Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Any more info on Lion's full disk encryption

RafaelT

RafaelT

macrumors 65816
Original poster
Jun 9, 2010
1,169
15
NM
Just wondering if anyone could share some details about full disk encryption on lion. How does it work with time machine? Is logging out quick?

My only experience with anything encryption wise is FileVault, needles to say that has not been a great experience. Any info would be appreciated!
 
I'd like to know too, but given the lack of responses I guess we'll have to wait a few more weeks for July...
 
RafaelT said:
Just wondering if anyone could share some details about full disk encryption on lion. How does it work with time machine? Is logging out quick?

My only experience with anything encryption wise is FileVault, needles to say that has not been a great experience. Any info would be appreciated!
Click to expand...

It works as well as PGP. No delay logging out. SL filevault was useless, I
have been using Lion's without problems for a few weeks.

s
 
RafaelT said:
Just wondering if anyone could share some details about full disk encryption on lion. How does it work with time machine? Is logging out quick?

My only experience with anything encryption wise is FileVault, needles to say that has not been a great experience. Any info would be appreciated!
Click to expand...

Well, it's not technically "full disk encryption" as really it only encrypts your root partition so far as I can tell. I have a small second partition for downloads and it was untouched.

The process is that once you click the button, it converts said root partition to a Core Storage volume with encryption. This requires a reboot. After rebooting the encryption process starts. You can continue working, even rebooting more if needed, and it'll continue going on in the background until it's done.

Once it's done, you don't really even notice it's there unless you look for it. It's entirely transparent to applications and, being simply an application, it has no problem with time machine. You can tell the system to encrypt the TM backups, but this involves erasing them and starting over. The "convert in place" mechanism so far only applies to the root partition. One can convert a partition to Core Storage manually, but I haven't figured out how to enable encryption manually.

Enabling File Vault also enables a few other security measures. For instance, automatic login is essentially disabled (out of necessity, the concept is incompatible with having the disk encrypted). In fact, you get a "fake" login window that looks more or less exactly like the regular one immediately on boot so as to be able to unlock the disk. Enter your info there and it'll skip the "real" login window though; it's clever like that. It also enables the requirement for a password after sleep or the screensaver comes on. This can be disabled if you like.

It's worth noting that FileVault (the original) was basically a hack based on encrypted disk images. This was the cause for all of its quirks and incompatibilities. FileVault 2 actually encrypts the blocks directly on disk using AES-XTS so there's no extra layer of crap in between; only a decryption process.
 
CyBeRino said:
The process is that once you click the button, it converts said root partition to a Core Storage volume with encryption.
Click to expand...
So it's just an on/off interface like Filevault 1? With options for Time Machine?
That seems a little disappointing, I was hoping it would present all of your volumes, and let you choose which one(s) to encrypt and then enter passwords for each.

I don't suppose you know if this works with software RAID volumes? I'm hoping so as there shouldn't be a reason not to, especially if it's implemented like a new file-system (that just wraps the encrypted, actual file-system).
 
If you go to Lion Features and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.
 
CyBeRino said:
Well, it's not technically "full disk encryption" as really it only encrypts your root partition so far as I can tell. I have a small second partition for downloads and it was untouched......
Click to expand...

Thank you, your post definitely answered some of my questions. I appreciate the detailed reply!
 
Bear said:
If you go to Lion Features and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.
Click to expand...

Yes, thanks for this pointer.

Some information on this page seems to be directly in conflict with some of the other posts in this thread - which will typically happen as a vendor puts its best foot forward in the marketing materials...

Also, are external drives portable, or are the locked to the original Mac?

Can I make a software RAID array out of encrypted disks?


...and so on and so forth.
 
smithrh said:
Also, are external drives portable, or are the locked to the original Mac?
Click to expand...
I think they should be portable, but you'll need Lion and the password used for encryption in order to access them. If you encrypt your startup disk then I assume the encryption key will be protected by a user password.

smithrh said:
Can I make a software RAID array out of encrypted disks?
Click to expand...
I'm hoping the opposite is true, and you can encrypt a RAID volume, which I think would make more sense.

Chances are this is implemented with a dummy file-system that wraps the actual file-system used by the encrypted volume. At least I hope so, otherwise it might not work with RAID volumes at all.
 
haravikk said:
So it's just an on/off interface like Filevault 1? With options for Time Machine?
That seems a little disappointing, I was hoping it would present all of your volumes, and let you choose which one(s) to encrypt and then enter passwords for each.
Click to expand...

Yes, it's on/off, at least right now.

It is perfectly possible to encrypt other drives, but at least at this point in time that involves reformatting them with encryption. Only the filevault interface appears, currently, to be able to encrypt a partition in-place, and it'll only do that on your startup partition.

I haven't actually tried yet, but from what I can gather at this point, encrypted disks should be readable by Lion only. I do expect a future update to 10.6 to add support for encrypted drives, though. They are definitely portable; it'll simply ask for the password when you try to mount it.


I don't suppose you know if this works with software RAID volumes? I'm hoping so as there shouldn't be a reason not to, especially if it's implemented like a new file-system (that just wraps the encrypted, actual file-system).
Click to expand...

No idea, sorry.
 
Bear said:
If you go to Lion Features and go to the FileVault 2 section, you will get answers to some (but not all) of your questions. It will encrypt disks other than the system volume if you want it to. It even says so on that web page.
Click to expand...

Only way to do this seems to be to format the other volume as encrypted. You will have to copy off then back on any data. The root volume can be encrypted in place.

s
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back