FileVault 2 vs Disk Utility Encryption

Discussion in 'OS X Mavericks (10.9)' started by nim6us, Oct 14, 2014.

  1. nim6us macrumors member


    Nov 20, 2012
    So I was doing some research on disk encryption issues and options, and I stumbled across the FileVault 2 utility. In the past I'd always just gone into Disk Utility and encrypted my drives that way. I'd read that users had run into issues with encrypted drives locking up, or locking them out, and that FileVault 2 was "encryption-light" that offered you high-level encryption options, but with a lot more recovery and back doors to get in should you be locked out and to ensure the encrypted drive plays nice with OS X. While that seems appealing, the reason I wanted to encrypt my drive was so that it was a paperweight without the encryption key. All the recovery options, and on-the-fly encryption in FileVault 2, make me nervous that a would-be attacker just has more avenues of attack.

    I'm getting a lot of conflicting information, and I'm just trying to understand: if FileVault 2 is whole-disk encryption, what's the benefit to using it as opposed to the standard Disk Utility encryption?
  2. mfram macrumors 65816

    Jan 23, 2010
    San Diego, CA USA
    A couple of advantages I can think of.

    1. FV2 is pretty low-level. It happens at the block level below the filesystem. That is, once unencrypted at boot the computer behaves as normal. Time Machine just works and it behaves to the user as an unencrypted disk. You don't have to mount the encrypted part manually later, it's all encrypted. The filesystem doesn't even know it's on an encrypted disk.

    2. FV2 does give you the opportunity to save a "recovery" key to help get the data back later if there's a problem. You have the option to upload that "recovery key" back to Apple's server if you want. I don't opt to do that. I keep my data backed up with Time Machine, so if there's a problem I can restore from there.

    At boot time, you are prompted for a password to your account. That password is used to unlock the disk. The computer continues booting and you are logged into your account. Everything is encrypted, even most of the operating system. Only the stuff at boot to unlock the disk is unencrypted.

    If the computer sleeps then it doesn't need you to re-enter the password to unencrypt the data. You still have to enter a password to get past the screen lock though. If the machine hibernates then you will have to re-enter the password to unencrypt the data again. The computer then comes up where it left off.

    Assuming you don't keep the recovery key where someone can get to it, your data will be safe from hackers.

    The best part is, you can turn on or off FV2 at any time. You don't have to re-install. Only a reboot is required. The conversion happens in-place.
  3. nim6us thread starter macrumors member


    Nov 20, 2012
    This is something else that concerned me: I liked that my encryption key was different from my user password. I mean I can see the convenience aspect, but having two levels of passwords just makes you more secure. Is there an option not to link the two?

    Also, just out of curiosity, since my disk is already encrypted with Disk Utility, if I activated FileVault could they run in parallel or would you have to choose?

    Lastly, thanks for all the good bullet points. I don't mean to sidestep the effort you put into answering my original volley of questions. I'm just a curious cat ;)
  4. NoBoMac macrumors 68000

    Jul 1, 2014
    Well, the passcode is kinda separated from the disk encryption: password is used to decrypt a blob that has an encryption key that decrypts the randomly generated encryption key which in turn decrypts the disk.

    Or, to actually separate them, create an account just for unlocking the disk and set up your normal account(s) to not be able to decrypt the drive. Decrypt with the special account, log out, log in to the other account(s).
  5. Mr. Retrofire macrumors 603

    Mar 2, 2010
    ...and this key is pretty weak (120-bit), compared to a long passphrase.

    .dmg files use AES-256 with the appropriate long keys. But AES-256 is useless without a strong key/passphrase.
  6. NoBoMac macrumors 68000

    Jul 1, 2014
    That paper got it wrong re: bits in the recovery key, I believe.

    The recovery key is, excluding the dashes, 24 A-Z and 0-9. ASCII characters are 7 bit values. So, 24x7 is 168 bits. Round it up to full bytes, 192. Add the non-random dashes, you now have a key that is 232 bits.

    How they got to 120 was I think they overlooked that the recovery key is not an Apple UID type value, hexadecimal values. If hex values, 24x4=96. And if you add in the dashes and treat them as 4-bit characters (also wrong), that's 116 bits with one unused hex digit to pad out the last byte of info and 120 bits.

    The recovery key is darn strong: 24 characters yielding 2.25x10^37 possible combinations.
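    The bit counts argued over in the last two posts depend on which alphabet you assume the 24 recovery-key characters are drawn from; the following added script (not from the thread or from Apple) computes the key space and entropy for each reading, and checks only the shape of a key. It assumes the key is six dash-separated groups of four characters from A-Z and 0-9.

    ```python
    import math
    import re
    import string

    # Assumed format: six groups of four A-Z/0-9 characters, e.g. "ABCD-1234-...".
    RECOVERY_KEY_RE = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")
    ALPHANUMERIC = len(string.ascii_uppercase + string.digits)  # 36 symbols
    HEX = 16                                                     # 0-9 A-F


    def is_well_formed(key: str) -> bool:
        """Shape check only: dashes and character class, nothing secret."""
        return RECOVERY_KEY_RE.fullmatch(key) is not None


    def key_space(symbols: int, length: int) -> int:
        """Number of distinct keys of `length` characters over `symbols` symbols."""
        return symbols ** length


    def entropy_bits(symbols: int, length: int) -> float:
        """Work factor of a uniformly random key, in bits: log2 of the key space."""
        return length * math.log2(symbols)


    def compare_readings(length: int = 24) -> dict:
        """The three readings that appear in the thread for a 24-character key.

        'ascii_width_bits' is 7 bits per character: that is how wide the key is
        when stored as text, not how many random bits it carries, so it
        overstates the security level. The hex and A-Z0-9 figures are the
        actual entropy for those alphabets.
        """
        return {
            "hex_bits": entropy_bits(HEX, length),
            "alnum_bits": entropy_bits(ALPHANUMERIC, length),
            "ascii_width_bits": 7 * length,
            "alnum_key_space": key_space(ALPHANUMERIC, length),
        }


    if __name__ == "__main__":
        # Constructed sample key; not a real recovery key.
        print(is_well_formed("ABCD-1234-EFGH-5678-JKLM-9012"))
        for name, value in compare_readings().items():
            print(f"{name}: {value:.3g}" if isinstance(value, float) else f"{name}: {value:.3e}")
    ```

    The A-Z0-9 key space reproduces the 2.25x10^37 figure quoted above, and taking its base-2 logarithm gives the security level in bits for that alphabet.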
  7. Weaselboy Moderator


    Staff Member

    Jan 23, 2005
    I think you may be confusing things a bit.

    FileVault (FV) encryption and OS X disk encryption use exactly the same encryption and are identical as far as the disk encryption itself goes.

    The only difference is when you turn on FV, it changes the way the Mac boots so it can work with FV encryption on.

    Normally your Mac boots straight to the OS on the main drive. When you turn on FV, it encrypts the main partition and when you boot you are actually booting from the recovery partition which displays the login screen. Once you enter your password, the FV disk is unlocked and you can then boot to it.

    But the underlying encryption and technology of FV vs. encrypting a non-boot disk is identical. They both work by converting the volume into an encrypted core storage volume.

    Can you explain exactly what you are trying to do? If you want to encrypt the boot volume, you will need to use FV, otherwise there is no easy way to boot to the OS disk.
