How to Set Up and Use FileVault 2

There are a number of different ways to keep unwanted people out of your Mac and to keep your files encrypted. In this tutorial, we’ll be discussing the king of Mac encryption, FileVault 2.

What is FileVault?

FileVault was a method of automatically encrypting your data that Apple introduced back with OS X 10.3 (Panther). It worked by encrypting and decrypting the user’s home folder. When you logged out of your Mac, OS X would encrypt the contents of your home folder to what’s called a “sparse image” - an encrypted disk image that only took up the space it needed to. A limitation of traditional disk images - DMGs - is that they have to have a specified file size. Since you can’t predict how much space you’ll use, sparse images are used instead.

FileVault was created specifically for users of portable Macs that hold sensitive information. FileVault doesn’t protect against poor passwords or leaving your computer unattended - it’s designed to make sure that if your portable Mac is lost or stolen, the contents of the drive remain private.

FileVault was probably the scariest of all the System Preferences. Thankfully, FileVault 2 is much friendlier.

VileFault

Historically, FileVault was slow, clunky and unreliable. For starters, it would only encrypt home directories - the rest of the Mac was unencrypted.

FileVault was also notoriously unreliable (coining the term “VileFault”) and if your Mac experienced some problems (such as installation issues) then it was more likely that your home folder would no longer decrypt. If you had a lot of data on a fairly old Mac, you could be waiting a long time for your Mac to log in and out. Many users would become impatient and just power the Mac off while it was logging out (and encrypting), hence damaging the sparse bundle and destroying FileVault.

Worse still, although “compatible” with FileVault, Time Machine could only back up the sparse bundle once you were logged out. Since Time Machine didn’t support disk encryption, it would not back up data while you were logged in (since that would defeat the purpose of encryption in the first place).

FileVault would allow the user to (optionally) set a master password. Making it optional was, in hindsight, a monumentally bad idea. If you forgot your password and didn’t have a master password set (or forgot that too), you lost your data. There was no way to get it back.

FileVault was one of the only features of OS X I actively encouraged people not to use. Until now.

FileVault 2

With the introduction of Lion, Apple completely overhauled FileVault and even made it a sequel - FileVault 2! FileVault 2 operates completely differently from FileVault. It also encrypts the entire hard disk.

Unlike before, where FileVault-encrypted data could be corrupted in some way, FileVault 2 manages encryption and decryption in a different way. All username and password information is stored in a dedicated portion of the hard drive that’s unencrypted (but the data itself is protected). Instead of the usual OS X login window appearing after your Mac has booted, the login window is the first thing you see. Your Mac requires your password before it can boot. Only once you’ve logged in and your Mac has verified that your password is correct does it boot. You won’t see the login window again; the first one takes care of that for you.

Tip: How exactly FileVault 2 encrypts and decrypts your data goes way beyond the scope of this tutorial but a great guide over at AFP548 shows in detail how the encryption works.

The beauty of FileVault 2 is that there is no overhead or performance compromise. I have been using FileVault 2 since I got my MacBook Air a few months ago and have two USB hard drives that are both encrypted. Overkill? Probably. But since it has no effect on performance or reliability, I’ve been happily using it.

How to Turn On FileVault 2

Before we begin: FileVault 2 requires Lion or Mountain Lion, and your Mac’s recovery system must be unchanged. If you’ve removed it, you won’t be able to use FileVault 2.

  1. Open System Preferences and select Security and Privacy.
  2. Select FileVault and then click Turn On FileVault

If you have multiple users, you can specify which users will be allowed to decrypt the disk. Let’s say you have two users on your Mac: you could be the one who logs in and decrypts the disk, while the other user can only log in once you’ve already logged in.

You can specify which users will be allowed to decrypt the disk when booting your Mac

Once you’ve entered your password and confirmed, you are presented with FileVault 2’s version of the master password - called the recovery key. This is absolutely crucial to keep safe, so crucial that Apple even offers to store it on their servers so that in the event you lose or misplace it, you can contact Apple to access your drive.

The recovery key is provided if you forget your password. Keep it secret, keep it safe!

Tip: I recommend storing your recovery key in an app such as 1Password, which encrypts its data, as long as you are able to access it through another computer or iOS device. Remember, storing this key on your computer is pointless if you can’t log in!

Unless your company has a strict policy on the storage of encryption keys, it’s recommended to allow Apple to store it. They can’t decrypt it remotely and require a number of security questions and answers to be created by you. It’s not attached to any Apple ID or iCloud account.

You can store the recovery key with Apple...
...but you’ll need to specify three security questions and answers.

Tip: As with many security questions (such as name of your first pet) it’s actually better security to provide fake answers only you will know since a lot of this information can sometimes be easily found. Again, make sure they’re answers you’ll remember but there’s nothing wrong with saying your mother’s maiden name was Skywalker or Calrissian!

Activating FileVault 2

Once you’ve completed the setup, you will need to restart your Mac. It can take some time to encrypt the disk so make sure your Mac is plugged in to the mains if it’s a portable.

Once you’ve set up FileVault, make sure you’re not going to need your Mac for a while, it can take some time to complete.

Tip: For best results, make FileVault 2 the first thing you enable when buying a new Mac.
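
Because the initial encryption takes a while, it is worth confirming that it actually finished before relying on it. The script below is an added example, not part of the original tutorial: it classifies the text printed by the fdesetup status command, which ships with Mountain Lion and later (not Lion). The status wording it matches is an assumption, and the sample outputs are constructed rather than captured from a real Mac.

```shell
#!/bin/sh
# Added example: classify FileVault 2 state from `fdesetup status` text.
# Assumption: the status wording matched below; sample strings are constructed.

# fv_state TEXT -> prints on, off, encrypting:<pct>, decrypting:<pct> or unknown
fv_state() {
    text=$1
    # Pull the progress figure, if any, from the "Percent completed" line.
    pct=$(printf '%s\n' "$text" |
        sed -n 's/.*Percent completed = \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    # Progress lines take priority: a disk that is still converting is
    # not yet fully encrypted, even if FileVault is reported as "On".
    case $text in
        *"Encryption in progress"*) echo "encrypting:${pct:-?}" ;;
        *"Decryption in progress"*) echo "decrypting:${pct:-?}" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# fv_compliant TEXT -> exit status 0 only when encryption has completed
fv_compliant() {
    [ "$(fv_state "$1")" = "on" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENC='FileVault is On.
Encryption in progress: Percent completed = 38'
SAMPLE_DEC='FileVault is Off.
Decryption in progress: Percent completed = 71'

# On a Mac with fdesetup, report the live state; elsewhere, show the samples.
if command -v fdesetup >/dev/null 2>&1; then
    echo "live: $(fv_state "$(fdesetup status 2>&1)")"
else
    for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_ENC" "$SAMPLE_DEC"; do
        echo "sample: $(fv_state "$s")"
    done
fi
```

A result of "encrypting" means part of the disk is still unencrypted, so the Mac should stay plugged in until the state reads "on".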

Disabling FileVault 2

If you want to disable FileVault 2, you can do so again through System Preferences and Security and Privacy. Once you’ve confirmed with your password, your Mac will decrypt your hard drive.

You can disable FileVault 2 at any time

Time Machine

Along with FileVault 2, Lion also introduced encrypted Time Machine backups. This works in a similar (but simpler) way to FileVault 2.

  1. Open System Preferences and then select Time Machine
  2. Click Select Disk…
  3. From there, select the drive you’d like to use and tick Encrypt Disk
Time Machine lets you encrypt any external drive for Time Machine use, making sure your backup is as protected as your Mac

Time Machine will then prompt you to enter a password to encrypt the disk with. Once confirmed, it will begin encrypting the hard drive and set up a Time Machine backup.

Time Machine can also take a long time to encrypt the drive depending on speed and size

Tip: Time Machine encryption is actually just a way of creating an encrypted disk. You can encrypt any external hard drive through Disk Utility.

Wrapping Up

As more and more of us switch to portable Macs instead of desktop units, we’re more inclined to take them out of the house. This means an increase in the chance of loss or theft. FileVault 2 will make sure that no one can access the data should it fall into the wrong hands.

But remember, all that protection is nothing if you set your password to something easy to guess or figure out. At the end of the day, the weakest link in any security system is human interaction. Some of the greatest hacks weren’t performed by figuring out ways to bypass security systems but through educated guessing and social engineering - manipulating someone into handing over the correct information. Make sure your password is a mixture of upper and lower case, numbers and symbols. Memorize it, but don’t use something memorable.

Tip: Apple has a full support document on FileVault 2 for further information.

FileVault 2 is a completely transparent and no-overhead encryption solution. It works so well that I’d recommend anyone to use it as long as they make sure they encrypt their Time Machine backups too.

Do you use FileVault 2? How have you found it? As always, we’d love to hear from our readers so post a comment!
