
Is Using FileVault Encryption in macOS Good Enough?

Posted on December 1st, 2016 by

Is Using FileVault Full-Disk Encryption in macOS Good Enough?

There are many ways to use encryption on your Mac. Before you encrypt your Mac, it is vital to know which encryption type is best for you and to be aware of its strengths and weaknesses. This will help you decide whether you should use FileVault or some other third-party encryption software to protect your Mac.

For the most part, using encryption is a matter of flipping a switch or checking a box, but what happens behind the scenes when a checkbox is clicked? What kind of encryption is used in macOS and is it any good? And what if the options offered by Apple are not good enough for your needs? In this article, we'll cover some of the encryption types and strengths that are used in macOS, and why you would choose one option over another.

What encryption is used in macOS?

One of the most common encryption ciphers used in the world and the one macOS relies on the most—whether it's FileVault, creating an encrypted disk image, or password protecting an iWork document—is Advanced Encryption Standard (AES). AES is a solid cipher and can be used with 128-bit or 256-bit keys. Both are very good, and if a strong password is used, the likelihood of it being cracked is very slim.

For the most part, however, macOS does not offer much of a choice when it comes to encryption. When you password protect a PDF in Preview, macOS uses 128-bit RC4, which is much less secure than the 128 or 256-bit AES that Adobe Acrobat uses. You don't have a choice as all you get is a checkbox to enable it. Password protecting a Pages or Numbers file defaults to 128-bit AES, also without giving you a choice. FileVault uses 128-bit AES as well.

The only place where Apple offers an option is in Disk Utility, when creating an encrypted disk image.

As Apple mentions, 256-bit AES is more secure but slower. The performance impact when using a 256-bit encrypted disk image is very noticeable. Wherever macOS uses AES encryption, it defaults to 128-bit. So you may be asking, why is 256-bit an option in Disk Utility? Most likely it's there because the government requires 256-bit AES encryption for "TOP SECRET" files, and if the government requires it, others may as well, so Apple gives them the option to avoid complaints. For everyone else, 128-bit is more than enough to secure data.

What's the weakest link in encryption?

The ability of encryption to protect your sensitive data hinges on the password you set. Creating a 256-bit AES disk image with "password123" won't do you any good if someone gets their hands on it or is motivated to get in. Using that same disk image with "qs2]mHEH#?hY3q^3oZeiNksrk" as the password, now that's a different story. The best lock available will be virtually useless if you leave a spare key under the mat, so make sure the passwords used to encrypt a file, disk or disk image are very strong. Password managers can remember passwords like "qs2]mHEH#?hY3q^3oZeiNksrk," so you won't have to. (I highly recommend the use of a password manager.)
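The comparison above can be made concrete with a rough estimate of how many bits of work an attacker actually faces. This is an added example, not code from the original article; the wordlist size, the sample wordlist and the function names are assumptions, and the per-character estimate only holds for randomly generated passwords.

```python
import math
import string

# Assumption: size of the wordlist of leaked/common passwords an attacker tries first.
WORDLIST_SIZE = 10_000_000
# Constructed stand-in for that wordlist; a real check would load the full list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def password_bits(password):
    """Upper-bound guessing entropy in bits, valid only for random passwords."""
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        # A listed password falls within the first WORDLIST_SIZE guesses.
        return math.log2(WORDLIST_SIZE)
    alphabet = sum(len(cls) for cls in CHAR_CLASSES
                   if any(ch in cls for ch in password))
    alphabet = max(alphabet, 2)  # characters outside the four classes
    return len(password) * math.log2(alphabet)


def effective_bits(password, key_bits):
    """An attacker takes the cheaper path: guess the key or guess the password."""
    return min(float(key_bits), password_bits(password))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("password123", "qs2]mHEH#?hY3q^3oZeiNksrk"):
        for key_bits in (128, 256):
            print(f"{pw!r:30} AES-{key_bits}: "
                  f"{effective_bits(pw, key_bits):6.1f} effective bits")
```

With "password123" the result is the same for AES-128 and AES-256, because the password, not the key size, sets the limit; with the 25-character random password, the 128-bit key becomes the limiting factor.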

Encryption software options for Mac

TrueCrypt has long been cited as the best 3rd party encryption utility, but development of the utility stopped in May, 2014. TrueCrypt's own website is still online with the latest version available for download, but it mentions, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."

VeraCrypt is based on TrueCrypt but is still under active development; it has enhanced security over the original TrueCrypt and has fixed issues and weaknesses found in TrueCrypt. While not as easy to use as the built-in encryption features in macOS, it offers many more encryption algorithms, so if AES is not your preferred encryption algorithm, you can choose from nine others.

You can find VeraCrypt here. However, before experimenting with VeraCrypt, make sure to back up all your data and read their documentation carefully.

FileVault encryption + strong password = secure data

With the exception of perhaps password protecting PDFs, the default encryption macOS offers is strong enough to secure your data. That is, if you use strong passwords.

Using encryption requires processing power, so it's important to know if your Mac is able to use it without impacting performance. That said, the only encryption that requires continuous processing power is FileVault; all other encryption/decryption is done as a file or disk image is created or opened. The only way to see if FileVault is usable on your Mac is to back up your data first and then try it.

Any Mac since 2010 should be able to handle FileVault just fine without impacting performance. It's built-in, it's free and an excellent way to protect your data—using FileVault encryption is strongly recommended!

Have you enabled FileVault full-disk encryption on your Mac? Do you use third-party encryption software, and if so, why do you prefer it over the Mac's built-in features to encrypt files and folders? Drop us a comment below! 

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
  • 0579186585

    Wondering if the recent CVE-2016-4693 pertaining to the use of 3DES affects previously created encrypted disk images as well as existing keychains. I have heard that they may use 3DES for certain aspects.

    Security
    Available for: macOS Sierra 10.12.1
    Impact: An attacker may be able to exploit weaknesses in the 3DES cryptographic algorithm
    Description: 3DES was removed as a default cipher.
    CVE-2016-4693: Gaëtan Leurent and Karthikeyan Bhargavan from INRIA Paris

  • Robbo_the_yobbo

    Does anyone know what encryption scheme is used in Notes.app ?
