once you've logged in to any authorized account, you can log out and then log in to any other account, or enable fast-user switching to have multiple accounts in use at once.
Similarly, most theft-recovery software, such as GadgetTrak and Undercover, functions only when your Mac is booted up. So the inability to log in automatically also prevents the use of these products unless your computer is stolen while you are logged in to a user account. That's a tradeoff—you might not be able to track where your machine has gone, but at least its contents are completely useless to whomever stole it.
Turning off FileVault is a simple matter. In the FileVault tab of Security & Privacy preferences, click Turn Off FileVault and then provide the username and password of a FileVault-authorized account. You immediately see a progress bar displaying the decryption status—the system does not even need to restart. (If you restart while decryption is in process, you'll need to use a FileVault-authorized login to start up.) Once FileVault is completely disabled, a restart brings up the normal startup process and login screen.
Locking your Mac, locally or remotely
I noted above that if you want real security, you should get used to shutting down your computer when you're leaving it somewhere. As long as you're not worried about government-grade intrusion, you can use several of OS X's lock features to get around this requirement.
One option is OS X's keychain-status menu, which lets you manually lock your Mac's screen, turning it completely black and requiring your account password to regain access. To enable this menu, launch the Keychain Access utility (in
/Applications/Utilities), choose Keychain Access -> Preferences, and then check Show Keychain Status in Menu Bar. Now you can choose the menu's Lock Screen command whenever you walk away.
A similar option is to configure the Security & Privacy pane of System Preferences to require a password immediately after sleep or a screen saver begins. Combine this with a "hot corner" for your screen saver in the Screen Saver tab of Desktop & Screen Saver preferences, and you can lock your screen with a flick of the cursor.
If your computer is booted, and you've forgotten it or had it snatched, Lion offers two more-serious options via iCloud's Find My Mac feature, which requires a free iCloud account. On your Mac, just enable Find My Mac in the iCloud pane of System Preferences (you'll need to log in to your iCloud account here if you haven't already). You can now go to the iCloud.com website from another computer and click Find My iPhone, or launch the Find My iPhone app on any iOS device. (Ignore the name: the service now finds Macs running Lion, as well.)
In Find My iPhone (either the iOS app or on iCloud.com), select your missing device—it appears even if it's not currently connected to the Internet, and any command you select here is triggered the next time the missing device connects to a live global network—in the case of a Mac, to the Internet via Wi-Fi. If you're lucky, the thief (or a helpful person) will try to connect to a Wi-Fi network. (This is one instance in which there's a bit of an upside to not preventing access.)
Your options for a Mac include Remote Lock and Remote Wipe. Remote Lock lets you set a six-digit lock code and, optionally, add a message to appear on the Mac's screen; when the Remote Lock command is received by the Mac, it immediately shuts down and reboots. But instead of rebooting normally, it reboots from the Recovery HD volume; more specifically, it boots into a special passcode interface. Only if you enter the correct lock code will the Mac reboot normally—which, depending on how your Mac was previously configured, means either the FileVault startup screen, the standard login screen, or automatic login.
If you're sure the machine is irrecoverable, or you don't want to take chances, go nuclear with the Remote Wipe option. (Note that once you use the Remote Lock option, you can't later use Remote Wipe. So choose wisely.) You still need to enter a passcode, which locks the machine to a restricted Recovery HD boot after the wipe occurs. If you have FileVault 2 enabled, the remote wipe happens instantly: Lion simply erases the encryption key, which renders all data on the drive gone for good. Without FileVault 2 enabled, the wipe can take hours or longer. If you end up recovering your Mac after a remote wipe, you'll need to enter the passcode you set previously; then you'll be able to re-install OS X Lion from the Recovery HD partition and restore from a backup.
It's probably worth mentioning that someone who steals a FileVault-enabled Mac can never shut down or restart the machine without losing access to the booted machine's startup drive. (Although they probably wouldn't realize this until after shutting down or restarting.) This also means they can't install updates that require a restart, let the battery run down to zero, or even wipe the hard drive clean and reinstall the OS to get a "working" computer.
The 10.7.2 update to Lion does, however, let someone log in to a FileVault-enabled Mac as a guest, which actually boots into a special Safari-only mode from Recovery HD. This mode doesn't reveal your boot hard drive's contents, or even let you view anything other than a Safari window. (Stay tuned for a separate article that explains how Find My Mac works when booted in this fashion.)
Techniques exist that can extract a key from a running computer, including your drive's encryption key. But they're usually restricted to issues of national security or valuable corporate espionage. For most people, the keychain-based lock and Find My Mac will be security enough.
Using a Recovery Key
Apple makes it easy to punch in a recovery key if you can't remember the password to a FileVault-authorized account. In the initial gray boot screen, click on an account and then click the question-mark (?) icon in the password field. This reveals a message reading, "If you forgot your password, you can...reset it using your recovery key." Click the right-pointing triangle, and you can enter the recovery key I discussed above.
What happens if you can't find the recovery key where you stashed it? If you're lucky, you opted to let Apple store a copy. To obtain the recovery key from Apple, you follow the same process above, clicking the ? mark and then the right-pointing arrow. This also reveals two pieces of information: the serial number of your Mac, and a special record number used to track requests. You then call AppleCare in your country—the service isn't available in every country in which Apple operates—and provide this information, as well as the answers to your security questions. Cumbersome, but a great last-resort option.
When you originally entered your security questions, the text noted that spelling counts. That's because Apple uses the information you enter as the exact passphrase to encrypt the recovery key. (And the recovery key is a passphrase for the volume's actual encryption key, just to show how far this nests.) Using your precisely typed entries as an encryption passphrase prevents Apple employees from seeing your recovery key without knowing the answers. (And even if they have the recovery key, they still must gain physical access to your computer to enter the key.)
Next page: Encrypting external hard drives