Complete guide to FileVault 2 in Lion
Encrypting external drives
Although FileVault is designed to encrypt your internal startup volume, OS X does provide ways to encrypt other volumes. Apple doesn't provide as much handholding for these features, but I discuss below two ways to encrypt an external drive; they use the same CoreStorage technology as FileVault. The first, the easiest for encrypting a bare drive—or a drive you can back up, erase, and then restore—uses Disk Utility. The second, your only option for drives with existing data that you don't want to erase and restore, requires the command line (Terminal).
Drives encrypted using either of these procedures are portable—you can connect one to a different Lion system, and the Finder will prompt you to enter a password to mount the disk. You can store that password in the Keychain to automatically mount the drive in the future, or you can opt to enter it for each mount. However, volumes or partitions encrypted using Disk Utility will not be bootable. (For that, you need to use the command line to convert an existing bootable partition.)
I urge you to use these options with caution, because an errant keystroke could cause untold problems. Where I see them as most useful is with directly attached hard drives used for backup, where you would like to rotate through backup drives, or where you want to be sure that your backups are well-protected when the system is powered down.
Also note that regardless of which method you use—Disk Utility or the command line—once you encrypt a drive, or any partition on a drive, Disk Utility can no longer be used to change the size of that drive's partitions or perform other operations normally available. For those operations, you must turn to the command line (more on that below).
Encrypting an empty, single-partition drive with Disk Utility
Using Disk Utility (in /Applications/Utilities), you can either set up an entire drive with a single partition, or you can encrypt individual partitions, each with a unique password. Remember, this erases the drive, so if there's data on it, be sure to back up that data elsewhere first. To encrypt an entire single-partition drive:
Step 1 Select the drive in Disk Utility's left-hand list. Be sure to select the item named with the storage size—1 TB CalDigit in our screenshot here—and then click the Erase tab. Choose Mac OS Extended (Journaled, Encrypted) from the Format popup menu.
Step 2 This step erases all your data, in case you need a reminder. Click the Erase button, and you're prompted to enter a password and verify it; you're also given the option to enter a password hint.
In the password dialog, you can click the key icon to bring up OS X's Password Assistant, which helps you choose a strong password. (Make sure to write it down or otherwise record it—if you forget it, the drive's data is irretrievable!) Click Erase to finish the job.
Encrypt multiple empty partitions with Disk Utility
If you'd like to encrypt a drive with individual partitions, follow these steps; remember to back up any data on the drive first, as this procedure erases it completely:
Step 1 Select the drive—named with the storage size—in Disk Utility's left-hand list. If the drive isn't already formatted as Mac OS Extended (Journaled), first erase it, choosing the Mac OS Extended (Journaled) format. Don't choose the Encrypted option in the Format pop-up menu here—that comes later.
Step 2 If partitions aren’t already set up, click the Partition tab. From the Partition Layout pop-up menu, choose the number of partitions; then use the options on the screen to choose the sizes of the partitions. Click Apply.
Step 3 Select a partition—one of the volumes listed below the main drive in Disk Utility's volume list—you want to encrypt. Click the Erase tab, and then select Mac OS Extended (Journaled, Encrypted) from the Format pop-up menu. Click the Erase button, provide a password for the volume, and then click Erase to encrypt the partition.
An important security note when using a partitioned drive: Once you've entered the password for a partition to mount it, that password is cached as long as any partition on the drive remains mounted. This means anyone could access an unmounted partition without needing to enter its password. You must unmount all partitions—eject the entire disk, as it were—to ensure that OS X requires a password again for each partition.
Encrypt existing partitions using the command line
If you want to enable encryption on a drive or partition that currently contains data, and you don't want to reformat the volume(s) and restore that data from a backup, you'll need to use Terminal. You should, of course, still back up your data before you proceed, just in case.
Step 1 Launch Terminal (in /Applications/Utilities). The command you'll be using to create or change encrypted external disks is called diskutil. Type diskutil list and press Return to see which disks are mounted and how each is labeled by the system. Lion's CoreStorage technology, which handles disk encryption, works only with drives formatted as Mac OS Extended (Journaled)—that's journaled HFS+ for the technically minded—with the GUID Partition Table scheme. (The partition is changed to another format after encryption.)
Step 2 Locate the volume you want to encrypt, and look at the Identifier column; you'll use that identifier—I'm going to use disk4 in my examples here—in your commands. To add encryption, you use a CoreStorage command that can be abbreviated after diskutil as simply cs. Be sure the volume has no files in use (it must be unmounted to complete the operation), and type the following command, where PASSWORD is your desired passphrase for the encrypted volume:
diskutil cs convert disk4 -passphrase PASSWORD
Alternatively, you could type -stdinpassphrase instead of -passphrase PASSWORD; after you press Return, you're prompted to enter the passphrase on a separate line. (I recommend a strong password with only letters and numbers—I used 1Password to generate jdeS6DG4kE8Zzfa—because the command line has difficulty with some punctuation.) This passphrase is used to unlock the disk's much stronger encryption key and thus gain access to the disk's contents.
Step 3 Terminal will show primitive animation as the drive's partitions are modified and the drive is readied for remounting. On completion, you're prompted for your passphrase to mount the volume in the Finder. You can opt to check the box to store the key in the Keychain, but you may want to decline for security's sake—that way, if both your computer and the unmounted drive are absconded with, the drive's contents remain safe even if the Mac is booted up. The drive remains mounted while it's encrypted.
To see the status of encryption (noted as conversion), enter diskutil cs list and press Return. Look for the indented line that begins with your disk identifier: below a Disk: label, you'll find a line that says Size (Total), with the next reading Size (Converted). When the Total and Converted numbers match, the whole disk has been encrypted.
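The command-line procedure above (convert the volume, then poll diskutil cs list until Size (Converted) catches up with Size (Total)) as an added shell example; this is not code from the article or from Apple. It assumes a Lion-or-later Mac for the diskutil and mount calls; the function names, and the abbreviated diskutil cs list sample at the bottom (its UUIDs and byte counts are constructed), are the example's own. It uses the -stdinpassphrase form the article mentions as the alternative, so the passphrase is read from the terminal instead of being typed into a command that ends up in shell history and the process list.

```shell
#!/bin/sh
# Added example (not from the article): wrappers around `diskutil cs` that
# add the checks an errant keystroke would otherwise skip, plus a parser for
# `diskutil cs list` that reports how far the encryption (conversion) has got.
# Assumptions: the diskutil and mount calls need a Lion-or-later Mac; the
# parsing functions take the listing text as an argument, so they also run
# against the constructed sample at the bottom on any POSIX shell.

# Accept only a bare identifier of the form diskN or diskNsM, so a stray
# space, path or extra argument never reaches a command that rewrites
# partitions.
valid_disk_id() {
    printf '%s\n' "$1" | grep -Eq '^disk[0-9]+(s[0-9]+)?$'
}

# Print "<converted-bytes> <total-bytes>" for the logical volume whose
# "Disk:" line names $1, reading the listing text from $2. Fails when no
# "Size (Total)" line follows that identifier.
cs_sizes() {
    printf '%s\n' "$2" | awk -v id="$1" '
        { sub(/^[ |+<>=-]*/, "") }             # drop the tree-drawing prefix
        $1 == "Disk:" { inblock = ($2 == id) } # enter/leave the wanted block
        inblock && $1 == "Size" && $2 == "(Total):"     { total = $3 }
        inblock && $1 == "Size" && $2 == "(Converted):" { conv  = $3 }
        END { if (total == "") exit 1; print conv, total }'
}

# Report conversion progress for one logical volume. With one argument the
# listing comes from `diskutil cs list`; a second argument supplies it directly.
cs_progress() {
    ident="$1"
    if [ $# -ge 2 ]; then listing="$2"; else listing=$(diskutil cs list) || return 1; fi
    sizes=$(cs_sizes "$ident" "$listing") || {
        echo "no Size (Total) line found for $ident" >&2; return 1; }
    conv=${sizes%% *}
    total=${sizes##* }
    if [ "$conv" = "$total" ]; then
        echo "$ident: conversion complete (100%)"
    else
        # awk does the arithmetic: byte counts exceed a 32-bit shell integer
        pct=$(awk -v c="$conv" -v t="$total" 'BEGIN { printf "%d", c * 100 / t }')
        echo "$ident: $pct% converted"
    fi
}

# Encrypt an existing volume in place (the article's `diskutil cs convert`).
# Refuses malformed identifiers and mounted volumes, and feeds the passphrase
# on stdin (-stdinpassphrase) so it does not land in shell history or in the
# process list the way `-passphrase PASSWORD` does.
cs_convert_checked() {
    ident="$1"
    valid_disk_id "$ident" || { echo "refusing: '$ident' is not diskN or diskNsM" >&2; return 1; }
    if mount | grep -Eq "^/dev/$ident(s[0-9]+)? on "; then
        echo "refusing: $ident (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    printf 'Passphrase for %s: ' "$ident" >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo >&2
    printf '%s\n' "$pass" | diskutil cs convert "$ident" -stdinpassphrase
}

# Constructed, abbreviated sample of `diskutil cs list` output; the UUIDs and
# sizes are made up. The physical volume is disk4s2, the logical volume disk5.
SAMPLE_LISTING=$(cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000000
    =========================================================
    Name:         Backup
    Size:         999860912128 B (999.9 GB)
    |
    +-< Physical Volume 11111111-1111-1111-1111-111111111111
    |   ----------------------------------------------------
    |   Disk:     disk4s2
    |   Size:     999860912128 B (999.9 GB)
    |
    +-> Logical Volume Family 22222222-2222-2222-2222-222222222222
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        |
        +-> Logical Volume 33333333-3333-3333-3333-333333333333
            ---------------------------------------------------
            Disk:                  disk5
            Size (Total):          999500001280 B (999.5 GB)
            Size (Converted):      123456789000 B (123.5 GB)
            Volume Name:           Backup
EOF
)

# The same listing with conversion finished.
SAMPLE_DONE=$(printf '%s\n' "$SAMPLE_LISTING" |
    sed 's/123456789000 B (123.5 GB)/999500001280 B (999.5 GB)/; s/Converting/Complete/')

cs_progress disk5 "$SAMPLE_LISTING"   # disk5: 12% converted
cs_progress disk5 "$SAMPLE_DONE"      # disk5: conversion complete (100%)
```

On a real system, run cs_convert_checked disk4 after ejecting the volume in the Finder, then call cs_progress disk5 (with no second argument) every few minutes until it reports completion; the logical volume identifier differs from the physical one, which is why the parser keys on the Disk: line rather than on position.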
If you later want to remove the encryption from a volume that you encrypted using the command line, you can decrypt the drive with a corresponding command. Enter the following command followed by a Return; type the volume's passphrase when prompted:
diskutil cs revert disk4
After entering the passphrase, the volume is decrypted, but remains mounted as the decryption operation happens in the background. You can type diskutil cs list followed by Return to view the status of decryption, noted as simply conversion. (Note that on a drive set up with multiple partitions, if you encrypted one or more of those partitions using Disk Utility, you can't decrypt those partitions using the command line—you must use Disk Utility to remove encryption by erasing the partition completely.)
FileVault 2 can provide the necessary level of security to ensure your data isn't hijacked when a computer is lost or stolen, but it has to be used with other measures to ensure that you aren't still exposing yourself to risk.
Lion and iCloud's Find My Mac feature provides a neat backstop in the case of a theft or loss, letting you easily lock or wipe a system to render it useless to the party in possession of the Mac—assuming the Mac connects to the Internet at some point after you issue the remote wipe or lock command.
The only risk in using FileVault is being too clever for your own good and forgetting how to unlock the secrets you've cached away.
Updated 10/21/2011, 1:50pm, to note that backups of encrypted volumes are not themselves encrypted; that Disk Utility cannot create bootable encrypted partitions; and that OS X 10.7.2 added a guest-login option to FileVault-enabled startup drives. Updated 11/7/2011 to note that FileVault 2 doesn't currently allow you to remove an authorized user once added.
[Glenn Fleishman, a senior contributor to Macworld, learned binary math at a young age. He writes weekly for the Economist magazine's Babbage blog, and his most recent book is Take Control of Your 802.11n AirPort Network, updated for Lion.]