Full Disk Encryption, the good and bad

Since Snow Leopard, OS X has been able to encrypt sensitive data on your machine. The feature evolved in Lion, and you may well want to turn it on, but it is worth getting some background before deciding when and where to do so.

In System Preferences on your Mac, you’ll find the Security & Privacy pane, which has a tab for FileVault. In Snow Leopard, this would encrypt your user’s home directory (/Users/UserName) and nothing else. Good, but that still left a lot of potentially sensitive data unencrypted.

In Lion, FileVault was extended to be able to encrypt the entire system drive. This let you lock up your whole OS X system, including OS binaries and all data that was on the system drive itself. While this still didn’t cover any external drives, it was a huge step forward in data protection.

FileVault in Lion doesn’t seem to slow down processes on Core i-series systems, which means that if you bought your Mac after 2009, you probably won’t notice any difference with FileVault enabled. There are some slowdowns in extremely disk-intensive applications (like video editing), but otherwise it should be invisible to you.

The one exception is boot times. Booting up from a powered-down Mac can take a while longer on iMacs and other non-SSD machines when FileVault is on. Personally, it added about 2/3 of a minute to my boot-up times on a 2010 iMac. On an SSD MacBook Air, I noticed no difference in boot times with FileVault enabled, so it appears to be just read/write speed that makes that operation take longer on the iMac and MacBook Pro.

Now, since only boot times and very intensive applications seem to have any slowdowns, why wouldn’t you use FileVault? Well, there are a couple of reasons:

– You boot into Windows via Boot Camp and work a lot with files on your Mac’s system drive. Since the drive is only available while OS X is running, you can’t get into it via Boot Camp.

– You use an offline backup tool. This is pretty rare, since most common personal backup software works while you’re logged into your account, but if you back up your Mac while you’re not logged in, there will be issues since the disk is locked out when you’re not logged in.

Otherwise, FileVault is a good idea. Portable devices can be stolen, and using FileVault will help to ensure that at least your data doesn’t become public knowledge for thieves. Yes, they’ll still have your Mac – which sucks – but they won’t have access to your bank account information.

Even for non-portable devices, it’s not a bad idea to turn FileVault Full Disk Encryption on. Burglaries do happen, and computers are a hot commodity for thieves. An encrypted system is still lost, but at least your data will not be sitting there waiting to be stolen too.

For external devices, you can encrypt data, but not with FileVault. TrueCrypt is an open-source, free encryption tool that can create a protected directory or even encrypt any non-system drive entirely. Great for use on those removable USB hard drives that might contain private information. There are many tools that can do this, but TrueCrypt is great security at a great price, and actually worth much more than you pay for it (not often true of free software).

So unless you’re editing videos or doing Photoshop work for most of your day, Full Disk Encryption is a good idea. It’s part of the OS, and easy to configure. Not a bad way to take that extra measure of protection without completely changing the way you use your Mac.

Photo Credit: Zitona