Using encryption and password protection where you can is typically a good idea, and macOS provides you with a number of ways to implement it. Best of all, no additional software is required to encrypt files on your Mac, it's all built-in to the operating system that we know and love. Due in large.
FileVault is a disk encryption program in Mac OS X 10.3 and later. It performs on-the-fly encryption with volumes on Maccomputers.
Versions and key features[edit]
FileVault was introduced with Mac OS X Panther (10.3),[1] and could only be applied to a user's home directory, not the startup volume. The operating system uses an encrypted sparse disk image (a large single file) to present a volume for the home directory. Mac OS X Leopard and Mac OS X Snow Leopard use more modern sparse bundle disk images[2] which spread the data over 8 MB files (called bands) within a bundle. Apple refers to this original iteration of FileVault as legacy FileVault.[3]
Mac OS X Lion and newer offer FileVault 2,[3] which is a significant redesign. This encrypts the entire OS X startup volume and typically includes the home directory, abandoning the disk image approach. For this approach to disk encryption, authorised users' information is loaded from a separate non-encrypted boot volume[4] (partition/slice type Apple_Boot).
FileVault[edit]
The original version of FileVault was added in Mac OS X Panther to encrypt a user's home directory.
Master passwords and recovery keys[edit]
When FileVault is enabled the system invites the user to create a master password for the computer. If a user password is forgotten, the master password or recovery key may be used to decrypt the files instead.
Migration[edit]
Migration of FileVault home directories is subject to two limitations:[5]
If Migration Assistant has already been used or if there are user accounts on the target:
If transferring FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format.
Manual encryption[edit]
Instead of using FileVault to encrypt a user's home directory, using Disk Utility a user can create an encrypted disk image themselves and store any subset of their home directory in there (for example, ~/Documents/private). This encrypted image behaves similar to a Filevault encrypted home directory, but is under the user's maintenance.
Encrypting only a part of a user's home directory might be problematic when applications need access to the encrypted files, which will not be available until the user mounts the encrypted image. This can be mitigated to a certain extent by making symbolic links for these specific files.
Limitations and issues[edit]Backups[edit]
Without Mac OS X Server, Time Machine will back up a FileVault home directory only while the user is logged out. In such cases, Time Machine is limited to backing up the home directory in its entirety. Using Mac OS X Server as a Time Machine destination, backups of FileVault home directories occur while users are logged in.
Because FileVault restricts the ways in which other users' processes can access the user's content, some third party backup solutions can back up the contents of a user's FileVault home directory only if other parts of the computer (including other users' home directories) are excluded.[6][7]
Mac File Level EncryptionIssues[edit]
Several shortcomings were identified in Legacy FileVault. Its security can be broken by cracking either 1024-bit RSA or 3DES-EDE.
Legacy FileVault used the CBC mode of operation (see disk encryption theory); FileVault 2 uses stronger XTS-AESW mode. Another issue is storage of keys in the macOS 'safe sleep' mode.[8] A study published in 2008 found data remanence in dynamic random-access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than be left in a 'sleep' state, when not in physical control by the owner.[9]
Early versions of FileVault automatically stored the user's passphrase in the system keychain, requiring the user to notice and manually disable this security hole.
In 2006, following a talk at the 23rd Chaos Communication Congress titled Unlocking FileVault: An Analysis of Apple's Encrypted Disk Storage System, Jacob Appelbaum & Ralf-Philipp Weinmann released VileFault which decrypts encrypted Mac OS X disk image files.[10]
A free space wipe using Disk Utility left a large portion of previously deleted file remnants intact. Similarly, FileVault compact operations only wiped small parts of previously deleted data.[11]
FileVault 2[edit]Security[edit]
FileVault uses the user's login password as the encryption pass phrase. It uses the AES-XTS mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by NIST.[12][13] Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.[3]
Performance[edit]
The I/O performance penalty for using FileVault 2 was found to be in the order of around 3% when using CPUs with the AES instruction set, such as the Intel Core i and MacOS 10.10.3.[14] Performance deterioration will be larger for CPUs without this instruction set, such as older Core CPUs.
Master passwords and recovery keys[edit]
Broadcom 802.11 n wireless sdio adapter driver windows 10. When FileVault 2 is enabled while the system is running, the system creates and displays a recovery key for the computer, and optionally offers the user to store the key with Apple. The 120 bit recovery key is encoded with all letters and numbers 1 through 9, and read from /dev/random, and therefore relies on the security of the PRNG used in macOS. During a cryptanalysis in 2012, this mechanism was found safe.[15]
Changing the recovery key is not possible without re-encrypting the File Vault volume.[3]
Validation[edit]
Users who use FileVault 2 in OS X 10.9 and above can validate their key correctly works after encryption by running sudo fdesetup validaterecovery in Terminal after encryption has finished. The key must be in form xxxx-xxxx-xxxx-xxxx-xxxx-xxxx and will return true if correct.[16]
Starting the OS with FileVault 2 without a user account[edit]
If a volume to be used for startup is erased and encrypted before clean installation of OS X 10.7.4 or 10.8:
Apple describes this type of approach as Disk Password—based DEK.[12]
See also[edit]References[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=FileVault&oldid=916768414'
To protect your files from hackers and thieves, Macs offer excellent encryption features built-in. You can encrypt your entire hard drive, encrypt an external drive, or just create an encrypted container for your most important files.
File Encryption Tools Mac Os
It’s a better situation than Windows 10, where full disk encryption is only offered on some PCs, and partial encryption depends on third party tools. Mac users don’t need to think about it: if you have a Mac, you have access to powerful encryption.
![]() Encrypt Your Entire System Drive
RELATED:What Is Encryption, and How Does It Work?
The FileVault feature allows you to encrypt your Mac’s entire hard disk. When you enable FileVault, your files are stored on your hard drive in an encrypted, seemingly scrambled format. Someone who gains access to your Mac, removes your hard drive, and attempts to view your files won’t be able to see anything without your encryption key. (Without FileVault enabled, anyone with physical access to your Mac could remove its hard drive and view your files, because they’re stored in an unencrypted form.)
You can choose which user accounts have the ability to unlock your disk. When you turn on your Mac, you’ll have to sign in with one of those user accounts before your drive is unlocked. Your drive will be locked again when you shut down your Mac.
To enable FileVault, click the Apple icon on the menu at the top of your screen, select System Preferences, and click the Security & Privacy icon. Click the “Turn On FileVault” option to enable and configure FileVault.
By default, FileVault will ask you for your Apple ID. This allows you to regain access to the drive if you forget the username and password for the local account on your Mac. If you’d rather not tie your encryption to a (potentially hackable) online account, that’s not a problem: you can opt for a recovery key instead. Keep this key somewhere safe, because it’s the only way you can recover your files should you lose access to the local accounts on your Mac with permission to decrypt the drive.
Once you’re done configuring FileVault, your Mac will begin encrypting your drive in the background. This can take days, so consider keeping your Mac awake overnight.
Encrypt Removable Devices
With macOS you can also encrypt entire external drives. The contents of the drive will be encrypted with a passphrase you choose, and no one will be able to access them without that passphrase. It functions like BitLocker To Go on Enterprise editions of Windows, but it’s available to all Mac users.
To encrypt a drive, simply open the Finder and connect the drive to your Mac. Ctrl+click or right-click the drive in the Finder sidebar and select the Encrypt option.
The disk will be encrypted once you enter your password of choice—be sure to use a secure one! You may have to wait several minutes for the contents of your disk to be encrypted, depending on the size of your drive and its speed.
Don’t lose your password! If you do, you won’t be able to access any files on the encrypted drive.
Encrypt Specific Files With a Disk Image
RELATED:How to Create an Encrypted Disk Image to Securely Store Sensitive Files on a Mac
You can encrypt individual files by creating an encrypted file container, or disk image. Whenever you want to work with your encrypted files just mount the disk image and enter your password. The files will be available to use and any files you save to the disk image will be encrypted. When you unmount the disk image, the files will be locked and no one will be able to access them unless they have your encryption password.
This is a simple method for encrypting files. You don’t have to encrypt any entire devices; you just have to use a single container file. Better yet, the encrypted disk image you create can be synchronized online using a service like Dropbox or Google Drive. You’ll have an online copy and can synchronize it between your computers, but no one will be able to access your files without your encryption key. You won’t have to worry about your sensitive data being compromised if you use a secure password.
Follow our guide to creating and using an encrypted disk image for more information. Remember, if you lose your password, you won’t be able to mount your disk image and access the files inside!
Other encryption utilities like the venerable VeraCrypt will also work on a Mac, but you don’t need them as badly as you do on a Windows PC. The above encryption tools are integrated into macOS.
Photo credit: Tanyapatch/Shutterstock.com
![]()
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |