FileVault isn’t new to OS X, but the thing called FileVault in Lion is pretty drastically different from the FileVault that was first introduced in 10.3. Where the old FileVault would just encrypt a given user’s home folder by encapsulating it in an encrypted DMG disk image, it would leave the rest of the hard drive (all applications, system files, and unencrypted user accounts) unencrypted and potentially vulnerable.

FileVault in Lion makes the switch to volume encryption – the implementation is similar in many ways to the BitLocker drive encryption that ships with the Ultimate and Enterprise editions of Windows 7. Note that FileVault isn’t, strictly speaking, full disk encryption, so any other partitions on your Mac are not encrypted unless you reformat them separately, and non-Lion partitions (a Windows or Snow Leopard partition, for example) cannot be protected by the new FileVault.

A FileVault encryption key

FileVault can still be found in the Security & Privacy System Preference pane. Click Turn On FileVault, and the Mac will generate a 24-digit recovery key that you can use to unlock or decrypt your hard drive in the event that you forget your account password. Losing this key and forgetting your local account’s password can be remedied if you chose to store your recovery key with Apple, who will give it back to you if you can properly answer three security questions they asked you when you set up FileVault. If you lose the key, forget your account password, and either neglect to store your key with Apple or forget the answers to any of your security questions, your data is gone.

This, of course, is how the technology is supposed to work, but it’s important that you know it was designed with no backdoor – you get in with your account’s password or your encryption key, or you don’t get in at all.

When cold booting, a FileVault-encrypted Mac uses the recovery partition we talked about earlier as a bootloader, since the main OS is now on an encrypted volume – you have to use the credentials of an approved user account to log in before any OS files load. Once the OS does load, you’ll automatically be logged in as the user who unlocked the computer – you won’t need to log in twice.

In the first of our BitLocker comparisons, it’s worth noting that BitLocker uses a small, unencrypted system partition to perform similar checks. If your Mac’s recovery partition is missing (for one reason or another – the most common reasons for this to happen are setting up Lion on a disk with an exotic partitioning scheme, or using a disk imaging program that doesn’t capture the recovery partition), FileVault will simply error out and tell you to reformat your hard drive, whereas Windows will offer to repartition your drive for you.

If you ever need to connect your hard drive to another Mac (whether through Target Disk Mode or otherwise) to rescue or access data on an encrypted drive, FileVault will allow you to access your data from any Mac running Lion as long as you have either your account password or your encryption key handy – when you plug the disk in, the OS will ask you to unlock it, and once unlocked you can work with the data as you would on an unencrypted drive (you can also unlock the drive manually in Disk Utility). This will only work on Macs running Lion – Macs running Snow Leopard or earlier will tell you that they can’t read the disk.

Like BitLocker, the new FileVault also offers full volume encryption for any external disks, including Time Machine backup disks – when you plug an external drive into your Mac, the Time Machine dialog box now includes an option to encrypt your drive. Enter a password and a password hint (there is no recovery key for an external drive), and OS X will encrypt the drive for you. You can then use this password to unlock the drive on any Mac running Lion.

Creating an encrypted volume in Disk Utility

Any other volumes you’d like to encrypt can be encrypted using Disk Utility if you reformat the drive using the new Mac OS Extended (Journaled, Encrypted) option – as with Time Machine disks, you’ll be prompted to set a password and password hint, and then you’ll be good to go – the only downside is that there doesn’t appear to be a way to encrypt volumes without also reformatting them.

It should be noted that you don’t have to encrypt your Mac’s internal hard drive in order to encrypt external volumes. Also, remember that any FileVault-encrypted disks will be readable only by Macs running Lion – Snow Leopard, Windows, and all other operating systems won’t be able to interact with them (failing official Apple support for working with FileVault-encrypted volumes in a future Boot Camp update, which I’d say is unlikely to happen).

The new FileVault is a pretty great deal for individuals, and I can comfortably recommend it to any Mac user who travels with sensitive data. It’s a definite improvement over previous implementations, and anyone using FileVault in its current incarnation should appreciate the extra protection. For consumers, it’s a better deal than BitLocker is for Windows users, since BitLocker comes only with the premium Windows versions and works most seamlessly only with TPM hardware that most consumer-level laptops don’t have.

I can also see FileVault being useful for Mac-centric small-to-medium businesses, and businesses who lack the money for more expensive drive encryption software. However, for large businesses, FileVault’s lack of central manageability will probably reduce its potential usefulness. With no central console (which seems like a logical service for OS X Server to provide – get on that one, Apple), there’s no way to easily and automatically track large numbers of encryption keys. Also absent is a way to force encryption, and any administrator account with access to the Security & Privacy pane can decrypt the drive.

Businesses managing their Macs with Open Directory could prevent users from accessing this preference pane, but there’s still no way to prove that each and every Mac is encrypted at all times, which is something that many businesses are required to do.
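One way to partially close the reporting gap described above, as an added example that is not from the article or from Apple: a small shell script that parses the text of `diskutil coreStorage list` and reports, per CoreStorage logical volume, whether it is encrypted and whether conversion has finished, so a login or inventory script can at least collect each Mac’s state. The diskutil output in the block is a constructed sample, and both the `coreStorage list` verb and the field names it keys on (Encryption Type, Encryption Status, Conversion Status, LV Name) are assumptions about diskutil’s output, not something the article documents.

```shell
#!/bin/sh
# Added example: parse `diskutil coreStorage list` text and report, per logical
# volume, whether it is FileVault/CoreStorage encrypted. The field names and the
# layout below are ASSUMED from diskutil's output; the sample is constructed.

# Constructed sample: one encrypted boot volume, one unencrypted external volume.
SAMPLE_CS_LIST='CoreStorage logical volume groups (2 found)
+-- Logical Volume Group UUID-GROUP-1
    Name:         Macintosh HD
    +-> Logical Volume Family UUID-FAMILY-1
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        +-> Logical Volume UUID-LV-1
            LV Name:               Macintosh HD
+-- Logical Volume Group UUID-GROUP-2
    Name:         Scratch
    +-> Logical Volume Family UUID-FAMILY-2
        Encryption Status:       Unlocked
        Encryption Type:         None
        Conversion Status:       Complete
        +-> Logical Volume UUID-LV-2
            LV Name:               Scratch'

# fv_report TEXT: prints one line per logical volume as
# "name|encrypted-or-plain|encryption status|conversion status".
fv_report() {
  printf '%s\n' "$1" | awk -F': *' '
    function val(  v) { v = $2; sub(/[ \t]+$/, "", v); return v }
    function reset()  { etype = ""; estat = ""; conv = "" }
    /Logical Volume (Group|Family) / { reset() }   # new group/family: drop old fields
    /Encryption Type:/   { etype = val() }
    /Encryption Status:/ { estat = val() }
    /Conversion Status:/ { conv  = val() }
    /LV Name:/ {                                   # the LV name closes one volume record
      flag = (etype != "" && etype != "None") ? "encrypted" : "plain"
      printf "%s|%s|%s|%s\n", val(), flag, estat, conv
      reset()
    }'
}

# fv_all_encrypted TEXT: exit 0 only if every volume is encrypted and fully converted.
fv_all_encrypted() {
  fv_report "$1" | awk -F'|' 'BEGIN { bad = 0 }
    $2 != "encrypted" || $4 != "Complete" { bad = 1 }
    END { exit bad }'
}

# On a Lion Mac you would feed it live output: fv_report "$(diskutil coreStorage list)"
fv_report "$SAMPLE_CS_LIST"
```

Run against the sample it prints one line per volume; `fv_all_encrypted` fails here because the Scratch volume is plain, which is the case an inventory job would flag.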

  • ebolamonkey3 - Thursday, July 21, 2011 - link

    Not seeing them :(
  • LeTiger - Thursday, July 21, 2011 - link

    Ever fix the 17in Sata 3 bugs????

    Such a shame to belligerently cripple their flagship laptop...
  • Conficio - Thursday, July 21, 2011 - link

    "There is one huge limitation though: running apps in full screen in multi-monitor setup is unusable."

    As full screen apps are essentially spaces, there is a huge need (and there was for a long time) to be able to manage spaces per screen. All that would be solved if I could switch between the spaces in a single screen only or move around entire spaces from one screen to another. That would solve this issue and allow a more task oriented kind of work, where you open a space for every task (or project in a multi tasking sense) you are working on and you can open the various apps you need to work on that project. But then that is the opposite of opening all past docs in an app (?)
  • Conficio - Thursday, July 21, 2011 - link

    "If you were able to include the location in the Quick Add, Quick Add would actually provide a great overall solution for adding new events, but now you need to add the location separately, which kind of defeats the purpose."

    This concept is as ripe as a green banana. I want to be able to mark the text in an e-mail in order to create an event (with link back to the original e-mail). That way I can work with the lazy people that send invitations in any other format than calendar.

    By the way, go even one more step, Apple, and scan all e-mail for addresses, contact info and events and highlight those and with a single click allow me to add the info to my address book or calendar (and with an option send to others in an iCal or vCard format). That would be real progress!
  • teryan2006 - Saturday, July 23, 2011 - link

    umm… I've been doing what you describe, highlighting text in Mail in order to create an event since 10.5. (screenshot: http://cl.ly/25402N2W2E0n281W0r09 )

    Same thing with the email address and contact info. They've been in Mail ever since they added data detectors. http://cl.ly/3V2q0D1z1x1M1X2q0v1v

    If you hover near an email address, time, date, street address, there's a dropdown button that shows up. New in 10.7 is a QuickLook style preview for a URL in a message.

    Did you disable data detectors? Maybe that's why you're not seeing these things?
  • name99 - Thursday, July 21, 2011 - link

    "I don’t find any use for Launchpad. It's one of the less successful iOS imports - it doesn’t fit in, nor does it bring anything truly new,"

    I think this was a foolish comment. The first sentence is fine, the second is not.
    Not every feature in an OS upgrade is targeted at the same collection of users --- I, for example, couldn't care less about full disk encryption.

    I know for a fact that naive users (precisely the people who don't understand the file system, a class you seem to accept does exist) are completely unfamiliar with the Applications folder. For THIS sort of user, Launchpad is exactly what they need --- an easily understood way to run programs they don't frequently run.

    As for you and I, we can just ignore it --- just like I ignore Japanese input methods, or LDAP support, or a hundred other aspects of my mac that aren't relevant to my particular situation.
  • name99 - Thursday, July 21, 2011 - link

    To follow up on what I said, comparing Launchpad with a Stacks view of the Application folder kinda misses the point. The sort of naive user we're discussing doesn't understand that he may have apps sitting on the desktop, or in the Downloads folder, or in the Utilities folder of /Applications.

    The Stacks view you describe is limited precisely because it is based on PLACE, not on TYPE, whereas what users almost always want is based on TYPE.

    The fact that it does not honor your pre-existing folder structure is, I would say, in Apple's eyes a temporary issue. Consider iTunes. iTunes doesn't create playlists based on how you grouped songs in the file system --- it assumes that your songs are stored in some bag in the file system somewhere that you will never look at, and imposes its own structure on that content. Launchpad is a vastly simplified version of that same idea, and part of the constant theme throughout Apple's past five+ years of UI work --- arrange content using appropriate metaphors in a high level app, NOT using a limited set of constructs at the file system level.
  • hanssonrickard - Thursday, July 21, 2011 - link

    For example, the MacBook Pro 15" 2.4 GHz Core 2 Duo from early 2008 does NOT support AirDrop.

    Here is the compatibility list for it, and maybe the article should be updated with some kind of note that not all Macs will support AirDrop.

    Info from "http://support.apple.com/kb/HT4783"

    ----
    Macs that support AirDrop in OS X Lion

    The following list shows the earliest of each Mac model type that is supported. If your Mac is the same, or newer than the model listed, then it supports AirDrop.

    MacBookPro (Late 2008 or newer)
    MacBook Air (Late 2010 or newer)
    MacBook (Late 2008 or newer)
    iMac (Early 2009 or newer)
    Mac Mini (Mid 2010 or newer)
    Mac Pro (Early 2009 with AirPort Extreme card, or Mid 2010)
    ------
  • makruger - Thursday, July 21, 2011 - link

    Too bad it won't run on normal PC hardware without becoming an iHack
  • Sapan - Thursday, July 21, 2011 - link

    Does anyone know for sure if OSX Lion enables TRIM Support for 3rd Party SSDs?
    I know 10.6.8 enabled TRIM for Apple SSDs.
    Could you provide some background/link to how you got that info please?
