
FluJunkie

macrumors 6502a
Original poster
Jul 17, 2007
618
1
A question on the new FileVault full-disk encryption:

I've currently got a Mac Pro, which boots off an SSD, and whose applications are stored there. The rest of my data is stored on a Western Digital hard drive, and I redirected the Home directory to do this automatically for my account using the Advanced Options in the Accounts preference pane.

I've also got a dedicated Bootcamp hard drive, and a secondary backup hard drive which is simply a clone of the Western Digital data drive.

What, precisely, will the new FileVault system be encrypting?
 

FluJunkie said:
A question on the new FileVault full-disk encryption:

I've currently got a Mac Pro, which boots off an SSD, and whose applications are stored there. The rest of my data is stored on a Western Digital hard drive, and I redirected the Home directory to do this automatically for my account using the Advanced Options in the Accounts preference pane.

I've also got a dedicated Bootcamp hard drive, and a secondary backup hard drive which is simply a clone of the Western Digital data drive.

What, precisely, will the new FileVault system be encrypting?

With FileVault 2, your data is safe and secure — even if it falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AESW 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease. Want to start fresh or give your Mac to someone else? FileVault 2 makes it easy to clean data off your Mac. Instant wipe removes the encryption key from your Mac — making the data completely inaccessible — then proceeds with a thorough wipe of all data from the disk.

http://www.apple.com/macosx/what-is/security.html
 
After playing with it, I think I can answer your questions.

If you turn on FileVault, it will encrypt your boot/root drive only. In your case, that would be the SSD. The other hard drives will not be touched.

If you wish to encrypt the other hard drives, the in-place encryption won't work as far as I can tell. You will have to copy the data somewhere else, reformat the drive as an encrypted volume using "Disk Utility", and then copy the data back onto it.

I could be wrong, but this is the only way I was able to get it working.
 
@mrapplegate

I found that little blurb as well a bit earlier, but I'm not sure on how to do this part: "It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease."

I mean I found a way to do it, but I wouldn't describe my method as "with ease".
 
I actually appreciate spamming the thread when it means the question gets answered :)

So it looks like FileVault won't do that automatically, and would just encrypt the boot volume, but the capacity to use the same system to encrypt a second data drive exists using the same system.

Neat. Doesn't really matter for this machine, but if I pick up a new laptop, she's going to need encrypting.
 
@mrapplegate

I found that little blurb as well a bit earlier, but I'm not sure on how to do this part: "It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease."

I mean I found a way to do it, but I wouldn't describe my method as "with ease".

Sorry, I missed your reply in the sea of Lion mess.
I'm not sure. I wrote my reply in the middle of the night. It looks like the page that was linked to just describes how to encrypt via the terminal. I'm not sure how to get the GUI to do so. I have not tried to encrypt an external drive, but will in the future.
Until then you can play around with the man page for diskutil, especially reading about corestorage, which is FileVault 2.
 
Yes of course there will ALWAYS be a performance hit using full-disk encryption. Fortunately, with the latest Intel chips (having accelerated AES functions in hardware) and the raw speed of today's drives this really isn't much of an issue. In the olden days there was a pretty good hit, but not so much today.

I'm really liking the new FileVault 2 so far. I wish they'd gone with AES-256, but I understand the compromise between security and performance and I think they chose a good medium.
 
Just tried to encrypt a USB flash drive using Core Storage but it returned the following. Was thinking this would've been quite handy.

Error converting disk to CoreStorage: The given file system is not supported on Core Storage (-69756)
 
Just tried to encrypt a USB flash drive using Core Storage but it returned the following. Was thinking this would've been quite handy.

Error converting disk to CoreStorage: The given file system is not supported on Core Storage (-69756)

You would think that would have worked. How was it partitioned?
 
32GB drive in 2 partitions. I've just switched it back to 1 partition and it's working now.

Interesting. I was getting strange errors with a FW data drive that had 2 partitions and encryption. When I would boot up I would get a prompt for the password of the encrypted partition. When I typed it in it would tell me it was wrong. I even saved it in the keychain and it had issues.

And to top it off even though it didn't take my password it still gave me full access to the encrypted drive. I finally gave up on getting the drive encrypted.

I'm thinking I might wait a while to see what other issues pop up and how they might be addressed by Apple.
 
Can somebody tell me how long it takes to encrypt? I started the process, it asked to restart. Restarted to a white blank screen with the usual circle with dashes spinning, it's been like that for 5 hours now. I don't want to force shut it down in fear I will corrupt the files, at the same time I don't know if this is normal? It's a 500gig drive with 350gigs taken up. I thought it was supposed to "encrypt in the background unobtrusively while you're able to continue working"?
 
Can somebody tell me how long it takes to encrypt? I started the process, it asked to restart. Restarted to a white blank screen with the usual circle with dashes spinning, it's been like that for 5 hours now. I don't want to force shut it down in fear I will corrupt the files, at the same time I don't know if this is normal? It's a 500gig drive with 350gigs taken up. I thought it was supposed to "encrypt in the background unobtrusively while you're able to continue working"?

It should reboot as normal and the encryption runs in the background so you can still use the machine.
 
A question on FDE:

If you give someone the password to a guest account, will they then have access to all users' files, or are each user's files encrypted and protected from each other?
 
A question on FDE:

If you give someone the password to a guest account, will they then have access to all users' files, or are each user's files encrypted and protected from each other?

Users' home directories are restricted via permissions, a guest account will have limited access so won't be able to change these.
 
Users' home directories are restricted via permissions, a guest account will have limited access so won't be able to change these.

But isn't that less secure than each user account having their own encryption key? Would it be possible to escalate permissions within OS X, or is that impossible?
 
But isn't that less secure than each user account having their own encryption key? Would it be possible to escalate permissions within OS X, or is that impossible?

It's always theoretically possible to escalate permissions, but exploits like that are rare (and fixed in security updates or OS X point releases when discovered).

On the other hand, it is impossible to create a guest account with its own encryption key, unless either the OS (applications and libraries) is unencrypted, OR each account has its own OS install encrypted with that key. Needless to say neither of these are viable, so trusting permissions will have to do.

I should mention that I don't really have a source for the above, but I'm pretty darn sure about it all.
 
A question on FDE:

If you give someone the password to a guest account, will they then have access to all users' files, or are each user's files encrypted and protected from each other?

When you turn on full disk encryption guest accounts are completely disabled, and from what I see you can not enable it.
 
time machine backups

Are Time Machine backups encrypted too if FileVault is activated?

If I don't have access to my MacBook, will I be able to grab photos from Time Machine using a PC? Or any Mac?
 
Are Time Machine backups encrypted too if FileVault is activated?

Not by default, no, but AFAIK it is certainly possible to make it happen if you encrypt the external disk manually.

If I don't have access to my MacBook, will I be able to grab photos from Time Machine using a PC? Or any Mac?

PC: no.
Any Mac I can't quite answer, but by default, also no. It may be possible, but I wouldn't bet on it.

EDIT: Oh, I misread the second question; I thought you meant from an encrypted disk.
Yes, you will be able to fetch it from time machine using any Mac UNLESS you've also encrypted your backup... BUT if you use an encrypted disk with an UNencrypted backup, you're clearly still very vulnerable! Anyone with access to the backup disk can still access all your files, so you probably want to encrypt that as well.
 
I basically have 2 Time Machine backups. Maybe one is ChronoSync.

I back up and then store to a safe place. I would want that backup hard drive to be accessible by a PC even if FileVault 2 was used on the MacBook it came from.

I don't really understand how FileVault 2 works when files are taken out of the MacBook.

 
I basically have 2 Time Machine backups. Maybe one is ChronoSync.

I back up and then store to a safe place. I would want that backup hard drive to be accessible by a PC even if FileVault 2 was used on the MacBook it came from.

I don't really understand how FileVault 2 works when files are taken out of the MacBook.

Non-Macs can't normally access any Mac-formatted disks, which includes Time Machine backup disks. There are however drivers for this (for at least Windows - MacDrive, and Linux) which should make it work.

The only problem should be security - since the backup disk can't be encrypted (or it will certainly never work in a Windows computer), you'd have to deal with the risk that if a thief steals your backup disk, he has full access to your data.

If that's acceptable (perhaps you want to protect the computer while travelling, while the Time Machine disk is safe(r) at home), it should work just fine.
 