FileVault isn’t new to OS X, but the feature called FileVault in Lion is drastically different from the FileVault first introduced in 10.3. The old FileVault encrypted only a given user’s home folder, by encapsulating it in an encrypted DMG disk image, and left the rest of the hard drive (all applications, system files, and any unencrypted user accounts) unencrypted and potentially vulnerable.

FileVault in Lion makes the switch to volume encryption – the implementation is similar in many ways to the BitLocker drive encryption that ships with the Ultimate and Enterprise editions of Windows 7. Note that FileVault isn’t, strictly speaking, full disk encryption, so any other partitions on your Mac are not encrypted unless you reformat them separately, and non-Lion partitions (a Windows or Snow Leopard partition, for example) cannot be protected by the new FileVault.

A FileVault encryption key

FileVault can still be found in the Security & Privacy System Preference pane. Click Turn On FileVault, and the Mac will generate a 24-digit recovery key that you can use to unlock or decrypt your hard drive if you forget your account password. If you lose this key and forget your local account’s password, you can still recover only if you chose to store the recovery key with Apple, who will give it back to you if you correctly answer the three security questions you were asked when you set up FileVault. If you lose the key, forget your account password, and either neglected to store your key with Apple or forget the answers to any of your security questions, your data is gone.

This, of course, is how the technology is supposed to work, but it’s important that you know it was designed with no backdoor – you get in with your account’s password or your encryption key, or you don’t get in at all.

When cold booting, a FileVault-encrypted Mac uses the recovery partition we talked about earlier as a bootloader, since the main OS is now on an encrypted volume – you have to enter the credentials of an approved user account before any OS files load. Once the OS does load, you’ll automatically be logged in as the user who unlocked the computer – you won’t need to log in twice.

In the first of our BitLocker comparisons, it’s worth noting that BitLocker uses a small, unencrypted system partition to perform similar checks. If your Mac’s recovery partition is missing (for one reason or another – the most common causes are setting up Lion on a disk with an exotic partitioning scheme, or using a disk imaging program that doesn’t capture the recovery partition), FileVault will simply error out and tell you to reformat your hard drive, whereas Windows will offer to repartition your drive for you.

If you ever need to connect your hard drive to another Mac (whether through Target Disk Mode or otherwise) to rescue or access data on an encrypted drive, FileVault will allow you to access your data from any Mac running Lion as long as you have either your account password or your encryption key handy – when you plug the disk in, the OS will ask you to unlock it, and once unlocked you can work with the data as you would on an unencrypted drive (you can also unlock the drive manually in Disk Utility). This will only work on Macs running Lion – Macs running Snow Leopard or earlier will tell you that they can’t read the disk.

Also like BitLocker, the new FileVault offers full volume encryption for external disks, including Time Machine backup disks – when you plug an external drive into your Mac, the Time Machine dialog box now includes an option to encrypt your drive. Enter a password and a password hint (there is no recovery key for an external drive), and OS X will encrypt the drive for you. You can then use this password to unlock the drive on any Mac running Lion.

Creating an encrypted volume in Disk Utility

Any other volumes you’d like to encrypt can be encrypted using Disk Utility if you reformat the drive using the new Mac OS Extended (Journaled, Encrypted) option – as with Time Machine disks, you’ll be prompted to set a password and password hint, and then you’ll be good to go – the only downside is that there doesn’t appear to be a way to encrypt volumes without also reformatting them.

It should be noted that you don’t have to encrypt your Mac’s internal hard drive in order to encrypt external volumes. Also, remember that any FileVault-encrypted disks will be readable only by Macs running Lion – Snow Leopard, Windows, and all other operating systems won’t be able to interact with them (barring official Apple support for working with FileVault-encrypted volumes in a future Boot Camp update, which I’d say is unlikely to happen).

The new FileVault is a pretty great deal for individuals, and I can comfortably recommend it to any Mac user who travels with sensitive data. It’s a definite improvement over previous implementations, and anyone using FileVault in its current incarnation should appreciate the extra protection. For consumers, it’s a better deal than BitLocker is for Windows users, since BitLocker comes only with the premium Windows versions and works most seamlessly only with TPM hardware that most consumer-level laptops don’t have.

I can also see FileVault being useful for Mac-centric small-to-medium businesses, and businesses who lack the money for more expensive drive encryption software. However, for large businesses, FileVault’s lack of central manageability will probably reduce its potential usefulness. With no central console (which seems like a logical service for OS X Server to provide – get on that one, Apple), there’s no way to easily and automatically track large numbers of encryption keys. Also absent is a way to force encryption, and any administrator account with access to the Security & Privacy pane can decrypt the drive.

Businesses managing their Macs with Open Directory could prevent users from accessing this preference pane, but there’s still no way to prove that each and every Mac is encrypted at all times, which is something that many businesses are required to do.
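One way a business could at least gather the proof the paragraph above says is missing, as an added example that is not from the article: parse the output of Lion’s `diskutil cs list` (the Core Storage tool behind the new FileVault) and reduce it to a compliance verdict, distinguishing a finished encryption from one still converting. The sample output below is constructed, and the field names and tree layout are assumed to match what Lion prints.

```python
# Constructed sample of `diskutil cs list` output (Lion's Core Storage tool) from a
# Mac whose FileVault conversion is still running; field names follow Lion's layout.
SAMPLE_CS_LIST = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-1111-2222-3333-444444444444
    =========================================================
    Name:         Macintosh HD
    |
    +-> Logical Volume Family 55555555-6666-7777-8888-999999999999
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        |
        +-> Logical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
            Disk:                  disk1
"""

def parse_lv_families(text):
    """Return one {field: value} dict per Logical Volume Family block."""
    families, current = [], None
    for line in text.splitlines():
        body = line.lstrip("| +->").rstrip()  # drop the tree-drawing prefix
        if body.startswith("Logical Volume Family"):
            current = {}
            families.append(current)
        elif body.startswith("Logical Volume "):  # Group or LV block, not family fields
            current = None
        elif current is not None and ":" in body:
            key, _, value = body.partition(":")
            current[key.strip()] = value.strip()
    return families

def filevault_verdict(families):
    """Classify the boot volume's Core Storage family for a compliance report."""
    if not families:
        return "NOT_ENCRYPTED"  # plain HFS+ volume: no Core Storage at all
    fam = families[0]
    if fam.get("Encryption Type") in (None, "None"):
        return "NOT_ENCRYPTED"  # Core Storage volume that was never encrypted
    if fam.get("Conversion Status") != "Complete":
        return "CONVERTING"  # FileVault is on but plaintext extents still remain
    if fam.get("Fully Secure") != "Yes":
        return "NOT_FULLY_SECURE"
    return "ENCRYPTED"
```

Feed the live output of `diskutil cs list` on each Mac to `parse_lv_families`; anything other than ENCRYPTED is exactly the state the missing central console would need to flag.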


  • mrcaffeinex - Wednesday, July 20, 2011 - link

    I purchased a MacBook Pro when Leopard was due to come out. Apple mailed me a free upgrade DVD about a month after I purchased the MacBook. When Snow Leopard came out I purchased the upgrade DVD for something in the neighborhood of $30 if I remember correctly. I've done clean installations from all of the media and never run into an activation/registration problem.

    On the flip side, I paid $149 for Windows XP, another $149 for XP 64-bit (if only there had been driver support back in the day...), $199 for Vista and another $149 for 7. Granted these were over a slightly longer time period. Still, I can't help but think that some of the initial investment cost of the Mac has been offset by not having to spend significantly more on software upgrades to get the features or functionality that I enjoy having at my disposal.

    Factor in the inconvenience of having several iterations of Windows that were more or less junk, but still cost the same and it slides the scale further in favor of OS X in my experience. Now I can also get what is essentially a household upgrade in Lion for approximately $30 if I decide it is worthwhile.

    Don't take this as an attack on Microsoft and their Windows operating system, though. It is still an integral part of my computing experience every day and I really enjoy Windows 7 (in fact, it runs better on my MacBook than on most notebooks I've worked on). I just wish they would adopt a strategy that would make upgrading Windows more affordable for the do-it-yourself PC enthusiast.
  • GotThumbs - Wednesday, July 20, 2011 - link

    The amount of money Apple made on your purchase of their hardware more than covers the cost of the OS. Microsoft does not sell their own brand of computers. You can purchase a PC laptop for hundreds less than you can purchase an Apple MAC.

    Think McFly, think!
  • xype - Thursday, July 21, 2011 - link

    I love it how PC people have such a sweet feeling of entitlement.

    Have you ever had/bought/found a product that you were simply content with paying a premium for because it just worked well for you? Have you ever overtipped a waiter because the service was really good?

    You know, some people don’t have a problem rewarding either individuals or, yes, teh ebil corburayshns, for work/services well done.
  • GotThumbs - Thursday, July 21, 2011 - link

    ??? "feeling of entitlement" ???

    Not sure what you mean, but I do work hard for my money and do have a choice of where I spend it and how much I'm willing to pay for a product or service. There is a HUGE difference between tipping a waiter for working hard to provide you the best experience, than a company who sells consumers the same technology I can get elsewhere for less and be just as satisfied with my purchase. I'm not a 'Scrooge', but I'm also not a fool. Meaning: A fool and his money are quickly parted.

    I build my own systems so I'm not just satisfied with what is put out by the large PC sellers either. Most readers here are not satisfied with being 'spoon fed' what we should be satisfied with.

    If you or anyone else wish to purchase apple products, you're free to do so. Just don't expect me to give you a pat on the back for it.
  • steven75 - Friday, July 22, 2011 - link

    You seem to have missed the entire point that Microsoft OS upgrades are *hundreds of dollars* per copy and Mac OSX upgrades are $30 for multiple copies.
  • wicko - Sunday, July 24, 2011 - link

    Umm, currently it is roughly $100 for Home Premium (I paid $125 when I preordered Win7 Pro Upgrade edition), less at some retailers.

    Not to mention, you glossed over the fact that there does exist a "mac tax", which you would have paid on every mac you own, offsetting the total cost.

    Say I spend $2400 on 3 PCs (including OS) and you spend $3000 on 3 Macs. Performance is identical. It will cost me $300 to upgrade each one to Win7. It will cost you $30 to upgrade all of your Macs. 2700 vs 3030, Interesting. I will have to go through another version of Win7 in order to catch up with you in cost. And I'm being generous with respect to the difference in price before upgrades.

    But, you know, you can install it on as many Macs as you'd like, so go nuts. Just don't pretend you're somehow spending less than those who buy Windows licenses.
  • anactoraaron - Sunday, July 24, 2011 - link

    Sure, but let's compare apples to apples (pun intended). If Microsoft were to charge $150 for what little differences there are from 10.6 and 10.6 + hybrid iOS called 10.7 windows discs would never sell (who the hell buys MS discs retail that reads AT anyway?? Newegg has always sold oem discs MUCH cheaper-wait apple person NM). But to sit there and tell me that there isn't any major changes from XP to 7... that's just ridiculous.
  • xyn081s - Monday, August 1, 2011 - link

    I think you're the one who missed the point. Even with all these Win licenses, it'll still be cheaper than a Mac. Plus, you can get the Family pack, 3 licenses for $150...
  • ex2bot - Friday, August 5, 2011 - link

    I know this comment was a few days ago, but I had a laugh at your comment, so I just had to open my digital mouth and reply:

    "2400 for 3 PCS ($800 ea.) and $3000 for your [POS] Mac".

    If you paid $40,000 for three Chevy Malibus and I paid $80,000 for my one souped-up Corvette" I would have gotten RIPPED OFF! (No, actually I would have received A LOT OF TICKETS!!)

    A better comparison is

    $800 PC vs. $1400 iMac. Not 800 vs. 3000. * Incidentally, you can sell your used Mac for a lot more than the technically equiv. PC. I've used that to upgrade my Macs several times.

    -Ex2bot
    Mac Fanbot

    * Think an $800 PC = Mac Pro? The Mac Pros have Xeon processors. You know better than I that Xeons are $400 or $500 each. The cheapest Mac Pro has *dual* E5620s @ 2.66. You can't build a octo-core Xeon machine for $800. And you've got to have a motherboard and a, what, case? Power supply? And a few other parts, right?
  • nafhan - Wednesday, July 20, 2011 - link

    So, you bought four copies of Windows for a single computer? You may be the only person to have done this... A more typical experience over that time period is: Windows XP "free" with new PC, and $100 to upgrade to Windows 7.

    With the amount of money you spent on OS licenses, you could have purchased both a Win XP computer (OS included) and a Windows 7 box (OS included) outright.
