Apple’s first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user’s home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.
FileVault 2 offers full-disk encryption (FDE). When enabled, the entire contents of the startup drive are encrypted. When your computer is powered off, the drive’s data is fully unrecoverable without a password. It also lets you use Find My Mac to remotely wipe your drive in a matter of seconds if you’re concerned about whose hands your computer has fallen into. You can enable FileVault 2 on an existing Mac, but starting with 10.10 Yosemite, OS X now encourages turning on FileVault 2 during setup of a laptop.
This has made some law-enforcement officials unhappy, who seemingly don’t want your data to be protected this strongly, so they can get access in the unlikely event that they need it. Relatively few people engage in criminal activities, and of them, even fewer ever have their computers seized and examined. It’s a good sign as to how well FileVault 2 works that officials are so morose about it.
FileVault 2 takes advantage of the ever-improving processor speed and features in Macs to perform on-the-fly encryption and decryption. Every chunk of data read from and written to disk, whether of the spinning variety or SSD, has to go through this process. Macs introduced starting in 2010 and 2011, and every model since, can use encryption circuitry in the processor, boosting performance.
FileVault 2 works hand in hand with OS X Recovery, a special disk partition that lets you run Disk Utility from the same drive you may be having trouble with, restore or install OS X via the Internet, restore a Time Machine backup, or browse with Safari. With FileVault 2 enabled, your computer boots into the Recovery volume, prompting you to log in with any account that’s been allowed to start up the computer.
On a system without FileVault 2 already in place, you need to turn it on, which converts your startup drive from its unencrypted state to fully encrypted. This comes with a few big flashing red warnings and pieces of advice before you proceed. (You can encrypt secondary and external drives by Control-clicking a drive’s icon and selecting Encrypt “Drive Name,” but it doesn’t tie in with login: you set a password for the drive, and have to enter it to mount it.)
Warning 1! During the setup, OS X creates a Recovery Key for your drive. As with Apple’s two-step verification for Apple ID accounts, this Recovery Key is critical to retain. Without it, if you lose or forget the account password to all FileVault 2–enabled accounts, your drive is permanently inaccessible. Keep a copy of the Recovery Key, probably printed out, for emergencies.
Warning 2! Once you start the conversion, there’s no stopping it. It has to complete, and it consumes CPU resources like mad, slowing down your machine and likely firing up the fan to high speed. Your computer also has to remain plugged in. The operation takes many hours. A friend’s niece accidentally accepted the option to enable FileVault 2 when upgrading to Yosemite a few evenings ago, and had her machine—needed for a computer-science class the next morning—slow to a crawl.
Apple provides step-by-step details in a Knowledge Base note, so I won’t repeat all of that, but will highlight the critical parts.
Only accounts enabled with FileVault 2 can unlock the volume at boot time after a cold start (when shut down) or restart. For accounts you don’t opt to enable, restarting or starting up will require that an account with permission logs in, then logs out. If you’re helping set up FileVault 2 for a novice user who trusts you, you may ask them to create an account for you that would let you log in if they can’t.
Accounts that use an iCloud password for login do provide a way out if you forget or lose an account password, but they also pose a security risk if someone obtains your iCloud account information. (During a Yosemite upgrade, you can choose this explicitly when enabling FileVault 2 by checking a box that reads “Allow my iCloud account to unlock my disk.” Oddly, Apple has no information about this option on its support site.)
The option to store your Recovery Key on Apple’s servers is secure, in that Apple apparently can only unlock the key given information you provide, exactly as it’s typed, including capitalization. It doesn’t retain enough information to unlock it independently. However, it does put the key in the hands of a party other than yourself, making it possible under the right circumstances for a government agency or ne’er-do-wells to legally or socially engineer access to your recovery key.
Once the conversion is complete, the startup drive is fully protected within the limits of exposure I note above.
What’s even niftier is that with Find My Mac enabled on the computer, you have a sort of secret weapon. Find My Mac works when the computer is booted and connected to a network. You can play a sound, lock the computer, locate it (if Wi-Fi networks or other cues to location are nearby), and erase it. Because FileVault 2 relies on a stored encryption key, erasing the drive wipes that key, rendering the drive unrecoverable, even by you.
But the extra-secret secret weapon is Guest mode. When a user logs in as a guest and connects to a network, or the Mac automatically connects to a known network, Find My Mac continues to work. Thus, if someone finds your computer, any message you send with the Lock option can appear, even if it was online before they log in as a guest. But so too can an Erase request make its way through silently.
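The key arrangement behind the points above (any enabled account or the Recovery Key unlocks the drive, and erasing the stored key makes the data unrecoverable) can be modeled in a few lines. This is an added example, not Apple's code or on-disk format: it is a simplified model that uses a toy hash-based cipher from Python's standard library in place of XTS-AES, and every name in it (make_volume, unlock, remote_erase, the key-slot layout) is an assumption made for illustration.

```python
import hashlib, hmac, secrets

# Simplified model of a wrapped-volume-key design; NOT Apple's implementation.
# A toy SHA-256 keystream plus HMAC stands in for a real cipher such as XTS-AES.

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC using two subkeys derived from `key`."""
    enc, mac = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if `key` is wrong or the blob was altered."""
    enc, mac = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def _kek(secret, salt):
    # Key-encryption key stretched from an account password or the recovery key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)

def make_volume(data, unlock_secrets):
    """Encrypt `data` under a random volume key; wrap that key once per secret."""
    volume_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    slots = [seal(_kek(s, salt), volume_key) for s in unlock_secrets]
    return {"salt": salt, "slots": slots, "disk": seal(volume_key, data)}

def unlock(volume, secret):
    """Try `secret` against every key slot; return the data, or None."""
    kek = _kek(secret, volume["salt"])
    for slot in volume["slots"]:
        volume_key = unseal(kek, slot)
        if volume_key is not None:
            return unseal(volume_key, volume["disk"])
    return None

def remote_erase(volume):
    """Destroy only the wrapped keys; the ciphertext remains but is now useless."""
    volume["slots"].clear()
```

In this model the bulk data is never re-encrypted or overwritten: unlocking is a matter of unwrapping one small key, and erasing is a matter of discarding the wrapped copies, which is why losing every password and the Recovery Key has the same effect as an erase.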
FileVault 2 can make nations quake, apparently, but it’s just a bit of good information hygiene, letting you make choices about the degree of vulnerability you want to tolerate for your locally stored data and any software or stored passwords for services in your accounts. With it off, you’re not risking everything, but with it on, you have a high degree of assurance about who can access what.
OS X 10.7 Lion brought many changes to Apple’s desktop operating system. Some of these changes were met with dismay by longtime Mac users, but most Apple customers were excited to see at least one new feature: Apple’s implementation of FileVault 2.
Although sharing the same name, FileVault 2 is an entirely different scheme than its predecessor. Instead of just encrypting the user’s home folder, FileVault 2 employs a technique called “whole disk encryption” (or “full disk encryption”) which, as you can undoubtedly guess from its name, encrypts the entire Mac system volume.
This change brings several improvements over Legacy FileVault. First, as we’ve already mentioned, FileVault 2 encrypts the entire Mac system drive. This solves the issue with the original FileVault whereby hackers or thieves could access any data on the drive that wasn’t inside the user’s encrypted home folder. Second, FileVault 2 utilizes a stronger form of encryption, called XTS-AES 128.
When the Mac is shut down, the entire drive is encrypted and protected; when an authorized user boots the Mac and logs in with the correct password, the entire drive is unlocked. This helps prevent issues like software incompatibility because the whole drive is unlocked when in use, and installed apps generally don’t even know the drive is encrypted at all. However, this also means that your Mac is more vulnerable when booted. Even with the best whole disk encryption, a thief or hacker who gains access to your Mac while it’s booted and logged in will be able to see all of the drive’s data. Only when the Mac is completely shut down is the data on its drive locked up.
As you can probably surmise, booting an encrypted drive (FileVault 2) is a bit more complex than booting a non-encrypted drive that merely contains some encrypted files (Legacy FileVault). In order to accomplish this feat, Apple uses another key OS X feature that was introduced in OS X 10.7 Lion: the Recovery Partition. Once FileVault is enabled and the Mac system drive is encrypted, the Mac will seamlessly boot first to the OS X Recovery Partition in order to give the user the opportunity to enter their password and unlock the main encrypted volume. To the user, this process presents itself with a simple login prompt. The only clue that something different from a normal boot process is happening is the presence of the gray background that accompanies pre-OS EFI tasks on modern Macs.
And that’s truly the “magic” of FileVault 2. Apple’s implementation, with few exceptions, protects user data with a process that is transparent to the end user. Excluding the initial setup, users with FileVault 2 enabled need only to enter their account password when booting their Mac. Practically all other aspects of using OS X are the same as with a non-encrypted drive.
Despite the improvements offered by FileVault 2, it’s still far from perfect, and there are many issues for users to consider. First, and most importantly, you’ll need to remember your user account password or recovery key (a replacement for Legacy FileVault’s Master Password, which we’ll discuss further below). This is absolutely essential; without one of these items, you’ll be unable to decrypt your drive, and your data (plus the data from any other user accounts) will be permanently trapped inside the encrypted volume. As a backup for this scenario, you can choose to store a copy of your recovery key on Apple’s servers when you enable FileVault. This is generally a safe option, but those with critical business or personal data on their Macs may not want to take the risk. If you do decide to store a backup copy of your recovery key with Apple, you’ll need to set three security questions. Note that you must submit the exact same answers to these questions if you ever need to retrieve the key from Apple, so make sure to pick questions with unambiguous answers.
Another issue to consider is performance. Because the Mac will have to encrypt and decrypt data as the user calls for it, there will be a slight performance hit when it comes to reading and writing data. The magnitude of this performance hit will depend on your Mac. Users with older Macs and slower processors will feel it more, but those with newer Macs may hardly notice a difference thanks to a combination of faster processors, faster drives, and hardware encryption capabilities built into newer Intel CPUs.
FileVault 2 also cannot be used with every Mac and every drive configuration. In general, FileVault 2 can only be enabled on a single system drive containing only the OS X and Recovery partitions. Users report problems when enabling FileVault on drives with additional partitions, and FileVault can’t be used at all on RAID volumes. Further, FileVault protects only the system drive. If you have a Mac with multiple internal or external hard drives, the data on those drives won’t be encrypted by FileVault, something that may be an important consideration for power users (although there are ways to manually encrypt additional drives in OS X).
If these FileVault drawbacks are outweighed by its benefits, then FileVault whole disk encryption may be right for you and your Mac. While we’ve touched on many of the steps necessary to enable FileVault, straightforward instructions on the process are listed below.