Zit Seng's Blog

Securing Your Mac With FileVault

The Mac has had built-in full disk encryption since the launch of Mac OS X 10.7 Lion in July 2011. The feature is called FileVault. With full disk encryption, if by some misfortune your Mac gets stolen or falls into the wrong hands, the data contained in it remains safe and cannot be decrypted by anyone without your password.

The current incarnation of FileVault is also known as FileVault 2, because it’s Apple’s second attempt at encrypting data in your Mac. The original FileVault, which Apple refers to as Legacy FileVault, had a number of shortcomings, both in usage limitations and more importantly the security of the encryption. The second generation FileVault resolves most of the problems with the original FileVault. For clarity, this article is about the new FileVault.

In principle, FileVault encrypts the entire contents of your hard disk, or flash storage as is more commonly the case nowadays. When you power up your Mac, you will need to enter your account password to unlock the encrypted storage. Mac OS X doesn’t begin booting until after you have unlocked the storage. If someone steals your Mac, there is no way to get access to your data without your password or a recovery method. Booting into recovery, or accessing the Mac via Target Disk Mode, or removing the hard disk or flash storage and reattaching it to another computer will not work, because the data is encrypted.

Turning on FileVault is really simple. Just go to System Preferences, select Security & Privacy, then under the FileVault tab, turn on FileVault.

You will be asked about recovery options, which are alternative methods to unlock your disk in case you forget your account password. You can either allow your iCloud account to recover access to your disk, or use a recovery key that is generated by FileVault. The recovery key is a string comprising 6 groups of 4 alphanumeric characters. I prefer to use the recovery key method, since there is no reliance on a cloud service. However, since the recovery key isn’t something you can easily remember, you’ll have to record it somewhere, and then make sure that it doesn’t get lost.

If you forget your account password, and also lose your recovery methods, then your encrypted disk is as good as lost. There is no other way to decrypt the disk.

When you first turn on FileVault, your Mac will need to reboot. Thereafter, your disk encryption will commence in the background. It may take some time, but you can use your Mac at the same time.

If you should change your mind, you can also easily turn off FileVault at the same panel. Turning off FileVault also requires a reboot, and then the decryption happens in the background. It is relatively risk-free to try out FileVault.

Some people, like me for example, had hesitated about turning on FileVault because of performance overheads. FileVault involves extra steps of encryption and decryption whenever you write and read data. Just how bad is the performance penalty?

Well, I’ve finally gotten around to running some benchmarks. This is for a late-2013 model 13-inch Retina MacBook Pro with 256GB flash storage. I have two of these notebooks. Oddly enough I get quite different benchmark results between the two of them, but the difference between FileVault on and off in each of them is quite acceptable.

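| Test | RMBP #1, FileVault OFF | RMBP #1, FileVault ON | RMBP #2, FileVault OFF | RMBP #2, FileVault ON |
|---|---|---|---|---|
| Blackmagic Disk Speed Test: Write (MB/s) | 672 | 663 | 273 | 275 |
| Blackmagic Disk Speed Test: Read (MB/s) | 726 | 719 | 615 | 614 |
| Bonnie++: Write (MB/s) | 691 | 627 | 376 | 370 |
| Bonnie++: Rewrite (MB/s) | 403 | 309 | 186 | 152 |
| Bonnie++: Read (MB/s) | 756 | 768 | 548 | 468 |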

This is not an extensive or really thorough benchmark test. I just wanted some quick results, and the above table does show that FileVault doesn’t cripple your Mac. There are indeed some strange numbers, which do suggest that the tests should be rerun several more times to get more data points. I’m more surprised that the two Retina MacBook Pros have rather different performance, particularly in writes, even though they are of identical make, differing only in the amount of RAM. The Bonnie++ tests were run with cache purged each step of the way, so the results are not impacted by the effect of caching.

The main reason why FileVault should not be too much of a burden for modern Macs is that the core of the work, which involves AES encryption and decryption, can be directly handled by the AES instruction set on the processor. Hence, AES operations can be performed very efficiently.

Internally, FileVault encrypts data using a volume master key. The volume master key itself is stored encrypted on another part of the physical disk. The decrypted volume master key can be derived using the user account password, or recovery options that have been configured. Once the volume master key has been obtained, FileVault can begin to read and write the encrypted storage. To help keep your sanity, FileVault syncs the password used at pre-boot for deriving the volume master key to the same account password in your Mac. (Things may be a little different when your Mac is configured to login with a directory account.)
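A simplified model of this key hierarchy, as an added example that is not from the original post and is not FileVault's actual implementation: the primitives (PBKDF2 plus an HMAC-based wrap), the function names and the hyphen separator in the recovery key are assumptions chosen so it runs on the Python standard library alone. It shows why either secret unlocks the same volume master key, why a password change only re-wraps that key, and why losing both secrets leaves it unrecoverable.

```python
import hashlib, hmac, secrets, string

# Toy model of the key hierarchy; stand-in primitives, not FileVault's own.
ALPHABET = string.ascii_uppercase + string.digits

def new_recovery_key():
    # 6 groups of 4 alphanumerics, as in the post (hyphen separator assumed).
    return "-".join("".join(secrets.choice(ALPHABET) for _ in range(4))
                    for _ in range(6))

def _keys(secret, salt):
    # Derive a key-encryption key from the secret, then split into enc/mac keys.
    kek = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def wrap(vmk, secret):
    # Encrypt the 32-byte volume master key under a secret-derived key.
    salt = secrets.token_bytes(16)
    enc, mac = _keys(secret, salt)
    blob = bytes(a ^ b for a, b in zip(vmk, enc))
    return salt, blob, hmac.new(mac, blob, hashlib.sha256).digest()

def unwrap(slot, secret):
    # Return the volume master key, or None if the secret is wrong.
    salt, blob, tag = slot
    enc, mac = _keys(secret, salt)
    if not hmac.compare_digest(tag, hmac.new(mac, blob, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob, enc))

def create_volume(password):
    # One random master key, stored only in wrapped form: one slot per secret.
    vmk, recovery = secrets.token_bytes(32), new_recovery_key()
    return vmk, recovery, {"password": wrap(vmk, password),
                           "recovery": wrap(vmk, recovery)}

def unlock(slots, secret):
    # Try every slot; any valid secret yields the same master key.
    keys = (unwrap(s, secret) for s in slots.values())
    return next((k for k in keys if k is not None), None)

def change_password(slots, old, new):
    # Only the password slot is re-wrapped; disk data is never re-encrypted.
    vmk = unwrap(slots["password"], old)
    if vmk is None:
        raise ValueError("wrong password")
    slots["password"] = wrap(vmk, new)
```

Calling `create_volume()` with a password returns the master key, a generated recovery key and the wrapped slots; `unlock()` returns `None` for any secret that matches no slot.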

To an end-user, once FileVault has been activated, the full disk encryption is largely transparent. There are few visible differences. The most obvious difference is in how you boot up the Mac. Without FileVault, the Mac boots the operating system first, before presenting you with the login screen. With FileVault, the Mac shows you a pre-boot login screen very early, before booting up the operating system. Once the operating system has booted up, you are automatically logged into the account used during pre-boot.

The pre-boot login screen looks almost identical to the normal login screen. The most telltale sign of the presence of FileVault is whether the OS boot-up progress bar shows before or after the login screen.

As a side effect, Guest accounts work differently on a FileVault enabled system. When FileVault is enabled, logging into a guest account requires a reboot, then starting up in a severely restricted environment that only runs Safari. Guest mode does not have access to any system wide configuration such as wireless passwords.

FileVault adds a really good deal of security to a Mac. If you need to send in your Mac to AppleCare for repairs, FileVault will ensure that the technicians cannot read your personal data. You also need to consider the risk of computer theft and having your personal data fall into the wrong hands. With the speed of today’s flash storage and the power of modern processors with built-in AES instructions, it seems there is little reason to not want to use FileVault.

PS: If you’re interested, here’s a security analysis of FileVault: Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption
