Using FileVault




ideal.dreams
May 14, 2013, 08:48 PM
I have a MacBook Pro with Retina display (specs in my signature) and have a few questions about using FileVault.


Is there any degradation to SSD speed?
Is there any degradation to the startup/shutdown time?
Is there any degradation to the overall speed of the computer?
Can I still use Time Machine to back up my data to an external hard drive?
Is it possible to disable FileVault after enabling it?


Thanks!



mrapplegate
May 14, 2013, 09:14 PM
I have a MacBook Pro with Retina display (specs in my signature) and have a few questions about using FileVault.


Is there any degradation to SSD speed?
Is there any degradation to the startup/shutdown time?
Is there any degradation to the overall speed of the computer?
Can I still use Time Machine to back up my data to an external hard drive?
Is it possible to disable FileVault after enabling it?


Thanks!

Nope.
Nope.
Nope.
Yes.
Yes.

Sky Blue
May 14, 2013, 09:15 PM
Nope.
Nope.
Nope.
Yes.
Yes.

This.

ideal.dreams
May 14, 2013, 09:16 PM
Fantastic. Thanks for the replies!

ColdCase
May 14, 2013, 09:32 PM
There is some impact to SSD data transfers, but you probably won't notice it unless you run a benchmark tool or do disk intensive video or photo processing. Startup and overall speed impacts you won't notice. Video encoding is just noticeably slower on my rMBP. Safe boot will not work.

You can disable file vault at any time and the OS will decrypt the entire drive for you (safe boot will then work).

ideal.dreams
May 14, 2013, 09:39 PM
There is some impact to SSD data transfers, but you probably won't notice it unless you run a benchmark tool or do disk intensive video or photo processing. Startup and overall speed impacts you won't notice. Video encoding is just noticeably slower on my rMBP. Safe boot will not work.

You can disable file vault at any time and the OS will decrypt the entire drive for you (safe boot will then work).

I convert movies pretty often with Handbrake; is that slowed down at all?

Also are there any extra steps required to use Time Machine while using FileVault? And what happens to all of my previous backups without FileVault enabled?

ColdCase
May 15, 2013, 07:50 AM
I convert movies pretty often with Handbrake; is that slowed down at all?

Also are there any extra steps required to use Time Machine while using FileVault? And what happens to all of my previous backups without FileVault enabled?

I don't think you will notice it, I think handbrake is more limited by CPU power. If too slow for you, you can always turn file vault off. FV will decrypt the drive for you and you are back to the pre FV config.

OS 10.8 file vault and TM work a bit differently than previous iterations. Only thing file vault does is scramble data on your disk. For a TM backup, the OS unscrambles the files before sending them to your TM backup drive. The backup is unencrypted unless you also check off the encrypt backup in the TM settings.

Weaselboy
May 15, 2013, 10:35 AM
I convert movies pretty often with Handbrake; is that slowed down at all?

Also are there any extra steps required to use Time Machine while using FileVault? And what happens to all of my previous backups without FileVault enabled?

There is some slow down in normal ops. and startup with FV2, but it is minimal. Here (http://www.anandtech.com/show/4485/back-to-the-mac-os-x-107-lion-review/18) is a test showing with/without FV2 on.

Your TM backup will not be impacted by FV2.... it will just keep on going. If you are concerned about security, you may also want to turn on encryption for your TM backups.

ideal.dreams
May 15, 2013, 12:14 PM
I tried encrypting my Time Machine backups disk but it failed with the error that "The given disk is in use by a driver." Is there something I'm missing?

Weaselboy
May 15, 2013, 01:05 PM
I tried encrypting my Time Machine backups disk but it failed with the error that "The given disk is in use by a driver." Is there something I'm missing?

That is a new one on me. I Googled that error message and all I could find were some reports of that message when turning on FV2? Are you sure the FV encryption was finished when you did this?

ideal.dreams
May 15, 2013, 01:11 PM
That is a new one on me. I Googled that error message and all I could find were some reports of that message when turning on FV2? Are you sure the FV encryption was finished when you did this?

FileVault was definitely done encrypting my SSD when I tried to encrypt my backup drive. I had a movie running off of the drive so I'm assuming that caused the issue. I closed the movie, unplugged the drive to make sure nothing was using it and am trying it again. Hopefully that'll work.

Bear
May 15, 2013, 02:28 PM
I tried encrypting my Time Machine backups disk but it failed with the error that "The given disk is in use by a driver." Is there something I'm missing?

Do you have more than one partition on the Time Machine drive? If the answer is yes, that is the issue.

ideal.dreams
May 15, 2013, 02:43 PM
Do you have more than one partition on the Time Machine drive? If the answer is yes, that is the issue.

Nope, I haven't partitioned the drive. It's been encrypting for the last hour or so and it's only up to 6%. Is this normal? It's a 1TB drive.

Bear
May 15, 2013, 03:43 PM
Nope, I haven't partitioned the drive. It's been encrypting for the last hour or so and it's only up to 6%. Is this normal? It's a 1TB drive.

The initial encryption of the drive is done in such a way that it has minimal impact on performance if you are using the system while the disk is being encrypted. And that sounds about normal based on the last couple of disks I encrypted.

Note that you can sleep and even do a shutdown while the encryption process is going on. It'll continue the process when woken from sleep or started up.

ideal.dreams
May 15, 2013, 04:50 PM
The initial encryption of the drive is done in such a way that it has minimal impact on performance if you are using the system while the disk is being encrypted. And that sounds about normal based on the last couple of disks I encrypted.

Note that you can sleep and even do a shutdown while the encryption process is going on. It'll continue the process when woken from sleep or started up.

Is there a way to speed up the encryption of the disk?

Bear
May 15, 2013, 05:00 PM
Is there a way to speed up the encryption of the disk?

It speeds up a little bit if you aren't using the computer, but not enough to worry about.

That's why I mentioned it was safe to sleep and shutdown the computer during encryption.

Weaselboy
May 15, 2013, 05:12 PM
Nope, I haven't partitioned the drive. It's been encrypting for the last hour or so and it's only up to 6%. Is this normal? It's a 1TB drive.

That is about what I experienced also. Just have to wait it out.

kebs.kebs
May 15, 2013, 08:47 PM
Does FileVault2 have any effect on the "wear levelling" on SSDs? Does it lower its life?

ColdCase
May 16, 2013, 06:01 AM
Does FileVault2 have any effect on the "wear levelling" on SSDs? Does it lower its life?

No effect on wear leveling for the typical OEM drive Apple uses. Most SanDisk controllers take advantage of compression to achieve throughput and encrypted data is not compressible. So any throughput advantage those drives may have is mitigated. Since there may be more data being written you could postulate that there may be some additional wear, but I dunno if anyone has quantified the impact. Again only applies to those SSDs that use data compression. Otherwise it's just bits and bytes.

Bear
May 16, 2013, 06:17 AM
No effect on wear leveling for the typical OEM drive Apple uses. Most SanDisk controllers take advantage of compression to achieve throughput and encrypted data is not compressible. So any throughput advantage those drives may have is mitigated. Since there may be more data being written you could postulate that there may be some additional wear, but I dunno if anyone has quantified the impact. Again only applies to those SSDs that use data compression. Otherwise it's just bits and bytes.

Actually encrypted data can be compressed but it may not be compressed as much. And if you think about it certain types of datafiles (compressed image and music formats) can't be compressed much either.

All in all, I don't think using Filevault will have much extra wear even on SSDs that use compression.

jafingi
May 16, 2013, 06:50 AM
Also, remember to encrypt your Time Machine backup.

ColdCase
May 16, 2013, 07:02 AM
Actually encrypted data can be compressed but it may not be compressed as much. And if you think about it certain types of datafiles (compressed image and music formats) can't be compressed much either.

All in all, I don't think using Filevault will have much extra wear even on SSDs that use compression.

If the data is encrypted well it will look like a random set of unpredictable bits without any pattern that will not compress and be recoverable (although there are some theoretical methods). You can compress data prior to it being encrypted, however, and some FDE drives use that technique. Both video and music are not as random and could be brute force compressed a bit, but encoding is a better compression method for reducing their size.

The biggest reason some SSDs do not do well in a striped RAID environment is compression.
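
The compressibility question debated in the posts above, as an added example (not code from any poster): it measures zlib ratios for a constructed plaintext, for its ciphertext, and for compress-then-encrypt. The SHA-256 counter keystream is an assumption made so the script runs on the standard library alone; it is a stand-in for a real cipher and is not FileVault's algorithm.

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.

    Illustration only; the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def ratio(data: bytes) -> float:
    """Compressed size divided by original size (1.0 means no gain)."""
    return len(zlib.compress(data, 9)) / len(data)


def compare(plaintext: bytes) -> dict:
    """Compare compress-after-encrypt with compress-before-encrypt."""
    key = os.urandom(32)
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)  # never reuse a nonce
    ciphertext = keystream_xor(key, nonce_a, plaintext)
    packed = keystream_xor(key, nonce_b, zlib.compress(plaintext, 9))
    return {
        "plaintext_ratio": ratio(plaintext),
        "ciphertext_ratio": ratio(ciphertext),
        "compress_then_encrypt_size": len(packed) / len(plaintext),
        "roundtrip_ok": keystream_xor(key, nonce_a, ciphertext) == plaintext,
    }


# Constructed sample input: repetitive log-like text (about 240 KB).
SAMPLE = b"".join(
    b"2013-05-16 06:17:%02d backupd: copied item %06d\n" % (i % 60, i)
    for i in range(5000)
)

if __name__ == "__main__":
    for name, value in compare(SAMPLE).items():
        print(f"{name}: {value}")
```

A compressing SSD controller sits below the encryption layer, so it only ever sees the ciphertext case.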

ideal.dreams
May 16, 2013, 10:36 AM
So with FileVault enabled, what are the chances of data being recovered from the SSD should anything ever happen to my MacBook?

Weaselboy
May 16, 2013, 10:45 AM
So with FileVault enabled, what are the chances of data being recovered from the SSD should anything ever happen to my MacBook?

Pretty much zero. I have not seen any reports of anybody cracking the FV2 encryption.

scaredpoet
May 16, 2013, 12:00 PM
You might also want to enable "Find My Mac" in the iCloud Preference pane. Although the location function is hit or miss (it requires WiFi be on and in range of hotspots, and won't work if WiFi is off and say, you're connected over ethernet), you can still do things like remote-wiping the mac if the data on it is something you're concerned about.

----------

So with FileVault enabled, what are the chances of data being recovered from the SSD should anything ever happen to my MacBook?

None so far. BUT, there's an optional backdoor that may cause you concern, depending on what you want to keep safe on that Mac. It's the security key that OS X offers to send to Apple, to unlock FileVault if the password is forgotten.

If you're absolutely paranoid about law enforcement or someone with social-engineering skills gaining access, then you will want to avoid sending the security key to Apple.

ideal.dreams
May 16, 2013, 12:23 PM
You might also want to enable "Find My Mac" in the iCloud Preference pane. Although the location function is hit or miss (it requires WiFi be on and in range of hotspots, and won't work if WiFi is off and say, you're connected over ethernet), you can still do things like remote-wiping the mac if the data on it is something you're concerned about.

----------



None so far. BUT, there's an optional backdoor that may cause you concern, depending on what you want to keep safe on that Mac. It's the security key that OS X offers to send to Apple, to unlock FileVault if the password is forgotten.

If you're absolutely paranoid about law enforcement or someone with social-engineering skills gaining access, then you will want to avoid sending the security key to Apple.

Yeah I opted out of sending my key to Apple. I have it stored in a safe physical location at my house so it looks like everything should be secure.

ColdCase
May 16, 2013, 02:08 PM
So with FileVault enabled, what are the chances of data being recovered from the SSD should anything ever happen to my MacBook?

The biggest security vulnerability is your password. An 8-character password can be brute-force cracked by the average perp within hours, a 16-character one a lot longer. It would be easier to break the PW than the encryption, but that also can be done by a sophisticated adversary. I don't think any of us have information valuable enough to make that worthwhile, and of course none of us are involved in criminal activity.....

Weaselboy
May 16, 2013, 02:29 PM
It would be easier to break the PW than the encryption, but that also can be done by a sophisticated adversary.

I have not seen any evidence of anybody even claiming, much less proving they can crack FV2 encryption. Have you seen any reliable claims on this?

ColdCase
May 16, 2013, 03:17 PM
I have not seen any evidence of anybody even claiming, much less proving they can crack FV2 encryption. Have you seen any reliable claims on this?

Let me be perhaps clearer... poor passwords and password protection will foil even the best encryption.

It's not so much the encryption, it's the key management or authentication. If I so happen to be looking over the shoulder of someone entering their password, I have the key and have the data.... a simple case.

Two factor authentication done right would be much more secure. But what we have is certainly good enough for personal data protection of 99% of us and for a machine that is simply lost, if we use strong passwords and protect them.

Wonder why Apple hired all those fingerprint reader experts...

Weaselboy
May 16, 2013, 03:33 PM
Let me be perhaps clearer... poor passwords and password protection will foil even the best encryption.

It's not so much the encryption, it's the key management or authentication. If I so happen to be looking over the shoulder of someone entering their password, I have the key and have the data.... a simple case.

Two factor authentication done right would be much more secure. But what we have is certainly good enough for personal data protection of 99% of us and for a machine that is simply lost, if we use strong passwords and protect them.

Wonder why Apple hired all those fingerprint reader experts...

I understand that, but when you said "but that also can be done by a sophisticated adversary" it sounded like you were saying the encryption could be cracked.

ColdCase
May 16, 2013, 04:23 PM
I understand that, but when you said "but that also can be done by a sophisticated adversary" it sounded like you were saying the encryption could be cracked.

If someone takes possession of the machine, it becomes just a math problem.

Weaselboy
May 16, 2013, 04:30 PM
If someone takes possession of the machine, it becomes just a math problem.

I feel like we are going in circles here. I am saying I have seen no evidence anybody has ever been able to crack FV2 encryption. If you have some evidence I am mistaken, I would be interested to see it.