Disk Utility encryption vs. FileVault 2

Posted:
in macOS edited January 2014
I'm doing a clean install of Lion onto my iMac and I would like to have full disk encryption. I'm booting to a Lion DVD and have just zero wiped my hard drive as "Mac OS Extended (Journaled)". I see an option for format as "Mac OS Extended (Journaled, Encrypted)" and was wondering if there are any differences or advantages/disadvantages to encrypt the boot disk in Disk Utility rather than FileVault 2. During research of FileVault 2 I discovered a drawback; one must shut down the computer to take advantage of the encryption:



From Macworld



"While your Mac is booted, anyone with physical access to the computer?someone who sits down in front of it, breaks in remotely (however unlikely that seems at the moment with a Mac), or runs away with your laptop?could access your data. So get used to shutting down your Mac when it's not in use, or when it's out of your control, rather than putting it to sleep."



Any info much appreciated!

Comments

  • Reply 1 of 5
    Quote:
    Originally Posted by hanguolaohu View Post


    ...During research of FileVault 2 I discovered a drawback; one must shut down the computer to take advantage of the encryption...



    No, you only need to log our of the account you wish to protect... you don't have to actually "shut down"... you'll also want to have it set so that it doesn't automatically log in to that account at start up.



    Still an inconvenience to some folks, but not as bad as shutting down.



    As for encrypting the entire disk, I couldn't tell you for sure, but I would imagine it would be the same circumstance... but in that case you might really need to shut down the computer to get the protection (and if so, then you'll need to enter the password every time you start up.)



    I woud think the best compromise between security and convenience would be to use File Vault, and set your account to automatically log out (but not shut down) after a certain interval. (As well as disabling auto-login.)
  • Reply 2 of 5
    I use System Preference "Require password immediately after sleep or screen saver begins", and I have a hot corner for screensaver activation which I use whenever I leave my desk. Not exactly logging out right, so am I safe???
  • Reply 3 of 5
    Quote:
    Originally Posted by hanguolaohu View Post


    I use System Preference "Require password immediately after sleep or screen saver begins", and I have a hot corner for screensaver activation which I use whenever I leave my desk. Not exactly logging out right, so am I safe???



    I'm pretty sure you're encryption key is still open during screen saver and sleep ... FileVault doesn't actually "lock" the encryption until you actually log out. then it saves your entire home folder as an encrypted file.
  • Reply 4 of 5
    But I believe for a thief it's not possible to access the contents without using included restore disc to change password, which would require a restart. Or someone pulling the hard drive out to physically restore from the drive, which would require shutting down also. So I guess unless I forget to password lock my Mac, then it would be safe
  • Reply 5 of 5
    MarvinMarvin Posts: 15,309moderator
    Quote:
    Originally Posted by KingOfSomewhereHot View Post


    No, you only need to log our of the account you wish to protect... you don't have to actually "shut down"... you'll also want to have it set so that it doesn't automatically log in to that account at start up.



    Are you sure that's the case? I understood filesystem encryption to mean that it all gets unlocked or it's all shut down.



    Filevault 1 created a sparse disk image and copied all the contents of the home folder into it per user so each folder had an isolated filesystem.



    Filevault 2 encrypts the drive while it's mounted so it can work in the background but it should mean that while the drive is accessible, the files are unecrypted. Even if you logged out, another admin user could login and sudo your home folder. It also should mean that remote exploits are possible while being logged out.



    Apple's encryption method could work differently of course and encrypt each home folder contents using the individual login passwords but your system files won't be.



    This can be tested by enabling Filevault 2 and creating a separate admin user, logging out of the first admin user and then using the test admin account to sudo open a file or just do a directory listing from the terminal into the logged out user's folder. If it's possible to do this, the files are unencrypted until you shut down, which I'd expect is the case, especially considering multiple admins can boot an encrypted machine.



    I don't see this as a bad thing because Filevault 2 has major benefits over Filevault 1 and generally you'd expect that you can trust other local users and that remote exploits aren't possible. However, if you absolutely had to protect against remote access to files or local users accessing confidential documents, I'd say disk utility's encryption is still necessary. But it depends on how Apple has implemented this.
Sign In or Register to comment.