FileVault2 - Who's using it

Who is (or was) using FileVault2

  • I initially used it but disabled it (explain why below)

    Votes: 2 7.4%
  • I want my data safe so I have it enabled

    Votes: 14 51.9%
  • I'm not concerned so I don't use it

    Votes: 11 40.7%

  • Total voters
    27

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
Given the maturity of Lion, who has opted to use FileVault2?

If you used it but then disabled it, why did you turn it off?
 

Bear

macrumors G3
Jul 23, 2002
8,089
4
Sol III - Terra
I've been using encryption for over 4 months now for my internal disk, my Time Machine disk and a couple of external data disks.

The initial disk encryption process seems very resilient. You can actually sleep or shut down the machine in the middle of it and it will pick back up. In my case, I had a third party device driver crash the system (not related to the encryption process) during the encryption process. The system recovered fine.

I would recommend only enabling encryption on one drive at a time and waiting for it to finish.

I of course used System Preferences to enable FileVault2 and to also encrypt the Time Machine disk. For the other external drives, since they had data on them, I used diskutil to convert them to encrypted disks.
 
Comment

grapes911

Moderator emeritus
Jul 28, 2003
6,995
3
Citizens Bank Park
That's another option as well that I'm considering but given the ease of FV it's difficult to dispute
I've been using TrueCrypt for years. A big limitation of FV (for me anyway) is the lack of cross-platform. Most of my sensitive data is on external hard drives that I can easily use on any machine. If you use only one machine, or at least only use Macs, then FV is probably fine.
 
Comment

Bear

macrumors G3
Jul 23, 2002
8,089
4
Sol III - Terra
I don't use it. Any data I want to secure goes in a TrueCrypt volume.
That's another option as well that I'm considering but given the ease of FV it's difficult to dispute
Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler. And also probably on the Time Machine drive.

And as for external drives, if you're using Macs only why risk having OS X patches being incompatible with the TrueCrypt drivers? Although if you need data portability, TrueCrypt does make sense.
 
Comment

grapes911

Moderator emeritus
Jul 28, 2003
6,995
3
Citizens Bank Park
Can you even use TrueCrypt for your boot drive? I'd stick to FileVault 2 on the boot volume to keep things simpler.
I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.
 
Comment

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
I've used FileVault2 on my boot drive and Time Machine drive since day one. I'll eventually migrate my external drives as time goes by. No issues so far.

A.
 
Comment

Bear

macrumors G3
Jul 23, 2002
8,089
4
Sol III - Terra
I don't think you can. Honestly, I don't have a reason to encrypt my boot drive. Maybe I should just because I can, but I personally have nothing on my boot drive worth encrypting.
Passwords to email accounts? IM Accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft possibly? Your address book?

There's more on one's computer than most people realize.
 
Comment

grapes911

Moderator emeritus
Jul 28, 2003
6,995
3
Citizens Bank Park
Passwords to email accounts? IM Accounts? Passwords to web sites? Copies of tax returns?
Possibly enough information for someone to (help) do an identity theft possibly? Your address book?

There's more on one's computer than most people realize.
Nope, nope, and nope.

  • I have some junk email accounts, but the only two that have anything of value are encrypted exchange servers that require tokens to access and I do not store mail locally.
  • No instant messenger.
  • I never save passwords to websites.
  • Tax Returns are stored on encrypted external drives and only accessed via a LiveCD.
  • Address book is stored on an encrypted exchange server that requires a token to access.

I'm very security conscious, yet still haven't had a need to use FV. I'm sure it works fine. I just haven't had a need.
 
Comment

talmy

macrumors 601
Oct 26, 2009
4,709
267
Oregon
I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk. Among the encrypted DMG, 1Password, and KeyChain everything I want to protect is encrypted.
 
Comment

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk.
I can understand not wanting to use beta software for encryption but as I stated in my post, Lion has been out for a while now and no real reports of issues with FV2.

I take this approach, using encrypted DMGs but I find that unless you are very disciplined slowly your sensitive files will make their way into the documents folder and not in the encrypted folder.
 
Comment

Bear

macrumors G3
Jul 23, 2002
8,089
4
Sol III - Terra
I've taken a different approach -- encrypted DMG files (which behave like drives). I tried FileVault2 back with a Lion Developer's Preview and decided against the overhead and potential risk.
FileVault 2 (unlike the original FileVault) has very little overhead. So unless you're running your system at the edge, it shouldn't matter.

I take this approach, using encrypted DMGs but I find that unless you are very disciplined slowly your sensitive files will make their way into the documents folder and not in the encrypted folder.
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.
 
Comment

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.
Agreed, that your information is still exposed though the usefulness of that data may not be as great as your tax returns or bank statement (at least to most of the thieves).

I'm going to use FV2 because
1. It is seamless
2. It protects the entire volume
3. It has a good track record at this time.

The downsides of FV2 are performance, not accessing the volume outside of OSX.

I'll probably turn it on later today and let it run all day/night. I've spent the last few days cleaning up my boot drive freeing up space. My only issue is that I have a dual boot system and I frequently access my data from my Lion partition.
 
Comment

RoelJuun

macrumors 6502
Aug 31, 2010
427
168
Netherlands
Had encryption enabled on my iMac using FV but after a clean install I didn't bother to activate it again. All passwords and administration files are stored in an encrypted dmg-file.
 
Comment

talmy

macrumors 601
Oct 26, 2009
4,709
267
Oregon
And passwords for encrypted DMGs can wind up on the keychain as well, which would of course negate the security you get by using encrypted DMGs. And I suspect using encrypted DMGs would have the same or more of a performance impact than FileVault 2 does.
If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.

Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.
 
Comment

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
I've spent the last few days cleaning up my boot drive freeing up space.
FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.

If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.

A.
 
Comment

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
FileVault is going to read and rewrite every block on the disk, whether you have data there or not. Empty or full, it's going to take a long time.
I know, I expect it to take all day and even into the night. That's why I was cleaning up, removing unwanted or unnecessary files.

If you intend to use FileVault on new external volumes, you can format them as encrypted using Disk Utility - which only takes a minute or two. Unfortunately, this does not work for boot volumes.
Nope, I don't use external volumes. I have a NAS and the format of that is such that I cannot and will not encrypt that, but the data on that is not sensitive.
 
Comment

Bear

macrumors G3
Jul 23, 2002
8,089
4
Sol III - Terra
If you use FileVault2 you are still protected by only a single password, the same situation as encrypted DMGs with password saved in the keychain. The performance impact of encrypted DMGs is less because only sensitive information is encrypted. The operating system, application programs, and non-sensitive data are clear.
...
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.

What we need is to see real performance impact numbers for an encrypted boot volume. And we also need to see performance impacts for encrypted DMGs. One should also probably include mount and dismount times (including user interaction for this to happen).

I feel that for myself, the impact of managing encrypted DMGs is more overhead than the minor performance impact of encrypting the whole disk.

Also I know that any backups I make will have the sensitive data encrypted since I'm backing up the DMG as a file. I really don't know without investigating what happens to backups with FileVault2. I expect the backup volumes would have to be encrypted as well and since I back up to drives connected to a Snow Leopard Server system FileVault2 isn't available there.
Yes, the backup volume would need to be encrypted as well for proper protection. My Time Machine disk is encrypted.
 
Comment

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.
Agreed, my encrypted DMG's password is NOT in the keychain for that very reason.
 
Comment

talmy

macrumors 601
Oct 26, 2009
4,709
267
Oregon
Agreed, my encrypted DMG's password is NOT in the keychain for that very reason.
I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II. So if a thief knows your login they can access the entire disk contents. With the encrypted DMGs with passwords in the Keychain (which is also encrypted) you again get access to everything if the login is known, and if the login is not known the keychain and the DMGs remain encrypted and inaccessible. The only difference is that there is no security for the unencrypted portions of the drive, but I already will grant that.
 
Comment

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,000
9,659
California
My point is that if your system disk is not encrypted and your encrypted DMG password winds up on the keychain, that DMG loses its protection.
I have Keychain set up with a different password than the login password. So even if somebody somehow gets past the login password, they still won't be able to get account passwords etc from Keychain.

I use FV2 with EFI password protected and a separate keychain password.
 
Comment

maflynn

Moderator
Original poster
Staff member
May 3, 2009
65,930
32,280
Boston
I don't see the point. When you log in all the disk becomes effectively unencrypted with FileVault II.
I'm not sure I understand your question.

The issue is that if someone stole my laptop then they would not be able to log into my laptop because FV2 has encrypted it. They won't have access to keychain and other objects, or am I misunderstanding your post?

As for my encrypted dmg, it only gets mounted if I enter the correct password, which is not stored in the keychain.
 
Comment
