How to Set Up and Use FileVault 2
There are a number of different ways to keep unwanted people out of your Mac as well as your files encrypted. In this tutorial, we’ll be discussing the king of Mac encryption, FileVault 2.
What is FileVault?
FileVault was a method of automatically encrypting your data that Apple introduced back with OS X 10.3 (Panther). It worked by encrypting and decrypting the user’s home folder. When you logged out of your Mac, OS X would encrypt the contents of your home folder to what’s called a “sparse image” - an encrypted disk image that only took up the space it needed to. A limitation of traditional disk images - DMGs - is that they have to have a specified file size. Since you can’t predict how much space you’ll use, sparse images are used instead.
FileVault was created specifically for portable Mac users where sensitive information was being kept. FileVault doesn’t protect against poor passwords or leaving your computer unattended - it’s designed to make sure that if your portable Mac was to be lost or stolen, the contents of the drive remain private.
FileVault was probably the scariest of all the System Preferences. Thankfully, FileVault 2 is much friendlier.
Historically, FileVault was slow, clunky and unreliable. For starters, it would only encrypt home directories - the rest of the Mac was unencrypted.
FileVault was also notoriously unreliable (coining the term “VileFault”) and if your Mac experienced some problems (such as installation issues) then it was more likely that your home folder would no longer decrypt. If you had a lot of data on a fairly old Mac, you could be waiting a long time for your Mac to log in and out. Many users would become impatient and just power the Mac off while it was logging out (and encrypting), hence damaging the sparse bundle and destroying FileVault.
Worse still, although “compatible” with FileVault, Time Machine could only back up the sparse bundle once you were logged out. Since Time Machine didn’t support disk encryption, it would not backup data while you were logged in (since it would defeat the purpose of encryption in the first place).
FileVault would allow the user to (optionally) set a master password. Making it optional was, in hindsight, a monumentally bad idea. If you forgot your password and didn’t have a master password set (or forgot that to), you lost your data. There was no way to get that back.
FileVault was one of the only features of OS X I actively encouraged people not to use. Until now.
With the introduction of Lion, Apple completely overhauled FileVault and even made it a sequel - FileVault 2! FileVault 2 operates completely differently from FileVault. It also encrypts the entire hard disk.
FileVault was created specifically for portable Mac users where sensitive information was being kept. FileVault doesn’t protect against poor passwords or leaving your computer unattended.
Unlike before where FileVault encrypted data could be corrupted in some way, FileVault 2 manages encryption and decryption in a different way. All username and password information is stored in a dedicated portion of the hard drive that’s unencrypted (but the data itself is protected). Instead of the usual OS X login window after your Mac is booted, the login window is the first thing you see. Your Mac requires your password before it can boot. Once you’ve logged in and your Mac verifies your password is correct, only then does your Mac boot. You won’t see the login window again, the first one takes care of that for you.
Tip: How exactly FileVault 2 encrypts and decrypts your data goes way beyond the scope of this tutorial but a great guide over at AFP548 shows in detail how the encryption works.
The beauty of FileVault 2 is that there is no overhead or performance compromise. I have been using FileVault 2 since I got my MacBook Air a few months ago and have two USB hard drives that are both encrypted. Overkill? Probably. But since it has no affect on the performance or reliability, I’ve been happily using it.
How to Enable Turn FileVault 2
Before we begin, FileVault 2 requires Lion or Mountain Lion and you must have your recovery system unchanged. If you’ve removed it, you won’t be able to use FileVault 2.
- Open System Preferences and select Security and Privacy.
- Select FileVault and then click Turn On FileVault
If you have multiple users, you can specify which users will be allowed to decrypt the disk. Let’s say you have 2 users on your Mac, you could be the one that logs in and decrypts but the other user can only login once you’ve logged in already.
You can specify which users will be allowed to decrypt the disk when booting your Mac
Once you’ve entered your password and confirmed, you are presented with FileVault 2’s version of the master password - called the recovery key. This is absolutely crucial to keep safe, so crucial that Apple even offers to store it on their servers so that in the event you lose or misplace it, you can contact Apple to access your drive.
The recovery key is provided if you forget your password. Keep it secret, keep it safe!
Tip: I recommend storing your recovery key in an app such as 1Password which encrypts data as long as you are able to access it through another computer or iOS device. Remember, storing this key on your computer is pointless if you can’t log in!
Unless your company has a strict policy on the storage of encryption keys, it’s recommended to allow Apple to store it. They can’t decrypt it remotely and require a number of security questions and answers to be created by you. It’s not attached to any Apple ID or iCloud account.
You can store the recovery key with Apple...
...but you’ll need to specify three security questions and answers.
Tip: As with many security questions (such as name of your first pet) it’s actually better security to provide fake answers only you will know since a lot of this information can sometimes be easily found. Again, make sure they’re answers you’ll remember but there’s nothing wrong with saying your mother’s maiden name was Skywalker or Calrissian!
Activating FileVault 2
Once you’ve completed the setup, you will need to restart your Mac. It can take some time to encrypt the disk so make sure your Mac is plugged in to the mains if it’s a portable.
Once you’ve set up FileVault, make sure you’re not going to need your Mac for a while, it can take some time to complete.
Tip: For best results, make FileVault 2 the first thing you enable when buying a new Mac.
Disabling FileVault 2
If you want to disable FileVault 2, you can do so again through System Preferences and Security and Privacy. Once you’ve confirmed with your password, your Mac will decrypt your hard drive.
You can disable FileVault 2 at any time
Along with FileVault 2, Lion also introduced encrypted Time Machine backups. This works in a similar (but simpler way) to FileVault 2.
- Open System Preferences and then select Time Machine
- Click Select Disk…
- From there, select the drive you’d like to use and tick Encrypt Disk
Time Machine lets you encrypt any external drive for Time Machine use, making sure your backup is as protected as your Mac
Time Machine will then prompt you to enter a password to encrypt the disk with. Once confirmed, it will begin encrypting the hard drive and set up a Time Machine backup.
Time Machine can also take a long time to encrypt the drive depending on speed and size
Tip: Time Machine encryption is actually just a way of creating an encrypted disk. You can encrypt any external hard drive through Disk Utility.
As more and more of us switch to portable Macs instead of desktop units, we’re more inclined to take them out of the house. This means an increase in the chance of loss or theft. FileVault 2 will make sure that no one can access the data should it fall into the wrong hands.
But remember, all that protection is nothing if you set your password to something easy to guess or figure out. At the end of the day, the weakest link in any security system is human interaction. Some of the greatest hacks performed haven’t been by figuring out ways to bypass security systems, it’s through educated guessing and social engineering - the method of manipulating someone into providing them with the correct information. Make sure your password is a mixture of upper and lower case, numbers and symbols. Memorize it, but don’t use something memorable.
Tip: Apple has a full support document on FileVault 2 for further information.
FileVault 2 is a completely transparent and no-overhead encryption solution. It works so well that I’d recommend anyone to use it as long as they make sure they encrypt their Time Machine backups too.
Do you use FileVault 2? How have you found it? As always, we’d love to hear from our readers so post a comment!