Welcome to the MacNN Forums.

besson3c · 08:29 PM

Does having Filevault on degrade performance at all? Have any of you crazy benchmarkers put it though its paces yet?

What happens when you copy a file from a Filevault protected home directory to a non-FV protected system? Will it decrypt the file as it is transferred? What happens when you move from one FV protected system to another? Does it decrypt and then re-encrypt?

Clearly, my knowledge of this technology is lacking. Anybody care to enlighten me?

Developer · Oct 4, 2003, 08:43 PM

Obviously the performance will be slower with FileVault (maybe not noticeable, I don't know). But since FileVault only encrypts the home folder, not the System folder or the Applications folder, it probably doesn't matter. Saving a Word document every 15 minutes doesn't make much a difference if it takes slightly longer. The same with preference files which are very small and not that often accessed.

melman101 · Oct 4, 2003, 09:49 PM

it said i needed 10 gigs free to do it, only got 6.

flyhigher · Oct 4, 2003, 10:03 PM

Your browser cache and many other large temp files also go in your home folder. So there may be a performance hit.

Does file vault work by decrypting the entire folder when you log in, then encrypt when you log out? This is the impression I got from what Steve said at the keynote. But wouldn't it be much better to make the home folder an encrypted volume like Disk Tools does.

ddma · Oct 5, 2003, 12:24 AM

I didn't notice any speed different after turning FileVault on on my iBook 800 30GB stocked HD, 640MB. Actually FileVault is a disc image of your home folder which only created on the first time your enable it. Then it will encrypt the files on the fly when ever you have access to your home folder. It acts like normal home folder.

bracken · 10:49 AM

Mithras · Oct 5, 2003, 08:10 AM

So does FileVault only decypt the image when you log in at the machine, or can you still SSH in?

dharknes · Oct 5, 2003, 09:28 AM

Originally posted by bracken:
I made a directory called /Users/Shared/.caches then made a link from ~/Library/Caches to /Users/Shared/.caches. That will keep it out of the FileVault. I'm also thinking about doing the same with ~/Library/Logs, etc. It may not be necessary at all with my system, just testing...

From a security standpoint this is a VERY bad idea. If someone has access to your cache and logs then they can see what websites you've visited, the commands you've run, depending on the applications you use different amounts of information will be logged. This is why very secure OSes like OpenBSD encrypt EVERY thing. They encrypt you data files, the system memory, and the system swap file. All to prevent someone from getting "leaked" information.

bracken · 10:50 AM

bracken · 10:50 AM

justinkim · Oct 6, 2003, 02:25 AM

It's be awfully nice if you could set Filevault to encrypt only select directories in ~/.

danengel · Oct 6, 2003, 05:05 AM

1. So, when accessing a HD in FireWire Target Disk Mode, all I'll see is an encrypted image of the user's home directory? Can it be backed up and decrypted on another machine?

2. When ssh'ing to such a machine, there should be a way of authenticating so that the files are accessible. They can't just kill SSH!

3. Files are encrypted on-the-fly, not after logout, right? Otherwise a lost, sleeping PowerBook would be as vulnerable as with FileVault turned off.

Spheric Harlot · Oct 6, 2003, 05:34 AM

Originally posted by bracken:
You're 110% right. (And OpenBSD is very cool.) This isn't a production machine or anything so I'm willing to risk it.

...in which case, why the hell bother with FileVault at all?

If you're deliberately opening it up because security isn't important, why run it in the first place?

-s*

bracken · 10:51 AM

tsheley · Oct 6, 2003, 09:46 AM

I have found that FileVault won't create the first time if you have Autoprotect on in Norton AntiVirus. If you turn AutoProtect off then turn on FileVault it will work fine. It seems that after FileVault is turned on you can then turn Autoprotect back on.

Spheric Harlot · Oct 6, 2003, 09:54 AM

Originally posted by bracken:
You're joking right?

[...]

There's lots of reasons to use it. Important documents, letters, and emails for example.

No, actually, I wasn't joking. No need to get all condescending on me, really.

I was going by this:

"If someone has access to your cache and logs then they can see [...] the commands you've run, depending on the applications you use different amounts of information will be logged."

If you care enough to secure all your "important" documents, you're gonna let MS Word dribble a bunch of info into an unsecured cache file for the sake of a few milliseconds of speed gain?

I realize it's all about *levels* of security, so of course it's your prerogative to do this. It just seemed somewhat illogical to me.

No offense intended.

-s*

Gee4orce · Oct 6, 2003, 10:10 AM

Well, I turned on FileVault - ssh works fine (at least, when that user it logged in at the machine, and I ssh in from another machine)...

...but, mounting my directory from Windows shows nothing, and I get 403 Forbidden if I try an open my user's web page. Not good. Worse, I can't seem to get back into the Secutiry preference pane to turn it off again

besson3c · Oct 6, 2003, 10:17 AM

Originally posted by tsheley:
I have found that FileVault won't create the first time if you have Autoprotect on in Norton AntiVirus. If you turn AutoProtect off then turn on FileVault it will work fine. It seems that after FileVault is turned on you can then turn Autoprotect back on.

The question is: which offers more security - Filevault or NAV?

Or maybe, which provides some security and which just hangs around and does nothing?

kman42 · Oct 6, 2003, 10:42 AM

I haven't tried FV yet, but I'm concerned about not being able to share web pages or SSH into my account. Anyone do any more extensive explorations of these issues?

kman

bracken · Oct 6, 2003, 10:53 AM

Spheric Harlot · Oct 6, 2003, 11:13 AM

Originally posted by bracken:

Aimed at me?

clarify.

Simon X · Oct 6, 2003, 11:49 AM

I asked this before in another thread but no one replied...

Whilst I'm really looking forward to FileVault I nevertheless have one major concern, video capture. Sure, I'll be using my external drive most of the time, but every no and then I may have to use the internal. And there's one thing you don't want when capturing or playing back video and that is any realtime encryption overhead impacting on this time-critical process.

I suppose they only way round this is to capture to the root of the hard drive which remains outside of the Home folder? Not exactly the most elegant solution. But will your average user be aware of this? After all, OS X wants us by default to save video to the Movies folder in the Home folder. And the Desktop is out too since this is also inside the Home.

As someone else has said, it would have been really nice to specify a folder not to be encrypted with FileVault. 10.4 perhaps?

Zimphire · Oct 6, 2003, 12:03 PM

I was hoping for just a app that lets you drag files to protect them. Not everything in my home folder do I want "protected"

You need 10 gigs free? That is silly.

absmiths · Oct 6, 2003, 12:16 PM

Originally posted by bracken:

It's kind of childish to engage in a public forum then go back and delete your messages because you don't like the outcome.

absmiths · Oct 6, 2003, 12:21 PM

Originally posted by kman42:
I haven't tried FV yet, but I'm concerned about not being able to share web pages or SSH into my account. Anyone do any more extensive explorations of these issues?

kman

Relax, everybody. When Apple says login they are referring to the console as well as a login shell. Once Apple gets this working correctly the following should be true:

1 - Logging into the console or via ssh gives access to home directory files.
2 - Other users always have access to the Public/Drop Box files.
3 - public web sites are shared properly.
4 - All encryption/decryption is done on demand, on the fly.
5 - Home directories accessed via the network with the proper credentials will give clear access.

It sounds like Apple may have a while to go before all these are achieved, but I can't imagine Apple releasing it before they get to this point.

Mike S. · Oct 6, 2003, 01:17 PM

Originally posted by absmiths:
It sounds like Apple may have a while to go before all these are achieved, but I can't imagine Apple releasing it before they get to this point.

Oh ye of blind faith.

Apple screws things up and releases half functional features just like everybody else, I just happen to like their half functional products better than that other company's

absmiths · Oct 6, 2003, 01:35 PM

Originally posted by Mike S.:
Oh ye of blind faith.

Apple screws things up and releases half functional features just like everybody else, I just happen to like their half functional products better than that other company's

Granted, but if any of the above were not implemented it would not be a half-implementation, but rather a nearly worthless one. I don't suspect that is the case, however, since Apple made such a big deal about it (Can't back out now) and GM is out so we will see.

Gee4orce · Oct 7, 2003, 03:26 AM

Points 3 and 5 do not work currently, sorry ! Well, at least network access from Windows doesn't.

I finally managed to turn off FileVault somehow, but it wasn't easy. I copied all my files back out of the disk image it created (turning if off is supposed to do this automatically, but it didn't).

I suppose filevault works for those people it's intended for - laptop users who want to secure their documents. I just happen to use my laptop as a mobile web development system, so I need the web site to work, and to be able to access it via SMB.

- - e r i k - - · Oct 7, 2003, 06:48 AM

To all the people who want to encrypt certain files: It is not at all hard to create an encrypted disk image. Just put it in your documents folder and mount it whenever you need it. Then unmount it whenever you don't. If FileVault is anything like working with encrypted disk images, I can't imagine much of a speed impact at all. Seeing as all my encryption needs are served by such an image, I have not bothered to turn on FileVault.

RealMac · Oct 8, 2003, 01:04 AM

I'm wondering how filevault will work with disk repair utilities. Really about the overall implementation of the system.

What level of encryption are they using for it?

Will an encrypted file still have the same traits as a non-encrypted one and what not?

Will some shoddy repair programs think the files are corrupted?

ratlater · Oct 8, 2003, 02:22 AM

I just did some quick tests with File Vault on 7B85. With it on and myself logged out of the computer I couldn't connect to the personal web site. I could SSH into the machine, but my homedir only contained an encrypted disc image. Performance also seemed to suffer when I tried to copy a large file in my homedir.

-matt

step · Oct 8, 2003, 11:30 AM

Originally posted by Simon X:
I asked this before in another thread but no one replied...

Whilst I'm really looking forward to FileVault I nevertheless have one major concern, video capture.

create an account with an unencrypted home folder and fast switch to it when you need it

or
capture to the shared folder

or
capture to a different hd, better for speed anyway

step · Oct 8, 2003, 11:35 AM

oops

zigzag · Oct 11, 2003, 11:48 AM

Originally posted by Zimphire:
I was hoping for just a app that lets you drag files to protect them. Not everything in my home folder do I want "protected"

You already have one - open up Disk Copy and create a disk image of whatever size you need. Enable the encryption feature and you'll be prompted to create a password. This creates a secured volume that you can mount/open as you please (after entering the password) and drag your files into. Just don't keep the password on your keychain and it should be secure, at least that's my understanding.