Apple + Recommended + Security & Privacy

Take that FBI! OS X Yosemite Encrypts Disks by Default, Better Protecting Privacy

Posted on October 20th, 2014 by

With the release of OS X Yosemite, Apple has blown a loud raspberry in the direction of law enforcement agencies and data thieves round the world.

The reason? The latest version of Apple's operating system for desktops and laptops positively encourages users to turn on full disk encryption, in the shape of FileVault 2.

FileVault is nothing new. It has been around in its "FileVault 2" incarnation since OS X Lion. (Prior to that, FileVault was available in a form that didn't encrypt the whole drive—and as such offered considerably weaker security.)

But what's new in OS X Yosemite, is that more users are likely to enable FileVault than ever before—as at installation you have to consciously opt-out of having your hard drive encrypted, rather than opt-in.

FileVault enabled by default

As The Guardian reports, the fact that more people than ever before will be taking advantage of OS X's powerful cryptographical technology is unlikely to go down well with those who may have an interest in deciphering our data. Last week, the FBI’s director, James Comey, decried the company’s decision to offer similar tools on mobile devices running iOS 8:

“With Apple’s new operating system, the information stored on many iPhones and other Apple devices will be encrypted by default,” Comey told the Brookings Institute in Washington DC. “Shortly after Apple’s announcement, Google announced plans to follow suit with its Android operating system. This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, email, and recordings stored within.”

Of course, computers with encrypted hard drives make it not only harder for law enforcement agencies to unlock their secrets, it also makes life much tougher for data thieves, too.

FileVault encrypts your entire hard drive using XTS-AES 128, a secure encryption algorithm. The reason why you should strongly consider enabling the feature on your Macs and MacBooks is if your hard drive isn't fully encrypted, anyone who manages to steal your computer can access any data upon it.

With FileVault, however, as soon as your Mac is shut down, its entire drive is encrypted and locked up. Only when an authorised user turns on and logs into the Mac are the drive's contents unlocked. (Yet another reason why it's a good idea not to have an obvious password.)

Although FileVault takes a while to initially encrypt your hard drive's contents, you can continue working (and even turn off your computer if you want) during the process. It will just pick up where it left off at the next opportunity.

And when your system's hard drive has been entirely encrypted, you shouldn't even notice any difference in behaviour or performance (on a newer Mac at least). As far as you're concerned, the computer acts as normal, your files are accessible as usual without any jiggerypokery, because FileVault 2 is doing all the crafty work invisibly and silently in the background.

Encryption that is so seamless it "just works?" That's how it should be.

In my opinion, it's a good thing that Apple is better protecting its customers by leaving FileVault enabled by default.

If you haven't yet given FileVault a go, it's easy to enable.

Make sure you have logged into OS X with an account that has admin privileges, and go to System Preferences > Security & Privacy > FileVault. Once there, press Turn on FileVault.

Further Reading:

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • jasper robinson

    I’d read somewhere (no, of course I can’t find it now!) that you can hack into a Mac by turning on in Target Disk Mode before reseting the pass in Terminal. FV2 stops this if the Mac is fully shut down but not if it’s sleeping. Can anyone confirm/refute please?

    • Rider_X

      You need to restart the computer in order to boot into Target Disk Mode (firmware driven). As such, you will need to provide a password to decrypt the drive

  • Rich Lee

    Your title is entirely misleading. I just upgraded to Yosemite, and FileVault was not turned on by default.

    2. “as soon as your Mac is shut down, its entire drive is encrypted and locked up” I hope not. Surely the drive is encrypted all the time.

    • gserraes ッ

      It is indeed misleading, I had the same experience upgrading to Yosemite (from Yosemite beta) and wasn’t asked by the installer to encrypt, then I realized that my Mac wasn’t in good shape and decided better a clean install (should have done that from the beginning), now I came across the option and of course I agreed to encrypt.

    • Aristocrates

      If the drive was encrypted all the time how would you be able to view any files? If you are able read your files then the encryption key has to be somewhere in your computer’s memory, meaning the drive is only truly encrypted when everything is turned off

  • cbspamit

    this is not new in Yosemite. Apple has offered this even with File Vault on install process for a while. It has been a PITA for Applecare reps as people enabled it without knowing the repercussions.

  • Ben Barker

    i have a macbook pro early 2011 full spec and have struggled for weeks to fix my computer, it is usually lightning fast but after installing yosemite it became utterly unresponsive, this it turned out was caused by file vault being on, when i say unresponsive, i mean it, you could do NOTHING for twenty minutes then you could click maximise on a window and BOOM nothing for another twenty minutes, this sounds like a good idea in theory bit if you have a older model MBP, even if it’s usually lightning fast, be very cautious about using filevault

    • Joe Agvbiti

      what did you do to fix it? I’m having the same problem. my mac is insanely slow now, during the encryption process, it’s been at the halfway point all day and idk what to do

      • Bachsau

        How about some patience? Don’t trust a status bar. It’s done when it’s done. Remember: All your Data has to be encrypted and written back to disk. Your security should be worth it.

  • JOduMonT

    Hi; Effectively,

    1′ One of my customer have a MacBook Air and I’d upgraded it into Yosemite and FileVault still disactived.

    2′ FileVault crypted files when the computer not working, when your Mac working all your files are accessible by you and all software you allow to run.

    3″ I bypass FileVault encryption today for another customer, just by booting into single mode.


    • Rob Pickering

      I call BS. If the drive was properly encrypted with FileVault 2, booting single user would give you access to the machine, but the drive itself would have to be mounted using a valid FV2 user and password. Otherwise, it would be unreadable.

  • Brianna

    I was told by Apple that Firevault, required Macbook to run in promiscuous mode, I see a log in console for en3, promiscuous mode enabled succeeded . Anyone know anything about this?

  • jhencken

    I have two questions. Sorry if they seem dumb.

    First, isn’t the weak spot in the system that your security is only as good as the password protection of the computer? If someone can defeat that, the files are all decrypted as soon as they get past the password protection, right? So how is FileVault actually safer than just good PW protection of the system?

    Second, how does FV interact with DropBox? If it encrypts my DropBox files, won’t it prevent me from being able to read them from a different system?

    • Mikko Ahlroth

      The login password is used to encrypt the contents of the drive. The password itself is not stored unencrypted, so the only way to decrypt the drive is to know the password (or the master key, but that is not saved unencrypted either). So it’s (currently) not possible to “get past” the password protection without knowing the password. Given a strong enough password, it becomes completely unfeasible to try to decrypt the drive by bruteforcing (by trying different passwords until one matches).

      FileVault is safer than a normal password login in the way that if someone takes the drive off your computer and connects it to another one, they cannot read anything (because it’s all encrypted). With a normal password login the only protection you get is that they cannot log in, but they can take the drive and read everything on it with a different computer.

      When you start the computer and input your password, it is used to decrypt the drive. So from then on any files you have are decrypted (until you log out or shut down the computer) and your programs won’t ever see them in their encrypted form. So it won’t affect your DropBox files at all, because DropBox will only ever see the decrypted files.

  • SewerCat

    DO NOT, UNDER ANY CIRCUMSTANCES USE FILEVAULT. Last night it corrupted my entire SSD when it stalled on encryption. I can’t even reinstall OSX now. It bricked my Macbook until I can save up for a whole new SSD

    And also File Vault 2’s been easily broken with a $1000 tool since 2012. So not only catastrophically bad, completely useless even when it works.

    • Dan Doughty

      I know you wrote this 3 months ago, however I felt all the misinformation needed to be cleared up for anyone coming across it.

      1. You are an exception, not the rule. 99.9% of the time Firevault encrypts without issue.
      2. The tool you speak of can only crack encryption if there is a live image in memory. That means someone has to take your mac while it is on. Memory is lost/wiped when it loses power.

  • Andre Van Jaarsveldt

    I am a new apple user. But sins i got my “oldish” laptop i first disabled FV and it was working fine. Then after a month or so enabling it. Still works fine. A lot of you are talking about FileVault 2, is the FileVault that comes standard with Yosemite FileVault2 or am i missing something? In regards to government surveillance. Lets say the FBI wants accesses to my laptop all they have to do is ask apple for my accesses to my icloud as icloud can unlock the encryption? So my basic question is how secure is my icloud account?

    • Dev.

      A very good info security expert or apple engineer could use the algorithms used in the encryption process to have access to your encrypted disk via brute force if your login password is weak (if it’s strong, you rule out the possibility of a brute force any time soon. But it isn’t convenient since you will use it every time you log in). After you use File Vault, it will ask you if you want the ‘recovery key’ to be backed up in your iCloud account or given to you as plain text for you to save/store it somewhere. To answer your question, if you choose to backup your ‘recovery key’ to iCloud, yes, the FBI or anyone with a court order could go to Apple and retrieve this key to have access to your drive. I hope you aren’t onto something illegal. Cheers

  • coololcatz

    1.The encryption key is not on the computer.
    2. Everybody should encrypt by default.

  • Nakamoto Katsutoshi Choi Akuma

    File Vault do not work on my macbook: When I start OS X i can choose between “Mount my HDD with FileVault Password” and “Admin Account”. So why can I use it without password ?

    Or is there something wrong with the configuration of it ?