Full Disk Encryption

Discussion in 'Mac OS X Lion (10.7)' started by FluJunkie, Jul 20, 2011.

  1. FluJunkie macrumors 6502a

    Joined:
    Jul 17, 2007
    #1
    A question on the new FileVault full-disk encryption:

    I've currently got a Mac Pro, which boots off an SSD, and whose applications are stored there. The rest of my data is stored on a Western Digital hard drive, and I redirected the Home directory to do this automatically for my account using the Advanced Options in the Accounts preference pane.

    I've also got a dedicated Bootcamp hard drive, and a secondary backup hard drive which is simply a clone of the Western Digital data drive.

    What, precisely, will the new FileVault system be encrypting?
     
  2. gnagy macrumors regular

    Joined:
    Sep 7, 2009
    #2
    I'm curious about this one as well. I don't know the answer.
     
  3. mrapplegate macrumors 68030

    Joined:
    Feb 26, 2011
    Location:
    Cincinnati, OH
    #3
    With FileVault 2, your data is safe and secure — even if it falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease. Want to start fresh or give your Mac to someone else? FileVault 2 makes it easy to clean data off your Mac. Instant wipe removes the encryption key from your Mac — making the data completely inaccessible — then proceeds with a thorough wipe of all data from the disk.

    http://www.apple.com/macosx/what-is/security.html
     
  4. gnagy macrumors regular

    Joined:
    Sep 7, 2009
    #4
    After playing with it, I think I can answer your questions.

    If you turn on FileVault, it will encrypt your boot/root drive only. In your case, that would be the SSD. The other hard drives will not be touched.

    If you wish to encrypt the other hard drives, the in-place encryption won't work as far as I can tell. You will have to copy the data somewhere else, reformat the drive as an encrypted volume using "Disk Utility", and then copy the data back on it.

    I could be wrong, but this is the only way I was able to get it working.
     
  5. gnagy macrumors regular

    Joined:
    Sep 7, 2009
    #5
    @mrapplegate

    I found that little blurb as well a bit earlier, but I'm not sure on how to do this part: "It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease."

    I mean I found a way to do it, but I wouldn't describe my method as "with ease".
     
  6. gnagy macrumors regular

    Joined:
    Sep 7, 2009
    #6
  7. FluJunkie thread starter macrumors 6502a

    Joined:
    Jul 17, 2007
    #7
    I actually appreciate spamming the thread when it means the question gets answered :)

    So it looks like FileVault won't do that automatically, and would just encrypt the boot volume, but the capacity to use the same system to encrypt a second data drive exists using the same system.

    Neat. Doesn't really matter for this machine, but if I pick up a new laptop, she's going to need encrypting.
     
  8. mrapplegate macrumors 68030

    Joined:
    Feb 26, 2011
    Location:
    Cincinnati, OH
    #8
    Sorry, I missed your reply in the sea of Lion mess.
    I'm not sure. I wrote my reply in the middle of the night. It looks like the page that was linked to just describes how to encrypt via the terminal. I'm not sure how to get the GUI to do so. I have not tried to encrypt an external drive, but will in the future.
    Until then you can play around with the man page for diskutil, especially reading about corestorage, which is filevault2.
     
  9. basher macrumors 6502
    Joined:
    May 27, 2011
    Location:
    Glendale, AZ USA
    #9
  10. chiefpavvy macrumors 6502a

    Joined:
    Feb 23, 2008
    #10
    Yes of course there will ALWAYS be a performance hit using full-disk encryption. Fortunately, with the latest Intel chips (having accelerated AES functions in hardware) and the raw speed of today's drives this really isn't much of an issue. In the olden days there was a pretty good hit, but not so much today.

    I'm really liking the new FileVault 2 so far. I wish they'd have gone with AES-256, but I understand the compromise between security and performance and I think they chose a good medium.
     
  11. JamesM macrumors regular

    Joined:
    Jan 27, 2007
    #11
    Just tried to encrypt a USB flash drive using Core Storage but it returned the following. Was thinking this would've been quite handy.

    Error converting disk to CoreStorage: The given file system is not supported on Core Storage (-69756)
     
  12. mrapplegate macrumors 68030

    Joined:
    Feb 26, 2011
    Location:
    Cincinnati, OH
    #12
    You would think that would have worked. How was it partitioned?
     
  13. JamesM macrumors regular

    Joined:
    Jan 27, 2007
    #13
    32GB drive in 2 partitions. I've just switched it back to 1 partition and it's working now.
     
  14. basher macrumors 6502
    Joined:
    May 27, 2011
    Location:
    Glendale, AZ USA
    #14
    Interesting. I was getting strange errors with a FW data drive that had 2 partitions and encryption. When I would boot up I would get a prompt for the password of the encrypted partition. When I typed it in it would tell me it was wrong. I even saved it in the keychain and it had issues.

    And to top it off even though it didn't take my password it still gave me full access to the encrypted drive. I finally gave up on getting the drive encrypted.

    I'm thinking I might wait a while to see what other issues pop up and how they might be addressed by Apple.
     
  15. escogido macrumors member

    Joined:
    Jun 10, 2011
    #15
    Can somebody tell me how long it takes to encrypt? I started the process, it asked to restart. Restarted to a white blank screen with the usual circle with dashes spinning, and it's been like that for 5 hours now. I don't want to force shut it down in fear I will corrupt the files, but at the same time I don't know if this is normal? It's a 500gig drive with 350gigs taken up. I thought it was supposed to "encrypt in the background unobtrusively while you're able to continue working"?
     
  16. JamesM macrumors regular

    Joined:
    Jan 27, 2007
    #16
    It should reboot as normal and the encryption runs in the background so you can still use the machine.
     
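To check whether a CoreStorage volume like the ones discussed above is actually encrypted and has finished converting, here is an added shell example (not code from anyone in this thread) that parses `diskutil cs list`-style text. The listing and UUIDs are constructed, and the field names it keys on are assumed to match diskutil's output format.

```shell
# Added example, not from the thread: summarise the encryption state of each
# CoreStorage volume group from `diskutil cs list` text. Pipe real listing text
# into cs_summary / cs_all_secure. SAMPLE_LISTING is a constructed, abbreviated
# listing with made-up UUIDs; the field names are assumed to match diskutil.
SAMPLE_LISTING='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    Name:         Macintosh HD
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Fully Secure:            Yes
        +-> Logical Volume 00000000-0000-0000-0000-000000000003
            Conversion Progress:   -none-
+-- Logical Volume Group 00000000-0000-0000-0000-000000000004
    Name:         Backup
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000005
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        +-> Logical Volume 00000000-0000-0000-0000-000000000006
            Conversion Progress:   37%'

# One line per volume group: name|encryption status|conversion status|fully secure|progress
cs_summary() {
  awk -F': *' '
    function flush() { if (name != "") printf "%s|%s|%s|%s|%s\n", name, enc, conv, secure, prog }
    /^ *Name:/              { flush(); name = $2; enc = conv = secure = prog = "?" }
    /Encryption Status:/    { enc = $2 }
    /Conversion Status:/    { conv = $2 }
    /Fully Secure:/         { secure = $2 }
    /Conversion Progress:/  { prog = $2 }
    END                     { flush() }'
}

# Succeeds only if every group has finished converting and reports Fully Secure,
# i.e. no cleartext extents are left behind on the physical volume.
cs_all_secure() {
  cs_summary | awk -F'|' '$3 != "Complete" || $4 != "Yes" { bad = 1 } END { exit bad }'
}

printf '%s\n' "$SAMPLE_LISTING" | cs_summary
if printf '%s\n' "$SAMPLE_LISTING" | cs_all_secure; then
  echo "all volumes fully encrypted"
else
  echo "WARNING: at least one volume is still converting or not fully secure"
fi
```

On a real Mac, `diskutil cs list | cs_summary` gives the same report for the attached disks; a volume that is still converting is exactly the state escogido is waiting out above.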
  17. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #17
    A question on FDE:

    If you give someone the password to a guest account, will they then have access to all users' files, or are each user's files encrypted and protected from each other?
     
  18. JamesM macrumors regular

    Joined:
    Jan 27, 2007
    #18
    Users' home directories are restricted via permissions; a guest account will have limited access, so it won't be able to change these.
     
  19. glitch44 macrumors 65816

    Joined:
    Feb 28, 2006
    #19
    But isn't that less secure than each user account having their own encryption key? Would it be possible to escalate permissions within OS X, or is that impossible?
     
  20. exscape macrumors member

    Joined:
    Jul 29, 2008
    #20
    It's always theoretically possible to escalate permissions, but exploits like that are rare (and fixed in security updates or OS X point releases when discovered).

    On the other hand, it is impossible to create a guest account with its own encryption key, unless either the OS (applications and libraries) is unencrypted, OR each account has its own OS install encrypted with that key. Needless to say neither of these are viable, so trusting permissions will have to do.

    I should mention that I don't really have a source for the above, but I'm pretty darn sure about it all.
     
  21. gnagy macrumors regular

    Joined:
    Sep 7, 2009
    #21
    When you turn on full disk encryption, guest accounts are completely disabled, and from what I see you cannot enable them.
     
  22. Graph101 macrumors newbie

    Joined:
    Jun 29, 2010
    #22
    Time Machine backups

    Are Time Machine backups encrypted too if FileVault is activated?

    If I don't have access to my MacBook, will I be able to grab photos from Time Machine using a PC? Or any Mac?
     
  23. exscape macrumors member

    Joined:
    Jul 29, 2008
    #23
    Not by default, no, but AFAIK it is certainly possible to make it happen if you encrypt the external disk manually.

    PC: no.
    Any mac I can't quite answer, but by default, also no. It may be possible, but I wouldn't bet on it.

    EDIT: Oh, I misread the second question; I thought you meant from an encrypted disk.
    Yes, you will be able to fetch it from time machine using any Mac UNLESS you've also encrypted your backup... BUT if you use an encrypted disk with an UNencrypted backup, you're clearly still very vulnerable! Anyone with access to the backup disk can still access all your files, so you probably want to encrypt that as well.
     
  24. Graph101 macrumors newbie

    Joined:
    Jun 29, 2010
    #24
    I basically have 2 time machine backups. Maybe one is chronosync.

    I back up and then store to a safe place. I would want that backup hard drive to be accessible by a PC even if FileVault 2 was used on the MacBook it came from.

    I don't really understand how FileVault 2 works when files are taken out of the MacBook.
     
  25. exscape macrumors member

    Joined:
    Jul 29, 2008
    #25
    Non-Macs can't normally access any Mac-formatted disks, which includes Time Machine backup disks. There are however drivers for this (for at least Windows - MacDrive, and Linux) which should make it work.

    The only problem should be security - since the backup disk can't be encrypted (or it will certainly never work in a Windows computer), you'd have to deal with the risk that if a thief steals your backup disk, he has full access to your data.

    If that's acceptable (perhaps you want to protect the computer while travelling, with the time machine disk is safe(r) at home), it should work just fine.
     