With all the discussion about encryption and security, I asked Mac consultant (and MILO member), Matthew Bookspan, to write the following Guest Post, which I hope my readers enjoy and find helpful:
Whole Disk Encryption & OS X Lion
First, this is an exciting feature of OS X Lion for business users. I have opined about this feature before in a previous post. However, let’s state the facts: whole disk encryption assures business users that their data is more secure than in previous releases of the operating system.
Second, let’s get an understanding of what whole disk encryption means for everyone. Security always sounds great, although the term carries a lot of uncertainty. We’ll use the definition from Wikipedia:
Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage. The term “full disk encryption” (or whole disk encryption) is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions.
Setting up whole disk encryption (FileVault 2) in OS X Lion
Originally, we had planned to write a “how-to.” However, Apple has done a better job in articulating the setup steps in this knowledge base article. Further, in the Ars Technica review of OS X Lion, there is another great example of how to enable this feature.
Instead, we are going to focus on how you will use whole disk encryption in your daily tasks.
Before we articulate the usage, there is a key item missing from Apple’s article: time to set up. Yes, it takes time (a lot of it) to enable this feature within OS X Lion.
Let’s articulate the time in detail:
- Initial setup (not migrating from FileVault v1): about 10-15 minutes
- Encryption time: on a brand-new install of OS X Lion, with no additional applications installed, it took just over two hours to enable whole disk encryption on a three-year-old iMac. This time could increase or decrease depending on your system.
Using FileVault 2: Performance impacts
Once you have FileVault 2 enabled, you will not notice any performance changes. Whether it is real or a matter of perception, your files feel like they open just as fast. Your apps launch without any additional delay. Your backups via Time Machine work the same, etc.
Upon system boot, you will be prompted to log in, as you must authenticate with your username and password, even if you had not previously required a login at startup.
Using FileVault 2: Security Benefits
By enabling whole disk encryption, you are adding a new level of security to your Mac. All of your data is now secured using XTS-AES 128 encryption. To translate from technical gobbledygook - this is pretty darn secure.
Utilizing whole disk encryption via FileVault 2 will ensure that if your computer is lost or stolen, your data will not be retrievable without your password or key. For those with sensitive client data (or business data), utilizing this feature is fundamental to your business security.
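To make the “XTS-AES 128” claim concrete, here is an added example that is not from the original post, is not Apple’s code, and does not reproduce FileVault 2’s internals: a minimal XTS-AES-128 sector encryptor in Go built on the standard library’s AES. It demonstrates the two properties that matter for a lost or stolen machine: a sector encrypted under one key is not retrievable under any other key (which is exactly why the password and key matter so much), and the per-sector tweak makes identical content look different in every sector. The key, sector contents and sector numbers are constructed for the demo, and ciphertext stealing for sectors that are not a multiple of 16 bytes is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// XTSAES128 holds the two AES-128 ciphers XTS needs: one for data, one for the sector tweak.
type XTSAES128 struct {
	data, tweak cipher.Block
}

// NewXTSAES128 splits a 256-bit key into the two 128-bit AES keys that XTS-AES-128 uses.
func NewXTSAES128(key [32]byte) *XTSAES128 {
	k1, _ := aes.NewCipher(key[:16]) // a 16-byte key is never rejected, so errors are ignored
	k2, _ := aes.NewCipher(key[16:])
	return &XTSAES128{data: k1, tweak: k2}
}

// MulAlpha multiplies the tweak by x in GF(2^128), IEEE P1619 style: little-endian bytes,
// reduction polynomial x^128 + x^7 + x^2 + x + 1 (the 0x87 fed back on overflow).
func MulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// process applies the XTS transform to one sector: each 16-byte block is XORed with the
// running tweak before and after AES, and the tweak advances per block (whole blocks only).
func (x *XTSAES128) process(in []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a positive multiple of %d", len(in), aes.BlockSize)
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // the sector number is the tweak input
	x.tweak.Encrypt(t[:], t[:])                  // T = AES_K2(sector)
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		blk := out[off : off+aes.BlockSize]
		for i := range blk {
			blk[i] = in[off+i] ^ t[i]
		}
		if encrypt {
			x.data.Encrypt(blk, blk)
		} else {
			x.data.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= t[i]
		}
		MulAlpha(&t)
	}
	return out, nil
}

func (x *XTSAES128) EncryptSector(pt []byte, s uint64) ([]byte, error) { return x.process(pt, s, true) }
func (x *XTSAES128) DecryptSector(ct []byte, s uint64) ([]byte, error) { return x.process(ct, s, false) }

// DemoKey is a constructed key for this demo only; a real disk encryptor unwraps the
// volume key with the user's password or the recovery key instead.
func DemoKey() [32]byte {
	var k [32]byte
	copy(k[:], "constructed-demo-key-32-bytes!!!")
	return k
}

// DemoSector is a constructed 512-byte sector of repeated "client data" (16 x 32 bytes).
func DemoSector() []byte { return bytes.Repeat([]byte("CLIENT RECORD #0042 ACME LLC   \n"), 16) }

// Recoverable reports whether a sector encrypted under encKey decrypts to the original
// under decKey. With any other key the bytes are still on disk but not retrievable as data.
func Recoverable(encKey, decKey [32]byte, pt []byte, sector uint64) bool {
	ct, _ := NewXTSAES128(encKey).EncryptSector(pt, sector)
	got, err := NewXTSAES128(decKey).DecryptSector(ct, sector)
	return err == nil && bytes.Equal(got, pt)
}

// SectorsDiffer shows the tweak at work: the same plaintext stored in two sectors yields
// different ciphertext, so repeated content cannot be spotted on the encrypted disk.
func SectorsDiffer(key [32]byte, pt []byte) bool {
	c0, _ := NewXTSAES128(key).EncryptSector(pt, 0)
	c1, _ := NewXTSAES128(key).EncryptSector(pt, 1)
	return !bytes.Equal(c0, c1)
}

func main() {
	key, pt := DemoKey(), DemoSector()
	wrong := key
	wrong[31] ^= 0x01 // one flipped key bit is enough to lose everything
	fmt.Println("right key:", Recoverable(key, key, pt, 42), "wrong key:", Recoverable(key, wrong, pt, 42))
	fmt.Println("same data differs by sector:", SectorsDiffer(key, pt))
}
```

Run it as-is and the first line prints true for the right key and false for a key that differs in a single bit. The tweak is also why decrypting a sector with the right key but the wrong sector number fails: the sector address is part of the cipher input, which is what stops an attacker from moving or copying encrypted sectors around to learn anything about their contents.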
We didn’t spend any time talking about migrating from FileVault v1 to v2 because that is handled in Apple’s Support article mentioned above. Nevertheless, the significant security and performance improvements provided with this whole disk encryption feature are essentially a complete win-win for business users.
If there are any gotchas, there are two:
- DO NOT LOSE YOUR SECURITY KEY.
- DO NOT FORGET YOUR PASSWORD.
Sorry for the yelling, although we wanted to make sure that you received the message loud and clear.
Of course, if you want to learn more about FileVault 2/whole disk encryption and security, please don’t hesitate to reach out to us here at Blacktip.
About the Author: Matthew Bookspan is the Chief Shark at Blacktip IT Services, an Apple Consulting firm based in Orlando, FL. He’s written this post to help us learn more about OS X Lion Security and has not received compensation for it.
(Note: This article was updated on July 27, 2011, after its original publication on July 25, 2011.)