Is there any reason NOT to use Filevault 2 in Lion?

Discussion in 'MacBook Air' started by Spacemarine, Aug 15, 2011.

  1. Spacemarine macrumors newbie

    Joined:
    Aug 2, 2011
    #1
    A few weeks ago, I got my new MBA, 11", 2GB Ram, 64 GB Toshiba SSD.

    I've just measured the difference in SSD speed between the unencrypted and the encrypted system. Due to the encryption, my SSD gets about 20% slower. (180 MB/s vs. 220 MB/s)

    Since the new Intel Core i processors support AES-NI, the CPU usage during encryption is negligible. (The TrueCrypt benchmark shows over 800 MB/s of AES in RAM)

    This means: All the benefits of encryption come pretty much for free.
    Now just imagine you lose your MBA or it gets stolen. The thief can read all of your emails, look at all your pictures on your MBA. He can also put your emails and pictures onto the web together with your full name. Maybe he can also log into your Facebook account and write messages to your friends under your name. Does this sound like something you would like?

    So my question is: Why is not everyone using encryption? What reasons do you have to keep it turned off?
     
  2. KPOM macrumors G5

    Joined:
    Oct 23, 2010
    #2
    I encrypted mine but one reason not to would be if you are sharing the drive/partition with another OS (e.g. OS X 10.6 or Windows 7) that does not support encryption. Boot Camp adds drivers to Windows to let it read HFS+ partitions, but not encrypted ones.
     
  3. misterneums macrumors 6502

    Joined:
    Nov 2, 2009
    #3
    I hear Time Machine backups from the encrypted take FOREVER
     
  4. X5-452 macrumors 6502

    Joined:
    Feb 16, 2006
    Location:
    Calgary, Canada
    #4
    What's the average speed for a hard disk? I haven't turned it on simply because I remember what a nightmare it was when I enabled it while using Leopard on my '06 MacBook.
     
  5. KPOM macrumors G5

    Joined:
    Oct 23, 2010
    #5
    A decent non-RAID hard disk might put out about 1/3 of the numbers of an encrypted SSD. If you are switching from a HDD model, don't worry about the impact on speed. The SSD will still blow it away.
     
  6. Cynicalone macrumors 68040

    Joined:
    Jul 9, 2008
    Location:
    Okie land
    #6
    How does it change the login?

    Does it add extra steps to the login?

    Would I need to completely redo my backups?

    Would other computers on my home network work with it?


    These and many other questions and worries have kept me from doing it. I need my MacBook Air to just work. Not add an extra layer of protection that creates more work for me down the road.

    FileVault version 1 was a mess, I'm kinda waiting to see what problems version 2 creates.
     
  7. KPOM macrumors G5

    Joined:
    Oct 23, 2010
    #7
    The main difference now is that you have to enter in a password whenever you open the lid. The option to turn off the password or login is disabled (which makes sense)

    If you use Time Machine, it handles it automatically. If you use Carbon Copy Cloner, note that you'd need to encrypt your external drive first. Otherwise, CCC will make an unencrypted clone of your SSD's contents.

    As long as it is on, it should work. I don't have a home network, though.
     
  8. flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #8
    FV2 is very different (vastly superior) than FV1.

    To directly answer your questions:

    Does it add extra steps to the login? It changes the order of things during login. Your login ID comes up almost immediately (right after power on tests)... and once you log in... then the machine boots. You go immediately into your login account.

    Would I need to completely redo my backups? No, I do not believe so. FV2 operates as part of the file system... so the data is encrypted during write and read operations from the drive. TM backups are actually written in unencrypted format. You can still encrypt your backup... or use password protected drives (ex: TC), but that is independent from FV2.

    Would other computers on my home network work with it? Yes... for the same reason identified above. FV2 is part of the file system. Data is presented to the OS unencrypted.

    For me... FV2 is the most important enhancement to OSX 10.7 Lion. I have always felt that my MBA was the weak link in my computing system because it is subject to theft... and because login passwords are trivial to circumvent. The OP laid out a few scenarios (such as someone sending messages to your FB friends)... that grossly understate the security issue. I would be more worried about a full blown identity theft.

    I initially only applied FV2 to my family's 3 MBAs. It worked so well I turned it on for both iMacs as well.

    /Jim
     
  9. Rusty33 macrumors 6502

    Joined:
    Jul 8, 2011
    Location:
    Australia
    #9
    You hear incorrectly...the initial back up ON TO an encrypted drive can take some time, but subsequent backups are quite snappy.
     
  10. flynz4, Aug 15, 2011
    Last edited: Aug 15, 2011

    flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #10
    I have been using TM/TC for a long time. I also use Crashplan+ for cloud backups.

    Prior to Lion, I was NOT encrypting my HDD/SSD. Since Lion, I have been using FV2. I have not noticed any differences in time to backup whatsoever. If there are differences, it is not noticeable to me.

    I back up my machines via TM every hour. I back up to the cloud (Crashplan+) every 15 minutes. My backup set is about 1TB in size.

    /Jim
     
  11. jim468 macrumors regular

    Joined:
    Jun 14, 2009
    #11
    I am not sure if you have bootcamp installed. But does the Lion optional boot-screen (the one which also has the boot from Recovery HD link and wifi option) come before the new login screen or after that?
     
  12. Cynicalone macrumors 68040

    Joined:
    Jul 9, 2008
    Location:
    Okie land
    #12
    Thank you both for the info.

    I really think for the first time I might encrypt my laptop.

    I take my Air on location a lot and sometimes I have to leave it unattended. Encryption would certainly relieve some stress about carrying it everywhere I go.
     
  13. flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #13
    Sorry, I have not installed Bootcamp. The few times I considered it... I always found alternatives.

    Having said that... I do not think that FV2 does anything with the BC partition. You would need to check with a BC user to be sure.

    /Jim
     
  14. KPOM macrumors G5

    Joined:
    Oct 23, 2010
    #14
    If you hold down the option key while you reboot, the first thing that comes up is the menu to choose the OS X or Windows 7 partition. If you select OS X, then the login for the encryption comes up.
     
  15. jim468 macrumors regular

    Joined:
    Jun 14, 2009
    #15
    Thank you both for your replies.

    ----------


    The only reason stopping me from using FV2 is that tools like http://preyproject.com/ may not work. This is because such tools require a user to login for them to work.

    I think once the "find my mac" feature hits public, it may be a good alternative to Prey.
     
  16. Patriot24 macrumors 68030

    Joined:
    Dec 29, 2010
    Location:
    California
    #16
    I was just looking into enabling this today. Great info in this thread. I'll definitely be using FV2 as of tomorrow.

    Can anyone confirm that Prey doesn't work with FV2 enabled?
     
  17. Spacemarine thread starter macrumors newbie

    Joined:
    Aug 2, 2011
    #17
    An important tip to save time and increase security:

    For the encryption you should choose a pretty long password. This password must resist brute-force attacks of billions of passwords per second. (If someone removes your hard drive and tries to decrypt it.)

    In contrast, you should choose a rather short user-password, otherwise you will waste a lot of time, typing your long password just to work on some system settings or to unlock your screen or resume from standby. This password only has to withstand someone sitting in front of your computer and trying various passwords by typing them in. This means it can be considerably weaker and still provide adequate security.

    With Filevault 2, you can achieve these two goals at the same time!
    Here is how I did it:
    I have only one user that is able to decrypt the drive, he is called "decryptor". On startup, I will enter his 30-character password and the system will start and he will be logged in. As soon as he is logged in, I log him out and log in with my real username. This user only has a very short password (6 characters) and is unable to decrypt the system.

    Now I can lock the screen or suspend my Macbook and I only have to enter a very short password when I return. But it is still safe enough when I lose it!

    What happens if a thief starts my Macbook? It will resume from standby and ask for my short user-password, which is still strong enough against someone trying a few thousand passwords on my keyboard. So when he has no luck unlocking my account, all he can do is remove the harddrive and use some specialized software to crack my password. This software could be able to try millions or billions of passwords per second, therefore it could crack my user-password within seconds. But this doesn't help him at all, because now he has to crack my high-security 30-character long password, which is practically impossible.

    One other thing you should also do is to disable deep-sleep, or "suspend-to-disk" as it is often called. (Although this will eat up your battery a little if you leave your Mac suspended for a long time) If you would put your Mac to deep-sleep, the contents of your RAM would get written onto the disk, exposing your decryption key to anyone who removes your disk.

    You can disable deep-sleep by doing: sudo pmset -a hibernatemode 0
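
Added example, not part of the original post and not Apple's own tooling: a shell check for the hibernation setting that post #17 changes with `pmset -a hibernatemode 0`. It reads `pmset -g custom`-style text and reports the mode per power source; the function name `audit_hibernatemode` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hibernatemode per power source from pmset output.
# hibernatemode 0 keeps sleep state in RAM only; non-zero modes (for
# example 3 or 25) write a memory image to the hibernate file on disk.

# Constructed sample shaped like `pmset -g custom` output
# (not captured from a real machine).
SAMPLE_PMSET='Battery Power:
 sleep                10
 hibernatemode        3
 hibernatefile        /var/vm/sleepimage
AC Power:
 sleep                0
 hibernatemode        0
 hibernatefile        /var/vm/sleepimage'

# Reads pmset text on stdin and prints one line per power source:
#   "<source>: hibernatemode=<n> OK" or "... WRITES-RAM-TO-DISK"
# Exit status: 0 = every source is 0
#              1 = at least one source is non-zero
#              2 = no hibernatemode line found at all
audit_hibernatemode() {
    awk '
        # Section header such as "Battery Power:" or "AC Power:"
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); src = $0; next }
        $1 == "hibernatemode" {
            seen = 1
            if ($2 == 0) {
                verdict = "OK"
            } else {
                verdict = "WRITES-RAM-TO-DISK"
                bad = 1
            }
            printf "%s: hibernatemode=%s %s\n", (src == "" ? "current" : src), $2, verdict
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Demo on the constructed sample; the remediation is the command from the post.
printf '%s\n' "$SAMPLE_PMSET" | audit_hibernatemode \
    || echo "remediate with: sudo pmset -a hibernatemode 0"
```

On a Mac, feed it live settings with `pmset -g custom | audit_hibernatemode`; the exit status makes it usable in a login or compliance script.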
     
  18. jim468 macrumors regular

    Joined:
    Jun 14, 2009
    #18
    You don't always need to have a very long password to increase your encryption strength. You can have a shorter password but use special characters/symbols and it should still be OK.

    FYI: http://en.wikipedia.org/wiki/Password_strength
     
  19. Spacemarine thread starter macrumors newbie

    Joined:
    Aug 2, 2011
    #19
    That is absolutely right! I just didn't want to make my post too complicated.

    So as it turns out, it seems that there aren't any real reasons not to use a Full-System-Encryption like Filevault 2. I just wonder how many people actually use it?
     
