Just a quick question: if I took my Mac into Apple for repairs, would I have to give them the key to un-encrypt FileVault? I have to give them my administrative password anyways.
"It depends". When I've given Apple a password in the past, it's never been an admin password. They were fine with that.
For hardware repairs, there's really no reason why Apple would need to log in to the device. Most of their tests can be run off an external device. There might be some special cases with disk problems, but if you're concerned about the data on your encrypted disk - decline to provide an account. Whether an Apple Genius will accept that I can't tell you - they vary in skill and knowledge, just like everyone else.
As Jerry says, it depends. If the repair person needs to boot the Mac and log in to solve the problem, then you'll either have to hand over your FileVault password or, if the Mac is sufficiently functional and you have a current bootable duplicate or Time Machine backup from which you can restore afterwards, erase the internal disk before taking it in for repair. And yes, the book covers this.
I guess I still don't understand why use FileVault if the thief doesn't know a sign-in password, or administrative password, why turn on FileVault?
I had to take my iMac into Apple last month. They required my administrative password. What's the point in encrypting anything if Apple gets the Administrative Password?
As Jerry and Adam said, not all repair work requires logging in to the computer so with FileVault you can trust the technician with your hardware without also having to trust them with your data.
FileVault is not primarily protection against Apple or other technicians working on your computer, those people you're necessarily trusting to some degree. FileVault protects your data against someone who has stolen your computer and against someone coming in your home or office who tries to snoop on your data; it's trivially easy to get past a user password on a drive not encrypted with FileVault.
There was no discussion with me either way about whether they will need the Administrative Password or not. I was required straight up after dropping the iMac off: Give me your administrative password.
So again, what is the point of encrypting anything if Apple demands full access to everything on my iMac if I take it in for repair?
In that scenario, there's no advantage, no point to encryption (unless the machine is stolen from the repair people). Encryption only works if the key / password is secure.
Depending on the nature of the problem, Apple may need your password, yes.
But remember, you don't encrypt your drive to protect your data from Apple repair techs; you encrypt it to protect your data from criminals. If you use no encryption on the chance that you might someday have to have your Mac repaired, and that the repair might require you to divulge your password, your data isn't protected against theft in the meantime. A thief is far more likely to do bad things with your data than Apple.
Here's what I say in my book:
What if Your Mac Needs Repairs?
Here’s a puzzler. Let’s say your Mac starts acting up and you need it repaired—but your disk is encrypted with FileVault. The repairperson may need to boot your Mac and log in to fix the problem, but that means you have to hand over your FileVault password—and trust the repairperson with your confidential data. How can you get around this?
If you can boot the Mac—and you have a complete, recent, bootable duplicate—you could erase the startup volume and reinstall a clean copy of Mac OS X (with a new password). When your Mac returns from the shop, you can restore your old system from your backup.
If you’re unable to boot your Mac at all (even in Recovery mode, or from an external drive) in order to erase its disk, you can ask the repairperson whether there’s any way they can get by without the password—perhaps there is. If not, I have no suggestions other than to bite the bullet, give them your password, and hope for the best.
I created an "Apple Service" account that I set to auto log on before I take my iMac in for service (had the optical drive replaced twice in 5 months this year).
This is where version 1 was actually superior: if the user wasn't logged in then their data wasn't accessible even to (another) admin user.
I now create separate encrypted sparse bundles for different projects, and only attach the ones I need when I need them,
When I try to use FileVault on my third-party SSD it goes through the process and gives me a passcode but then says it can't install FileVault on this Mac. Do you know if FileVault works with third-party SSDs?
FileVault should work on any properly partitioned and formatted volume. It's possible that your SSD wasn't partitioned using the GUID Partition Map scheme, which would cause FileVault to fail. You can check this in Disk Utility. If it's wrong, you'll have to make a bootable duplicate and repartition the SSD to use GUID Partition Map, and then restore your backed-up data. Then you should be able to turn on FileVault.
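A command-line version of the partition-scheme check described in the reply above, as an added example that is not part of the original thread. The `diskutil list` text and disk identifiers are constructed samples, and the function names are hypothetical; on a real Mac the input would come from `diskutil list`.

```shell
#!/bin/sh
# Constructed sample of `diskutil list` output (not from a real machine).
# disk0 uses GUID Partition Map; disk1 was partitioned with an MBR scheme.
SAMPLE='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.4 GB   disk0s2
/dev/disk1 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *240.1 GB   disk1
   1:                  Apple_HFS SSD                     240.1 GB   disk1s1'

# Print the partition scheme of whole disk $1, reading `diskutil list`
# text on stdin. Row "0:" of each disk carries the scheme in the TYPE
# column and the disk identifier in the last column.
scheme_of() {
    awk -v d="$1" '
        $1 == "0:" && $NF == d { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# Return 0 if disk $1 uses GUID Partition Map, 1 if it uses another
# scheme (the case the reply says makes FileVault fail), 2 if not listed.
check_disk() {
    scheme=$(scheme_of "$1") || { echo "$1: not found"; return 2; }
    case "$scheme" in
        GUID_partition_scheme)
            echo "$1: $scheme (OK)"
            return 0 ;;
        *)
            echo "$1: $scheme (back up, repartition as GUID Partition Map, restore)"
            return 1 ;;
    esac
}

# Demo on the constructed sample. On a Mac: diskutil list | check_disk disk0
printf '%s\n' "$SAMPLE" | check_disk disk0 || true
printf '%s\n' "$SAMPLE" | check_disk disk1 || true
```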
Thanks, Joe, for your response. The only reason I take my iMac into Apple is because I can't boot into the administrative account. Therefore, File Vault is open to prying eyes at Apple, with the required Adm. Password. I'm not saying Apple is suspect, but I am saying my administrative password is on the Apple Store ticket.
You can certainly change your password, but also, make sure you have a bootable duplicate so that if something like this happens again, you can safely wipe the drive before taking it to Apple.
Yes, I always have a backup. The problem was the iMac would not boot. Hard to know when to wipe a drive before it becomes unbootable.
I recently had to take my MacBook Pro to the Apple Store, because the login process stopped halfway. The disk was encrypted with FileVault. Somehow the tech guy did manage to get past the login screen. He was able to run diagnostics that determined that the hardware was okay, but there was software corruption. The best option was to erase the drive and reinstall Yosemite. In order to do that he had to decrypt the drive. He told me that he had no way to circumvent the encryption. Since it was near time for the Apple Store to close, he sent me home with the computer to see if the decryption process would eventually succeed. It took a very long time. I was lucky, it did finish and I was able to erase and reinstall Yosemite and now have a working computer. But, one thing became clear to me. Encrypting the drive could have left me with no choice but to replace it, even though it was not damaged, if the broken software had prevented me from decrypting the disk.
Did you have an up-to-date backup? That's essential, especially if you're running FileVault, since even if FileVault is generally fine, it still adds one more point of failure.