
FileVault: I'm So Impressed
jessejlt
Mac Enthusiast
Join Date: Feb 2003
Location: Portland, Oregon
Oct 10, 2003, 09:23 PM
 
Apple really hit the nail on the head with this one. FileVault works so well on my iBook and surprisingly there is no noticeable performance impact which is amazing for such a thing. What's more, my iMac is capable of mounting my iBook's encrypted home directory and add, delete, view files as though they were part of my iMac. I'm truly amazed.
THANK YOU SO MUCH APPLE!
Only drawback ( not much of one at that ) is that it took nearly 120 minutes for the initial encryption / enabling of FileVault... But considering the peace of mind I now have in knowing that my data won't fall into someone else's hands if I were to lose my iBook makes it worth every second of that 120 minutes.
God I love this thing!
jesse ;-)
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Oct 10, 2003, 09:42 PM
 
Just don't forget that password!
     
iDriveX
Mac Elite
Join Date: Nov 2001
Location: SoCal
Oct 10, 2003, 10:16 PM
 
I wish I could enable FileVault on my PowerBook 12" but when I tried to I got an error message saying that I didn't have enough room on my hard drive to enable FileVault...

Version 4.0 - Now Powered By iWeb
     
AU_student_iceBook
Senior User
Join Date: Oct 2001
Location: Indiana
Oct 10, 2003, 10:28 PM
 
Originally posted by iDriveX:
I wish I could enable FileVault on my PowerBook 12" but when I tried to I got an error message saying that I didn't have enough room on my hard drive to enable FileVault...
How full is your hd?
     
jessejlt  (op)
Mac Enthusiast
Join Date: Feb 2003
Location: Portland, Oregon
Oct 10, 2003, 11:25 PM
 
Originally posted by iDriveX:
I wish I could enable FileVault on my PowerBook 12" but when I tried to I got an error message saying that I didn't have enough room on my hard drive to enable FileVault...
I'm not 100% sure about this, but I think that when you first enable FileVault it creates an exact duplicate of your home directory, this is the directory that is encrypted. Once the initial encryption process is completed, your old unencrypted home folder is deleted. So you need free space on your HDD >= to the size of your home folder. I didn't have enough room the first time I tried it as well, so I created a backup of my home folder on my iMac and then deleted pretty much everything in my home folder and then I enabled FileVault. After it was encrypted, I started importing files back into my home folder.
So maybe something like that would work for you. I tell you what, it may be a pain having to do all that, but it's absolutely worth it for a mobile user. I mean, if I lost my laptop ( God forbid ) and someone got ahold of all my financial information on my HDD I would be screwed! I have documentation going back 5+ years on that thing. Ouch!
jesse ;-)
     
Mike S.
Senior User
Join Date: Jun 2002
Oct 11, 2003, 12:02 AM
 
Maybe I'm wrong about how FV works but how is it more secure?

If you reset your admin password from an OS X CD does the keychain password also reset? If so, and Keychain is your access to your encrypted home folder then your data is theirs.

If they hack your log-in password (does Panther still ignore anything longer than 8 characters?) and your keychain auto-unlocks on log-in (default behavior) then you've got no more security than you had before.

Jaguar apparently does not make it very hard to get the password file dumped, any user can get at it at which point you can run that file through a brute force cracking app. Is that oversight fixed in Panther?

Assuming the keychain password is not reset with an admin password then it's OK to deter a casual thief but it seems to me that FileVault's security is only as good as your Keychain's password so it should be different than your log-in password, Keychain should not be set to auto-unlock upon log-in and the password should be very strong.

Then, and only then, do you have some level of security but a determined attacker is going to be able to crack that password and gain access.

Then again, maybe I'm just missing something...
     
Disgruntled Head of C-3PO
Professional Poster
Join Date: Jul 2001
Location: In bits and pieces on Cloud City
Oct 11, 2003, 12:07 AM
 
I am not even touching this one for a couple revisions.
"Curse my metal body, I wasn't fast enough!"
     
timmerk
Mac Elite
Join Date: Jan 2001
Oct 11, 2003, 12:29 AM
 
Why not? I don't have 10.3, but he seems to make a valid point with the Keychain.
     
Disgruntled Head of C-3PO
Professional Poster
Join Date: Jul 2001
Location: In bits and pieces on Cloud City
Oct 11, 2003, 12:48 AM
 
Originally posted by timmerk:
Why not? I don't have 10.3, but he seems to make a valid point with the Keychain.
Why not? What if the drive is slightly messed or you have a certain configuration and POOF, we have ourselves another iTunes installer or 10.2.8
"Curse my metal body, I wasn't fast enough!"
     
timmerk
Mac Elite
Join Date: Jan 2001
Oct 11, 2003, 12:51 AM
 
Maybe we are talking about different things - I thought you were talking about the post Mike S. wrote about with the keychain.

Are we talking about different things?
     
iDriveX
Mac Elite
Join Date: Nov 2001
Location: SoCal
Oct 11, 2003, 02:01 AM
 
Originally posted by AU_student_iceBook:
How full is your hd?
I have 3.86 GB left on the original 40 GB Hard Drive that came with my computer. My Home Directory is 27.51 GB. Looks like it's time to upgrade my laptop's hard drive, eh?

I was also wondering about the FileVault thing as well. In OS 9 it was very easy to get at other users' folders... Does FileVault make this harder to do?

Version 4.0 - Now Powered By iWeb
     
Cipher13
Clinically Insane
Join Date: Apr 2000
Oct 11, 2003, 02:30 AM
 
AES-128? Pfft. No thanks.

Anyway... my home directory is over 50 GB - I think I'll pass on that.

Tell me - what happens when doing something drive intensive like video editing? Does it unencrypt a 10GB scratch file on the fly? Does it unencrypt it and THEN use it? That'd mean a massive performance impact on some machines.

I don't know much about how FV works, but I think I'll pass for the moment...

Can I select folders to exempt from encryption? Like my Music folder, which is 30GB alone?

I don't NEED my Movies folder, Music folder, etc, encrypted.

I really only want my Pictures, Documents, Library, and so forth encrypted.
     
Disgruntled Head of C-3PO
Professional Poster
Join Date: Jul 2001
Location: In bits and pieces on Cloud City
Oct 11, 2003, 02:47 AM
 
Originally posted by timmerk:
Maybe we are talking about different things - I thought you were talking about the post Mike S. wrote about with the keychain.

Are we talking about different things?
I am just talking about FileVault, who wants to encrypt ALL their work with a 1.0 product? Not me!
"Curse my metal body, I wasn't fast enough!"
     
jessejlt  (op)
Mac Enthusiast
Join Date: Feb 2003
Location: Portland, Oregon
Oct 11, 2003, 03:07 AM
 
FV requires both your user login password, and a master password. How secure is this thing? Hell I don't know, but I would bet it's more so than no encryption. I'm sure more details will surface soon after Panther hits shelves.
Also, about the comment with drive intensive work. I think it goes w/o saying that if you're doing drive intensive work such as video editing that you would do so in a folder / partition outside of your home directory if you have FV enabled.
Also, I'm sure Apple doesn't intend FV to be a one-size-fits-all product. For those of us that have very sensitive information that we're packing around with us everyday, this adds a level of security that is very welcomed.
I for one am thrilled with it, and I commend Apple for putting forth the effort in engineering such a piece of software.
jesse ;-)
     
timmerk
Mac Elite
Join Date: Jan 2001
Oct 11, 2003, 04:51 AM
 
Originally posted by Disgruntled Head of C-3PO:
I am just talking about FileVault, who wants to encrypt ALL their work with a 1.0 product? Not me!
Ah, I see - heh, I knew we must have been talking about something else.
     
HiRez
Fresh-Faced Recruit
Join Date: Oct 2003
Location: San Francisco, CA
Oct 11, 2003, 05:35 AM
 
1. What kind of a performance hit is there? (FYI, I am on an 800 MHz DVI PowerBook G4, soon to have a 7200rpm internal drive though.)

2. Besides the extra space needed for initial setup (double your user folder seems like an insane requirement to me), does the encryption take up any extra space?

3. What if my user folder resides on a separate partition? Any issues with that?

4a. What about backups? Let's say I copy my user folder to an external hard drive to back it up (using ditto). Are those copied files on the external drive encrypted or unencrypted?

4b. If the backup files from 4a are encrypted, what happens if my startup disk gets corrupted/lost? Now how would I access the files when the system tracking my master/home passwords is gone?

Thanks for any light you can shed on this, FileVault looks interesting but very scary too. It seems like there's a lot that could go wrong that might totally hose you...

"I don't want to achieve immortality through my work. I want to achieve it through not dying." --Woody Allen
     
SoGood
Fresh-Faced Recruit
Join Date: Dec 2001
Oct 11, 2003, 07:13 AM
 
One should consider carefully what is the value of data security vs risk of data loss without recovery.

What would happen should the HD crash? Would any of the data recovery services be able to recover an encrypted vault? A more balanced move may be to specifically encrypt those sensitive files and leave the majority of data.

One other question is how data backups are made with FV. Are the backed-up data also encrypted?
-- Good
     
Boondoggle
Grizzled Veteran
Join Date: May 1999
Location: Seattle
Oct 11, 2003, 07:31 AM
 
Maybe I'm wrong about how FV works but how is it more secure?

If you reset your admin password from an OS X CD does the keychain password also reset? If so, and Keychain is your access to your encrypted home folder then your data is theirs.
If you reset your admin PW from a CD then your admin login is compromised. Your keychain is not automatically changed to the new PW, but the Admin home directory is available. If the burglar tries to reset the PW of users on the system from the Admin account the same thing applies. So your filevault would remain closed.

If they hack your log-in password (does Panther still ignore anything longer than 8 characters?) and your keychain auto-unlocks on log-in (default behavior) then you've got no more security than you had before.
If you use a childish PW like "password" or the name of your sister's best friend with the big boobs, then you've got all kinds of security problems anyway.

Assuming the keychain password is not reset with an admin password then it's OK to deter a casual thief but it seems to me that FileVault's security is only as good as your Keychain's password so it should be different than your log-in password, Keychain should not be set to auto-unlock upon log-in and the password should be very strong.
Keychain will only autounlock if it is the same as the login PW. If that has been changed via Boot CD then the keychain does not autounlock. If you have sensitive data in your filevault, then it will be a good idea to keep your keychain PW different from the login PW and strong.

Then, and only then, do you have some level of security but a determined attacker is going to be able to crack that password and gain access.
physical access = total access given enough time. It all depends on how sensitive the data is. If it really counts, use PGP and keep the keys on a separate device like a mini-usb drive. I've had PGP disk images of PGP encrypted files that I've segmented into several parts, re-encrypted and then stored on separate devices including the keys. Almost impossible to crack unless all the parts are found (unlikely) and even then extremely time intensive.

Then again, maybe I'm just missing something...

Mainly just the firewire disk mode thing
( Last edited by Boondoggle; Oct 11, 2003 at 07:40 AM. )
1.25GHz PowerBook


i vostri seni sono spettacolari
     
sandsl
Senior User
Join Date: Aug 2002
Location: Oxford, England
Oct 11, 2003, 07:38 AM
 
A FileVault protected home directory is basically an encrypted disk image. When you are logged in, the disk image is mounted and appears as your home folder.

Copying files from your home directory to, say a network or CD copies an unencrypted copy of the file.

Other users on your system, or network users only see your encrypted disk image of your home directory and thus can not access your home directory.

Therefore you could choose to back up the entire encrypted disk image or individual unencrypted files/folders.

There is no noticeable performance hit as long as you don't work with massive files (like in video editing). Video editors can still take advantage of FileVault by using a directory outside their encrypted FV home directory.
Luke
     
Simon X
Grizzled Veteran
Join Date: Oct 2001
Location: Over there
Oct 11, 2003, 07:55 AM
 
Originally posted by Cipher13:


Tell me - what happens when doing something drive intensive like video editing? Does it unencrypt a 10GB scratch file on the fly? Does it unencrypt it and THEN use it? That'd mean a massive performance impact on some machines.

I really only want my Pictures, Documents, Library, and so forth encrypted.
Indeed. I've asked the same question a couple of times without any reply. (Last FileVault Question) And there's enough people using Panther here who could answer.

I suppose we'll find out in 13 days.
     
SoGood
Fresh-Faced Recruit
Join Date: Dec 2001
Oct 11, 2003, 08:18 AM
 
Thanks Sandsl for the info.

Sounds like that FileVault is similar to that PGP Disk thing which I kind of like. It would be nice if Panther.x could also provide something similar where one can designate file based encryption folder or mountable disk.
-- Good
     
suthercd
Senior User
Join Date: Oct 2000
Location: Midwest
Oct 11, 2003, 09:05 AM
 
SoGood-

Backups are not encrypted if you back up un-encrypted files to outside your Home directory. This is just the same as copying a file. If you copy the encrypted image, you have a copied encrypted image with the protection intact.

Craig
     
Agent69
Mac Elite
Join Date: Jun 2000
Oct 11, 2003, 10:16 AM
 
Personally, I would rather use an encrypted disk image for the few things I would want to protect (bank info, etc). I can't see worrying about my collection of MP3 files.

However, it should be pointed out that FileVault is not a perfect solution. After all, when you open a file, temp files are often created in possibly non-encrypted areas, not to mention possible writes to the swap file. All of these can be recovered with standard file utilities.

The only thing FileVault will really deter is the casual snooper (wife), which can be a problem.
Agent69
     
Robert Hicks
Fresh-Faced Recruit
Join Date: Aug 2001
Location: Colorado
Oct 11, 2003, 10:21 AM
 
Guys, I have been slapped by FV three times and that's enough for me.

The first time was in 7B70 (or near that build). I had FV working for a few days and loving it. One night, the machine locked up hard (Ti 800/1gb/60gb) so I did a power off and power on. When I logged in, I was horrified to see the default dock and background. My old home directory was GONE. I was pissed but hey, it is a beta so I just stopped using the FV feature.

The second and third time was with 7B85. This is supposed to be the GM build. There have been plenty who argue that it is not. In any case, I thought it was close enough to GM. FV was turned back on. In testing, I did various hard resets to see if my home would be trashed again. It wasn't in any of the tests. This was great! This feature alone (being a PB owner) is enough to warrant the $129 pricetag.
Usually when you log out of the system, FV wants to "reclaim" space in your home directory. The first couple of times I told it no. I wasn't sure how long this would take and needed to take the Tibook and go. One night, I decided just to log out and let it reclaim space to see how long it would take. It ran fine. I logged back in and continued to work. Two days later, I got slapped. I logged out and let it run. I then shut the machine down for the night. I normally just let it run or put it to sleep. I'm not sure why I did a shutdown this time. After watching tv for an hour or so, I decided to go back and do more work. I turned the machine on and logged in. The changes to the dock were gone! The default backdrop was back, my safari bookmarks were gone, and mail.app was asking me to configure my mail accounts! Something is just not right here. All of my files on the desktop (pictures, .sit, dmgs) were fine. They launched or decompressed without problems. I decided to turn off FV and wait until my boxed copy arrives and watch the boards for others to complain. After decryption and relogin, most of my desktop files that I had just checked were trashed. Stuffit Expander complained about the files being corrupted. A very few of the files *were* readable and appeared to be fine. I'm guessing that the "bad" files were still encrypted somehow.

I am finding it hard to believe that my most recent 7B85 experience will not be limited just to one user. I hope nobody else has to go through this with their live and important data. Just be careful when using this option!

RH
     
ablaze
Dedicated MacNNer
Join Date: Apr 2001
Location: Saarbruecken
Oct 11, 2003, 10:57 AM
 
Originally posted by Cipher13:
AES-128? Pfft. No thanks.
Don't you like AES? I like it better than the other synchronous encryption algorithms. And a key length of 128-bit should be safe enough for everyone. Go ahead and try to break an AES-128 encryption. Good luck.
     
Mike S.
Senior User
Join Date: Jun 2002
Oct 11, 2003, 11:16 AM
 
Thanks for the info BoonDoggle.

Even a strong password can be compromised, I've been told that X (Jaguar anyways) doesn't protect the hashed password file, basically any user can open a terminal and get a copy of the file.

With that in hand it's just a matter of running it through a good password cracker but it seems the Keychain is what someone would really want (in an encrypted scenario anyways) and that password may very well be more secured.

Neat idea about the use of those little pocket storage devices.
     
zigzag
Addicted to MacNN
Join Date: Aug 2000
Oct 11, 2003, 11:27 AM
 
What sandsl said. It sounds to me like FileVault is just a scripted/automated (if that's the right word) version of the encrypted disk image feature in Disk Copy.

I figure 128-bit encryption is more than adequate unless the FBI is after you for selling nuclear secrets or something. The weak link is your password. Disk Copy lets you select a separate password (I think up to 13 characters or something), and you can keep the disk image on a separate, non-bootable drive. The inconvenience is that, since you don't want that password on your keychain, you have to enter it separately every time you open the disk image. Since most people don't want to have to do that to use their home folder, I don't know if File Vault offers the same level of security. But I might be misunderstanding it.

I saw a remark somewhere that said Panther no longer incorporates the Disk Copy utility? Surely this isn't true?
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 11, 2003, 12:34 PM
 
Originally posted by Robert Hicks:
Guys, I have been slapped by FV three times and that's enough for me.

The first time was in 7B70 (or near that build). I had FV working for a few days and loving it. One night, the machine locked up hard (Ti 800/1gb/60gb) so I did a power off and power on. When I logged in, I was horrified to see the default dock and background. My old home directory was GONE. I was pissed but hey, it is a beta so I just stopped using the FV feature.

The second and third time was with 7B85. This is supposed to be the GM build. There have been plenty who argue that it is not. In any case, I thought it was close enough to GM.
The first one does not count because you were using a prerelease beta quality build. 7B85 is the GM. Proof will come in the form of the boxed version.
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Oct 11, 2003, 01:38 PM
 
Originally posted by HiRez:
1. What kind of a performance hit is there? (FYI, I am on an 800 MHz DVI PowerBook G4, soon to have a 7200rpm internal drive though.)
Since it is just an encrypted disk image, there will be little performance degradation. At the Power of X demo in 2002, Apple demonstrated the performance of encrypted disk images. The demo was a side-by-side playing of a HD quality movie in QuickTime Player from an encrypted disk image and another copy playing from outside of the encrypted image. There was no lag in the copy from the disk image. It was on the exact same frame as the other copy the entire time.
Vandelay Industries
     
cynikal
Fresh-Faced Recruit
Join Date: Aug 2003
Oct 11, 2003, 01:52 PM
 
Originally posted by zigzag:
I saw a remark somewhere that said Panther no longer incorporates the Disk Copy utility? Surely this isn't true?
Disk Copy is no more.. all its functionality (except for being able to automatically skip checksum verification) has been merged into Disk Utility.
     
Cipher13
Clinically Insane
Join Date: Apr 2000
Oct 11, 2003, 01:59 PM
 
Originally posted by Art Vandelay:
Since it is just an encrypted disk image, there will be little performance degradation. At the Power of X demo in 2002, Apple demonstrated the performance of encrypted disk images. The demo was a side-by-side playing of a HD quality movie in QuickTime Player from an encrypted disk image and another copy playing from outside of the encrypted image. There was no lag in the copy from the disk image. It was on the exact same frame as the other copy the entire time.
You DO remember how "fast" the Public Beta of OS X was on Apple's machines, right?

Their "demonstrations" are NO indication of how things really are.

Originally posted by SoGood:
One should consider carefully what is the value of data security vs risk of data loss without recovery.

What would happen should the HD crash? Would any of the data recovery services be able to recover an encrypted vault? A more balanced move may be to specifically encrypt those sensitive files and leave the majority of data.

One other question is how data backups are made with FV. Are the backed-up data also encrypted?
Indeed - if your hard drive was damaged, even if you couldn't recover SOME files, you could recover others. When your Home directory is one huge file, if any part of it is corrupted... you're screwed. Majorly.

Originally posted by ablaze:
Don't you like AES? I like it better than the other synchronous encryption algorithms. And a key length of 128-bit should be safe enough for everyone. Go ahead and try to break an AES-128 encryption. Good luck.
I really dislike AES. 128 bit should be enough, I guess... but it's still not great. *I* wouldn't be able to break AES-128, but I'm not worried about me.

AES is like an open door to some people/groups... *cough* No Such Agency *cough*
     
zigzag
Addicted to MacNN
Join Date: Aug 2000
Oct 11, 2003, 02:10 PM
 
Originally posted by cynikal:
Disk Copy is no more.. all its functionality (except for being able to automatically skip checksum verification) has been merged into Disk Utility.
That's good to hear - I always wondered why it was treated as a separate utility called "Disk Copy" anyway, since it can do more than that.
     
Cipher13
Clinically Insane
Join Date: Apr 2000
Oct 11, 2003, 02:24 PM
 
Another query...

Say you have a 10GB file in your Home dir, that is now encrypted.

When you want to use it... what happens?

Is it decrypted/re-encrypted on the fly? (Bad for performance).

Is it decrypted, and the encrypted "copy" removed? (Bad when you've finished with the file, as it would need to be re-encrypted).

Is a "copy" decrypted, with the encrypted copy remaining? Meaning... you need 10GB of free space, minimum, to watch a 10GB movie?
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Oct 11, 2003, 03:33 PM
 
Originally posted by Cipher13:
You DO remember how "fast" the Public Beta of OS X was on Apple's machines, right?

Their "demonstrations" are NO indication of how things really are.
True, but I've used encrypted disk images for many things and have never noticed a performance penalty.
Vandelay Industries
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Oct 11, 2003, 03:35 PM
 
Originally posted by Cipher13:
Another query...

Say you have a 10GB file in your Home dir, that is now encrypted.

When you want to use it... what happens?

Is it decrypted/re-encrypted on the fly? (Bad for performance).

Is it decrypted, and the encrypted "copy" removed? (Bad when you've finished with the file, as it would need to be re-encrypted).

Is a "copy" decrypted, with the encrypted copy remaining? Meaning... you need 10GB of free space, minimum, to watch a 10GB movie?
It is decrypted/encrypted on the fly. Again, I've noticed no performance degradation even on a 500MHz iBook.
Vandelay Industries
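
The "decrypted/encrypted on the fly" behaviour described in the replies above, as an added sketch that is not part of the original thread and is not Apple's code. It models an encrypted disk image as independently encrypted sectors, so reading part of a large file touches only the sectors that cover it. Assumptions: 512-byte sectors, PBKDF2 for the password-to-key step, an HMAC-SHA256 keystream standing in for AES-128 so that it runs on the Python standard library alone, and hypothetical names throughout.

```python
import hashlib
import hmac

SECTOR = 512  # assumed sector size for this sketch


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 128-bit key; a weak password stays the weak link."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=16)


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR one sector with a keystream bound to (key, sector number).

    Stand-in for AES so the sketch needs no third-party library; the same
    call encrypts and decrypts. Illustration only, not for protecting data.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedImage:
    """Toy encrypted image: only ciphertext is kept in self.blob."""

    def __init__(self, key: bytes, size: int):
        self.key = key
        self.size = size
        self.sectors_processed = 0  # how many sectors were decrypted
        self.blob = bytearray()
        for n in range(-(-size // SECTOR)):  # ceiling division
            self.blob += crypt_sector(key, n, bytes(SECTOR))

    def _load(self, n: int) -> bytearray:
        self.sectors_processed += 1
        raw = bytes(self.blob[n * SECTOR:(n + 1) * SECTOR])
        return bytearray(crypt_sector(self.key, n, raw))

    def _store(self, n: int, plain: bytearray) -> None:
        self.blob[n * SECTOR:(n + 1) * SECTOR] = crypt_sector(self.key, n, bytes(plain))

    def read(self, offset: int, length: int) -> bytes:
        """Return plaintext for a byte range, decrypting only covering sectors."""
        if offset < 0 or length < 0 or offset + length > self.size:
            raise ValueError("range outside image")
        out = bytearray()
        pos, end = offset, offset + length
        while pos < end:
            n, start = divmod(pos, SECTOR)
            take = min(SECTOR - start, end - pos)
            out += self._load(n)[start:start + take]
            pos += take
        return bytes(out)

    def write(self, offset: int, data: bytes) -> None:
        """Read-modify-write each affected sector; plaintext never hits the blob."""
        if offset < 0 or offset + len(data) > self.size:
            raise ValueError("range outside image")
        pos, i = offset, 0
        while i < len(data):
            n, start = divmod(pos, SECTOR)
            take = min(SECTOR - start, len(data) - i)
            plain = self._load(n)
            plain[start:start + take] = data[i:i + take]
            self._store(n, plain)
            pos += take
            i += take


def demo():
    """1 MiB image, one small read: returns (data, sectors touched, leak?, total sectors)."""
    key = derive_key("constructed passphrase", b"constructed-salt")
    img = EncryptedImage(key, 1024 * 1024)
    marker = b"tax-return-2002.pdf"  # constructed sample content
    img.write(700_000, marker)
    img.sectors_processed = 0
    got = img.read(700_000, len(marker))
    return got, img.sectors_processed, marker in bytes(img.blob), len(img.blob) // SECTOR


if __name__ == "__main__":
    print(demo())
```

Copying `read()` output elsewhere yields plaintext, while copying `blob` yields a backup that is still encrypted, which is the distinction drawn in the thread between backing up files and backing up the image.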
     
sorkinesque
Fresh-Faced Recruit
Join Date: Sep 2003
Oct 11, 2003, 04:14 PM
 
Originally posted by Cipher13:
AES is like an open door to some people/groups... *cough* No Such Agency *cough*
You think the NSA wants what you have, and you spend your time posting to macnn?

really, if you're doing anything to piss off a government and relying on apple for your security...
     
sandsl
Senior User
Join Date: Aug 2002
Location: Oxford, England
Oct 11, 2003, 04:50 PM
 
FILEVAULT FILE COPY COMPARISON
Powerbook G4 800MHz, 256MB
Mac OS X Panther 10.3 (7B80)
File Used: 211.4MB MPEG Movie

FileVault setup on a newly created account. (This is encrypting the basic, default home directory of the newly created user)
24.1 Seconds

FileVault OFF, Copying Unencrypted 211.4MB file to Unencrypted desktop.
33.2 Seconds

FileVault ON, Copying Unencrypted 211.4MB file (from outside of FV home directory) to Encrypted desktop (within FV home directory).
1.50 Minutes

As you can see from my rather unscientific tests that the copy process is markedly slower with FileVault enabled. However, I could determine no performance drop when playing/opening the movie file from within the FV directory.

I must stress that these results are from my personal tests with a beta version of Panther (7B80). I would encourage all of you to try FileVault and make up your own minds with the final boxed version of Panther before discounting it as a viable encryption & security solution.
Luke
     
danengel
Mac Enthusiast
Join Date: Oct 2000
Oct 11, 2003, 05:06 PM
 
I'm not going to turn this thing on before November 24th. The 10.2.8 update made me suspicious.
     
Zimphire
Baninated
Join Date: Jul 2002
Location: The Moon
Oct 11, 2003, 05:46 PM
 
Filevault would have been a lot cooler if you could choose what gets encrypted and what doesn't.
     
billybob
Mac Enthusiast
Join Date: Apr 1999
Location: Portland, Oregon
Oct 11, 2003, 05:51 PM
 
FileVault's a cool idea and very user friendly for Joe Shmoe... but I just use encrypted disc images for sensitive data. This is such a cool feature, I wish apple would have pushed it more. You only open the disc image when you need access to your data. If you're like me, this isn't too often (once a week max). You mount the image, do your work, unmount the image. I back it up to my imac also, and backing up an image is way faster than a folder as it's just one file. I flippin love it. :)

If most of the stuff you work with is sensitive data, I can see how filevault could be pretty convenient. However, after Robert Hicks' horror story, with the GM build... I think I'll pass. Even though I have a laptop -- if it got stolen, the only things I wouldn't want prying eyes to see are encrypted, and backed up to my desktop mac anyways. I love the setup. :)

I also agree with zimphire here -- you should be able to choose what's encrypted and what's not, as Cipher said, who needs 30 gigs of mp3's encrypted?
everything you know is wrong (and stupid)
     
billybob
Mac Enthusiast
Join Date: Apr 1999
Location: Portland, Oregon
Oct 11, 2003, 05:59 PM
 
My last post got me thinking -- the scary part here, based on Mr Hicks' story, is that it doesn't back up the data. If it gets corrupted, all your stuff is gone. Ouch. Another reason why I'd much prefer an image that I can just copy to my other computer. Or if you only have one computer, make a backup of that image on the same computer. Much safer.
everything you know is wrong (and stupid)
     
osxisfun
Registered User
Join Date: Apr 2003
Location: The Internets
Oct 11, 2003, 06:20 PM
 
but if you use a program like folder syncronizer(sp) like i do it wouldn't?!

i have an external FW drive that i sync my home folder to once a week....copying the data would not result in encryption to the fw drive (i assume)
     
legacyb4
Mac Elite
Join Date: May 2001
Location: Vancouver
Oct 11, 2003, 06:29 PM
 
What I have been doing up to now has been to back up the encrypted disc image in 700MB image sizes to a CD-RW which gives you reasonable peace of mind (off-drive storage) without the worries about a stray copy of the backup getting lost or misplaced.

Now that I have a SuperDrive in my laptop, I guess that means I can upgrade to a DVD-RW...

Cheers.

Originally posted by billybob:
Another reason why I'd much prefer an image that I can just copy to my other computer. Or if you only have one computer, make a backup of that image on the same computer. Much safer.
     
Warrenpeace
Fresh-Faced Recruit
Join Date: Oct 2001
Location: Toronto
Oct 11, 2003, 06:49 PM
 
I had it turned on and it screwed up a lot of my home folder. Luckily I hadn't moved a lot of files back after the install, but it erased a lot of preferences and I had to set up the prefs, import mail and sync to get all my bookmarks and addresses again. A lot of hours of hassle.

I'm using a Powerbook G3 Pismo 500MHz and didn't notice any performance hit while it encrypted new files and 10.3 is faster than 10.2.8 overall.

One hassle I got was, upon restarting, FileVault often told me that it was using too much disk space and wanted to rebuild and optimize itself. It would churn away for 10-20mins before restarting or logging me out. I only have an 18gig drive, so perhaps this wouldn't happen with a larger drive with room to spare.
     
HiRez
Fresh-Faced Recruit
Join Date: Oct 2003
Location: San Francisco, CA
Status: Offline
Oct 11, 2003, 07:09 PM
 
Originally posted by sandsl:
I must stress that these results are from my personal tests with a beta version of Panther (7B80). I would encourage all of you to try FileVault and make up your own minds with the final boxed version of Panther before discounting it as a viable encryption & security solution.
Thanks for doing the test, Luke. I think I'll be waiting for a few revisions before I feel comfortable trying it out.

"I don't want to achieve immortality through my work. I want to achieve it through not dying." --Woody Allen
     
dialo
Senior User
Join Date: May 2002
Status: Offline
Oct 11, 2003, 09:06 PM
 
Originally posted by Cipher13:
Their "demonstrations" are NO indication of how things really are.

Well, you could just find out right now by making a quick encrypted disk image and playing some video off of that.

When I do it I see no problems.
     
Rand
Forum Regular
Join Date: Jun 2000
Location: Indianapolis, Indiana
Status: Offline
Oct 11, 2003, 09:14 PM
 
Certain situations make FV very handy:

I have an AlBook with my home dir (900mb or so (mp3s and big stuff is all elsewhere)).

My Home folder is backed up nightly to my FW disk using LaCie's SilverKeeper (free on VT). On the FW HD, the home folder is unencrypted, and free for all to see.

But as soon as I leave the room with my PB, the FW disk is unplugged, and data is safe on the Laptop, albeit under the precarious protection of FV.

In my situation, this is a great little addition that just adds a decent layer of protection to what would otherwise have little.

**There were a lot of 2 letter acronyms there**
For Fun:
FV= File Vault
Al=Aluminum
VT=VersionTracker.com
FW=FireWire
HD=Hard Drive
PB=PowerBook

I'm glad I've taken 18 years of technologese to read this.
     
antisonne
Junior Member
Join Date: Aug 2003
Status: Offline
Oct 11, 2003, 09:51 PM
 
I didn't have time to read all of the posts, but if no one else said how it's more secure let me give you an example.. Currently, anything you save in X (2.6/2.8) can be accessed if you boot to 9 or another OS. With FV your data is encrypted and they can't open it. Get it?
     
asdasd
Forum Regular
Join Date: Apr 2003
Location: Santa Clara
Status: Offline
Oct 11, 2003, 10:27 PM
 
I don't think that Mr Hicks problem had anything to do with FileVault - if the disk was un-mountable then he would have recovered no data. ( I believe the b70 bug was known and beta testers luck). I have seen that happen on normal logins - I think it is a race condition ( the Dock preferences are read before the disk is fully mounted, and revert to default). No biggie.

People who wish for the data to be re-coverable are missing the point - it wouldn't be secure to keep a non-encrypted version around - would it?

Yes, there is the potential problem that an encrypted disk image is just a file a corruption of the hard drive away from destroying that whole file (and thus the home directory), rather than just a couple of files in your home directory. User beware.

As for the other problems with people wanting to only encrypt some of their files, and not others - you will find that that is a problem with the applications. Apple really has to get its iApps, and evangelize developers, to write most of the un-important stuff to /Users/Shared/...

So your music ( and anything else that is not personal) should go to /Users/Shared/<foo> if you mark them as un-secure.

2 advantages here:

1) your home dir will be smaller and easier to encrypt
2) You can share stuff with your wife. The best way to do that now is via rendezvous - Apple has a better sharing story across 2 machines than on the same machine with fast user switching.

Keep the porn secure though, or the wife will be mad.

I think in that scenario encrypting the important stuff on the home directory makes a lot of sense.

Lastly Apple is now using a shadow hash for Panther, and it has better encryption ( details escape me - I am not the expert) but I noticed when I played with it that the password is no longer in the netinfo record but on the disk somewhere, accessible only by root, and no more ni dumps. It can also be greater than 8 characters - but it gets salted anyways.

And, as said already, you have to set the master password before turning on FileVault - it is this master password that unlocks the FileVault if you forget the original. Changing the login password from the CD will not do it - you will login but the filevault will not mount.

Knowing the master password allows you to change passwords at loginwindow time, so that CD thingie is now deprecated and not the way to change passwords no more - certainly not for filevault users.

Of course, what you want to do then is etch the master password on the back of the iBook, just in case you forget it.
( Last edited by asdasd; Oct 11, 2003 at 10:45 PM. )
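legacyb4's 700MB-per-disc backups of the encrypted image, and asdasd's point that one corrupted spot can cost the whole image, both depend on knowing every piece is intact before a restore. The following is an added example, not code from any poster or from Apple; the segment names, the manifest layout and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, bufsize=1 << 20):
    """Hash a file in blocks so a large segment never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(bufsize), b""):
            digest.update(block)
    return digest.hexdigest()

def split_image(image_path, out_dir, segment_size=700 * 1024 * 1024, bufsize=1 << 20):
    """Write numbered segments; return the manifest [(name, size, sha256)]."""
    manifest = []
    with open(image_path, "rb") as src:
        while True:
            name = "segment.%03d" % len(manifest)
            digest, written = hashlib.sha256(), 0
            with open(os.path.join(out_dir, name), "wb") as dst:
                while written < segment_size and (
                        block := src.read(min(bufsize, segment_size - written))):
                    dst.write(block)
                    digest.update(block)
                    written += len(block)
            if written == 0:  # source exhausted: drop the empty trailing file
                os.remove(os.path.join(out_dir, name))
                return manifest
            manifest.append((name, written, digest.hexdigest()))

def verify_segments(out_dir, manifest):
    """Return names of segments that are missing, truncated or altered."""
    def intact(name, size, expected):
        path = os.path.join(out_dir, name)
        return (os.path.isfile(path) and os.path.getsize(path) == size
                and sha256_file(path) == expected)
    return [name for name, size, digest in manifest if not intact(name, size, digest)]

def demo():
    """Constructed 2500-byte stand-in image, 1000-byte segments, one bad byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "home.img")
        with open(image, "wb") as fh:
            fh.write(bytes(range(250)) * 10)
        manifest = split_image(image, tmp, segment_size=1000)
        clean = verify_segments(tmp, manifest)
        with open(os.path.join(tmp, "segment.001"), "r+b") as fh:
            fh.write(b"\xff")  # first byte was 0x00: simulate a bad spot on one disc
        return [size for _, size, _ in manifest], clean, verify_segments(tmp, manifest)
```

The manifest works on the ciphertext, so it can sit next to the discs without revealing anything about the files inside; it only tells you which disc to re-burn.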
     
zigzag
Addicted to MacNN
Join Date: Aug 2000
Status: Offline
Oct 11, 2003, 11:39 PM
 
Originally posted by asdasd:
. . . Lastly Apple is now using a shadow hash for Panther, and it has better encryption ( details escape me - I am not the expert) but I noticed when I played with it that the password is no longer in the netinfo record but on the disk somewhere, accessible only by root, and no more ni dumps. It can also be greater than 8 characters - but it gets salted anyways.

And, as said already, you have to set the master password before turning on FileVault - it is this master password that unlocks the FileVault if you forget the original. Changing the login password from the CD will not do it - you will login but the filevault will not mount.

Knowing the master password allows you to change passwords at loginwindow time, so that CD thingie is now deprecated and not the way to change passwords no more - certainly not for filevault users.
asdasd, thanks for the write-up, but some of the lingo is over my feeble head. What is the meaning/significance of "accessible only by root" and "salted"? I really just want to know if the master password in FV can be discovered or by-passed in any way.

Also, is FV any more or less secure than a regular encrypted disc image?

Thanks for the insights.
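On the question of what "salted" means: a salt is a random value stored beside each password hash, so equal passwords produce different stored values and a table of hashes computed in advance no longer matches. The following is an added example, not part of any post and not Apple's shadow hash scheme; PBKDF2-SHA256, the iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example


def unsalted_hash(password):
    """Weak form: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_record(password):
    """Salted form: store (salt, derived key); the salt itself is not secret."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def check(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def demo():
    # Constructed accounts: two users happen to pick the same password.
    alice, bob = new_record("panther2003"), new_record("panther2003")
    # Digests computed once, ahead of time, for a few common passwords.
    table = {unsalted_hash(p): p for p in ("letmein", "panther2003", "ibook")}
    return {
        "unsalted_equal": unsalted_hash("panther2003") == unsalted_hash("panther2003"),
        "table_hit_unsalted": table.get(unsalted_hash("panther2003")),
        "salted_equal": alice[1] == bob[1],
        "table_hit_salted": table.get(alice[1].hex()),
        "login_ok": check("panther2003", alice),
        "login_bad": check("panther2004", alice),
    }
```

Salting does not make a weak password strong: anyone who can read the stored record can still guess passwords one at a time, which is why restricting the record to root matters as well.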
     
All times are GMT -4. The time now is 02:53 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.