FileVault

From BNL Physics Computing

Overview

FileVault is on-the-fly encryption software built into Mac OS X (10.3 and above). When FileVault is turned on, it creates a separate encrypted volume (an encrypted disk image) for your home directory and copies the current contents of your home directory into it. FileVault encrypts that volume with AES-128. During the conversion you can, if you wish, have the software securely erase the original, unencrypted files. Once FileVault is on, the encrypted volume is mounted when you log in and unmounted when you log out; while it is mounted, any new files you create are transparently encrypted and any existing files you read are transparently decrypted. The protection therefore applies while you are logged out (or the machine is off, lost or stolen), not against software running inside your own session.

Pros and Cons

Pros:

  • Built into the Operating System.
  • Only the home directory is encrypted (no impact on the rest of the disk).
  • Files are transparently encrypted when written and transparently decrypted when read.

Cons:

  • While you are logged out, files in the encrypted home directory cannot be accessed from another account on the machine, so they cannot be shared with other local users.
  • Some backup software will not work, since it can neither see the contents of the encrypted volume nor back up the volume as a whole.
  • Only files stored inside the home directory are protected; anything saved elsewhere on the disk is not.
  • If you forget both your account password and the master password, the contents of your home directory are irretrievable. The master password can unlock every FileVault home on the machine, so choose it carefully and store it securely.

Turning FileVault On

Since FileVault encrypts an entire home directory, a common method of turning on encryption on a Mac is to create a second account where any sensitive files will reside and to turn on FileVault for the second account. This method leaves the primary account free of any encryption side effects.

To turn on FileVault for a home directory, perform the following steps:

  • You must have administrative privileges.
  • Log into the account whose home directory you want to encrypt, open "System Preferences" and click on the "Security" icon.
  • If a master password has not yet been set for the system, set one now by clicking on "Set Master Password" and entering and verifying a password. The master password can later reset the account password of any FileVault user on the machine, so treat it as a recovery key rather than a convenience.
  • If you want the original, unencrypted files securely deleted after they have been copied into the encrypted volume, check the "Use secure erase" box.
  • Click on "Turn on FileVault".

You will be logged out of the account while the process of creating the encrypted volume takes place. Depending on the size of the home directory, the process can take anywhere from a few minutes to a few hours. When the process has completed, you simply log back into the machine and use the system normally.
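After the conversion it is worth confirming that the account really is running from an encrypted image rather than from a plain folder. The script below is an added example written for this page; it is not part of the original page or of Apple's tools. It defines two checks that read only mount(8) output and the filesystem, plus a macOS-only demo that builds the same kind of AES-128 encrypted sparse image FileVault uses with hdiutil, writes a file through the mount, and then searches the raw image for the plaintext. The mount line format and the image locations under /Users are the assumptions this example makes about legacy FileVault and are marked in the comments.

```shell
#!/bin/sh
# Added example, not from the BNL page or from Apple. Checks whether a home
# directory is a mounted FileVault image, and (macOS only) demonstrates what
# FileVault builds underneath: an AES-128 encrypted sparse disk image.

# Is the home directory itself a mount point backed by a /dev/disk device?
# A FileVault home is an attached disk image, so mount(8) lists it as
# "/dev/diskNsM on /Users/<user> (...)" (assumed line format); a plain home
# folder on the boot volume produces no such line.
# Usage: mount | fv_home_on_image /Users/alice
fv_home_on_image() {
    awk -v home="$1" '
        $1 ~ /^\/dev\/disk/ && $2 == "on" && $3 == home { found = 1 }
        END { exit !found }'
}

# Does the on-disk image for a user exist? Check while the user is logged
# out, because the mount hides it. The candidate paths are this example's
# assumptions about where the 10.3/10.4 (.sparseimage) and later
# (.sparsebundle) versions keep the image.
# Usage: fv_image_present /Users alice
fv_image_present() {
    _users=$1; _user=$2
    for _p in "$_users/$_user/$_user.sparseimage" \
              "$_users/$_user/$_user.sparsebundle" \
              "$_users/.$_user/$_user.sparsebundle"; do
        if [ -e "$_p" ]; then
            echo "$_p"
            return 0
        fi
    done
    return 1
}

# macOS only: build an encrypted sparse image (hdiutil's -encryption
# defaults to AES-128, the cipher FileVault uses), write a marker file
# through the mount, detach, and confirm the raw image holds no plaintext.
fv_demo_encrypted_image() {
    [ "$(uname)" = Darwin ] || { echo "hdiutil demo needs macOS" >&2; return 2; }
    work=$(mktemp -d /tmp/fvdemo.XXXXXX)
    img="$work/demo.sparseimage"
    mnt="$work/mnt"
    pass='demo-passphrase'              # constructed for the demo only
    marker='PLAINTEXT_MARKER_8f2c'      # constructed marker to search for
    printf '%s' "$pass" | hdiutil create -quiet -size 10m -type SPARSE -fs HFS+ \
        -encryption -stdinpass -volname fvdemo "$img"
    mkdir -p "$mnt"
    printf '%s' "$pass" | hdiutil attach -quiet -stdinpass -nobrowse \
        -mountpoint "$mnt" "$img"
    echo "$marker" > "$mnt/secret.txt"  # transparently encrypted on write
    cat "$mnt/secret.txt"               # transparently decrypted on read
    hdiutil detach -quiet "$mnt"
    hdiutil isencrypted "$img"          # reports the image's encryption state
    if grep -a -q "$marker" "$img"; then
        echo "FAIL: plaintext marker found in the raw image"
        rm -rf "$work"
        return 1
    fi
    echo "OK: marker absent from the raw image; only the mounted view is readable"
    rm -rf "$work"
}

case "${1:-}" in
    demo) fv_demo_encrypted_image ;;
esac
```

Run it with `demo` as the first argument on a Mac to see the image behaviour; on any system you can pipe `mount` into `fv_home_on_image` for the account you encrypted. If the home directory is not listed as a /dev/disk mount while you are logged in, FileVault is not active for that account, whatever the preference pane says.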