“Take Control of FileVault” Dispels FileVault Misconceptions
Confession time here. I formed my opinion of Apple’s FileVault encryption feature a long time ago in a galaxy far, far away, and if you think back to those days (Mac OS X 10.3 Panther!), you’ll remember that it was terrible, causing performance problems, data reliability issues, and backup frustrations. All that went away in 10.7 Lion, when Apple introduced the completely rewritten FileVault 2. About the only things in common that FileVault 2 and what’s now called Legacy FileVault have are the name, the interface in System Preferences, and the fact that encryption is involved. FileVault 2 is fast, transparent, and far safer than Legacy FileVault. But you know what? I never got
around to trying FileVault 2, even though I’ve heard no reports of trouble with it, in part because I never saw any discussion of FileVault that was sufficiently in depth and from a source I trusted.
So when the idea of Joe Kissell writing “Take Control of FileVault” came up, I was ecstatic, since I’ve long had a nagging feeling that I should be using full-disk encryption on my Macs to protect data in case of theft. That hasn’t happened, thankfully, but now that I’ve read “Take Control of FileVault,” I’m far more comfortable with turning on FileVault, integrating it with my backups (which should also be encrypted now!), and figuring out how I’d work with Find My Mac in the event of theft. If you too have been hesitant to entrust your data to FileVault before understanding how it works, Joe’s 92-page “Take
Control of FileVault” will dispel any misconceptions, answer your questions, and get you running FileVault with confidence. It’s available now for $10.
Here then is the question. If your Mac were stolen, would you worry about the thief — or whoever your Mac was fenced to — seeing your email, photos, financial data, and other sensitive information? Or do you have a Mac that contains business data, such as customer names and addresses, credit card numbers, or the like? In either situation, you should enable FileVault, especially if you’re using a MacBook that you carry around with you. Too many laptops are nicked from coffee shops or left in cabs to risk leaving the drive unencrypted.
In “Take Control of FileVault,” Joe begins by demystifying FileVault in a quick FAQ that explains, among other things, how it is that you can work with your startup drive normally even though all the data on it is encrypted. The FAQ also answers questions about whether FileVault will impact your Mac’s performance (no), what restrictions FileVault imposes (no more automatic login, for one), and exactly when your data is protected (at rest, and what “at rest” means). After the FAQ, Joe provides detailed steps for activating and using FileVault on both your startup volume and external drives. He also explains how FileVault interacts with your backups and how to use Find My Mac
to lock or wipe a stolen Mac’s drive once you’ve turned on FileVault.
Additional topics in “Take Control of FileVault” include making and using encrypted disk images, third-party software that can encrypt just a single file or folder, and accessing special FileVault features from the command line.
Just a quick question: if I took my mac into Apple for repairs, would I have to give them the key to un-encrypt Filevault? I have to give them my administrative password anyways.
"It depends". When I've given Apple a password in the past, it's never been and admin password. They were fine with that.
For hardware repairs, there's really no reason why Apple would need to log in to the device. Most of their tests can be run off an external device. There might be some special cases with disk problems, but if you're concerned about the data on your encrypted disk - decline to provide an account. Whether an Apple Genius will accept that I can't tell you - they vary in skill and knowledge, just like everyone else.
-- Jerry
As Jerry says, it depends. If the repair person needs to boot the Mac and log in to solve the problem, then you'll either have to hand over your FileVault password or, if the Mac is sufficiently functional and you have a current bootable duplicate or Time Machine backup from which you can restore afterwards, erase the internal disk before taking it in for repair. And yes, the book covers this.
I quess I still don't understand why use File Vault if the theif doesn't know a sign-in password, or administrative password, why turn of File Vault?
I had to take my iMac into Apple last month. They required my administrative password. What's the point in encrypting anything if Apple gets the Administrative Password.
As Jerry and Adam said, not all repair work requires logging in to the computer so with FileVault you can trust the technician with your hardware without also having to trust them with your data.
FileVault is not primarily protection against Apple or other technicians working on your computer, those people you're necessarily trusting to some degree. FileVault protects your data against someone who has stolen your computer and against someone coming in your home or office who tries to snoop on your data; it's trivially easy to get past a user password on a drive not encrypted with FileVault.
There was no discussion w me either way about whether they will need the Adminsitrative Password or not. I was required straight up after dropping the iMac off: Give me your administrative password.
So again, what is the point of encrypting anything if Apple demands full access to everything on my iMac if I take it in for repair.
In that scenario, there's no advantage, no point to encryption (unless the machine is stolen from the repair people). Encryption only works if the key / password is secure.
Depending on the nature of the problem, Apple may need your password, yes.
But remember, you don't encrypt your drive to protect your data from Apple repair techs; you encrypt it to protect your data from criminals. If you use no encryption on the chance that you might someday have to have your Mac repaired, and that the repair might require you to divulge your password, your data isn't protected against theft in the meantime. A thief is far more likely to do bad things with your data than Apple.
Here's what I say in my book:
What if Your Mac Needs Repairs?
Here’s a puzzler. Let’s say your Mac starts acting up and you need it repaired—but your disk is encrypted with FileVault. The repairperson may need to boot your Mac and log in to fix the problem, but that means you have to hand over your FileVault password—and trust the repairperson with your confidential data. How can you get around this?
If you can boot the Mac—and you have a complete, recent, bootable duplicate—you could erase the startup volume and reinstall a clean copy of Mac OS X (with a new password). When your Mac returns from the shop, you can restore your old system from your backup.
If you’re unable to boot your Mac at all (even in Recovery mode, or from an external drive) in order to erase its disk, you can ask the repairperson whether there’s any way they can get by without the password—perhaps there is. If not, I have no suggestions other than to bite the bullet, give them your password, and hope for the best.
I created an "Apple Service" account that I set to auto log on before I take my iMac in for service (had the optical drive replaced twice in 5 months this year).
this is where version 1 was actually superior- if the user wasn't logged in then their data wasn't accessible even to (another) admin user.
I now create separate encrypted sparse bundles for different projects, and only attach the ones I need when I need them,
When I try to use Filevault on my third-party SSD it goes through the process and gives me a passcode but then says it can't install file vault on this mac. Do you know if file vault works with third party SSDs?
FileVault should work on any properly partitioned and formatted volume. It's possible that your SSD wasn't partitioned using the GUID Partition Map scheme, which would cause FileVault to fail. You can check this in Disk Utility. If it's wrong, you'll have to make a bootable duplicate and repartition the SSD to use GUID Partition Map, and then restore your backed-up data. Then you should be able to turn on FileVault.
Thanks, Joe, for your response. The only reason I take my iMac into Apple is because I can't boot into the administrative account. Therefore, File Vault is open to prying eyes at Apple, with the required Adm. Password. I'm not saying Apple is suspect, but I am saying my administrative password is on the Apple Store ticket.
You can certainly change your password, but also, make sure you have a bootable duplicate so that if something like this happens again, you can safely wipe the drive before taking it to Apple.
Yes, I always have a backup. The problem was the iMac would not boot. Hard to know when to wipe a drive before it becomes unbootable
I recently had to take my MacBook Pro to the Apple Store, because the login process stopped halfway. The disk was encrypted with FileVault. Somehow the tech guy did manage to get past the login screen. He was able to run diagnostics that determined that the hardware was okay, but there was software corruption. The best option was to erase the drive and reinstall Yosemite. In order to do that he had to decrypt the drive. He told me that he had no way to circumvent the encryption. Since it was near time for the Apple Store to close, he sent me home with the computer to see if the decryption process would eventually succeed. It took a very long time. I was lucky, it did finish and I was able to erase and reinstall Yosemite and now have a working computer. But, one thing became clear to me. Encrypting the drive could have left me with no choice but to replace it, even though it was not damaged, if the broken software had prevented me from decrypting the disk.
Did you have an up-to-date backup? That's essential, especially if you're running FileVault, since even if FileVault is generally fine, it still adds one more point of failure.