Starting in OS X 10.7 Lion, Apple introduced a new version of FileVault, referred to as FileVault 2.
FileVault 2 is Apple’s answer to a longstanding complaint that Mac users lacked the option of working securely on a system with full disk encryption. Previous versions of FileVault, going back to Mac OS X 10.3 Panther, worked by encrypting each user’s home directory on a user-by-user basis. That was fine as far as it went, but it did not protect anything stored outside those directories…files in the Applications or System folders, for example.
As a result, this left gaps for individuals and companies that needed the highest level of data protection.
FileVault 2 addresses this by encrypting the entire startup volume, including all user home directories, applications and system files. This, of course, also means that FileVault becomes an all-or-nothing proposition for users who share the same computer: if one user turns on FileVault 2, everyone’s files on that volume are encrypted, and each account that should be able to start up the Mac has to be enabled to unlock the disk.
The problem alluded to in the title of this Tech Tails article becomes evident when some not-so-uncommon issues crop up that are merely inconvenient on unencrypted disks, but can result in catastrophic data loss on FileVault-protected volumes if you are not properly prepared.
The first is the loss of the password for an administrative login account. For unencrypted volumes without a firmware password in place, there are workarounds that allow you to reset a user’s password (although not their login keychain, which is protected by the old password!). This usually means they can get access to their files again, but may need to re-enter passwords for email and other accounts.
On a FileVault 2 protected volume this is not an option, and rightly so: the whole point of a secure volume is that its security should not be easy to circumvent. In order to log in and decrypt the volume, at least one of the enabled user accounts must have a known password. No password? Bye-bye data. All of it. Or maybe not…
Apple realized that people DO forget passwords, so they left one “backdoor” for exactly this situation; you need to know about it to use it, though. That backdoor is the Recovery Key. It is generated at the time FileVault 2 is turned on for a volume and looks something like this: GTE3-HWEZ-76FG-45WD-WKS4-PX13. Apple encourages you to write this key down and store it in a safe place (hint: not in a file on the encrypted volume it unlocks!). Bear in mind that the key is a full substitute for a user password: anyone holding it can unlock the disk, so it deserves the same care as the data itself.
In fact, this key is so important that Apple even offers to store it for you, retrievable later provided you can answer the three security questions you chose when setting it up. If you enter the wrong login password for a FileVault 2 volume three times, you will be prompted for the Recovery Key. To get the escrowed key back from Apple at a later date, you will need to call AppleCare, provide your computer’s serial number AND answer the three questions you set when you first encrypted the FileVault 2 volume.
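A concrete way to check all of this on a given Mac, as an added example that is not part of the original article: Apple’s fdesetup command-line tool (added in OS X 10.8 Mountain Lion, one release after the Lion version discussed above) reports whether FileVault is on, which accounts are enabled to unlock the disk, and whether a personal recovery key exists, and its validaterecovery verb lets you prove that the key you wrote down is the real one before you ever need it. The script below wraps those calls. The check_recovery_key_format function is a local sanity test derived from the shape of the key shown above (six groups of four uppercase letters or digits), not Apple’s specification of the key alphabet, and the haspersonalrecoverykey and validaterecovery verbs are assumed to exist on your version of macOS.

```shell
#!/bin/sh
# Added example (not from the article): audit FileVault 2 state and verify a
# documented recovery key with Apple's fdesetup tool. Run it on the Mac itself.
# The format check below is a local sanity test based on the key shape shown in
# the article, not Apple's specification of the key alphabet.

# Six groups of four uppercase letters or digits separated by hyphens,
# e.g. GTE3-HWEZ-76FG-45WD-WKS4-PX13 (the article's example key).
check_recovery_key_format() {
    printf '%s\n' "$1" \
        | LC_ALL=C grep -Eq '^[[:upper:][:digit:]]{4}(-[[:upper:][:digit:]]{4}){5}$'
}

# Summarise the FileVault state: on/off, which accounts can unlock the disk at
# boot (anyone else is locked out until one of them logs in), and whether a
# personal recovery key was generated. Returns 2 when fdesetup is unavailable.
filevault_report() {
    command -v fdesetup >/dev/null 2>&1 \
        || { echo "fdesetup not found; this runs on macOS only" >&2; return 2; }
    fdesetup status                          # prints "FileVault is On." or "FileVault is Off."
    echo "Accounts enabled to unlock the disk (user,UUID):"
    sudo fdesetup list                       # listing enabled users needs root
    echo "Personal recovery key set: $(sudo fdesetup haspersonalrecoverykey)"   # true / false
}

# Prove that the key you wrote down actually unlocks this disk. A typo in the
# documented copy is caught locally first; fdesetup then prompts for the key
# interactively and prints true or false.
verify_documented_key() {
    key="$1"
    if ! check_recovery_key_format "$key"; then
        echo "'$key' does not look like a FileVault recovery key" \
             "(expected XXXX-XXXX-XXXX-XXXX-XXXX-XXXX)" >&2
        return 1
    fi
    command -v fdesetup >/dev/null 2>&1 \
        || { echo "fdesetup not found; format looks right but cannot be validated here" >&2; return 2; }
    echo "Format OK. Enter the key at the prompt to confirm it matches this disk:"
    sudo fdesetup validaterecovery
}

# Usage on the Mac (copy the key from your paper record, not from a file on the
# encrypted volume, and prefix the command with a space so it stays out of history):
#    filevault_report
#    verify_documented_key "GTE3-HWEZ-76FG-45WD-WKS4-PX13"
```

Run filevault_report after enabling FileVault and again whenever accounts are added, since a user who was created after FileVault was turned on is not able to unlock the disk until an administrator enables them. A false from validaterecovery means the documented key belongs to an earlier enablement, or was mistranscribed, and should be regenerated before it is needed.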
That’s not so bad…assuming you keep track of your Recovery Key, right? Well, there is another situation we run into pretty often in the Service Department: a drive suffering from bad physical sectors or corruption of the partition structure. On unencrypted drives we can sometimes work around these flaws and recover most of the data. On a FileVault 2 protected drive, however, depending on where the damage lands, it may prevent the volume from being unlocked and mounted at all. And because every block on the disk is encrypted, we cannot pick and choose just the good stuff: nothing on it is readable until the whole volume unlocks.
This potential shortcoming should give folks pause, but it is not necessarily a reason not to use FileVault 2 if your situation demands it. What it does underscore is the need for a good Time Machine backup. And Time Machine backups, as we all know, can be stored either encrypted or NOT encrypted…even when they are made from a FileVault 2 protected volume. Keep in mind that an unencrypted backup of an encrypted disk is a plaintext copy of everything you were protecting, so if the data warranted FileVault, the backup warrants encryption too, along with its own safely documented password.
So the moral of the story is that FileVault 2 is a powerful tool. Think carefully about what using it means and about the implications for your data should something go wrong. Document your Recovery Key, and consider storing a copy with Apple. And certainly, without exception, make sure you have a Time Machine backup of your drive stored somewhere securely, just in case.
(Editor’s note: to reiterate one of Jeremy’s points, FileVault encryption is very secure. If you lose access to your data for one of the reasons he describes, the chances of recovery are basically zero. If you have only a few files you need to secure, you can create an encrypted sparse disk image in Disk Utility and keep sensitive files there. Be careful; there is no backdoor savior in this scenario!!)
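The encrypted sparse image the editor’s note describes creating in Disk Utility can also be made from the command line with hdiutil. This is an added example, not part of the article or the editor’s note; the image path, the volume name Secure, the 2 GB ceiling and the twelve-character minimum passphrase length are assumptions for illustration. It makes the note’s warning concrete: the passphrase is the only key there is, so the script refuses an empty or trivially short one before anything is created.

```shell
#!/bin/sh
# Added example (not from the article): create, mount and inspect an encrypted
# sparse disk image with hdiutil. Path, volume name, size and the minimum
# passphrase length are assumptions chosen for this example.
set -u

IMAGE="${IMAGE:-${HOME:-/tmp}/Secure.sparseimage}"   # assumed location of the image
VOLNAME="Secure"                                       # assumed volume name; mounts at /Volumes/Secure

# Example policy: refuse trivially weak passphrases before touching the disk.
# Unlike FileVault 2 there is no recovery key for a disk image; lose the
# passphrase and the files are gone for good.
check_passphrase() {
    [ "${#1}" -ge 12 ]
}

# Build the image. -stdinpass reads the passphrase from standard input so it
# never appears in the process list; -type SPARSE lets the file grow on demand
# up to -size; AES-256 is the strongest cipher hdiutil offers.
create_encrypted_image() {
    pass="$1"
    check_passphrase "$pass" \
        || { echo "passphrase too short (this example requires 12+ characters)" >&2; return 1; }
    command -v hdiutil >/dev/null 2>&1 \
        || { echo "hdiutil not found; this runs on macOS only" >&2; return 2; }
    printf '%s' "$pass" | hdiutil create -encryption AES-256 -stdinpass \
        -type SPARSE -fs HFS+J -volname "$VOLNAME" -size 2g "$IMAGE"
}

# Mount with the passphrase on stdin; the volume appears under /Volumes/$VOLNAME.
mount_image() {
    printf '%s' "$1" | hdiutil attach -stdinpass "$IMAGE"
}

# Eject the volume so the plaintext view disappears when you are done.
unmount_image() {
    hdiutil detach "/Volumes/$VOLNAME"
}

# Confirm that the file on disk really is encrypted before trusting it with anything.
is_encrypted() {
    hdiutil isencrypted "$IMAGE"
}

# Usage on the Mac (read the passphrase rather than typing it on the command line):
#    printf 'Passphrase: '; stty -echo; read -r P; stty echo; echo
#    create_encrypted_image "$P" && is_encrypted && mount_image "$P"
#    ... copy sensitive files into /Volumes/Secure ...
#    unmount_image
```

Because the image is an ordinary file, it can live on an unencrypted drive or in a Time Machine backup and stays protected either way; the trade-off is that its passphrase must be documented as carefully as a FileVault recovery key, since nothing can recover the contents without it.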