FileVault Question

[PaulNI]

I need to leave my Macbook Air into the Apple store to get a part fixed, nothing major, should take them around 45 minutes to fix.

This is my work computer and has a lot of sensitive data on it.

If I put FileVault on the laptop to encrypt the drive will that protect the data?

I don't know a great deal about the technical savey of Apple staff but I'm in two minds about whether to just encrypt the drive or take all my data off it and reformat the drive.

My concern would be if they have encryption keys that could unlock my own encryption and access my data.

Might sound paranoid but I run a company and I can't risk any of the key data on my laptop being compromised no matter how slim the risk.

Also how long does it take for FileVault to encrypt the drive? I have a 120GB HD

 

[talmy]

My experience has been that they require you to provide an account on the computer so they can access it. Even though I use FileVault, giving them an account with administrator privileges would allow them to assess any of my files.

If you are concerned, move the files off the system first or use a encrypted disk image (dmg) to contain your secure data.

 

[PaulNI]

My experience has been that they require you to provide an account on the computer so they can access it. Even though I use FileVault, giving them an account with administrator privileges would allow them to assess any of my files.

Would providing a quest account for them be sufficient?

If you are concerned, move the files off the system first or use a encrypted disk image (dmg) to contain your secure data.

Thanks for the advice Talmy

 

[talmy]

Frankly I didn't check to see if a guest account (or just one without admin privileges) would suffice. I was caught off-guard the first time, when they asked for my password (!), so I've set up an admin account for them since.

You might call and see if they require access for what you are having done, and recently they seem to be using netboot although still asking for that password for some reason.

 

[devincco]

My experience, and from a friend that used to work at the Apple store, they're more interested in getting the thing fixed and out the door so they can move onto the next item. I wouldn't worry too much about it unless they're actually replacing your entire unit or drive.

Quick question for you. Are you running Lion or Mountain lion? If so, FileVault 2 is used. If you are anything before Lion or Mountain Lion, then skip FileVault because the first version sucked.

Now with that said, this may help. I don't have my Mac with me to test, but I think if you setup a user acct. with standard access, not admin access, that "should" prevent them from accessing your files as long as your files are under your profile, not scattered around on your drive. Just remember to allow that user to login to FileVault. It allows them to log into the machine, test what they need to test and log out. You're basically relying on filesystem permissions to keep them out. There are ways around it but it would take them some work to do it.

Since the MacBook Air has an SSD, encrypting it shouldn't take too long. 2hrs at the most I would think. If you are working with sensitive data anyway, you should probably go ahead and turn FileVault on. FileVault encrypts the entire drive, not just specific files or folders. It's more for securing the data on your machine in the event it is lost or stolen. If someone has your machine, they will have to enter in a password to log in. If they try to boot up the machine from a boot disk, slave the drive off, etc. then they will have to provide the correct credentials to get into the drive. If they don't, they can't get in.

The other thing to remember with encryption is to make sure you have backups. And backups of the backups. And backups of the backups of the backups. If a FileVault encrypted drive fails, there is little chance of recovering the data on it.

If you're in a time crunch or haven't played with FileVault much, then move your files off for the time being.

Here is a link with more info on FileVault.
http://support.apple.com/kb/ht4790

 

[Weaselboy]

Would providing a quest account for them be sufficient?

If you turn on Filevault2, it disables the guest account feature, so you would need to make a new admin account for Apple to use... and that gets them into Filevault (albeit in another account). If this is really sensitive data, I would not risk it and I would take it off the machine.

If somehow even unintentionally that data gets out, it won't look good for your business. JMO

 

[PaulNI]

Hi Devincco I'm running Lion OS

Thanks for all your advice guys, I think I'm gonna just take my data off my computer, that seems like the least amount of hassle considering my time frame and not wanting to take any risk of my data being compromised.

 

[flynz4]

First of all... I would strongly recommend that you (and everyone) run FVII on their computers... unless you do not care about compromised data in the event of physical access to your machine.

Regarding how it works: FV2 encrypts the entire boot drive... and it is unlocked at power-on with any subset of the user logon passwords that you specify. Hence... if you must give your repair facility the ability to logon... you will be giving them access to unlock FV2. I do not believe there is any way around this.

Clearly... some situations may require that you keep strict legal control over the data. You also may want to do so for your own protection. In such cases... I would make a full TM backup (or maybe two) and then clean install the OS before giving to the repair facility. Restoring from TM is a pretty straight forward process.

/Jim

 

[talmy]

If they are given a regular account rather than an administrative account they won't be able to access your account contents (except for Public). With an administrative account they could do a "sudo su" and get root privileges and access anything not in an encrypted disk image (with it's own password).