File Vault 2 installation and security

Posted on by Mike Evans

Two years ago I bought a subscription to PGP, the gold-standard third-party Mac OS X encryption system. I wrote about it at length and it worked without fault. Committing your hard drive to encryption is a bold step but I never regretted taking up with PGP. I stopped using it when I got my 11in MacBook Air because, at the time, PGP was not compatible with the sleep functions on the little computer. And since instant sleep, instant on are important aids in prolonging battery life, PGP had to go.

The alternative under Snow Leopard, File Vault, was always an ugly duckling. There were so many hard luck and disaster stories that I didn’t feel confident in committing my home folder to the ministrations of Apple and File Vault.

All has changed under Lion. The only thing File Vault 2 shares with the old File Vault is the name. This is a full-disk encryption similar to PGP’s system and not simply a way of stuffing your home folder into an encrypted sparsebundle. The reviews so far have been positive and, to clinch the deal, File Vault 2 is built into Lion and is free. PGP is expensive and requires an annual maintenance contract.

Thus encouraged, I switched on File Vault 2 on my MacBook Air this evening. It was a very simple process, unlike installing PGP which needs some care. I was provided with a “recovery code” which is a long key to be used in the event of forgetting passwords. I took the option to allow Apple to store this recovery code which I can access by answering three questions of choice.

Encryption of my 128GB SSD took about 45 minutes. Afterwards, the computer works entirely as normal with no apparent speed penalty and with no need to enter an additional unlock code. The standard user password is still current. PGP, on the other hand, introduces an opening screen before the system is loaded and the secure password must be entered before you get to the point of entering the normal user password. It’s a bit of a kludge and does slow down initial access.

Apple seem to have done an excellent job with File Vault 2. It means that I can carry my MacBook Air around without worrying about a thief gaining access to my information. Since it also protects the contents of my Dropbox folder, I will now decide whether or not I need to use encrypted volumes on Dropbox for sensitive material. At the moment I keep my DevonThink Pro database on Dropbox inside an encrypted sparsebundle because the database contains bank statements and other financial information that I wouldn’t want compromised. If the whole disk is encrypted I could manage without additional protection within Dropbox. 
