FileVault or Vile Fault?

Starting in OS X 10.7 Lion, Apple introduced a new version of FileVault, referred to as FileVault 2.

FileVault 2 is Apple’s answer to a longstanding complaint that Mac users lacked the option of operating securely from a workspace that includes full disk encryption. Previous versions of FileVault, going back to OS X 10.4, worked by encrypting the User directory on a user-by-user basis, which was fine, but did not protect files stored outside of these directories…in the Application or System folders, for example.

This left some potentially problematic security vulnerabilities for individuals and companies that needed the absolute highest level of data protection.

FileVault 2 addressed this issue by encrypting the entire system volume including all Users, Applications and System files. This, of course, also means that FileVault becomes an all-or-nothing proposition for users who share the same computer. If one elects to operate using FileVault 2, all must.

The problem alluded to in the above title for this Tech Tails article becomes evident when some not-so-uncommon issues crop up that are less difficult to deal with on unencrypted disks, but can result in catastrophic losses on FileVaulted volumes if you are not properly prepared.

The first is the loss of an administrative password for a login account. For non-encrypted volumes without a firmware password in place, there are workarounds that allow you to reset a user’s password (although not their keychain!). This usually means they can get access to their files again, but may need to re-enter passwords for email and other accounts.

On a FileVault 2 protected volume this is not an option, and well it should not be. The whole point of a secure volume is that the security should not be easy to circumvent. In order to log in and decrypt the volume, at least one of the user accounts must have a known password. No password? Bye-bye data. All of it. Or maybe not…

Apple realized that people DO forget passwords, so they did leave in one backdoor for exactly this situation; however, you need to know about it to use it. The “backdoor” I refer to is called the Recovery Key. This key is generated at the time FileVault 2 is turned on for a volume. It looks something like this: GTE3-HWEZ-76FG-45WD-WKS4-PX13. Apple encourages you to document this key and store it in a safe place (hint: not in a file on your encrypted volume!).

In fact, this key is so important that they even offer to let you store it with them (Apple) for future use, assuming you can answer the three security questions you provide answers for. If you enter the wrong user login password for a FileVault 2 volume 3 times, you will be asked for the Recovery Key. To access this Recovery Key from Apple at a later date, you will need to call AppleCare, provide your computer’s serial number AND answer the three questions you provided answers for when first encrypting the FileVault 2 volume.

That’s not so bad…assuming you keep track of your Recovery Key. Right? Well, there is another situation we run into pretty often in the Service Department, and that is the case where a drive is suffering from bad physical sectors or corruption to the partition structure. For unencrypted drives, we can sometimes work around these flaws and recover most of the data on a drive. However, depending on where this damage occurs on a FileVault 2 protected drive, it may prevent the volume from being mounted and decrypted at all. And because the data stored on the disk is all encrypted, we cannot pick and choose just the good stuff.

This potential shortcoming should give folks pause, but it is not necessarily a reason not to use FileVault 2, if your situation demands it. What it does underscore is the need to have a good Time Machine backup. And Time Machine backups, as we all know, can be stored either encrypted or NOT encrypted…even if they are made from a FileVault 2 protected volume.

So the moral of the story is that FileVault 2 is a powerful tool. Think carefully about what its use means, and the implications for your data should something go wrong. Document your Recovery Key, and consider storing a copy with Apple. And certainly, without exception, make sure you have a Time Machine backup of your drive stored somewhere securely, just in case.
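
The checklist above can be turned into a quick readiness check. This is an added example, not part of the original article: the function name fv_gaps, the gap labels and the sample strings are constructed for illustration, and it assumes a macOS release that ships the fdesetup and tmutil command-line tools.

```shell
#!/bin/bash
# Added example: report which of the article's safety nets are missing.
# fv_gaps and its gap labels are hypothetical names, not Apple's.

# fv_gaps FV_STATUS HAS_KEY TM_INFO
#   FV_STATUS - output of `fdesetup status`
#   HAS_KEY   - output of `fdesetup haspersonalrecoverykey`
#   TM_INFO   - output of `tmutil destinationinfo`
# Prints one line per gap; prints nothing when every safety net is present.
fv_gaps() {
    fv_status=$1 has_key=$2 tm_info=$3

    case $fv_status in
        *"FileVault is On"*) ;;
        *)  # Unencrypted volume: the lock-out scenarios do not apply.
            echo "filevault-off"
            return 0 ;;
    esac

    # Without a Recovery Key, a forgotten login password means lost data.
    [ "$has_key" = "true" ] || echo "no-recovery-key"

    # Without a backup, disk damage can leave the whole volume unreadable.
    # Each configured Time Machine destination is listed with a Name line.
    printf '%s\n' "$tm_info" | grep -q '^Name' || echo "no-backup-destination"
}

# Constructed sample of `tmutil destinationinfo` output, used off-Mac.
SAMPLE_TM='Name          : Backup
Kind          : Local
Mount Point   : /Volumes/Backup'

if command -v fdesetup >/dev/null 2>&1 && command -v tmutil >/dev/null 2>&1
then
    # Live check; run with sudo if fdesetup reports that it needs root.
    fv_gaps "$(fdesetup status 2>&1)" \
            "$(fdesetup haspersonalrecoverykey 2>&1)" \
            "$(tmutil destinationinfo 2>&1)"
else
    # Offline demonstration on constructed input: encrypted, backed up,
    # but no Recovery Key on record.
    fv_gaps 'FileVault is On.' 'false' "$SAMPLE_TM"
fi
```

A configured destination does not prove a recent backup exists, and a Recovery Key on the volume does not prove you still have a copy of it; confirm both by hand.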

(Editor’s note: to reiterate one of Jeremy’s points, FileVault encryption is very secure. If you lose access to your data for one of the reasons he describes, the chances of recovery are basically zero. If you have only a few files you need to secure, you can create an encrypted sparse disk image in Disk Utility and keep sensitive files there. Be careful; there is no backdoor savior in this scenario!!)
