Apple’s FileVault technology is a method of automatically encrypting your files so you do not have to worry about data theft should your system be stolen. In its first iteration FileVault was just used to encrypt the user’s home directory, but in OS X Lion Apple introduced a second-generation full-disk encryption scheme that has been dubbed FileVault 2.
Many people who are considering using FileVault 2 have been asking about questions such as whether or not the encryption is needed, and expressing concerns about its security.
Is FileVault needed?
This is perhaps one of the most common questions I get asked about FileVault. The answer will vary depending on your data and how you use your computer. One rule of thumb is that the more portable the data is, the more need there is for security measures such as encryption. For server systems where the computer is locked away in a closet the need for FileVault is minimal, but for a laptop that gets taken on the road all the time the need will be greater. Of course, another factor is how sensitive the data is.
If you have proprietary information on your system, then it’s probably preferable to use some form of encryption. In many cases you can use encrypted disk images to store your data, and have it be just as secure as using FileVault. The only benefit FileVault has over encrypted disk images and other file-wrapper solutions is it ensures that everything is encrypted, including caches, Web cookies, and other files you may have on your system that could potentially contain sensitive information.
How well does FileVault work with other partitions and drives?
FileVault encrypts the boot volume by default, so only files stored on the boot drive will be encrypted, and because this encryption is transparent to the operating system, the system will not warn you that you are copying files from a secured medium to one that isn’t secure. Therefore, to make sure encrypted files stay encrypted, copy them only to drives that you know are also encrypted.
Luckily, you can use Apple’s Disk Utility program to format and encrypt other volumes on your system, or even set Time Machine to keep its backup volume encrypted and thereby ensure that the files on your computer will always reside on an encrypted medium.
While for the greatest security you can encrypt all of your drives with FileVault, keep in mind that this may not be necessary or desirable, especially if you might need to access the backup drive from a non-Mac system. For instance, if you keep your backup drive locked in a safe or other secure location, then encrypting it might be a bit redundant. Furthermore, if something happens to your Mac and you need to access the backup from a Windows or Linux machine, then you will run into hurdles if the drive is encrypted with FileVault. On the other hand, an iMac that is chained to a table may not need its drive encrypted, but a small external drive attached to it and used for Time Machine might benefit from encryption.
How much security does FileVault offer over the main account password, especially since FileVault is transparent once you unlock the volume?
The account password in OS X is the barrier to the encryption keys and therefore is the weakest link in the chain, so if you choose a poor password that is easily guessed, your data is potentially unsafe. So far the only hack for this is through memory snooping that takes advantage of FireWire’s DMA features, but the workaround for this is to never leave the system in sleep mode when it is unattended.
Do keep in mind that once the volume is unlocked, FileVault no longer plays any role in securing your files. An unlocked FileVault volume has been completely unsecured and is for all intents and purposes an unencrypted volume, so the only file security will be the system’s permissions setup and its ability to block intrusions and security breaches.
It is exceptionally difficult to carry out such breaches on a standard OS X installation, but it’s still a good idea to guard against it by using a good and secure password, and disabling unneeded sharing services like file and printer sharing. You might also consider using a screen lock password (screensaver password) if your system is in a relatively public area where others might sit down at it. If an intruder or thief cannot guess your password and unlock the screen, then he or she may try rebooting the system and thereby lock the FileVault volume again, thereby inadvertently securing it.
Is FileVault just as secure as encrypted disk images?
Technically FileVault is not as secure when it comes to the files being encrypted. FileVault uses XTS-AES 128-bit encryption, but disk images offer an option to encrypt at 256-bit encryption, which is more secure; however, given that both will take millions of years to crack via brute-force approaches, the difference here is effectively minuscule. FileVault does offer the option to encrypt all files you use, so in terms of thoroughness it is more secure than encrypted disk images. (Despite these differences, both encryption options are useless when unlocked, so if you leave your system unattended then the files can be copied just as if the disk were not encrypted.)
Either option will work just as well for securing data. The main functional difference between FileVault and disk images is the conveniences they offer. FileVault seamlessly encrypts all contents of the drive, but disk images offer a more portable option that will secure files in smaller packages and keep them safe even if they are distributed on unencrypted media throughout the Internet.