Complete guide to FileVault 2 in Lion
Encrypting your Mac's entire hard drive—making it unreadable to anyone who doesn't have the correct encryption key (a sort of software passcode)—is a perfectly marvelous idea to maintain the privacy of your data. However, Full Disk Encryption (FDE) should meet three criteria. First, you shouldn't have to manage a single setting—the encryption processes should be invisible and seamless while you use your computer. Second, the encryption has to be impregnable to unauthorized access. Third, using encryption should not slow down the computer's normal functions.
FileVault 2, the FDE technology built into Lion (Mac OS X 10.7), meets those three criteria in the right circumstances, but getting it up and running is not as easy as 1, 2, 3. (Speaking of which, Apple uses the "2" label for FileVault only in its marketing materials for Lion. In Lion itself, you'll see it referred to as simply FileVault, as I do through the rest of this article.)
The original FileVault, introduced in Mac OS X 10.3, encrypted only a user's home directory. In Lion, you flip a switch (discussed below) and your entire startup drive is converted into an encrypted volume. A strong encryption key is created, accessible only through the specific user accounts you've configured to allow startup. With FileVault active, whenever your Mac is shut down, the data on your hard drive is a mess of unintelligible bits. The data has meaning only when the Mac is booted and an authorized account logs in, which decrypts the key that in turn deciphers the drive's data.
The "whenever your Mac is shut down" requirement is one of FileVault's usability pitfalls: While your Mac is booted, anyone with physical access to the computer—someone who sits down in front of it, breaks in remotely (however unlikely that seems at the moment with a Mac), or runs away with your laptop—could access your data. So get used to shutting down your Mac when it's not in use, or when it's out of your control, rather than putting it to sleep. (There are a few alternatives and assistants, described below.) But if you do opt to shut down frequently, Lion's Resume feature is quite useful here, in that when you start up your Mac—startup is much faster in Lion, too—your applications and windows are all right where you left them when you shut down. Under earlier versions of OS X, you might get lazy about shutting down because of slow startups and the hassle of getting your workspace set up again.
All that said, there's still a good case for FDE for anyone who routinely handles private or sensitive information. That includes legal, financial, and health-care professionals, as well as a large swath of companies and contractors working with governments.
Note that if you use FileVault, you must leave your machine booted—and, thus, your data accessible—during any backup, so you shouldn't leave it unattended. Also, to ensure your data is safe, don't back up over an unsecured wireless network, and make sure your backups themselves are locked down. In Lion, Time Machine provides an option to encrypt your backups; you activate this setting in the Select Disk screen of the Time Machine pane of System Preferences.
Warnings about the right drive configuration
FileVault is a model of simplicity for most Mac setups, but not all. For one thing, FileVault requires a standard-configuration Lion drive, which means one that has a single visible volume along with Lion's hidden Recovery HD partition. This will be the case for any Mac purchased with Lion pre-installed that hasn't had its drive subsequently modified, or any Snow Leopard Mac that maintained its original drive configuration before upgrading to Lion. If you've partitioned the drive on which you installed or want to install Lion, if you don't have the Recovery HD volume, or if your startup drive is part of a RAID (multiple drives configured for data mirroring or increased performance), you'll run into problems with FileVault—for example, Mac OS X may let you enable the feature, but doing so may leave the drive unbootable.
To see if your drive is set up properly, boot into Lion Recovery mode (before enabling FileVault). If you can't, follow Apple's instructions for ensuring Recovery HD is properly installed. Sadly, this may involve backing up your drive, erasing it, and reinstalling Lion.
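The same layout inspection can be done from Terminal by reading the output of diskutil list for one disk. The function below is added here as an example; it is not code from the article or from Apple, the function name is an invention for this page, and the two diskutil list transcripts embedded in it are constructed to match Lion's column layout rather than captured from a real Mac. It flags a missing GUID partition table, a missing hidden Recovery HD partition, more than one visible Mac OS Extended volume, or an Apple RAID member. It reads only the partition map, so it complements rather than replaces the boot-into-Recovery test above.

```shell
#!/bin/sh
# Added example (not from the article): inspect "diskutil list diskN" output for the
# standard Lion layout the article requires before FileVault is turned on:
# GUID partition table, exactly one visible Mac OS Extended (Apple_HFS) volume,
# a hidden "Recovery HD" (Apple_Boot) partition, and no Apple RAID members.
# Run it before enabling FileVault; once FileVault is on, the volume shows up as
# Apple_CoreStorage instead of Apple_HFS and this check no longer applies.
#
# check_fv_layout TEXT -> prints "ok", or one problem per line; exit status 0 only if ok.
check_fv_layout() {
  printf '%s\n' "$1" | awk '
    $2 == "GUID_partition_scheme"                        { gpt = 1 }
    $2 == "Apple_HFS"                                    { hfs++ }
    $2 == "Apple_Boot" && $3 == "Recovery" && $4 == "HD" { recovery = 1 }
    $2 ~ /^Apple_RAID/                                   { raid = 1 }
    END {
      bad = 0
      if (!gpt)      { print "not a GUID Partition Table disk"; bad = 1 }
      if (hfs == 0)  { print "no Mac OS Extended (Apple_HFS) volume found"; bad = 1 }
      if (hfs > 1)   { print "disk is partitioned into " hfs " visible HFS+ volumes"; bad = 1 }
      if (!recovery) { print "no hidden Recovery HD (Apple_Boot) partition"; bad = 1 }
      if (raid)      { print "disk is a member of an Apple RAID set"; bad = 1 }
      if (!bad) print "ok"
      exit bad
    }'
}

# Constructed sample in the format "diskutil list disk0" prints on Lion (not captured
# from a real machine): the layout FileVault expects.
GOOD_LAYOUT='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Constructed sample of a disk split into two volumes with no Recovery HD: the
# article warns FileVault may let you turn it on and then leave the drive unbootable.
BAD_LAYOUT='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            299.2 GB   disk0s2
   3:                  Apple_HFS Scratch                 200.7 GB   disk0s3'

check_fv_layout "$GOOD_LAYOUT"        # prints: ok
check_fv_layout "$BAD_LAYOUT" || :    # prints two problem lines, exit status 1
```

On a Mac, run check_fv_layout "$(diskutil list disk0)" (substituting your startup disk's identifier) before turning on FileVault; any output other than ok is a reason to fix the layout first.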
FileVault also won't work if all FileVault-authorized users have their home directories residing on volumes other than the startup disk. Such a configuration is fairly technical, and uncommon for a typical Mac user, but it's worth noting. One workaround is to give another, local account—even one created only for this purpose—permission to allow startup under FileVault. Once the Mac has booted, you can then Log Out of that account and into an account that has its home directory on another volume.
But even if you meet all the requirements, some users have reported trouble after enabling FileVault on what appeared to be a properly configured drive. So before turning on FileVault, make a full backup of your drive using Time Machine, Carbon Copy Cloner, SuperDuper, or Disk Utility. (Note that these backups are not themselves encrypted by default, as they're made when your FileVault volume is mounted. To encrypt the backups, you need to separately enable encryption for your Time Machine volume, as described above, or use the instructions in "Encrypting external drives," below, to encrypt the backup volume.) This will be useful if you end up having to wipe the drive, perform a clean Lion install, and then restore your system—a process that, depending on your Mac model, can be quite time-consuming. (At this writing, any Mac that was released with Lion already installed must use Lion Internet Recovery, which downloads an over-600MB recovery disk image, and then downloads the 4GB Lion Installer before the install proceeds. For Macs capable of running Lion but released before June 2011, Dan Frakes offers instructions on making a bootable Lion installer.)
Activating FileVault on a Mac's internal drive
Compared to the above provisos about using FileVault, setting it up is rather simple. As stated earlier, be sure to back up your data before activating FileVault.
Step 1 Open System Preferences, and then click the Security & Privacy pane. Click the FileVault tab, and then click the lock icon at the lower left; enter an administrative username and password when prompted.
Note that if you first enabled FileVault in Snow Leopard or an earlier version of Mac OS X, you get a special dialog pointing out the differences between the old and new FileVault approaches. When you see this dialog, you'll need to make a choice: You can keep using Snow Leopard's home-directory version of FileVault on accounts for which it was already enabled (though you won't be able to turn it on for other accounts), or you can turn off the legacy version of FileVault in order to use FileVault 2 to encrypt your entire drive.
Step 2 Click Turn On FileVault. If you have multiple regular or administrative accounts set up on your Mac, you're prompted to choose which accounts—in addition to the one you're currently logged in to—may unlock the volume's encryption key at startup. (You can go back later to add users to this list, but, strangely, FileVault won't let you remove a user once you've restarted. After that, the only way to prevent a previously authorized user from unlocking the drive is to delete the account or change the user's password.) If your Mac has only a single user account configured, FileVault skips this step.
Step 3 Mac OS X presents you with a 24-character alphanumeric recovery key, which can be used to unlock a FileVault-encrypted disk even if you forget the password for every account authorized to boot up the system. This sounds unlikely, I know, but because the disk is securely scrambled—meaning if you don't have the right key, your data is forever inaccessible—providing this extra measure of help means that you have a way to gain access.
You should write down this recovery key; or copy, paste, and store it somewhere secure. Just be sure you save it in a location other than this computer's drive, so you'll be able to retrieve it should you be locked out of the drive. (Note that if you ever disable FileVault and then enable it again, a new recovery key will be generated.)
Alternatively—or in addition to storing it somewhere yourself—you can opt to have Apple store your recovery key. If you choose to do so, you're prompted to enter the answers to three security questions from a long list of possibilities. Many security experts suggest that you don't provide the correct answers to these questions, because another party with access to your biography, or who pays a person-finder service to create an online dossier, may be able to answer them. That means remembering a set of lies, and that can be harder than the truth, as anyone conducting a double life can tell you. Whatever approach you take, keep track of your precise answers, including spelling and capitalization, because (as explained under "Using a Recovery Key" below) Apple uses them to encrypt the stored key.
Remember, if you forget the passwords to all authorized accounts and lose a record of the recovery key, your data is lost forever. Seriously. It's gone.
Step 4 After noting the recovery key, click Continue, and you're prompted to provide the username and password for one of the accounts authorized for FileVault booting. Before clicking Restart here, make sure no other accounts are logged in under fast-user switching—the next step in this process immediately logs out any other accounts, ignoring any unsaved changes to open files.
Click Restart, and your Mac restarts. You'll be prompted to log in at the FileVault boot screen, which looks much like a regular Mac OS X startup login screen except with a gray background, and only FileVault-authorized accounts are shown.
Once you log in, if you return to the Security & Privacy pane of System Preferences, you'll see that the drive is in the process of being encrypted. (If you prefer Terminal, diskutil cs list reports the same progress as a conversion, as described for external drives below.) The process may take many hours, but you can use your computer even while the bits are being scrambled. Any work you do at this point may or may not be immediately encrypted, depending on whether or not it's on a portion of the volume that's been converted, but once the process is finished, all data will be secure. Note that if you shut down before the entire drive has been encrypted, startup is still restricted, but the drive itself is not fully protected—if the drive were removed, data on the not-yet-encrypted portions could be retrieved by forensics experts or crackers. So it's a good idea to let the process finish.
Life with FileVault
Once FileVault is enabled, you'll want to be aware of a few differences in how your Mac behaves. For example, turning on FileVault disables automatic login, as you might imagine—you don't want your computer booting directly into a user account, as that would defeat the point of encrypting the disk in the first place. Instead, you must log in with any account set up with FileVault access; once you've logged in to any authorized account, you can log out and then log in to any other account, or enable fast-user switching to have multiple accounts in use at once.
Similarly, most theft-recovery software, such as GadgetTrak and Undercover, functions only when your Mac is booted up. So the inability to log in automatically also prevents the use of these products unless your computer is stolen while you are logged in to a user account. That's a tradeoff—you might not be able to track where your machine has gone, but at least its contents are completely useless to whoever stole it.
Turning off FileVault is a simple matter. In the FileVault tab of Security & Privacy preferences, click Turn Off FileVault and then provide the username and password of a FileVault-authorized account. You immediately see a progress bar displaying the decryption status—the system does not even need to restart. (If you restart while decryption is in process, you'll need to use a FileVault-authorized login to start up.) Once FileVault is completely disabled, a restart brings up the normal startup process and login screen.
Locking your Mac, locally or remotely
I noted above that if you want real security, you should get used to shutting down your computer when you're leaving it somewhere. As long as you're not worried about government-grade intrusion, you can use several of OS X's lock features to get around this requirement.
One option is OS X's keychain-status menu, which lets you manually lock your Mac's screen, turning it completely black and requiring your account password to regain access. To enable this menu, launch the Keychain Access utility (in /Applications/Utilities), choose Keychain Access -> Preferences, and then check Show Keychain Status in Menu Bar. Now you can choose the menu's Lock Screen command whenever you walk away.
A similar option is to configure the Security & Privacy pane of System Preferences to require a password immediately after sleep or a screen saver begins. Combine this with a "hot corner" for your screen saver in the Screen Saver tab of Desktop & Screen Saver preferences, and you can lock your screen with a flick of the cursor.
If your computer is booted, and you've forgotten it or had it snatched, Lion offers two more-serious options via iCloud's Find My Mac feature, which requires a free iCloud account. On your Mac, just enable Find My Mac in the iCloud pane of System Preferences (you'll need to log in to your iCloud account here if you haven't already). You can now go to the iCloud.com website from another computer and click Find My iPhone, or launch the Find My iPhone app on any iOS device. (Ignore the name: the service now finds Macs running Lion, as well.)
In Find My iPhone (either the iOS app or on iCloud.com), select your missing device—it appears even if it's not currently connected to the Internet, and any command you select here is triggered the next time the missing device connects to a live global network—in the case of a Mac, to the Internet via Wi-Fi. If you're lucky, the thief (or a helpful person) will try to connect to a Wi-Fi network. (This is one instance in which there's a bit of an upside to not preventing access.)
Your options for a Mac include Remote Lock and Remote Wipe. Remote Lock lets you set a six-digit lock code and, optionally, add a message to appear on the Mac's screen; when the Remote Lock command is received by the Mac, it immediately shuts down and reboots. But instead of rebooting normally, it reboots from the Recovery HD volume; more specifically, it boots into a special passcode interface. Only if you enter the correct lock code will the Mac reboot normally—which, depending on how your Mac was previously configured, means either the FileVault startup screen, the standard login screen, or automatic login.
If you're sure the machine is irrecoverable, or you don't want to take chances, go nuclear with the Remote Wipe option. (Note that once you use the Remote Lock option, you can't later use Remote Wipe. So choose wisely.) You still need to enter a passcode, which locks the machine to a restricted Recovery HD boot after the wipe occurs. If you have FileVault 2 enabled, the remote wipe happens instantly: Lion simply erases the encryption key, which renders all data on the drive gone for good. Without FileVault 2 enabled, the wipe can take hours or longer. If you end up recovering your Mac after a remote wipe, you'll need to enter the passcode you set previously; then you'll be able to re-install OS X Lion from the Recovery HD partition and restore from a backup.
It's probably worth mentioning that someone who steals a FileVault-enabled Mac can never shut down or restart the machine without losing access to the booted machine's startup drive. (Although they probably wouldn't realize this until after shutting down or restarting.) This also means they can't install updates that require a restart, can't let the battery run down to zero, and can't even wipe the hard drive clean and reinstall the OS to get a "working" computer.
The 10.7.2 update to Lion does, however, let someone log in to a FileVault-enabled Mac as a guest, which actually boots into a special Safari-only mode from Recovery HD. This mode doesn't reveal your boot hard drive's contents, or even let you view anything other than a Safari window. (Stay tuned for a separate article that explains how Find My Mac works when booted in this fashion.)
Techniques exist that can extract a key from a running (or merely sleeping) computer, including your drive's encryption key: as long as the volume is unlocked, the key sits in RAM, and an attacker with physical access can try to read it from there. But such attacks are usually restricted to issues of national security or valuable corporate espionage. For most people, the keychain-based lock and Find My Mac will be security enough.
Using a Recovery Key
Apple makes it easy to punch in a recovery key if you can't remember the password to a FileVault-authorized account. In the initial gray boot screen, click on an account and then click the question-mark (?) icon in the password field. This reveals a message reading, "If you forgot your password, you can...reset it using your recovery key." Click the right-pointing triangle, and you can enter the recovery key I discussed above.
What happens if you can't find the recovery key where you stashed it? If you're lucky, you opted to let Apple store a copy. To obtain the recovery key from Apple, you follow the same process above, clicking the ? mark and then the right-pointing arrow. This also reveals two pieces of information: the serial number of your Mac, and a special record number used to track requests. You then call AppleCare in your country—the service isn't available in every country in which Apple operates—and provide this information, as well as the answers to your security questions. Cumbersome, but a great last-resort option.
When you originally entered your security questions, the text noted that spelling counts. That's because Apple uses the information you enter as the exact passphrase to encrypt the recovery key. (And the recovery key is a passphrase for the volume's actual encryption key, just to show how far this nests.) Using your precisely typed entries as an encryption passphrase prevents Apple employees from seeing your recovery key without knowing the answers. (And even if they have the recovery key, they still must gain physical access to your computer to enter the key.)
Encrypting external drives
Although FileVault is designed to encrypt your internal startup volume, OS X does provide ways to encrypt other volumes. Apple doesn't provide as much handholding for these features, but I discuss below two ways to encrypt an external drive; they use the same CoreStorage technology as FileVault. The first, the easiest for encrypting a bare drive—or a drive you can back up, erase, and then restore—uses Disk Utility. The second, your only option for drives with existing data that you don't want to erase and restore, requires the command line (Terminal).
Drives encrypted using either of these procedures are portable—you can connect one to a different Lion system, and the Finder will prompt you to enter a password to mount the disk. You can store that password in the Keychain to automatically mount the drive in the future, or you can opt to enter it for each mount. However, volumes or partitions encrypted using Disk Utility will not be bootable. (For that, you need to use the command line to convert an existing bootable partition.)
I urge you to use these options with caution, because an errant keystroke could cause untold problems. Where I see them as most useful is with directly attached hard drives used for backup, where you would like to rotate through backup drives, or where you want to be sure that your backups are well-protected when the system is powered down.
Also note that regardless of which method you use—Disk Utility or the command line—once you encrypt a drive, or any partition on a drive, Disk Utility can no longer be used to change the size of that drive's partitions or perform other operations normally available. For those operations, you must turn to the command line (more on that below).
Encrypting an empty, single-partition drive with Disk Utility
Using Disk Utility (in /Applications/Utilities), you can either set up an entire drive with a single partition, or you can encrypt individual partitions, each with a unique password. Remember, this erases the drive, so if there's data on it, be sure to back up that data elsewhere first. To encrypt an entire single-partition drive:
Step 1 Select the drive in Disk Utility's left-hand list. Be sure to select the item named with the storage size—1 TB CalDigit in our screenshot here—and then click the Erase tab. Choose Mac OS Extended (Journaled, Encrypted) from the Format popup menu.
Step 2 This step erases all your data, in case you need a reminder. Click the Erase button, and you're prompted to enter a password and verify it; you're also given the option to enter a password hint.
In the password dialog, you can click the key icon to bring up OS X's Password Assistant, which helps you choose a strong password. (Make sure to write it down or otherwise record it—if you forget it, the drive's data is irretrievable!) Click Erase to finish the job.
Encrypt multiple empty partitions with Disk Utility
If you'd like to encrypt a drive with individual partitions, follow these steps; remember to back up any data on the drive first, as this procedure erases it completely:
Step 1 Select the drive—named with the storage size—in Disk Utility's left-hand list. If the drive isn't already formatted as Mac OS Extended (Journaled), first erase it, choosing the Mac OS Extended (Journaled) format. Don't choose the Encrypted option in the format pop-up menu here—that comes later.
Step 2 If partitions aren’t already set up, click the Partition tab. From the Partition Layout pop-up menu, choose the number of partitions; then use the options on the screen to choose the sizes of the partitions. Click Apply.
Step 3 Select a partition—one of the volumes listed below the main drive in Disk Utility's volume list—you want to encrypt. Click the Erase tab, and then select Mac OS Extended (Journaled, Encrypted) from the Format pop-up menu. Click the Erase button, provide a password for the volume, and then click Erase to encrypt the partition.
An important security note when using a partitioned drive: Once you've entered the password for one partition to mount it, that password is cached as long as any partition on the drive remains mounted. This means anyone at the keyboard can mount one of the drive's other encrypted partitions without being asked for its password. You must unmount all partitions—eject the entire disk, as it were—to ensure that OS X requires a password again for each partition.
Encrypt existing partitions using the command line
If you want to enable encryption on a drive or partition that currently contains data, and you don't want to reformat the volume(s) and restore that data from a backup, you'll need to use Terminal. You should, of course, still back up your data before you proceed, just in case.
Step 1 Launch Terminal (in /Applications/Utilities). The command you'll be using to create or change encrypted external disks is called diskutil. Type diskutil list and press Return to see which disks are attached and how each is labeled by the system. Lion's CoreStorage technology, which handles disk encryption, works only with volumes formatted as Mac OS Extended (Journaled)—that's journaled HFS+ for the technically minded—on a drive that uses the GUID Partition Table scheme. (After conversion, diskutil list shows the partition's type as Apple_CoreStorage rather than Apple_HFS; the journaled HFS+ file system lives inside it as a CoreStorage logical volume with its own disk identifier.)
Step 2 Locate the volume you want to encrypt, and look at the Identifier column; a partition usually appears there as diskNsM, such as disk4s2. You'll use that identifier—I'm going to use disk4 in my examples here—in your commands. To add encryption, you use a CoreStorage command that can be abbreviated after diskutil as simply cs. Be sure the volume has no files in use (it must be unmounted to complete the operation), and type the following command, where PASSWORD is your desired passphrase for the encrypted volume:
diskutil cs convert disk4 -passphrase PASSWORD
Alternatively, you can type -stdinpassphrase in place of -passphrase PASSWORD; after you press Return, you're prompted to enter the passphrase on a separate line. This is the better habit: a passphrase typed as part of the command is saved in your shell's history file and is visible to anyone who lists running processes while diskutil is working, whereas -stdinpassphrase keeps it off the command line entirely. (I recommend a strong password with only letters and numbers—I used 1Password to generate jdeS6DG4kE8Zzfa—because the command line has difficulty with some punctuation: the shell interprets characters such as $, !, and quotes unless the passphrase is quoted, another problem -stdinpassphrase sidesteps.) This passphrase is used to unlock the disk's much stronger encryption key and thus gain access to the disk's contents.
Step 3 Terminal will show primitive animation as the drive's partitions are modified and the drive is readied for remounting. On completion, you're prompted for your passphrase to mount the volume in the Finder. You can opt to check the box to store the key in the Keychain, but you may want to decline for security's sake—that way, if both your computer and the unmounted drive are absconded with, the drive's contents remain safe even if the Mac is booted up. The drive remains mounted while it's encrypted.
To see the status of encryption (noted as conversion), enter diskutil cs list and press Return. Look for the indented line that begins with your disk identifier: below a Disk: label, you'll find a line that says Size (Total), with the next reading Size (Converted). When the Total and Converted numbers match, the whole disk has been encrypted.
If you later want to remove the encryption from a volume that you encrypted using the command line, you can decrypt the drive with a corresponding command. Enter the following command followed by a Return; type the volume's passphrase when prompted:
diskutil cs revert disk4
After entering the passphrase, the volume is decrypted, but remains mounted as the decryption operation happens in the background. You can type diskutil cs list followed by Return to view the status of decryption, noted as simply conversion. (Note that on a drive set up with multiple partitions, if you encrypted one or more of those partitions using Disk Utility, you can't decrypt those partitions using the command line—you must use Disk Utility to remove encryption by erasing the partition completely.)
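The whole command-line procedure above, from prompting for the passphrase to watching the conversion, as an added example that is not part of the original article. The function names are inventions for this page, and the diskutil cs list transcript embedded at the end is constructed to match Lion's layout rather than captured from a real drive; diskutil cs convert, -stdinpassphrase and diskutil cs list are the real commands the article describes. The passphrase is piped to diskutil rather than typed on the command line, so it never lands in your shell history or in ps output, and the progress function reads the Size (Total) and Size (Converted) lines the article points to. Because FileVault uses the same CoreStorage machinery, the progress function also works for the internal startup volume once you know its logical volume identifier from the Disk: line.

```shell
#!/bin/sh
# Added example, not code from the article: encrypt an external volume in place with
# diskutil cs convert, feeding the passphrase on stdin, then watch the conversion
# with diskutil cs list. Function names are assumptions for this page; the sample
# "diskutil cs list" output near the end is constructed, not captured from a real Mac.

# read_passphrase LABEL : prompt with echo off and write the passphrase (no trailing
# newline) to stdout, so it can be piped straight into diskutil.
read_passphrase() {
  printf 'Passphrase for %s: ' "$1" >&2
  stty -echo 2>/dev/null || :      # harmless when stdin is not a terminal
  IFS= read -r pass
  stty echo 2>/dev/null || :
  printf '\n' >&2
  printf '%s' "$pass"
}

# encrypt_volume disk4s2 : convert a journaled HFS+ volume on a GPT disk.
# -stdinpassphrase keeps the passphrase out of `ps` output and shell history, and
# the shell never gets a chance to interpret punctuation in it.
encrypt_volume() {
  read_passphrase "$1" | diskutil cs convert "$1" -stdinpassphrase
}

# cs_conversion_percent TEXT LVID : given the text of `diskutil cs list` and a
# Logical Volume identifier (the value on the "Disk:" line under "Logical Volume";
# it is not the same identifier as the physical partition), print how far
# Size (Converted) has got towards Size (Total), as a whole percentage.
# Exit status 1 if no logical volume with that identifier carries those lines.
cs_conversion_percent() {
  printf '%s\n' "$1" | awk -v id="$2" '
    NF >= 2 && $(NF-1) == "Disk:"                     { cur = $NF }
    cur == id && $1 == "Size" && $2 == "(Total):"     { total = $3 }
    cur == id && $1 == "Size" && $2 == "(Converted):" { conv  = $3 }
    END {
      if (total == "" || total == 0) exit 1
      printf "%d\n", (conv * 100) / total
    }'
}

# wait_for_conversion disk5 : poll once a minute until Converted equals Total,
# which is the "numbers match" test the article gives for a fully encrypted disk.
wait_for_conversion() {
  while :; do
    pct=$(cs_conversion_percent "$(diskutil cs list)" "$1") || return 1
    printf '%s: %s%% converted\n' "$1" "$pct"
    if [ "$pct" -ge 100 ]; then return 0; fi
    sleep 60
  done
}

# Constructed sample (not from a real machine): a 999.5 GB logical volume one quarter
# of the way through encryption. The physical partition is disk4s2; the logical
# volume that carries the Size (Total)/(Converted) lines is disk5.
CS_LIST_SAMPLE='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 1AAAAAAA-0000-0000-0000-000000000001
    =========================================================
    Name:         Backup
    Size:         999860912128 B (999.9 GB)
    |
    +-< Physical Volume 2BBBBBBB-0000-0000-0000-000000000002
    |   ----------------------------------------------------
    |   Disk:     disk4s2
    |   Status:   Online
    |   Size:     999860912128 B (999.9 GB)
    |
    +-> Logical Volume Family 3CCCCCCC-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        |
        +-> Logical Volume 4DDDDDDD-0000-0000-0000-000000000004
            ---------------------------------------------------
            Disk:                  disk5
            Status:                Online
            Size (Total):          999525613568 B (999.5 GB)
            Size (Converted):      249881403392 B (249.9 GB)
            Volume Name:           Backup'

cs_conversion_percent "$CS_LIST_SAMPLE" disk5    # prints 25
```

On a Mac, run encrypt_volume with the partition identifier from diskutil list (disk4s2 in the sample), then look in diskutil cs list for the new logical volume's Disk: line and pass that identifier to wait_for_conversion. Asking for progress by the physical partition's identifier fails on purpose, since the Size (Total) and Size (Converted) lines belong to the logical volume.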
FileVault 2 can provide the necessary level of security to ensure your data isn't hijacked when a computer is lost or stolen, but it has to be used with other measures to ensure that you aren't still exposing yourself to risk.
Lion and iCloud's Find My Mac feature provides a neat backstop in the case of a theft or loss, letting you easily lock or wipe a system to render it useless to the party in possession of the Mac—assuming the Mac connects to the Internet at some point after you issue the remote wipe or lock command.
The biggest risk in using FileVault is being too clever for your own good and forgetting how to unlock the secrets you've cached away.
Updated 10/21/2011, 1:50pm, to note that backups of encrypted volumes are not themselves encrypted; that Disk Utility cannot create bootable encrypted partitions; and that OS X 10.7.2 added a guest-login option to FileVault-enabled startup drives. Updated 11/7/2011 to note that FileVault 2 doesn't currently allow you to remove an authorized user once added.
[Glenn Fleishman, a senior contributor to Macworld, learned binary math at a young age. He writes weekly for the Economist magazine's Babbage blog, and his most recent book is Take Control of Your 802.11n AirPort Network, updated for Lion.]