Disk encryption - a few questions




537635
Sep 18, 2011, 04:16 AM
Coming from TrueCrypt on W7 I have a few questions about disk encryption in Lion.

1. Is it possible to change the password without re-encrypting the whole disk (I realize it is not as safe, but I've used this several times before on non-crucial data as it saves a lot of time)?

2. I read that it is possible to encrypt external (USB) hard drives. How does it work in reality? Does the system automount the encrypted external drives on login (if the password is the same as for the system disk)?

3. Is it still possible to use Truecrypt for encrypting non-system hard disks? Is it true, that upon startup, Lion always offers to format Truecrypt encrypted hard disks as they are not recognized? Is it possible to disable these notifications?


Thanks!



SimonTheSoundMa
Sep 18, 2011, 09:22 AM
1. You can, CoreStorage will need to decrypt the drive in the background, and then encrypt it again. Same for changing the size of partitions. It's a very slow process, but you can switch the machine on and off while it is decrypting/encrypting.

2. CoreStorage will encrypt the external drive in the background. It will automount at login if you save the password in your keychain; if you do not save it, you get a prompt for the password at login. It will only save the password in your user account keychain, so no other users can use the drive without knowing the password. A slight problem is you will need to unmount/eject the drive when you log out; if someone logs in to another account and it is still mounted, they can see the drive and its data.

3. I can't answer that one.

537635
Sep 18, 2011, 11:49 AM
Thank you for a thorough answer! That explains mostly everything.

Celeron
Sep 19, 2011, 07:46 AM
1. You can, CoreStorage will need to decrypt the drive in the background, and then encrypt it again. Same for changing the size of partitions. It's a very slow process, but you can switch the machine on and off while it is decrypting/encrypting.

Sorry, this is incorrect. Changing your account password does not trigger re-encryption of the hard drive.

Sirolway
Sep 19, 2011, 07:52 AM
Sorry, this is incorrect. Changing your account password does not trigger re-encryption of the hard drive.

I don't think they were claiming that changing your account password would change your encryption password ...

Also, my understanding is that you should be able to change your encryption password (why?) without it taking ages - as the FileVault password only lets it get at the 'real' encryption key. So you're only changing the password to a small bit of data, it's not actually the encryption key that's used to encrypt the whole volume. This means changing the FileVault password is quick, as it doesn't need to re-encrypt the drive.

Not 100% sure this is correct, but that's my understanding. Try the Ars Technica article on Lion for more details.
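
The key-wrapping arrangement described in the post above, as an added illustration that is not part of the thread and is not Apple's FileVault or CoreStorage code. PBKDF2, the XOR-mask-plus-HMAC wrap and the SHA-256 keystream are stand-ins chosen so the sketch runs on the Python standard library alone; all function names and sample values are hypothetical.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half masks the volume key, second half authenticates the header
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def wrap_key(volume_key: bytes, password: str) -> dict:
    """Build the small header that stores a 32-byte volume key under a password."""
    salt = os.urandom(16)
    k = _derive(password, salt)
    masked = bytes(a ^ b for a, b in zip(volume_key, k[:32]))
    tag = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}

def unwrap_key(header: dict, password: str) -> bytes:
    k = _derive(password, header["salt"])
    expected = hmac.new(k[32:], header["salt"] + header["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong password or damaged header")
    return bytes(a ^ b for a, b in zip(header["masked"], k[:32]))

def change_password(header: dict, old: str, new: str) -> dict:
    # Only the header is rewritten; the bulk data is never touched.
    return wrap_key(unwrap_key(header, old), new)

def crypt_sector(volume_key: bytes, index: int, data: bytes) -> bytes:
    # Toy stand-in for the real sector cipher: XOR with a SHA-256 counter keystream.
    stream, block = b"", 0
    while len(stream) < len(data):
        ctr = index.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(volume_key + ctr).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    volume_key = os.urandom(32)
    # Constructed sample data standing in for the encrypted volume.
    sectors = [crypt_sector(volume_key, i, b"constructed sample data %d" % i) for i in range(4)]
    old_header = wrap_key(volume_key, "old passphrase")
    new_header = change_password(old_header, "old passphrase", "new passphrase")
    recovered = unwrap_key(new_header, "new passphrase")
    return {
        "plaintext": [crypt_sector(recovered, i, s) for i, s in enumerate(sectors)],
        "old_header_still_opens": unwrap_key(old_header, "old passphrase") == volume_key,
    }

if __name__ == "__main__":
    print(demo())
```

In this scheme a surviving copy of the old header still yields the same volume key under the old password; only re-encrypting the data under a fresh volume key ends that.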

odinsride
Sep 19, 2011, 12:43 PM
3. Is it still possible to use Truecrypt for encrypting non-system hard disks? Is it true, that upon startup, Lion always offers to format Truecrypt encrypted hard disks as they are not recognized? Is it possible to disable these notifications?



I have an external Truecrypt volume and always get this notification when I plug it in. I'd also like to know if there's a way to disable this!

537635
Sep 19, 2011, 02:52 PM
I have an external Truecrypt volume and always get this notification when I plug it in. I'd also like to know if there's a way to disable this!

Do you also get it when you boot / wake-up the computer?

I was thinking.... would it make any difference if the encryption would be partition based, instead of device based? :confused: