With all the discussion about encryption and security, I asked Mac consultant (and MILO member), Matthew Bookspan, to write the following Guest Post, which I hope my readers enjoy and find helpful:
Whole Disk Encryption & OS X Lion
First, this is an exciting feature of OS X Lion for business users. I have opined about this feature before in a previous post. However, let’s state the facts: whole disk encryption assures business users that their data is more secure than in previous releases of the operating system.
Second, let’s get an understanding of what whole disk encryption means for everyone. Security always sounds great, although it has lots of uncertainty. We’ll use the definition from Wikipedia:
Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage. The term “full disk encryption” (or whole disk encryption) is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions.
Setting up whole disk encryption (FileVault 2) in OS X Lion
Originally, we had planned to write a “how-to.” However, Apple has done a better job in articulating the setup steps in this knowledge base article. Further, in the Ars Technica review of OS X Lion, there is another great example of how to enable this feature.
Instead, we are going to focus on how you will use whole disk encryption in your daily tasks.
Before we articulate the usage, there is a key missing item from Apple’s article: time to set up. Yes, it takes time (a lot of it) to enable this feature within OS X Lion.
Let’s articulate the time in detail:
- Initial setup (not migrating from FileVault v1): about 10-15 minutes
- Encryption time: on a brand-new install of OS X Lion, with no additional applications installed, it took just over two hours to enable whole disk encryption on a three-year-old iMac. This time could decrease or increase based upon your system.
Using FileVault 2: Performance impacts
Once you have FileVault 2 enabled, you will not notice any performance changes. Whether it is real or a matter of perception, your files feel like they open just as fast. Your apps launch without any additional delay. Your backups via Time Machine work the same, etc.
Upon system boot, you will be prompted to log in: you must authenticate with your username and password, even if you previously did not enable this authentication.
Using FileVault 2: Security Benefits
By enabling whole disk encryption, you are adding a new level of security to your Mac. All of your data is now secured using XTS-AES 128 encryption. To translate from technical gobbledygook – this is pretty darn secure.
Utilizing whole disk encryption via FileVault 2 will ensure that if your computer is lost or stolen, your data will not be retrievable. For those with sensitive client data (or business data), utilizing this feature is fundamental to your business security.
Summary
We didn’t spend any time talking about migrating from FileVault v1 to v2 because that is handled in Apple’s Support article mentioned above. Nevertheless, the significant security and performance improvements provided with this whole disk encryption feature are essentially a complete win-win for business users.
If there are any gotchas – there are two:
- DO NOT LOSE YOUR SECURITY KEY.
- DO NOT FORGET YOUR PASSWORD.
Sorry for the yelling, although we wanted to make sure that you received the message loud and clear. 🙂
Of course, if you want to learn more about FileVault 2/whole disk encryption and security, please don’t hesitate to reach out to us here at Blacktip.
About the Author: Matthew Bookspan is the Chief Shark at Blacktip IT Services, an Apple Consulting firm based in Orlando, FL. He’s written this post to help us learn more about OS X Lion Security and has not received compensation for it.
(Note: This article was updated on July 27, 2011, after its original publication on July 25, 2011.)
I installed FV2 before migrating any user accounts on my new MBA and I think it took 30-40 minutes! I am thrilled to have this feature!
Before migrating a FV1 user I need to be sure to turn it off on the old MBA, as otherwise I cannot use FV2 on the new MBA (i.e. it will retain FV1 encryption but not FV2). I have yet to do that but it should be easy following Apple’s suggestions.
Do you know how much space is required to turn FV2 on? With FV1 you needed 2 times the data when initially turning it on. I once did it with less and it froze and wouldn’t allow me to boot the computer, which required reinstalling from my cloned backup. I am careful to have at least 2 times the capacity of current data, but wondered if you know.
Are you absolutely sure turning on FileVault 2’s full disk encryption will encrypt your data before sending it up to Dropbox’s servers?
If so, that should mean that your files are inaccessible via the web interface and inaccessible through the iOS apps, since they are not FileVault 2 enabled.
Strictly, AES-128 is more secure than AES-256. The best known attack on full AES-256 has a complexity of 2^99.5. There are no public attacks on full AES-128 that are faster than brute force (2^128), and even if one is found, it will affect AES-256 as well.
Forgot to add something. Even with an attack that only takes 2^99.5 time, we’re still talking trillions of trillions of years (not a typo). An attack that makes AES-256 a hundred billion times easier to break is still far beyond the realm of feasibility and will likely remain so for the foreseeable future.
Actually, this seems to confirm that FileVault 2 does nothing to improve Dropbox security: http://jonathanjaffe.wordpress.com/2011/07/25/mac-filevault-does-not-increase-dropbox-security/