FileVault2 - Who's using it

maflynn
May 26, 2012, 08:04 AM
Given the maturity of Lion, who has opted to use FileVault2?

If you used it but then disabled it, why did you turn it off?



Bear
May 26, 2012, 08:22 AM
I've been using encryption for over 4 months now for my internal disk, my Time Machine disk and a couple of external data disks.

The initial disk encryption process seems very resilient. You can actually sleep or shutdown the machine in the middle of it and it will pick back up. In my case, I had a third party device driver crash the system (not related to the encryption process) during the encryption process. The system recovered fine.

I would recommend only enabling encryption on one drive at a time and waiting for it to finish.

I of course used System Preferences to enable FileVault2 and to also encrypt the Time Machine disk. For the other external drives, since they had data on them, I used diskutil to convert them to encrypted disks.

maflynn
May 26, 2012, 06:59 PM
Interesting info regarding the resiliency of FV

I came across this thread http://forums.macrumors.com/showthread.php?t=1376080 where the owner of a MBA had his laptop stolen from his house. I'm rethinking not using it and was curious to know how many folks here are using it, or were and if they stopped, why they did.

grapes911
May 26, 2012, 07:02 PM
I don't use it. Any data I want to secure goes in a TrueCrypt volume.

maflynn
May 26, 2012, 07:04 PM
I don't use it. Any data I want to secure goes in a TrueCrypt volume.

That's another option as well that I'm considering, but given the ease of FV it's difficult to dispute.

grapes911
May 26, 2012, 07:10 PM
That's another option as well that I'm considering, but given the ease of FV it's difficult to dispute.

I've been using TrueCrypt for years. A big limitation of FV (for me anyway) is the lack of cross-platform support. Most of my sensitive data is on external hard drives that I can easily use on any machine. If you use only one machine, or at least only use Macs, then FV is probably fine.

Bear
May 26, 2012, 09:32 PM
I don't use it. Any data I want to secure goes in a TrueCrypt volume.

That's another option as well that I'm considering, but given the ease of FV it's difficult to dispute.

Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler. And also probably on the Time Machine drive.

And as for external drives, if you're using Macs only why risk having OS X patches being incompatible with the TrueCrypt drivers? Although if you need data portability, TrueCrypt does make sense.

grapes911
May 27, 2012, 10:26 AM
Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler.

I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.

Alrescha
May 27, 2012, 11:02 AM
I've used Filevault2 on my boot drive and Time Machine drive since day one. I'll eventually migrate my external drives as time goes by. No issues so far.

A.

Bear
May 27, 2012, 11:46 AM
I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.

Passwords to email accounts? IM accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft? Your address book?

There's more on one's computer than most people realize.

grapes911
May 27, 2012, 07:26 PM
Passwords to email accounts? IM Accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft possibly? Your address book?

There's more on one's computer than most people realize.

Nope, nope, and nope.


I have some junk email accounts, but the only two that have anything of value are encrypted exchange servers that require tokens to access and I do not store mail locally.
No instant messenger.
I never save passwords to websites.
Tax Returns are stored on encrypted external drives and only accessed via a LiveCD.
Address book is stored on an encrypted exchange server that requires a token to access.


I'm very security conscious, yet still haven't had a need to use FV. I'm sure it works fine. I just haven't had a need.

talmy
May 27, 2012, 07:46 PM
I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk. Among the encrypted DMG, 1Password, and KeyChain everything I want to protect is encrypted.

maflynn
May 28, 2012, 06:24 AM
I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk.
I can understand not wanting to use beta software for encryption but as I stated in my post, Lion has been out for a while now and no real reports of issues with FV2.

I take this approach, using encrypted DMGs, but I find that unless you are very disciplined, your sensitive files will slowly make their way into the Documents folder and not into the encrypted folder.

Bear
May 28, 2012, 06:37 AM
I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk.

FileVault 2 (unlike the original FileVault) has very little overhead. So unless you're running your system at the edge, it shouldn't matter.

I take this approach, using encrypted DMGs, but I find that unless you are very disciplined, your sensitive files will slowly make their way into the Documents folder and not into the encrypted folder.

And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.

maflynn
May 28, 2012, 06:42 AM
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.
Agreed, your information is still exposed, though the usefulness of that data may not be as great as your tax returns or bank statement (at least to most of the thieves).

I'm going to use FV2 because
1. It is seamless
2. it protects the entire volume
3. it has a good track record at this time.

The downsides of FV2 are performance and not being able to access the volume outside of OS X.

I'll probably turn it on later today and let it run all day/night. I've spent the last few days cleaning up my boot drive, freeing up space. My only issue is that I have a dual boot system and I frequently access my data from my Lion partition.

bobr1952
May 28, 2012, 06:42 AM
I don't use it. Any data I want to secure goes in a TrueCrypt volume.

I started using TrueCrypt as well--very nice program indeed. :)

RoelJuun
May 28, 2012, 07:44 AM
Had encryption enabled on my iMac using FV but after a clean install I didn't bother to activate it again. All passwords and administration files are stored in an encrypted dmg-file.

talmy
May 28, 2012, 08:36 AM
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.

If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.

Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.

Alrescha
May 28, 2012, 09:06 AM
I've spent the last few days cleaning up my boot drive freeing up space.

FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.

If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.

A.
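Both Bear's post (converting existing externals with diskutil) and Alrescha's (background conversion rewrites every block, new volumes can be created already encrypted) raise the same practical question: how do you tell whether a given volume is actually encrypted yet? The POSIX shell script below is an added example, not code from the thread or from Apple. It parses `diskutil cs list` output and prints, per CoreStorage logical volume group, the encryption type and conversion status, and a second function fails unless every volume reports AES-XTS with conversion Complete. The sample output embedded in it is constructed to resemble Lion-era `diskutil cs list`; the field names it keys on ("Encryption Type", "Conversion Status") and the `diskutil coreStorage convert` command named in the comments are assumptions from memory, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): summarise the encryption
# state of every CoreStorage logical volume family in `diskutil cs list` output.
#
# Assumed live usage on a Mac (not run here):
#     diskutil cs list | audit_cs_families
#     diskutil cs list | cs_all_encrypted && echo "all volumes fully encrypted"
# Assumed command for converting an existing external volume in place, the
# operation Bear describes (prompts for a passphrase):
#     diskutil coreStorage convert /Volumes/Data -passphrase
#
# The text below is CONSTRUCTED to resemble `diskutil cs list`: one boot volume
# still converting in the background, one external volume already complete.
SAMPLE_CS_LIST='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 00000000-AAAA-BBBB-CCCC-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         250000000000 B (250.0 GB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 00000000-AAAA-BBBB-CCCC-000000000002
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 00000000-AAAA-BBBB-CCCC-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes
        |
        +-> Logical Volume 00000000-AAAA-BBBB-CCCC-000000000004
            ---------------------------------------------------
            Disk:               disk1
            Status:             Online
            LV Name:            Macintosh HD
            Volume Name:        Macintosh HD
|
+-- Logical Volume Group 00000000-AAAA-BBBB-CCCC-000000000005
    =========================================================
    Name:         Backup
    Status:       Online
    |
    +-> Logical Volume Family 00000000-AAAA-BBBB-CCCC-000000000006
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes'

# Reads `diskutil cs list` text on stdin; prints one tab-separated line per
# logical volume family: <group name> <encryption type> <conversion status>.
# The group "Name:" line precedes its families, so we remember it and emit a
# record each time a "Conversion Status:" line is seen.
audit_cs_families() {
    awk '
        /^\+-- Logical Volume Group/ { group = "" }                # new group: forget old name
        /^ *Name:/                   { sub(/^ *Name: */, ""); group = $0 }
        /Encryption Type:/           { etype = $NF }
        /Conversion Status:/         { printf "%s\t%s\t%s\n", group, etype, $NF; etype = "" }
    '
}

# Returns 0 only when every family is AES-XTS with conversion Complete; any
# volume still converting (or not encrypted at all) is listed and 1 returned.
cs_all_encrypted() {
    bad=$(audit_cs_families | awk -F '\t' '$2 != "AES-XTS" || $3 != "Complete"')
    if [ -n "$bad" ]; then
        printf 'Not fully protected yet:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CS_LIST" | audit_cs_families
printf '%s\n' "$SAMPLE_CS_LIST" | cs_all_encrypted \
    || echo "background encryption is still running on at least one volume"
```

The check deliberately treats "Converting" as not yet protected: until the conversion finishes, part of the volume is still plaintext on disk, which is exactly the window Alrescha's "read and rewrite every block" remark describes.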

maflynn
May 28, 2012, 09:10 AM
FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.
I know, I expect it to take all day and even into the night. That's why I was cleaning up, removing unwanted or unnecessary files.


If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.

Nope, I don't use external volumes. I have a NAS, and the format of that is such that I cannot and will not encrypt it, but the data on it is not sensitive.

Bear
May 29, 2012, 07:33 AM
If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.
...My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.

What we need is to see real performance impact numbers for an encrypted boot volume. And we also need to see performance impacts for encrypted DMGs. One should also probably include mount and dismount times (including user interaction for this to happen).

I feel that for myself, the impact of managing encrypted DMGs is more overhead than the minor performance impact of encrypting the whole disk.

Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.

Yes, the backup volume would need to be encrypted as well for proper protection. My Time Machine disk is encrypted.

maflynn
May 29, 2012, 07:36 AM
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.
Agreed, my encrypted DMG's password is NOT in the keychain for that very reason.

talmy
May 29, 2012, 11:25 AM
Agreed, my encrypted DMG's password is NOT in the keychain for that very reason.

I don't see the point. When you log in, all the disk becomes effectively unencrypted with FileVault II. So if a thief knows your login they can access the entire disk contents. With the encrypted DMGs with passwords in the Keychain (which is also encrypted) you again get access to everything if the login is known, and if the login is not known the keychain and the DMGs remain encrypted and inaccessible. The only difference is that there is no security for the unencrypted portions of the drive, but I already will grant that.

Weaselboy
May 29, 2012, 11:29 AM
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.

I have Keychain set up with a different password than the login password. So even if somebody somehow gets past the login password, they still won't be able to get account passwords etc. from Keychain.

I use FV2 with EFI password protected and a separate keychain password.

maflynn
May 29, 2012, 12:31 PM
I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II.
I'm not sure I understand your question.

The issue is that if someone stole my laptop then they would not be able to log into my laptop because FV2 has encrypted it. They won't have access to keychain and other objects, or am I misunderstanding your post?

As for my encrypted dmg, it only gets mounted if I enter the correct password which is not stored in the keychain

Bear
May 29, 2012, 01:07 PM
I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II. So if a thief knows your login...

And how would the thief know your password for logging in to your Mac?

Shouldn't one do what is reasonable to protect the safety and security of their data? Not encrypting the boot drive makes it as easy to get to your data as not having locks on your home makes it to get in to the home.

talmy
May 29, 2012, 01:22 PM
And how would the thief know your password for logging in to your Mac?


They wouldn't, which is why an encrypted DMG with the key stored in the encrypted keychain is just as secure as a Filevault II drive. I only care about encrypting financial and other sensitive data. I see no reason to care about having encrypted applications, music, video, photos...

bogatyr
May 29, 2012, 01:35 PM
Having run with and without FV2, I can say on my MBA laptops (2 of them), there has been no performance difference for me (coder/I.T. Manager). With all the information that can be put in temporary/cache files on your main drive, in my opinion FV2 is essential.

If you want to use TrueCrypt on external drives, no issue. But your main drive which applications can and do store data without notifying you should also be encrypted completely - which is where FV2 comes in.

One note you should be aware of is that having a TB or FireWire port makes any memory based encryption key vulnerable:
http://www.frameloss.org/2011/09/18/firewire-attacks-against-mac-os-lion-filevault-2-encryption/

The article mentions ways to avoid those problems as well.

I have lots of information I don't want people to access on my laptop - family photos, copies of all my taxes for the last 5 years, bank information, photos of my passport / ID documents, and more.

Two weekends ago I had my backpack and gym bag stolen out of my car. In my backpack were two MBAs (personal / work) and in my gym bag was my iPad. I remote wiped my iPad using Find my Device in iCloud (thankfully it was on ATT's network) but my two laptops were encrypted and the thief wouldn't have been able to use them. I wasn't the least bit worried about identity theft or losing money due to the laptops being stolen. That peace of mind was well worth the small amount of time it took to enable FV2.

(As an aside, I did get all my equipment back - $5000 worth of electronics and work stuff)