FileVault isn’t new to OS X, but the thing called FileVault in Lion is drastically different from the FileVault first introduced in 10.3. The old FileVault encrypted only a given user’s home folder, by encapsulating it in an encrypted DMG disk image, and left the rest of the hard drive (all applications, system files, and any user accounts that hadn’t turned FileVault on) unencrypted and potentially vulnerable.

FileVault in Lion switches to volume encryption; the implementation is similar in many ways to the BitLocker drive encryption that ships with the Ultimate and Enterprise editions of Windows 7. Note that FileVault isn’t, strictly speaking, full-disk encryption: any other partitions on your Mac are not encrypted unless you reformat them separately, and non-Lion partitions (a Windows or Snow Leopard partition, for example) cannot be protected by the new FileVault.

A FileVault encryption key

FileVault can still be found in the Security & Privacy System Preference pane. Click Turn On FileVault, and the Mac will generate a 24-digit recovery key that you can use to unlock or decrypt your hard drive in the event that you forget your account password. Losing this key and forgetting your local account’s password can be remedied if you chose to store your recovery key with Apple, which will give it back to you if you can properly answer the three security questions you were asked when you set up FileVault. If you lose the key, forget your account password, and either neglected to store your key with Apple or forget the answers to any of your security questions, your data is gone.

This, of course, is how the technology is supposed to work, but it’s important that you know it was designed with no backdoor – you get in with your account’s password or your encryption key, or you don’t get in at all.

When cold booting, a FileVault-encrypted Mac uses the recovery partition we talked about earlier as a bootloader, since the main OS is now on an encrypted volume: you have to use the credentials of an approved user account to log in before any OS files load. Once the OS does load, you’ll automatically be logged in as the user who unlocked the computer, so you won’t need to log in twice.

In the first of our BitLocker comparisons, it’s worth noting that BitLocker uses a small, unencrypted system partition to perform similar checks. If your Mac’s recovery partition is missing (for one reason or another; the most common causes are setting up Lion on a disk with an exotic partitioning scheme, or using a disk imaging program that doesn’t capture the recovery partition), FileVault will simply error out and tell you to reformat your hard drive, whereas Windows will offer to repartition your drive for you.

If you ever need to connect your hard drive to another Mac (whether through Target Disk Mode or otherwise) to rescue or access data on an encrypted drive, FileVault will allow you to access your data from any Mac running Lion as long as you have either your account password or your encryption key handy. When you plug the disk in, the OS will ask you to unlock it, and once unlocked you can work with the data as you would on an unencrypted drive (you can also unlock the drive manually in Disk Utility). This will only work on Macs running Lion; Macs running Snow Leopard or earlier will tell you that they can’t read the disk.

Also like BitLocker, the new FileVault offers full volume encryption for any external disks, including Time Machine backup disks: when you plug an external drive into your Mac, the Time Machine dialog box now includes an option to encrypt your drive. Enter a password and a password hint (there is no recovery key for an external drive), and OS X will encrypt the drive for you. You can then use this password to unlock the drive on any Mac running Lion.

Creating an encrypted volume in Disk Utility

Any other volumes you’d like to encrypt can be encrypted using Disk Utility if you reformat the drive using the new Mac OS Extended (Journaled, Encrypted) option. As with Time Machine disks, you’ll be prompted to set a password and password hint, and then you’ll be good to go. The only downside is that there doesn’t appear to be a way to encrypt existing volumes without also reformatting them.

It should be noted that you don’t have to encrypt your Mac’s internal hard drive in order to encrypt external volumes. Also, remember that any FileVault-encrypted disks will be readable only by Macs running Lion; Snow Leopard, Windows, and all other operating systems won’t be able to interact with them (barring official Apple support for working with FileVault-encrypted volumes in a future Boot Camp update, which I’d say is unlikely to happen).

The new FileVault is a pretty great deal for individuals, and I can comfortably recommend it to any Mac user who travels with sensitive data. It’s a definite improvement over previous implementations, and anyone using FileVault in its current incarnation should appreciate the extra protection. For consumers, it’s a better deal than BitLocker is for Windows users, since BitLocker comes only with the premium Windows versions and works most seamlessly only with TPM hardware that most consumer-level laptops don’t have.

I can also see FileVault being useful for Mac-centric small-to-medium businesses, and for businesses that lack the money for more expensive drive encryption software. However, for large businesses, FileVault’s lack of central manageability will probably reduce its potential usefulness. With no central console (which seems like a logical service for OS X Server to provide; get on that one, Apple), there’s no way to easily and automatically track large numbers of encryption keys. Also absent is a way to force encryption, and any administrator account with access to the Security & Privacy pane can decrypt the drive.

Businesses managing their Macs with Open Directory could prevent users from accessing this preference pane, but there’s still no way to prove that each and every Mac is encrypted at all times, which is something that many businesses are required to do.
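As an added example (not from the article), here is the kind of per-machine check an administrator could run to collect each Lion Mac’s FileVault state from `diskutil cs list`, distinguishing a fully converted volume from one that is still being encrypted. The field names are assumed from Lion’s CoreStorage listing, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the article: classify a Lion Mac's FileVault 2
# state from `diskutil cs list` so a fleet check can collect it per machine.
# Assumption: the CoreStorage listing carries the "Encryption Type:",
# "Conversion Status:" and "Fully Secure:" fields shown in the samples below.

# Read a `diskutil cs list` listing on stdin and print exactly one word:
#   encrypted    AES-XTS, conversion complete, volume fully secure
#   converting   FileVault turned on, but plaintext is still being rewritten
#   unencrypted  no encryption type (plain HFS+, or a CoreStorage LV with None)
fv_classify() {
  listing=$(cat)
  enc=$(printf '%s\n' "$listing"  | awk '/Encryption Type:/   { print $NF; exit }')
  conv=$(printf '%s\n' "$listing" | awk '/Conversion Status:/ { print $NF; exit }')
  safe=$(printf '%s\n' "$listing" | awk '/Fully Secure:/      { print $NF; exit }')
  if [ -z "$enc" ] || [ "$enc" = "None" ]; then
    echo unencrypted
  elif [ "$conv" != "Complete" ] || [ "$safe" != "Yes" ]; then
    echo converting
  else
    echo encrypted
  fi
}

# Constructed excerpt of a listing for a fully encrypted boot volume.
SAMPLE_ENCRYPTED='+-> Logical Volume Family 0F9C7E6A-CONSTRUCTED-SAMPLE
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Fully Secure:            Yes
        Passphrase Required:     Yes'

# Same volume while Lion is still converting it in the background: the
# passphrase is already required, but the disk is not yet protected.
SAMPLE_CONVERTING='+-> Logical Volume Family 0F9C7E6A-CONSTRUCTED-SAMPLE
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        Passphrase Required:     Yes'

# A plain HFS+ disk has no CoreStorage group, so none of the fields appear.
SAMPLE_PLAIN='No CoreStorage logical volume groups found'

# On a real Lion Mac, report the live state; elsewhere, skip the live check.
if command -v diskutil >/dev/null 2>&1; then
  printf '%s: %s\n' "$(hostname)" "$(diskutil cs list | fv_classify)"
fi
```

The script only reports the local state, so it is evidence a management tool has to collect from each Mac rather than the central proof the article says Lion lacks.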

  • khimera2000 - Wednesday, July 20, 2011 - link

    That's pretty neat. It looks like it adds in a bunch of interesting features. The one trend I do see is that both Mac and M$ are driving components from their mobile platforms into their desktops. I don't mind if they do this, but I still want a different feel between devices.

    As for the complaints and shouts of whether it's a service pack that should be free, or an update worth 30 bucks: on this subject I think that there is no comparison. M$ has a setup that benefits from its use of massive volume licensing, but the option to pay for service packs makes sense for a company that does not dominate 90% of the market but wants to maintain more talent to add more features. I know that some people might take offense to this, but it's my opinion so screw you.

    Still confused on the full screen thing: I can move between applications easily, with all of them in full screen; it's called ALT+TAB, or Win+Tab, or CTRL+TAB (when you want to cycle through your web browser only). So the entire portion where he says it's an advantage over Win (this feature) makes me confused; then again I'm a big fan of keyboard shortcuts, so I could be missing things. I'm hoping that the full screen feature pans out. I am considering getting one, but not till they leave the OSX family. (still hate the way it came to be >.<)

    The movement away from CD is great; here's hoping that there are plans in the works for all software to be distributed like this, because... I can't remember the last time I walked into a store and asked myself what program do I need...

    Overall it was an interesting read.
  • chenedwa - Wednesday, July 20, 2011 - link

    I just installed Lion on my circa 2009 MBP 2.53GHz C2D. I then tried to download the latest Parallels update via WiFi using Firefox 8 beta and was getting phenomenal transfer speeds of more than 900kB/sec for the 203MB download! Wow!
  • Uritziel - Friday, July 22, 2011 - link

    None of that sounds wow worthy...
  • Uritziel - Friday, July 22, 2011 - link

    Or applicable to the article...
  • ThreeDee912 - Wednesday, July 20, 2011 - link

    About future support for the white MacBooks, it appears that Apple has silently discontinued them. They're nowhere to be found on the Apple Store website.

    Engadget also reported that they received word from Apple that they really were discontinued:
    http://www.engadget.com/2011/07/20/the-macbook-dro...
  • secretmanofagent - Wednesday, July 20, 2011 - link

    "Also missing is the button in the upper right-hand corner that would invoke icon-only view - those of you who use it will have to become acquainted with Alt+Command+T, a keyboard shortcut that toggles this change."

    Should be Command-Option-T.
  • SmCaudata - Wednesday, July 20, 2011 - link

    So with my early 2008 MacBook I already took a hit to battery life with Snow Leopard. In fact, I just got a new battery and after a couple of months the health reads at 80%. I have seen others with this issue but the posts often get deleted on the main Apple forums. Now I would take another hit to upgrade to Lion?

    I really liked my MacBook Pro when I got it, but this blatant disregard for current customers in a push to get people to upgrade is ridiculous. My laptop has plenty of power for laptop tasks. I don't need to upgrade hardware for performance reasons.

    Remember how much crap Microsoft took for making Vista a system hog on older systems? Do you think that Apple will ever see anywhere near the rage?
  • name99 - Thursday, July 21, 2011 - link

    Then don't upgrade.

    What are you so angry about? Your mac will work just like it used to. Apple will continue to provide security and other updates for at least three years. You'll get iTunes and Safari updates. What's the problem?

    If you find you HAVE to have some Lion feature, sell your MacBook on eBay --- you'll get a surprisingly good price.
  • MonkeyPaw - Wednesday, July 20, 2011 - link

    The 64-bit support isn't entirely an Apple issue. It is Intel that treats 64-bit as a feature to be hacked out of CPUs on a whim to make them "cheaper." It just bugs me the way it's been handled by everyone but AMD. 64-bit sure looks like the future, but here we are dragging our heels on support.

    Anyway, does OSX support SMT? I thought that it didn't, but I see the latest specs of hardware with the 2/4 core/thread configuration.
  • tipoo - Thursday, July 21, 2011 - link

    Ehh? SMT is a processor feature, OSX will use as many cores (real or virtual) as you can throw at it.
