Take Control of FileVault (1.1) (2015)
The FileVault FAQ
My research shows that people have lots of questions about FileVault, so I’ve decided to jump right in and answer some of the most common ones here at the beginning, in the form of a mini FAQ. There are plenty more answers throughout the book, of course, but these topics should give you a good idea of what FileVault is all about—how it does (and doesn’t) work and what you can expect when you use it.
FAQ Topics
What Does FileVault Do?
Who Needs FileVault?
Why Is FileVault Better Than Using a Good Login Password?
Does FileVault Substitute for Using a Firmware Password (or Vice-versa)?
How Is FileVault 2 Different from Legacy FileVault?
What Type of Encryption Does FileVault Use?
How Do I Choose a FileVault Password?
Will FileVault Affect My Mac’s Performance?
What Restrictions Does FileVault Impose?
When Is My Data Protected?
In What Ways Is My Data Still Vulnerable with FileVault 2?
What Else Can I Do to Increase Security?
What Is Core Storage and Why Should I Care?
What Does FileVault Do?
FileVault encrypts the entire contents of your Mac’s startup volume. Encrypting data scrambles it in such a way that people who don’t have your password won’t be able to read any of it—they won’t even know how many files you have or what their names are.
There are lots of ways to encrypt individual files and folders (and I talk about some of these later, in Encrypt Files and Folders). But FileVault operates at a lower level—it encrypts every single block of data on the volume. This approach, which is known in the industry as Full-Disk Encryption (FDE) or Whole-Disk Encryption (WDE), is simpler for you, the user, because a single password locks and unlocks everything, and most of the time you can interact with your disk exactly as you did when it wasn’t encrypted. It’s also safer because there’s no chance you’ll forget to encrypt a particular file, or that you’ll leave behind an unencrypted copy afterward.
Let’s expand on a few of these concepts:
· Volume: I deliberately said that FileVault encrypts a volume, not a disk. A physical disk (a hard disk or SSD) might contain a single volume, or it might be divided into multiple volumes called partitions, each of which appears in the Finder to be a separate disk, with its own icon. If you partitioned your Mac’s internal disk into two volumes and then installed Mac OS X onto one of them and turned on FileVault, it would encrypt only that one volume, not the other volumes that make up the physical disk.
· Startup volume: To be more specific, FileVault encrypts volumes you can boot (start up your Mac) from. If you have additional volumes or disks—whether internal or external—that don’t contain bootable copies of Mac OS X, you can encrypt those too, but it’s a separate, manual process (see Encrypt a Non-startup Volume) and technically not a feature of FileVault.
· Every block: If you have a 1 TB volume with only 100 GB of data on it and you enable FileVault, it will encrypt all 1 TB of the volume, not just the parts that currently contain data. That’s what it means for FileVault to be full-disk encryption—it’s essentially blind to the contents of your disk and encrypts every block (where a block is a tiny unit of data storage) regardless of what, if anything, it contains.
· On the volume: With FileVault enabled, your data is encrypted only when it’s stored on the volume. When you open a file, Mac OS X decrypts it as it reads the file into RAM; when you save the file, Mac OS X encrypts it again. When you copy a file from your FileVault volume to another disk or server, or send it by email, once again, Mac OS X decrypts it in the process. So, if a file is not on your disk, you can be certain that FileVault no longer encrypts it!
Who Needs FileVault?
In some occupations, it’s obvious that every precaution should be taken to protect sensitive data from outsiders. If you’re a spy (hello, NSA friends!), an Apple product designer, a politician, a banker, a journalist covering organized crime, or a political dissident in an unstable country, it probably goes without saying that FileVault could save your bacon, or your job, or even your life.
I don’t fall into any of these categories, but I use FileVault, on all my Macs, for the same reason I keep backups, use sunscreen, and have homeowner’s insurance—you never know when some random event might cause you all kinds of pain. I don’t have heavy-duty secrets on my Macs, but I do have personal information that I’d just as soon keep personal, even if someone were to throw a rock through my office window and make off with all my gadgets before the police showed up. (Which they would in short order, because my home alarm system would alert them—that’s another “you just never know” thing.)
People who use notebook Macs are at greater risk of theft or loss than people who use desktop Macs, and among notebook users, those who move their Macs around a lot are at greater risk than those who use them only at home or at the office. But even desktop Mac users not worried about theft still may appreciate FileVault’s capability to keep data private from snooping coworkers, roommates, and anyone else who has physical access to your Mac.
So, when evaluating whether FileVault is right for you, consider what type of data is on your Mac and how you might feel if it got into a stranger’s hands.
Here’s one possible way to frame the question:
If someone stole your Mac and could then see everything on it—including your documents, contacts, email, browsing history, financial data, and so on—would that make you highly uncomfortable? If so, are you willing to endure the inconvenience of typing a long password every time you turn on, restart, or wake your Mac in order to prevent a hypothetical thief from seeing your files?
If your answer to both questions is yes, you may be a good candidate for FileVault—more so if you think your Mac is vulnerable to theft, and less so if you’re confident about its physical security. If you answered no to either part, FileVault may be more trouble than it’s worth to you.
Why Is FileVault Better Than Using a Good Login Password?
When you set up a user account on your Mac, you’re asked to choose a login password. (As we’ll see just ahead in How Do I Choose a FileVault Password?, that password is also used for FileVault by default.) You can configure your Mac to require your password whenever you log in (to do so, go to System Preferences > Users & Groups > Login Options and make sure Automatic Login is set to Off). This prevents other users from accessing your Mac without your password, so why go to the extra bother of encrypting your drive?
Your login password is indeed a barrier of sorts—but it’s sort of like a locked gate that’s only 3 feet high. Just as you can jump over a gate, you can get around a login password. For example, someone could use Target Disk Mode to mount your Mac’s hard disk or SSD as an external volume on another Mac, or physically remove the drive and attach it to another Mac. As long as they started the other Mac from a different volume and logged in as an administrator on that volume, every file on your disk would be available without restriction.
So, although I do indeed recommend using a good login password, you shouldn’t count on that password alone to provide any real security—it’s far too easy to get around it. FileVault addresses that vulnerability by securing everything on your drive in such a way that it’s protected even if the drive is removed from your Mac.
Does FileVault Substitute for Using a Firmware Password (or Vice-versa)?
When you start a Mac in Recovery mode or from a bootable OS X installer disk, there’s a command (Utilities > Firmware Password Utility) that lets you set a firmware password. Setting a firmware password prevents anyone from starting your Mac in any way other than a normal boot from the internal startup volume. For example, one could not boot the Mac from an optical disc or external drive, in Target Disk Mode, in Single User Mode, or using Safe Boot, without first entering the firmware password.
A firmware password is useful for a Mac in a public setting, such as a school or library, in which the owner wants to prevent random people from messing with the preinstalled software. But that’s all a firmware password does—it doesn’t encrypt any data, nor would it prevent someone from accessing the data on a drive after the drive is removed from the Mac.
Setting a firmware password is in no way a substitute for using FileVault—and I don’t recommend setting a firmware password on one’s own personal Mac, because doing so will make it more awkward for you to use it normally.
Conversely, FileVault isn’t a substitute for a firmware password. For example, using FileVault on a public Mac would be a bad idea, because no one would be able to restart it without the password—yet without a firmware password, anyone could start the Mac from a different volume.
In short, FileVault is a good idea for personal Macs and a firmware password is a good idea for public Macs, but it would rarely be helpful to use the two together.
For more on firmware passwords, see the Apple support article What is a firmware password and how do I set one up?
How Is FileVault 2 Different from Legacy FileVault?
The original version of FileVault, introduced in Panther, encrypted only a user’s home folder—not the entire disk. That meant it was more secure in one respect: if a Mac had multiple users, each with FileVault enabled, one user couldn’t see another user’s data. (FileVault 2, by contrast, unlocks the entire disk when the first authorized user logs in, and adds no barriers between users’ data. Only OS X’s permissions prevent one user from reading another’s files—and that’s no barrier at all for a user with administrative privileges.)
But in almost every other way, Legacy FileVault was a drag. It didn’t encrypt anything outside users’ home folders, so there were many cases in which sensitive files might remain accessible. It was also designed in such a way that disk errors affecting just part of a user’s encrypted home folder could make the entire folder inaccessible. Legacy FileVault had performance problems, too, with frequent delays as it recovered unused space when you logged out. It didn’t play well with Time Machine, either. Time Machine could back up your data only when you were logged out, and could restore only your entire home folder, not specific files.
For these reasons, I always recommended against using FileVault prior to Lion. It was too inconvenient and too risky.
But FileVault 2 is an entirely different beast. The interface in System Preferences looks almost the same as before, and of course the name is the same, but otherwise, it’s a completely new—and vastly improved—technology. It’s fast, transparent, and far safer than Legacy FileVault.
What Type of Encryption Does FileVault Use?
FileVault uses a type of encryption known as XTS-AES-128.
Now take a deep breath, hold it, and quickly skim the following:
The AES part stands for Advanced Encryption Standard, which has numerous modes and implementations. The XTS-AES mode (PDF link) is designed for storage devices; XTS stands for XEX Tweakable Block Cipher with Ciphertext Stealing; XEX, in turn, stands for XOR Encrypt XOR; and XOR refers to the XOR additive cipher, which is based on the XOR (exclusive OR) logical operator.
And… exhale.
If you’re not a cryptographer, you probably didn’t understand any of that, and you probably don’t care, either. But I want to call attention to one detail in this litany of terms that’s especially confusing: the number 128. (If the tech jargon is too much for you, don’t worry, just skip ahead in this topic to the paragraph that begins, “OK, but is it safe?”)
Normally, encryption algorithms are referred to by name and number—for example, AES-128, SHA-512, or RSA-2048—where the number indicates the length of the encryption key (the string of characters needed to encrypt or decrypt the data) in bits. AES-128 uses a 128-bit key, equivalent to 16 alphanumeric characters (since there are eight bits in a byte, and each alphanumeric character occupies one byte).
For any given algorithm, a longer key length is generally more secure because it’s harder to crack—there are more possible combinations. (However, you can’t compare different algorithms based solely on key length, because other factors affect their overall strength.)
The thing is, in some places, Apple says FileVault uses XTS-AES-128 (for example, OS X: About FileVault 2 and the PDF Best Practices for Deploying FileVault 2). In other places (for example, OS X Mavericks: About FileVault disk encryption), Apple says FileVault uses AES-256. So, which is correct?
Weirdly enough, both are sort of correct. A curiosity of the XTS-AES mode is that it relies on two independent keys, each for a different purpose—but those two keys don’t give you double the security. For that reason, XTS-AES-128 actually uses 256-bit keys (which are then split in half to create two 128-bit keys), while XTS-AES-256 uses 512-bit keys (split in half to provide two 256-bit keys). So XTS-AES-128 sort of uses a 256-bit key, but it offers only the security of a 128-bit key.
OK, but is it safe? (Welcome back, tech-jargon-avoiders!) In a word, yes. Even with an effective key length of only 128 bits, AES is an excellent encryption algorithm, widely believed to be adequately secure against brute-force attacks for the foreseeable future, given the current state of technology—as long as you have a fantastic password (see the next question).
If FileVault used 256-bit XTS-AES, it would technically be even stronger, but doing so would have a significant performance penalty while providing no real-world benefit, which is likely why Apple has chosen to stick with XTS-AES-128 for the time being. (You can, however, use full AES-256 encryption when creating a disk image on a Mac—see Use Encrypted Disk Images.)
Keys vs. Passwords
I mention encryption keys throughout this book. As the name suggests, keys are what a computer uses to lock and unlock encrypted data. So, how do keys relate to passwords?
Imagine you’re a locksmith, and you need to cut a simple (physical) key based on a certain blank. Let’s say this particular type of key has six notches, each of which can have any of eight depths. I could say, “Make me a 253881 from Blank XYZ,” and you’d know that if you put the right blank in your machine, make the first notch 2 units deep, the second notch 5 units deep, and so on, you’d end up with a key that matches my description. And, if I’ve described it accurately, I should be able to use that key to open my door.
In this analogy, the “key” is the key (obviously!) and “253881” is the password. That is, a password is a set of instructions that tells an algorithm (the “locksmith”) how to make a specific key. In the digital world, passwords are usually easier to remember and work with than keys. But the instructions that turn passwords into keys are usually quite sophisticated; you can’t reverse the process and use the key to figure out what the password was. You can only run a prospective password through the same process again and see if the key it creates matches the one you created earlier.
You’ll never see or directly interact with a FileVault key; all you’ll see is your password. But it’s the key—and not your password itself—that gets stored on disk, and that unlocks your data. The key was derived (after a fashion) from your password; that oversimplification should be all you need to know.
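The locksmith analogy above, and the XTS key-splitting point from the previous topic, in working form. This is an added illustration, not Apple’s code or the book’s: it derives 256 bits of key material from a password with PBKDF2-HMAC-SHA256 (a stand-in, since the text does not name FileVault’s real derivation function, iteration count, or salt size), splits it into the two 128-bit keys XTS-AES-128 uses, and checks a candidate password by re-running the process rather than by reversing it.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumptions for this example, not FileVault's real values).
ITERATIONS = 100_000
SALT_BYTES = 16


def derive_key_material(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The 'locksmith': a slow, one-way function that turns a password plus a
    random salt into 256 bits of key material. PBKDF2-HMAC-SHA256 is used here
    as a stand-in; the text does not say which function FileVault uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def split_xts_keys(material: bytes) -> Tuple[bytes, bytes]:
    """XTS-AES-128 takes 256 bits of key and uses them as two independent
    128-bit keys: one for the data blocks, one for the per-block tweak."""
    if len(material) != 32:
        raise ValueError("XTS-AES-128 needs exactly 256 bits of key material")
    return material[:16], material[16:]


def enroll(password: str) -> Dict[str, bytes]:
    """What gets stored after setup: the salt and a check value computed from
    the derived key, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    material = derive_key_material(password, salt)
    return {"salt": salt, "check": hashlib.sha256(material).digest()}


def unlock(record: Dict[str, bytes], candidate: str) -> Optional[Tuple[bytes, bytes]]:
    """Run the candidate through the same process and compare the result.
    The stored check value cannot be turned back into a password; the only
    way to test a guess is to derive again. Returns the two XTS keys on
    success, None on a wrong password."""
    material = derive_key_material(candidate, record["salt"])
    if not hmac.compare_digest(hashlib.sha256(material).digest(), record["check"]):
        return None
    return split_xts_keys(material)


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")  # constructed sample password
    print("wrong password ->", unlock(rec, "Password1"))
    data_key, tweak_key = unlock(rec, "correct horse battery staple")
    print("data key:", data_key.hex())
    print("tweak key:", tweak_key.hex())
```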
How Do I Choose a FileVault Password?
If FileVault is to be of any value, you need to be sure you have a great password that neither human nor machine can guess. But by default, FileVault doesn’t have its own password. Instead, it uses your account’s login password. So unless you go to extra effort (which I discuss later, in the sidebar Use a Separate Password for FileVault), whichever password you use to log in to your Mac will also unlock FileVault.
Note: If your Mac is currently configured to log you in when you turn it on or restart without requiring a password, that setting will disappear as soon as you activate FileVault. With FileVault, a password is always required when you (re)start, because otherwise anyone who used your Mac would have free access to all your data.
That, in turn, means your login password has to be great, where “great” unfortunately means “longer and harder to type than you’d prefer.”
I want to be crystal clear about this: if you currently have automatic login enabled (so you don’t have to type any password at all to log in) or a short, easy password, that’ll have to change. You’ll have to endure the inconvenience of entering a password (and a good one, at that) more often in exchange for the security of FileVault. If you’re unwilling to use a good password, there’s no point in turning on FileVault in the first place, because an easily guessed password makes it worthless.
Assuming you choose a completely random combination of upper- and lowercase letters, digits, and symbols, your password should be at least 12 characters long. If you were to use a simpler-to-type password consisting of all lowercase letters, for example, or one that contained English words, it would have to be much longer to give you equivalent security. I explain the logic behind this (including the concept of entropy—a measurement of password strength) in my book Take Control of Your Passwords. For now, suffice it to say that long, random passwords give you the best security.
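To make “much longer” concrete, here is an added calculation (not from the book) of how long a lowercase-only password or an English-word passphrase must be to match the entropy of the 12 fully random characters recommended above. It assumes 94 printable ASCII characters for the random recipe and, for the word case, words drawn uniformly from a 7,776-word list (a Diceware-style assumption; the text does not specify a word list).

```python
import math
import string

# Character-set sizes for the password recipes the text compares.
RANDOM_PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
LOWERCASE_ONLY = len(string.ascii_lowercase)  # 26
WORD_LIST_SIZE = 7776  # assumption: a Diceware-style list of English words


def entropy_bits(choices_per_position: int, length: int) -> float:
    """Entropy in bits of a password whose every position is chosen uniformly
    from `choices_per_position` options: log2(choices ** length)."""
    if choices_per_position < 2 or length < 1:
        raise ValueError("need at least two choices and a length of one")
    return length * math.log2(choices_per_position)


def equivalent_length(target_bits: float, choices_per_position: int) -> int:
    """Smallest length in the given alphabet that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(choices_per_position))


def compare_recipes(reference_length: int = 12) -> dict:
    """Express the recommended random password as an entropy target, then
    report how many lowercase letters or dictionary words reach the same bar."""
    target = entropy_bits(RANDOM_PRINTABLE, reference_length)
    return {
        "target_bits": round(target, 1),
        "random_printable_chars": reference_length,
        "lowercase_only_chars": equivalent_length(target, LOWERCASE_ONLY),
        "dictionary_words": equivalent_length(target, WORD_LIST_SIZE),
    }


if __name__ == "__main__":
    for recipe, value in compare_recipes().items():
        print(f"{recipe:>24}: {value}")
```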
If your current password doesn’t pass muster, here’s how you change it:
1. Go to System Preferences > Users & Groups.
2. If the lock icon is locked, click it and enter your login password to unlock it.
3. Select your user account on the left, and then click Password.
4. Click the Change Password button.
5. In the fields provided, type your old password, type and repeat your new password, and include an optional hint (but be careful that your hint won’t help an attacker). Click Change Password.
Tip: For help picking a random password, click the key icon and use Password Assistant; or, if you have 1Password or another third-party password manager, use its random password generator.
6. Important: Write down your new password and keep it in a safe place! Without it, you won’t be able to log in to your Mac or access any of your data.
From now on, whenever you’re prompted to enter your login password, you’ll use the new one.
But wait! If your Mac has multiple user accounts—and you want any of the other users to be able to unlock FileVault with their own passwords—then you or the other users must also change the other login passwords to be equally strong (but different from your login password). The best way to do this is to log out (choose Apple > Log Out Your Name and click Log Out), log in under a different account, and repeat the steps above.
Warning! If you happen to use your Apple ID password (that is, the same one you use for iCloud) as your Mac’s login password, the same logic applies—make that password extra-strong. (To change it, go to the My Apple ID page and click Reset Your Password.) I recommend making your Apple ID password different from your Mac’s login password for better security.
Will FileVault Affect My Mac’s Performance?
When you first activate FileVault, your CPU usage and disk activity will go up for a few hours or so while your disk is being encrypted. You’ll be able to continue using your Mac during that time, but it will be slower than usual. However, after that initial setup, your Mac should be pretty much as zippy as it was before. FileVault introduces a little overhead, but usually not enough to notice. I’ve performed before-and-after benchmarking on two of my Macs, and in both cases, FileVault reduced overall performance by less than 1 percent.
One reason FileVault manages to keep your Mac’s performance high is that most Intel Core i5, Core i7, and Xeon processors contain special AES hardware and instructions—basically, power that’s dedicated to encrypting and decrypting data using the AES algorithm. (Core Solo, Core Duo, Core 2 Duo, and Core i3 processors don’t have this feature—but even on Macs with those processors, the performance penalty is minor.) And, if your Mac uses an SSD or Fusion drive as opposed to a conventional, spinning hard disk, that will further reduce FileVault’s performance impact.
What Restrictions Does FileVault Impose?
I mentioned already that FileVault’s security comes at the cost of slightly increased inconvenience, mainly in the form of additional password prompts. Let me spell out in more detail the restrictions, limitations, and qualifications of using FileVault:
· Automatic login disabled: If you visit System Preferences > Users & Groups > Login Options after enabling FileVault, you’ll see that Automatic Login is set to Off and dimmed—you can’t enable it. And, in System Preferences > General, the checkbox labeled “Disable automatic login” disappears completely when you turn on FileVault. This means you’ll always have to supply your password when you turn on your Mac, restart, or log in.
· Password required after sleep or screen saver: In System Preferences > Security & Privacy > General on notebook Macs running Mavericks or earlier, the Require Password setting is no longer optional—its checkbox disappears—and the maximum time delay before a password is required may be reduced to as little as one hour. Starting with Yosemite, though, you can disable the Require Password setting on notebook Macs if you like—but you shouldn’t, because that will reduce your security considerably.
Note: With FileVault enabled, if your Mac is configured to sleep automatically after a given interval—and a password is required to wake it up—software that runs on a schedule (such as backup or sync utilities) won’t be able to run unattended. If you’re not present to enter the FileVault password when your Mac wakes up, it’ll go right back to sleep.
· Resetting password with an Apple ID not permitted: Without FileVault enabled, if you go to System Preferences > Users & Groups > Your Username, you’ll see a checkbox labeled “Allow user to reset password using Apple ID.” That option disappears entirely when FileVault is enabled.
· Boot Camp not encrypted: If you use Boot Camp to run Windows from a separate partition on your Mac, be aware that FileVault will not encrypt the Boot Camp volume. (You may be able to find Windows full-disk encryption software that will do the trick.)
· Only passwords used for authentication: If you work at a company that uses biometrics, smart tokens, or other factors (besides or in addition to passwords) to log in to your Mac, be aware that none of those technologies are compatible with FileVault. At present, typing a password is the only way to unlock a FileVault volume.
· FileVault volumes accessible only on Macs: If you attach a FileVault-encrypted drive to another Mac running Lion or later, you can unlock it if you supply the right password. But you can’t use it on a Windows or Linux PC.
· No third-party theft-recovery software: Although Apple’s Find My Mac technology can help you locate (or remotely erase) a FileVault-encrypted Mac, third-party tracking and theft-recovery software (see Other Theft Recovery Software) can’t run until the disk is unlocked, which is impossible without your password.
· Tricky remote reboots: In Appendix A: FileVault on the Command Line, I explain a way to reboot a FileVault-encrypted Mac remotely, from the command line, without it being stuck at the login screen afterward. But if a Mac reboots on its own or isn’t set up for remote access, it won’t be able to finish booting.
· No S.M.A.R.T. monitoring: Apple’s Disk Utility can normally report the S.M.A.R.T. status for internal drives (an indication of the drive’s health), but this feature is disabled for FileVault-encrypted drives.
· Recovery HD volume not shown in Startup Manager: When you (re)boot your Mac with the Option key held down, the Startup Manager screen normally shows all available boot volumes, including Recovery HD. With FileVault enabled, you won’t see Recovery HD on this screen, but you can still boot in Recovery mode by holding down Command-R at startup.
Personally, I find none of these items troubling, but some people may. If you’re one of them, see Go Beyond FileVault for ideas about alternative means of encrypting your data.
When Is My Data Protected?
In the security biz, people say that a disk-encryption technology like FileVault protects “data at rest”—that is, data sitting on your disk but not loaded into memory (“data in use”) and not being transmitted or received (“data in motion”).
To understand what this means in practical terms, think of a bank vault. At night, when the bank is closed, the vault door is sealed tight, and it provides excellent security—it would be very difficult indeed for someone to break in. When the bank is open for business, the vault door probably stands open, because it would be so inconvenient to keep opening and closing it. Perhaps a less-secure gate that opens with a simple key blocks the doorway, and maybe there’s a guard or two on hand. But the heavy-duty security of the big door is a largely unnecessary hindrance, not a help, when bank employees are present to keep an eye on the vault’s entrance. In any case, the contents of the vault (such as safe deposit boxes) have their own locks, so there’s an extra layer of security even if someone were to waltz into the vault while the guard’s back is turned.
Now, think of FileVault as the vault, and (you can see where this is going) your files as the vault’s contents. Unlocking your disk with a password is like opening the vault door. Since you’re using a computer, you’re presumably watching the “door” when it’s open to make sure nobody but you looks at the vault’s contents. Other than your presence, nothing prevents data from going into and out of the vault. It’s just an open door. You can open, save, copy, and delete files just as you normally would. Turn your Mac off, and you lock that heavy door, making it virtually impenetrable when you’re not there.
FileVault gives your data maximum protection when your Mac is turned off, and zero protection when it’s turned on and you’re logged in. But there are some in-between states, too—for example:
· Logged out: If you log out of all accounts (Apple > Log Out Username) without shutting down or sleeping, you can’t access anything on your disk until someone logs in. That means there’s a nice, sturdy gate across the door, as it were—but technically, it’s not completely secure because your FileVault encryption key is still stored in RAM. In the past, situations have arisen in which FileVault was found to be vulnerable during this phase (see The FireWire DMA Attack, just ahead), and although I don’t know of any current vulnerabilities of this type, I wouldn’t rule out the possibility.
· Sleep: When you put your Mac to sleep (or it goes to sleep automatically) with FileVault enabled, you’ll need to enter a password to wake it up, just as when you’re logged out, but again, the encryption key is in RAM, so someone with physical access to your Mac could theoretically find a way to access it.
· Hibernation: Notebook Macs can enter a state called hibernation after they’ve been asleep for a while—the contents of RAM are copied to your disk or SSD, and power to the RAM is turned off. This is safer than sleep, and with a little command-line hacking, you can make it even more secure by removing the FileVault encryption key from your Mac’s firmware during hibernation—see Use pmset.
In other words, FileVault is nearly bulletproof when your Mac is off (even if someone removes your disk) and—in combination with Mac OS X’s other security features—pretty darn good when you’re logged out or your Mac is asleep or hibernating. When you’re logged in, you (not FileVault) are in charge of securing your Mac.
In What Ways Is My Data Still Vulnerable with FileVault 2?
Here are some of the potential threats to your Mac’s data, even when you have FileVault enabled. Many of these assume a highly motivated and technically competent attacker (which could, of course, include security researchers and law enforcement—not necessarily someone trying to cause you harm). In the vast majority of cases, no one would bother trying to exploit these vulnerabilities unless they considered your data particularly valuable.
Physical or Network Access When Logged In
When you’re logged in to your Mac and it’s awake, FileVault has no effect at all on your security. Anyone who can touch your Mac, see the screen, use the keyboard, or insert a flash drive can get at your data without any password prompts or other barriers. Similarly, if you use file sharing of any sort, anyone who can access your unlocked Mac over a network can read and copy files just as easily as if you didn’t use FileVault.
Other Users with Weaker Passwords
As I explain later in Grant Other Users Access, if your Mac has more than one user account, you can authorize any or all of them to unlock FileVault. The downside of this is that even if your own password is fantastic, another authorized user may have a much weaker password, making your Mac that much more vulnerable to an attacker. (Moral of the story: Insist on good passwords for all your users.)
The FireWire DMA Attack
Shortly after FileVault 2 appeared in 10.7 Lion, a security company called Passware discovered and publicized a weakness. They used an exploit called a DMA (direct memory access) attack, in which a second computer connected to a Mac via FireWire (or Thunderbolt) could access the contents of its RAM, which includes the FileVault key. That key, in turn, could be used to decrypt the drive. Lots of pages on the Web still talk about this attack as though it’s an ongoing risk, and notably, Passware still sells an expensive ($995!) tool called Passware Kit Forensic that claims to be able to swipe a FileVault 2 key from RAM.
In fact, Apple mostly fixed this problem in the 10.7.2 update, and it hasn’t been an issue ever since. I say “mostly” because in 10.7.0 and 10.7.1, the DMA attack worked even if your Mac was asleep, or if no user was logged in. As of 10.7.2 (released in October 2011), the exploit works only when a user is logged in and the screen is unlocked. However, if that’s the case, then an attacker with physical access to your Mac can read all your files anyway and has no need for your FileVault password! So it’s essentially a non-issue.
To put things in perspective, even in the dark, dangerous days of 10.7.0 and 10.7.1, this attack required that a Mac had been left running with FileVault unlocked and that the attacker had physical access to its FireWire or Thunderbolt port. The FireWire DMA Attack was never a serious risk for most users, and it wasn’t a risk at all for anyone whose Mac was shut down.
Other RAM Attacks
If someone is sufficiently motivated, funded, and technically adept, pretty much anything stored in a computer’s RAM is fair game. Apple does a great job of making it difficult to get at this information, but it’s not impossible. For example, there’s a crazy exploit called a cold boot attack in which someone with physical access to a running computer with interesting data in RAM freezes the RAM chips with canned air (to reduce the speed of data degradation after the power is turned off) and then quickly removes them, puts them in another computer, and uses a special program to dump the RAM’s contents to disk so that it can be searched for an encryption key.
As I say, the difficulty level is extremely high—it would be much easier to use a wrench—but technically, it could happen.
Unencrypted Backups
Your Mac’s startup drive is encrypted with FileVault, but if your backups are unencrypted, then anyone who obtains access to your backup media can get at all your data. That’s why I recommend encrypting those drives too—see Back Up to an Encrypted Volume.
What Else Can I Do to Increase Security?
If you and the others with accounts on your Mac have excellent passwords, and you’ve enabled FileVault and encrypted your backups, you’re already in good shape when it comes to protecting the data on your disk. But if you want to be even more secure (or if you have cause to be paranoid), you can take steps to make FileVault more effective:
· Reduce password-required delay: By default, Mac OS X requires a password immediately after your Mac goes to sleep or its screen saver begins. But because those frequent prompts can be annoying, you may have disabled that feature or added a lengthy delay before you need to enter a password to start working again.
But if your Mac goes to sleep or the screen saver comes on, it’s likely that you’re no longer in front of your Mac—and since you’re taking the extra precaution to protect your data with FileVault, you may want to reconsider that setting. For example, you probably want a bit of a grace period in case your attention drifts for a moment, but you also don’t want such a long delay that someone could come along a half hour after you walk away from your Mac and immediately access everything.
To change the interval before your password is required, go to System Preferences > Security & Privacy > General and adjust the Require Password ___ After Sleep or Screen Saver Begins pop-up menu to a shorter delay.
· Reduce sleep or screen saver delay: In conjunction with the previous setting, you’ll want to decide how long your Mac should be idle (with no keyboard or mouse/trackpad use) before it goes to sleep or the screen saver activates. You can set the sleep interval in System Preferences > Energy Saver; for notebook Macs there are separate Battery and Power Adapter settings. You can adjust the Computer Sleep slider separately from the Display Sleep slider; note that display sleep is sufficient to trigger a password prompt (after the interval set in the previous bullet point).
If, instead of putting your display to sleep, you prefer to see a screen saver, set the interval before it kicks in by going to System Preferences > Desktop & Screen Saver > Screen Saver and choosing a time period from the Start After pop-up menu.
· Sleep display with hot corners: You can put your display to sleep (or activate a screen saver) immediately by moving your pointer to a corner of your display. That’s handy if you’re about to walk away from your Mac and you don’t want to wait for it to go to sleep on its own. To configure which corners do what, go to System Preferences > Desktop & Screen Saver > Screen Saver. Click Hot Corners and then, for whichever corner(s) you like, choose Start Screen Saver or Put Display to Sleep.
Tip: While choosing a command from one of the Hot Corners pop-up menus, hold down any combination of Command, Option, Control, or Shift to require those keys (along with moving the pointer to that corner) to activate your screen saver or display sleep.
· Lock your Mac manually: You can also lock your screen (giving the same effect as display sleep) with a menu command—but first you must enable the menu. To do so, open Keychain Access (found in /Applications/Utilities), go to Keychain Access > Preferences > General, and check Show Keychain Status in Menu Bar. Then, to lock your screen, choose Lock Screen from the lock menu.
· Use a separate FileVault password: By default, your login password unlocks FileVault, but for extra security you can use a different password—just be aware that you’ll do a lot more typing! I explain how to set up a separate password in the sidebar Use a Separate Password for FileVault.
· Encrypt files, folders, and disk images separately: If you have something on your disk that’s too valuable to be left unlocked even when you’re logged in, you can encrypt an individual file, folder, or disk image, giving it an extra layer of security beyond FileVault. See Go Beyond FileVault for details.
· Force hibernation and remove the FileVault key from EFI: Rather than let your Mac sleep normally and then go into a deeper hibernation mode 1–3 hours later, you can force your Mac to hibernate immediately when it would otherwise sleep—and you can then use a special setting to destroy the FileVault encryption key that’s ordinarily stored in your Mac’s firmware (EFI, or Extensible Firmware Interface) so that no one with physical access to your Mac could possibly retrieve it. This is pretty hard-core geekery, but I explain how to do it in Use pmset.
Tip: For still more things you can do to protect your privacy, read my book Take Control of Your Online Privacy.
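If you’d rather check the settings from the previous list in Terminal than click through System Preferences, here is an added audit script (my own example, not code from the book). It defines two functions: one reads the output of `pmset -g` and reports whether the hibernation and FileVault-key settings match the hardened values, the other checks the screen-saver password setting and delay. On a Mac it runs against the live settings; anywhere else it runs against a constructed sample. The 300-second threshold, the target values `hibernatemode 25`, `DestroyFVKeyOnStandby 1`, and `standbydelay 0`, and the preference keys `com.apple.screensaver askForPassword` and `askForPasswordDelay` (the pre-Ventura keys behind the Security & Privacy setting) are assumptions of this script, not wording from the book.

```shell
#!/bin/sh
# Added audit script (not from the book). Assumptions: a password should be
# required within 300 s of sleep or screen saver; hibernatemode 25,
# DestroyFVKeyOnStandby 1 and standbydelay 0 are the hardened pmset values;
# com.apple.screensaver askForPassword / askForPasswordDelay are the
# (pre-Ventura) preference keys behind the Security & Privacy setting.

MAX_DELAY=300   # seconds of grace before a password is required

# audit_pmset: read `pmset -g` output on stdin, print one verdict line per
# setting, and return the number of settings that are not hardened.
audit_pmset() {
    awk '
        $1 == "hibernatemode"         { hm = $2 }
        $1 == "DestroyFVKeyOnStandby" { dk = $2 }
        $1 == "standbydelay"          { sd = $2 }
        END {
            warn = 0
            # 25 = hibernate: write RAM to disk and cut power to it at once,
            # instead of the default 3 (sleep now, hibernate hours later).
            if (hm == 25) v = "OK"; else { v = "WARN"; warn++ }
            printf "hibernatemode=%s %s\n", (hm == "" ? "unset" : hm), v
            # 1 = do not keep the FileVault key available during standby.
            if (dk == 1) v = "OK"; else { v = "WARN"; warn++ }
            printf "DestroyFVKeyOnStandby=%s %s\n", (dk == "" ? "unset" : dk), v
            # 0 = no window between sleep and standby in which the key lingers.
            if (sd != "" && sd == 0) v = "OK"; else { v = "WARN"; warn++ }
            printf "standbydelay=%s %s\n", (sd == "" ? "unset" : sd), v
            exit warn
        }'
}

# audit_lock_delay ASK DELAY: ASK is askForPassword (0/1), DELAY is
# askForPasswordDelay in seconds. Returns 0 only if a password is required
# within MAX_DELAY seconds of sleep or screen saver.
audit_lock_delay() {
    ask=$1
    delay=$2
    if [ "$ask" != 1 ]; then
        echo "askForPassword=$ask WARN (no password after sleep/screen saver)"
        return 1
    fi
    case $delay in
        ''|*[!0-9]*)
            echo "askForPasswordDelay=$delay WARN (not a number)"
            return 1 ;;
    esac
    if [ "$delay" -gt "$MAX_DELAY" ]; then
        echo "askForPasswordDelay=${delay}s WARN (longer than ${MAX_DELAY}s)"
        return 1
    fi
    echo "askForPasswordDelay=${delay}s OK"
    return 0
}

if command -v pmset >/dev/null 2>&1; then
    # Live, read-only run on a Mac.
    pmset -g | audit_pmset || echo "$? pmset setting(s) need attention"
    audit_lock_delay \
        "$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)" \
        "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)" \
        || echo "lock-screen setting needs attention"
    # To harden (admin rights needed for pmset):
    #   sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1 standbydelay 0
    #   defaults write com.apple.screensaver askForPassword -int 1
    #   defaults write com.apple.screensaver askForPasswordDelay -int 0
else
    # Constructed sample of default `pmset -g` output: hibernatemode 3,
    # standby after three hours, and no DestroyFVKeyOnStandby line at all.
    printf ' standbydelay         10800\n hibernatemode        3\n sleep                1\n' \
        | audit_pmset || echo "$? pmset setting(s) need attention"
fi
```

The script only reads settings; the hardening commands are left as comments so that you can review them before running them with administrator rights. On the default sample all three pmset checks report WARN, which is exactly the state the Force hibernation bullet above describes.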
What About Firmware Passwords?
You may be aware that if you boot in Recovery mode by restarting with Command-R held down, you can choose Utilities > Firmware Password Utility to set a firmware password for your Mac. The purpose of this password is to prevent someone from bypassing your regular startup volume. When a firmware password is set, most of the keys you press during startup (for example, Option to choose a different startup volume, C to boot from an optical disc, or Shift to perform a safe boot) have no effect. (Command-R still takes you into Recovery mode, but you’re prompted for the firmware password first.)
The presence or absence of a firmware password has no bearing on FileVault security, because its purpose is to solve a different set of problems: it keeps someone from booting your Mac from other media, which could otherwise be used to erase or repartition the disk or to boot a different operating system, but not to read the encrypted volume. With FileVault enabled, no one can access the contents of your startup volume, whether or not a firmware password is also set. Adding a firmware password makes it more difficult for you to do troubleshooting and maintenance, without increasing the security of your data in a meaningful way.
So although a firmware password can be useful on systems that don’t use FileVault, I think it’s better to leave it turned off when FileVault is enabled.
What Is Core Storage and Why Should I Care?
FileVault is one of several features of Mac OS X based on an underlying technology called Core Storage, which was introduced in Lion. Core Storage also lets you encrypt external drives (see Encrypt a Non-startup Volume), encrypt Time Machine backups (see Encrypt a Time Machine Backup), and combine solid-state storage and a hard disk into a Fusion Drive, among other things.
Even though FileVault as such is only for startup volumes, other topics I cover in this book behave much like FileVault because they’re made from the same ingredients, as it were. So this book might more accurately be titled “Take Control of FileVault and Related Core Storage Features for Encrypting Data on Your Mac,” but that doesn’t exactly trip off the tongue.