Any more info on Lion's full disk encryption




RafaelT
Jun 2, 2011, 09:54 PM
Just wondering if anyone could share some details about full disk encryption on Lion. How does it work with Time Machine? Is logging out quick?

My only experience with anything encryption-wise is FileVault; needless to say that has not been a great experience. Any info would be appreciated!



smithrh
Jun 20, 2011, 07:42 PM
I'd like to know too, but given the lack of responses I guess we'll have to wait a few more weeks for July...

swixo
Jun 20, 2011, 07:55 PM
Just wondering if anyone could share some details about full disk encryption on Lion. How does it work with Time Machine? Is logging out quick?

My only experience with anything encryption-wise is FileVault; needless to say that has not been a great experience. Any info would be appreciated!

It works as well as PGP. No delay logging out. SL FileVault was useless; I have been using Lion's without problems for a few weeks.

s

smithrh
Jun 20, 2011, 08:00 PM
It works as well as PGP. No delay logging out. SL FileVault was useless; I have been using Lion's without problems for a few weeks.

s

Good news, thanks!

CyBeRino
Jun 21, 2011, 03:17 AM
Just wondering if anyone could share some details about full disk encryption on Lion. How does it work with Time Machine? Is logging out quick?

My only experience with anything encryption-wise is FileVault; needless to say that has not been a great experience. Any info would be appreciated!

Well, it's not technically "full disk encryption" as really it only encrypts your root partition so far as I can tell. I have a small second partition for downloads and it was untouched.

The process is that once you click the button, it converts said root partition to a Core Storage volume with encryption. This requires a reboot. After rebooting the encryption process starts. You can continue working, even rebooting more if needed, and it'll continue going on in the background until it's done.

Once it's done, you don't really even notice it's there unless you look for it. It's entirely transparent to applications and, being simply an application, it has no problem with Time Machine. You can tell the system to encrypt the TM backups, but this involves erasing them and starting over. The "convert in place" mechanism so far only applies to the root partition. One can convert a partition to Core Storage manually, but I haven't figured out how to enable encryption manually.

Enabling FileVault also enables a few other security measures. For instance, automatic login is essentially disabled (out of necessity; the concept is incompatible with having the disk encrypted). In fact, you get a "fake" login window that looks more or less exactly like the regular one immediately on boot so as to be able to unlock the disk. Enter your info there and it'll skip the "real" login window, though; it's clever like that. It also enables the requirement for a password after sleep or when the screensaver comes on. This can be disabled if you like.

It's worth noting that FileVault (the original) was basically a hack based on encrypted disk images. This was the cause for all of its quirks and incompatibilities. FileVault 2 actually encrypts the blocks directly on disk using AES-XTS so there's no extra layer of crap in between; only a decryption process.

haravikk
Jun 21, 2011, 09:32 AM
The process is that once you click the button, it converts said root partition to a Core Storage volume with encryption.
So it's just an on/off interface like FileVault 1? With options for Time Machine?
That seems a little disappointing, I was hoping it would present all of your volumes, and let you choose which one(s) to encrypt and then enter passwords for each.

I don't suppose you know if this works with software RAID volumes? I'm hoping so as there shouldn't be a reason not to, especially if it's implemented like a new file-system (that just wraps the encrypted, actual file-system).

Bear
Jun 21, 2011, 11:01 AM
If you go to Lion Features (http://www.apple.com/macosx/whats-new/features.html) and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.

RafaelT
Jun 21, 2011, 12:29 PM
Well, it's not technically "full disk encryption" as really it only encrypts your root partition so far as I can tell. I have a small second partition for downloads and it was untouched......

Thank you, your post definitely answered some of my questions. I appreciate the detailed reply!

smithrh
Jun 21, 2011, 12:38 PM
If you go to Lion Features (http://www.apple.com/macosx/whats-new/features.html) and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.

Yes, thanks for this pointer.

Some information on this page seems to be directly in conflict with some of the other posts in this thread - which will typically happen as a vendor puts its best foot forward in the marketing materials...

Also, are external drives portable, or are they locked to the original Mac?

Can I make a software RAID array out of encrypted disks?


...and so on and so forth.

haravikk
Jun 21, 2011, 01:14 PM
Also, are external drives portable, or are they locked to the original Mac?
I think they should be portable, but you'll need Lion and the password used for encryption in order to access them. If you encrypt your startup disk then I assume the encryption key will be protected by a user password.

Can I make a software RAID array out of encrypted disks?
I'm hoping the opposite is true, and you can encrypt a RAID volume, which I think would make more sense.

Chances are this is implemented with a dummy file-system that wraps the actual file-system used by the encrypted volume. At least I hope so, otherwise it might not work with RAID volumes at all.

CyBeRino
Jun 21, 2011, 01:28 PM
So it's just an on/off interface like FileVault 1? With options for Time Machine?
That seems a little disappointing, I was hoping it would present all of your volumes, and let you choose which one(s) to encrypt and then enter passwords for each.

Yes, it's on/off, at least right now.

It is perfectly possible to encrypt other drives, but at least at this point in time that involves reformatting them with encryption. Only the FileVault interface appears, currently, to be able to encrypt a partition in place, and it'll only do that on your startup partition.

I haven't actually tried yet, but from what I can gather at this point, encrypted disks should be readable by Lion only. I do expect a future update to 10.6 to add support for encrypted drives, though. They are definitely portable; it'll simply ask for the password when you try to mount it.



I don't suppose you know if this works with software RAID volumes? I'm hoping so as there shouldn't be a reason not to, especially if it's implemented like a new file-system (that just wraps the encrypted, actual file-system).

No idea, sorry.
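The key-protection model haravikk guesses at above (the encryption key "protected by a user password") and the portability CyBeRino confirms ("it'll simply ask for the password when you try to mount it") both follow from one design: the blocks are encrypted under a single random volume key, and that key is stored on the disk only in wrapped form, one slot per authorised password. The script below is an added illustration of that model, written for this thread; it is not Apple's code and not Apple's exact scheme. It uses only the Python standard library, with PBKDF2-HMAC for the password-derived key and an HMAC-authenticated one-time pad standing in for a real key-wrap cipher. The header layout, slot fields and passwords are constructed for the example.

```python
"""Constructed model of password-protected volume keys (the key hierarchy
behind FileVault-2-style disk encryption). Not Apple's implementation:
standard library only, HMAC-authenticated one-time pad instead of AES key wrap."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # work factor; real systems tune this to the hardware
VEK_LEN = 32              # volume encryption key size, e.g. AES-256 for the block layer


def new_volume_key():
    """The random key that actually encrypts disk blocks. Never stored in the clear."""
    return os.urandom(VEK_LEN)


def _slot_keys(password, salt):
    """Derive a pad key and a MAC key from the password for one slot.
    A fresh salt per slot makes the pad single-use, which the XOR wrap relies on."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=2 * VEK_LEN)
    return material[:VEK_LEN], material[VEK_LEN:]


def wrap_volume_key(vek, password):
    """Produce one key slot: salt, wrapped key, integrity tag (encrypt-then-MAC)."""
    salt = os.urandom(16)
    pad, mac_key = _slot_keys(password, salt)
    blob = bytes(v ^ p for v, p in zip(vek, pad))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap_volume_key(slot, password):
    """Return the volume key if the password opens this slot, else None.
    The tag is verified first, so a wrong password or a tampered slot is
    rejected instead of yielding a garbage key."""
    pad, mac_key = _slot_keys(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(b ^ p for b, p in zip(slot["blob"], pad))


def make_header(vek, passwords):
    """The on-disk metadata: only wrapped copies of the key, one per authorised user."""
    return {"slots": [wrap_volume_key(vek, pw) for pw in passwords]}


def unlock(header, password):
    """What the pre-boot login window does: try the typed password against every slot."""
    for slot in header["slots"]:
        vek = unwrap_volume_key(slot, password)
        if vek is not None:
            return vek
    return None


def add_user(header, vek, password):
    """Authorise another password without re-encrypting any data."""
    header["slots"].append(wrap_volume_key(vek, password))


if __name__ == "__main__":
    vek = new_volume_key()
    header = make_header(vek, ["alice-passphrase"])   # constructed sample password
    add_user(header, vek, "bob-passphrase")            # constructed sample password
    assert unlock(header, "alice-passphrase") == vek
    assert unlock(header, "bob-passphrase") == vek
    assert unlock(header, "guess") is None
    print("volume key recovered from either slot; wrong password rejected")
```

Because the header holds only wrapped copies, the volume can be moved to another machine and unlocked anywhere a valid password is typed, and adding a user means adding a slot rather than re-encrypting the disk. Someone holding the bare disk gets only salts, blobs and tags, so the only attack left is guessing passwords against the slots, which is why the PBKDF2 work factor and the strength of the login password matter far more than the block cipher does.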

swixo
Jun 21, 2011, 08:05 PM
If you go to Lion Features (http://www.apple.com/macosx/whats-new/features.html) and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.

Only way to do this seems to be to format the other volume as encrypted. You will have to copy off then back on any data. The root volume can be encrypted in place.

s