FileVault2 - Who's using it

I've been using encryption for over 4 months now for my internal disk, my Time Machine disk and a couple of external data disks.

The initial disk encryption process seems very resilient. you can actually sleep or shutdown the machine in the middle of it and it will pick back up. In my case, I had a third party device driver crash the system (not related to the encryption process) during the encryption process. The system recovered fine.

I would recommend only enabling encryption on one drive at a time and wait for it to finish.

I of coursed used system preferences to enable FileVault2 and to also encrypt the Time Machine disk. For the other external drives since they had data on them, I used diskutil to convert them to encrypted disks.

 

I don't use it. Any data I want to secure goes in a TrueCrypt volume.

 

I've been using TrueCrypt for years. A big limitation of FV (for me anyway) is the lack of cross-platform. Most of my sensitive data is on external hard dives that I can easily use on any machine. If you use only one machine, or at least only use Macs, then FV is probably fine.

 

Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler. And also probably on the Time Machine drive.

And as for external drives, if you're using Macs only why risk having OS X patches being incompatible with the TrueCrypt drivers? Although if you need data portability, TrueCrypt does make sense.

 

I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.

 

I've used Filevault2 on my boot drive and Time Machine drive since day one. I'll eventually migrate my external drives as time goes by. No issues so far.

A.

 

Passwords to email accounts? IM Accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft possibly? Your address book?

There's more on ones computer than most people realize.

 

Nope, nope, and nope.

• I have some junk email accounts, but the only two that have anything of value are encrypted exchange servers that require tokens to access and I do not store mail locally.
• No instant messenger.
• I never save passwords to websites.
• Tax Returns are stored on encrypted external drives and only accessed via a LiveCD.
• Address book is stored on an encrypted exchange server that requires a token to access.

I'm very security conscious, yet still haven't had a need to use FV. I'm sure it works fine. I just haven't had a need.

 

I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk. Among the encrypted DMG, 1Password, and KeyChain everything I want to protect is encrypted.

 

FileVault 2 (unlike the original FileVault) has very little overhead. So unless you're running your system at the edge, it shouldn't matter.

And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.

 

I started using TrueCrypt as well--very nice program indeed.

 

Had encryption enabled on my iMac using FV but after a clean install I didn't bother to activate it again. All passwords and administration files are stored in an encrypted dmg-file.

 

If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.

Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.

 

FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.

If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.

A.

 

My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.

What we need is to see real performance impact numbers for an encrypted boot volume. And we also need to see performance impacts for encrypted DMGs. One should also probably include mount and dismount times (including user interaction for this to happen).

I feel that for myself, the impact of managing encrypted DMGs is more overhead than the minor performance impact of encrypting the whole disk.

Yes, the backup volume would need to be encrypted as well for proper protection. My Time Machine disk is encrypted.

 

I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II. So if a thief knows your login then can access the entire disk contents. With the encrypted DMGs with passwords in the Keychain (which is also encrypted) you again get access to everything if the login is known, and if the login is not known the keychain and the DMGs remain encrypted and unaccessible. The only difference is that there is no security for the unencrypted portions of the drive, but I already will grant that.