I’ve been using FileVault to encrypt the drive on my travel machine for a while now, but I’ve only recently enabled it on my everyday machine. I rarely take it anywhere, but since I bought a nice new tiny laptop that will change. (I’ll discuss the mechanics of enabling it another time.)

Mostly this hasn’t made any difference in how I use my laptop, but here and there I run into something. (If you don’t already have your Mac configured to require a password, FileVault will enable that. Many people do, and many corporate IT policies require it.)

I had to take the new machine in for repair this week, and as part of the routine intake process they ask for the login and password. Uh, no. That’s pretty normal for me, I usually wipe a machine before I hand it over but I didn’t have time. Now if the service issue were software, this obviously wouldn’t work. But so far I’ve not needed to take something in overnight for anything other than broken hardware.

I dutifully inform them the encrypted state of the drive, and they will get back to me if there is a problem. But what exactly does that mean for them? FileVault 2 is full-disk encryption (unlike the original FileVault) so when you start up the machine you immediately get a login screen. If you don’t log in, it won’t even finish booting. After replacing my logic board, the repair tech will have to attach another bootable volume, use the Option key on startup to select where to boot from, and test it that way.

When I travel, I always shut down the machine before I pack it away. Not only does that mean it can’t accidentally wake up in transit (risking your hard drive if you have the old spinning kind, or your battery either way) but if anybody steals it there is no chance someone is getting into my hard drive. Now if they had my password-protected laptop and it were only sleeping, technically it would be “easier” to gain access. But by that I mean if a skilled and determined attacker were interested, there might be weaknesses in the OS or other things that could be compromised to allow unauthorized access. Might. If you are being tracked by a government agency and your laptop gets taken off in a black helicopter, perhaps you have some concern. The sketchy dude who lifted your MacBook Air from Starbucks? Unlikely.

Now one thing Sketchy Dude is likely to do is open it up to see if it works. If your laptop is able to connect to a wireless network and you have some kind of location tracking program enabled, then you might be able to find out where Sketchy Dude is. That wouldn’t happen if the machine were shut down. (It also wouldn’t happen if he wipes the drive before connecting it to a network, which thieves who know anything about computers will do.)

I haven’t enabled Find My Mac because if someone has taken off with my laptop, I’m not counting on getting it back. (It’s fully backed up, after all.) It also means it’s not constantly reporting its location, and there’s one less source of information about me to exist in somebody’s giant database. (I do use it on my phone, as that’s a different story.)

So enabling disk encryption hasn’t changed anything for me, but that might not be the same for someone else. If you really hate entering a password, you aren’t going to like FileVault.

Update:

Well, I did find one thing: Safe Boot doesn’t work with FileVault (see the link in the comments.) When I was having migration problems, the Apple tech recommended I restart with Safe Boot but I couldn’t. Unfortunately she also didn’t know that was on purpose. (Fortunately, for FV2 anyway, the migration issue didn’t seem to be related to encryption.)

Resources:
Complete guide to FileVault 2 in Lion

Rich Trouton’s blog posts about FileVault 2 (for hardcore IT folks)

3 Comments

  1. Steven says:

    I have always been torn about FileVault. Encryption = Good, usually, but do you feel that you take any performance hits from it?

  2. feorlen says:

    I didn’t see any difference when I enabled it, so although there must be some overhead it doesn’t seem much. But there are problems with Safe Boot and, from what I can tell, Migration Assistant. (I’m going to update the post after I confirm.)

    Here is the documentation about Safe Boot and FV2, and it consists entirely of “Disable FileVault.” Grr.

    OS X Lion: How to perform a Safe Boot if FileVault 2 is enabled

    Btw, this is apparently not widely known. I called AppleCare about migration problems and the tech wanted me to Safe Boot, knowing full well I was using FileVault.

  3. feorlen says:

    While I’m at it, here’s another related blog post (from Rich Trouton) about boot emergencies and FV2:

    Booting into single-user mode on a FileVault 2-encrypted Mac

Leave a Reply