How to encrypt your Mac with FileVault 2, and why you absolutely should

Apple's first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user's home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.

FileVault 2 offers full-disk encryption (FDE). When enabled, the entire contents of the startup drive are encrypted. When your computer is powered off, the drive's data is fully unrecoverable without a password. It also lets you use Find My Mac to wipe your drive in a matter of seconds remotely if you're concerned about into whose hands your computer has fallen. You can enable FileVault 2 with an existing Mac, but starting with 10.10 Yosemite, OS X now encourages turning on FileVault 2 during setup of a laptop.

This has made some law-enforcement officials unhappy, who seemingly don't want your data to be protected this strongly, so they can get access in the unlikely event that they need it. Relatively few people engage in criminal activities, and of them, even fewer ever have their computers seized and examined. It's a good sign as to how well FileVault 2 works that officials are so morose about it.

FileVault 2 takes advantage of the ever-improving processor speed and features in Macs to perform on-the-fly encryption and decryption. Every chunk of data read from and written to disk, whether of the spinning variety or SSD, has to go through this process. Macs introduced starting in 2010 and 2011, and every model since, can use encryption circuitry in the processor, boosting performance.

FileVault 2 works hand in hand with OS X Recovery, a special disk partition that lets you run Disk Utility from the same drive you may be having trouble with, restore or install OS X via the Internet, restore a Time Machine backup, or browse Safari. With FileVault 2 enabled, your computer boots into the Recovery volume, prompting you to login with any account that's been allowed to start up the computer.

How to use FileVault 2

On a system without FileVault 2 already in place, you need to turn it on, which converts your startup drive from its unencrypted state to fully encrypted. This comes with a few big flashing red warnings and pieces of advice before you proceed. (You can encrypt secondary and external drives by Control-clicking a drive's icon and select Encrypt "Drive Name," but it doesn't tie in with login: you set a password for the drive, and have to enter it to mount it.)

Warning 1! During the setup, OS X creates a Recovery Key for your drive. As with Apple's two-step verification for Apple ID accounts, this Recovery Key is critical to retain. Without it, if you lose or forget the account password to all FileVault 2--enabled accounts, your drive is permanently inaccessible. Keep a copy of the Recovery Key, probably printed out, for emergencies.

Warning 2! Once you start the conversion, there's no stopping it. It has to complete, and it consumes CPU resources like mad, slowing down your machine and likely firing up the fan to high speed. Your computer also has to remain plugged in. The operation takes many hours. A friend's niece accidentally accepted the option to enable FileVault 2 when upgrading to Yosemite a few evenings ago, and had her machine--needed for a computer-science class the next morning--slow to a crawl.

Apple provides step-by-step details in a Knowledge Base note, so I won't repeat all of that, but will highlight the critical parts.

Only accounts enabled with FileVault 2 can unlock the volume at boot time after a cold start (when shut down) or restart. For accounts you don't opt to enable, restarting or starting up will require an account with permission logs in, then logs out. If you're helping set up FileVault 2 for a novice user who trusts you, you may ask them to create an account for you that would let you log in if they can't.

Accounts that use an iCloud password for login do provide a way out if you forget or lose an account password, but also offers a security risk if someone obtains your iCloud account information. (During a Yosemite upgrade, you can choose this explicitly when enabled FileVault 2 by checking a box that reads "Allow my iCloud account to unlock my disk." Oddly, Apple has no information about this option on its support site.)

The option to store your Recovery Key on Apple's servers is secure, in that Apple apparently can only unlock the key given information you provide, exactly as it's typed, including capitalization. It doesn't retain enough information to unlock it independently. However, it does put the key in the hands of a party other than yourself, making it possible under the right circumstances for a government agency or ne'er-do-wells to legally or socially engineer access to your recovery key.

Once the conversion is complete, the startup drive is fully protected within the limits of exposure I note above.

What's even niftier is that with Find My Mac enabled on the computer, you have a sort of secret weapon. Find My Mac works when the computer is booted and connected to a network. You can play a sound, lock the computer, locate it (if Wi-Fi networks or other cues to location are nearby), and erase it. Because FileVault 2 relies on a stored encryption key, erasing the drive wipes that key, rendering the drive unrecoverable, even by you.

But the extra-secret secret weapon is Guest mode. When a user logs in as a guest and connects to a network, or the Mac automatically connects to a known network, Find My Mac continues to work. Thus, if someone finds your computer, any message you send with the Lock option can appear, even if it was online before they log in as a guest. But so too can an Erase request make its way through silently.

FileVault 2 can make nations quake, apparently, but it's just a bit of good information hygiene, letting you make choices about the degree of vulnerability you want to tolerate for your locally stored data and any software or stored passwords for services in your accounts. With it off, you're not risking everything, but with it on, you have a high degree of assurance about who can access what.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applesecuritysoftware

More about AppleLionMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place