Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
FileVault2 - Who's using it
- Thread starter maflynn
- Start date
- Sort by reaction score
I've been using encryption for over 4 months now for my internal disk, my Time Machine disk and a couple of external data disks.
The initial disk encryption process seems very resilient. you can actually sleep or shutdown the machine in the middle of it and it will pick back up. In my case, I had a third party device driver crash the system (not related to the encryption process) during the encryption process. The system recovered fine.
I would recommend only enabling encryption on one drive at a time and wait for it to finish.
I of coursed used system preferences to enable FileVault2 and to also encrypt the Time Machine disk. For the other external drives since they had data on them, I used diskutil to convert them to encrypted disks.
The initial disk encryption process seems very resilient. you can actually sleep or shutdown the machine in the middle of it and it will pick back up. In my case, I had a third party device driver crash the system (not related to the encryption process) during the encryption process. The system recovered fine.
I would recommend only enabling encryption on one drive at a time and wait for it to finish.
I of coursed used system preferences to enable FileVault2 and to also encrypt the Time Machine disk. For the other external drives since they had data on them, I used diskutil to convert them to encrypted disks.
Interesting info regarding the resiliency of FV
I came across this thread https://forums.macrumors.com/threads/1376080/ where the owner of a MBA had his laptop stolen from his house. I'm rethinking not using it and was curious to know how many folks here are using it or were and if they stopped why did they
I came across this thread https://forums.macrumors.com/threads/1376080/ where the owner of a MBA had his laptop stolen from his house. I'm rethinking not using it and was curious to know how many folks here are using it or were and if they stopped why did they
That's another option as well that I'm considering but given the ease of FV its difficult to dispute
I've been using TrueCrypt for years. A big limitation of FV (for me anyway) is the lack of cross-platform. Most of my sensitive data is on external hard dives that I can easily use on any machine. If you use only one machine, or at least only use Macs, then FV is probably fine.
Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler. And also probably on the Time Machine drive.
And as for external drives, if you're using Macs only why risk having OS X patches being incompatible with the TrueCrypt drivers? Although if you need data portability, TrueCrypt does make sense.
I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.
Passwords to email accounts? IM Accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft possibly? Your address book?
There's more on ones computer than most people realize.
Nope, nope, and nope.
- I have some junk email accounts, but the only two that have anything of value are encrypted exchange servers that require tokens to access and I do not store mail locally.
- No instant messenger.
- I never save passwords to websites.
- Tax Returns are stored on encrypted external drives and only accessed via a LiveCD.
- Address book is stored on an encrypted exchange server that requires a token to access.
I'm very security conscious, yet still haven't had a need to use FV. I'm sure it works fine. I just haven't had a need.
I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk. Among the encrypted DMG, 1Password, and KeyChain everything I want to protect is encrypted.
I can understand not wanting to use beta software for encryption but as I stated in my post, Lion has been out for a while now and no real reports of issues with FV2.
I take this approach, using encrypted DMGs but I find that unless you are very disciplined slowly your sensitive files will make their way into the documents folder and not in the encrypted folder.
FileVault 2 (unlike the original FileVault) has very little overhead. So unless you're running your system at the edge, it shouldn't matter.
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.
Agreed, that you're information is still exposed though the usefulness of that data may not be as great as your tax returns or bank statement (at least to most of the thieves).
I'm going to use FV2 because
1. It is seamless
2. it protects the entire volume
3. it has a good track record at this time.
The downsides of FV2 is performance, not accessing the volume outside of OSX.
I'll probably turn it on later today and let it run all day/night. I've spent the last few days cleaning up my boot drive freeing up space. My only issue is that I have a dual boot system and I frequently access my data from from my Lion partition.
Had encryption enabled on my iMac using FV but after a clean install I didn't bother to activate it again. All passwords and administration files are stored in an encrypted dmg-file.
If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.
Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.
FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.
If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.
A.
I know, I expect it to take all day and even into the night. That's why I was cleaning up, removing unwanted or unnecessary files.
Nope, I don't use external volumes, I have a NAS and the format of that is such that I cannot and will not encrypt that but the data on that is not sensitive
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.
What we need is to see real performance impact numbers for an encrypted boot volume. And we also need to see performance impacts for encrypted DMGs. One should also probably include mount and dismount times (including user interaction for this to happen).
I feel that for myself, the impact of managing encrypted DMGs is more overhead than the minor performance impact of encrypting the whole disk.
Yes, the backup volume would need to be encrypted as well for proper protection. My Time Machine disk is encrypted.
I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II. So if a thief knows your login then can access the entire disk contents. With the encrypted DMGs with passwords in the Keychain (which is also encrypted) you again get access to everything if the login is known, and if the login is not known the keychain and the DMGs remain encrypted and unaccessible. The only difference is that there is no security for the unencrypted portions of the drive, but I already will grant that.
I have Keychain setup with a different password than the login password. So even if somebody somehow gets past the login password, they still won't be able to get account passwords etc from Keychain.
I use FV2 with EFI password protected and a separate keychain password.
I'm not sure I understand your question.
The issue is that if someone stole my laptop then they would not be able to log into my laptop because FV2 has encrypted. They won't have access to keychain and other objects, or am I misunderstanding your post?
As for my encrypted dmg, it only gets mounted if I enter the correct password which is not stored in the keychain