
Tutorial: How To Use Mac FileVault Safely

Welcome TidBITS readers and other Mac fans.

While for the most part I’ve had great luck encrypting my Mac, there are definitely a few things to be aware of and extra precautions to take. I’ve learned some lessons over the past 18 months or so of encrypting my drive, and here are my recommendations for safely using FileVault.

WARNING: FileVault is still risky and not recommended for every user. I don’t recommend it for desktop Macs or for user accounts that hold nothing sensitive. Don’t encrypt just because the cool kids are; make sure you’re willing to be diligent about backups and the other precautions below.

Okay, now for the step by step:

[Screenshot: Picture 1-3]

  1. Move your iTunes and iPhoto libraries into /Users/Shared. FileVault (as of Tiger, Mac OS X 10.4) takes your entire home folder and encrypts it into one big sparse disk image; by moving iPhoto, iTunes, and movie files out, you keep the size of that image down and improve reliability. In iTunes, go into Preferences:Advanced and select where to keep your iTunes Library. Make sure you check the box that says “Keep iTunes Music Library Organized” (this screenshot should help). Then go into Advanced:Consolidate Library and iTunes will move all your files for you. For iPhoto, just move your iPhoto Library; the next time you launch iPhoto it will ask you to point it towards the library. Keep in mind that anything you move out of your home folder is no longer encrypted, and /Users/Shared is readable by every account on the machine. So if you have, shall we say, photographs of a “private” nature, you might want to leave them where they are so they will be encrypted.

  2. Create a maintenance user account with administrative privileges. In System Preferences just click on Accounts and add the user there; make sure it’s an Administrator account. I call mine “Maintenance” (yeah, I’m so original), and gave it a really big passphrase (an obscure movie quote, with a number at the end). This account is critical: if your FileVault image gets corrupted, it is the only working account you have left to log in with and repair or restore the machine. Without it, you are in serious trouble.

  3. Optional: Get a whole-drive backup solution. I use SuperDuper, and an external drive. I like having a bootable backup for when things REALLY go wrong. Yes, I’ve had to use it more than once, for reasons other than FileVault. Note that a clone made from the Maintenance account (step 5) contains your home folder only as the encrypted image, which is fine for restoring the whole thing but useless for pulling out a single file.

  4. Mandatory: Get an incremental backup solution. Odds are Retrospect came with your external drive and many users like that. Or just wait until Mac OS X 10.5 (“Leopard”) is released, and you can use the built-in Time Machine (I’m REALLY looking forward to that). Incremental backups keep track of changed files, while a whole-drive backup is just a clone of everything. The risk of having only a clone is that if the FileVault image is corrupt, the clone holds the same corrupt image, and without file-level copies of your data you won’t be able to restore. One caveat: an incremental backup taken while you are logged in copies your files in decrypted form, so the backup drive needs to be kept just as safe as the laptop, or encrypted itself.

  5. Log into your Maintenance account. Do a complete backup of your Mac to the external drive.

  6. Log back in as yourself, and back up all your files using Retrospect or whatever solution you picked.

  7. Sit down in a dark room. Light a candle. Stare at the flame. Contemplate the existence of the universe, and whether or not you’re really willing to commit to backing up every single day. If not, stop here.

  8. Go into System Preferences; click on Security. Set a master password for your computer. This is the recovery password: it can unlock any FileVault home folder on this Mac if a user forgets their login password, which also makes it the one thing an attacker most wants. Make it long and hard to guess, and write it down in at least 3 places at home; this might be the same as the Maintenance password, since they both provide control over this computer (albeit in different ways). A safe is a good place. Your laptop bag is a bad place.

  9. Check the settings on the bottom: Require a password to wake this computer (so a sleeping laptop can’t simply be opened and used), Disable automatic login (otherwise the machine boots straight into your decrypted home folder), and Use secure virtual memory (so pages swapped out to disk, which can include your passphrase and keys, are encrypted as well).

  10. Get ready for bed, or to go out for the weekend.

  11. Click the button at the top to Turn on FileVault. The initial encryption copies your whole home folder into the image, so you need free disk space at least equal to the size of your home folder, and it can take hours.

  12. Go to sleep. Take a vacation. Pick up a new hobby that takes at least a day or so to learn.

[Screenshot: Picture 2-1]

  13. When you return, your Security preferences should look like this screenshot.

That’s it! You’re now the proud owner of an encrypted home directory, and everything inside it is protected at rest (everything you moved to /Users/Shared is not). Make sure you stay up to date on those backups.

Every now and then, usually after you’ve added or deleted a lot of files, your Mac will prompt you to recover extra space from your encrypted image. Make sure you have the time to let this run: the longest mine has taken is 20 minutes or so, but it usually finishes in 5 minutes. You don’t want to turn your Mac off during this process, since interrupting it is a good way to corrupt the image.

If something does crash, or recovering space seems to take too long, you can always hold your power key down for 10 seconds to force your Mac to turn off. I don’t recommend this since it might corrupt the image, but I have personally had to do it a few times. That’s why those backups are so critical.

Did I say Backups?!?

—Rich


Comments:



By Matt  on  10/05  at  05:46 PM

Thanks for the advice. I don’t have anything sensitive on my Mac (I keep that in a TrueCrypt file on my PC) that I need to encrypt and haven’t tried it out because of some things I’ve heard about FileVault.

The tips you provided should give anyone comfort in using FileVault if they really need it. One that I would have overlooked would be moving the iTunes and iPhoto libraries.

By mds  on  11/04  at  06:59 PM

Unfortunately, Time Machine doesn’t provide direct support for FileVault, i.e. incremental backup doesn’t work and for full backup, you have to be logged out. In consequence, SuperDuper! remains the best solution for FileVault users (provided a Leopard compatible version will become available sooner or later!).

By John P  on  12/03  at  08:27 AM

Please consider adding the year to the "Posted on ..." datestamp. Was this posted in Sep 2006? Will anyone ever read this? :-)

In Leopard, FileVault is no longer "one big file." The on-disk format is called sparsebundle; “man hdiutil” documents it. One can create a sparsebundle with Disk Utility and poke around to view the structure. The encrypted data store consists of numerous 8 MB "bands." My FileVault enabled login has, at the moment, 169 of them.

With encryption spread across numerous "bands," it is not clear what is gained by an incremental backup solution. There is no way to predict which band is modified when a particular file is modified in the sparsebundle disk.
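The tutorial’s step 4 asks for an incremental backup, and the comment above describes Leopard’s sparsebundle layout: the encrypted image is a directory of independent band files plus a little metadata. That layout is exactly what makes a file-level incremental copy useful, because a change inside the image rewrites a few bands and an incremental tool only needs to copy those. The script below is an added example, not code from the original post or from Apple: it builds a constructed stand-in for a .sparsebundle in a temporary directory, copies it, changes one band and adds another, copies again (only the two touched bands move), and then verifies the copy by hashing every band. The bundle name, the tiny band size and the file contents are assumptions for the demo. It deliberately does not try to decrypt anything; bands are opaque ciphertext and stay that way on the backup drive.

```python
# Added example (not from the original post): band-level incremental backup and
# verification of a sparsebundle-style directory. Bundle name, band size and
# file contents are constructed for the demo; real sparsebundles use 8 MB bands.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large bands never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bundle_manifest(bundle: Path) -> dict:
    """Map every file inside the bundle (bands, Info.plist, token, ...) to its SHA-256."""
    return {
        p.relative_to(bundle).as_posix(): sha256_file(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def incremental_backup(src: Path, dst: Path) -> list:
    """Copy only files whose hash differs from the copy in dst; drop files gone from src.
    A write inside the encrypted image touches a few band files, so only those are
    copied; everything is copied as ciphertext and stays encrypted on the backup."""
    dst.mkdir(parents=True, exist_ok=True)
    wanted = bundle_manifest(src)
    have = bundle_manifest(dst)
    copied = []
    for rel, digest in wanted.items():
        if have.get(rel) != digest:
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)  # copy2 also preserves the mtime
            copied.append(rel)
    for rel in set(have) - set(wanted):
        (dst / rel).unlink()
    return copied


def verify_backup(src: Path, dst: Path) -> bool:
    """True only if every band and metadata file in dst matches src byte for byte."""
    return bundle_manifest(src) == bundle_manifest(dst)


def band_content(index: int, size: int, salt: bytes = b"") -> bytes:
    """Deterministic filler standing in for encrypted band data (constructed)."""
    seed = hashlib.sha256(b"band-%d-" % index + salt).digest()
    return (seed * (size // len(seed) + 1))[:size]


def make_sample_bundle(root: Path, bands: int, band_size: int) -> None:
    """Constructed stand-in for a .sparsebundle: metadata files plus bands/0..N (hex names)."""
    (root / "bands").mkdir(parents=True)
    (root / "Info.plist").write_text(
        "<plist><dict><key>band-size</key><integer>8388608</integer></dict></plist>\n"
    )
    (root / "Info.bckup").write_text((root / "Info.plist").read_text())
    (root / "token").write_bytes(b"")
    for i in range(bands):
        (root / "bands" / format(i, "x")).write_bytes(band_content(i, band_size))


def demo() -> dict:
    """Full copy, then one rewritten band plus one new band, then verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "home.sparsebundle"  # assumed name, not a real path
        dst = Path(tmp) / "backup" / "home.sparsebundle"
        make_sample_bundle(src, bands=6, band_size=4096)  # tiny bands keep the demo fast
        first = incremental_backup(src, dst)
        # The user saved some files: the image rewrote band 3 and grew a new band 6.
        (src / "bands" / "3").write_bytes(band_content(3, 4096, salt=b"rewritten"))
        (src / "bands" / "6").write_bytes(band_content(6, 4096))
        second = incremental_backup(src, dst)
        verified = verify_backup(src, dst)
        # A truncated band on the backup drive is caught by verification, not by the copy.
        (dst / "bands" / "1").write_bytes(b"")
        corrupt_detected = not verify_backup(src, dst)
        return {
            "first_copy": len(first),        # 6 bands + Info.plist + Info.bckup + token
            "second_copy": sorted(second),   # only the two touched bands
            "verified": verified,
            "corrupt_detected": corrupt_detected,
        }


if __name__ == "__main__":
    print(demo())
```

Two practical notes. Run such a copy only while the FileVault image is unmounted, i.e. while logged out of that account (as the Time Machine comment above also notes): bands of a mounted image are being rewritten underneath you and the copy will not be consistent. And a backup of the bands is still only as good as the passphrase or master password that unlocks them; lose both and the backup is as unreadable as the original.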

By rbp  on  01/23  at  03:56 AM

So, Rich:

Now that you’ve (I believe) moved to Leopard and left behind the world of SuperDuper! (for the nonce, anyway) are you still Filevaulting, using Time Machine, etc…

Any issues?

By rmogull  on  01/24  at  03:36 AM

I can’t use Time Machine yet- it doesn’t play well with FileVault. I’ve been hand-copying my home directory to my NAS, but I’ve been told that Carbon Copy Cloner is updated and Leopard compatible, so I’ll be installing it this weekend.

I really hope they figure out Time Machine, since that’s what I’d prefer to use for good incrementals. I’m also about to dig into CrashPlan.

By rbp  on  01/24  at  03:43 AM

I didn’t realize that FileVault and Time Machine were incompatible. That seems a tad shortsighted on Apple’s part.

According to the SuperDuper! blog, it’s a few days away from being ready for Leopard.

One of these days I’ll feel safe enough to move to Leopard…


By sascha  on  03/27  at  02:36 AM

Hello:

I read this too late. I have a boot failure (gray screen/apple logo/spinning wheel/but no boot) and looks like I’ll need a re-install. I am using 10.6.2 on an old macbook (2006) and I seem to be locked out of my home folder. I have no maintenance account. I have only one backup, 2 months old.

Am I fragged?

By Lizzie  on  05/05  at  05:23 AM

I do wish I had found this advice sooner - FileVault is corrupted and I am trying to find out how to recover many years of files :-(

I have managed to set up an alternative admin account - luckily my partner had a little-used “standard” account that I could use to get in by the back door.

I started a trial backup with BackBlaze, which seemed fine, then forgot to take out a proper subscription and a couple of weeks later - WHAM!

I had all my photos and music on my iPhone but File Vault went down immediately after I had restored it to upgrade the Firmware - and I had decided to NOT synch anything back straight away in order to do a “tidy up” first. Kicking myself, or what!?!

If you have any recommendations for recovering from this situation . . . I will search your site and continue Googling.

Many thanks for such a brilliant, clear tutorial.

I am with the other poster though - dated posts would help determine relevance. Today is May 6th 2010 :-)

Lizzie
(Leopard on MacBook Pro)
