Please Note: There is a known incompatibility with Sophos and FileVault on Mac OS X 10.5.x. If you are using FileVault please do not install Sophos Antivirus at this time.

Prior to enabling FileVault the following considerations should be observed:

  • Backup:
    Although FileVault has a very low failure rate, it is recommended that you back up your documents and files before enabling it. Enabling FileVault rewrites your entire Home folder into its protected form, and a backup taken beforehand is your only means of recovery if that process is interrupted or fails.
  • Time Machine:
    Under normal operation Time Machine backs up the contents of the user's Home folder while the user is logged in. Once FileVault is enabled, the Home folder lives inside an encrypted disk image that stays in use for as long as the user is logged in, so Time Machine can back it up only after the user logs out; and because what gets backed up is the image rather than the individual files inside it, recovering a single file from the backup becomes difficult. For this reason Time Machine's usefulness is reduced and it is not recommended for use with FileVault. If an alternate backup solution is required, iBackup is a freeware tool that allows on-demand and scheduled backup and recovery of individual files while you are logged in: http://www.apple.com/downloads/macosx/system_disk_utilities/ibackup.html Bear in mind that files backed up this way are stored unencrypted unless the backup destination is itself encrypted.
  • Free Space:
    When FileVault is enabled the user's Home folder is copied (not moved) into a protected space, and the original is not deleted until the end of the process. The free space on the hard drive must therefore be equal to or greater than the size of the Home folder before you enable FileVault. The same amount of free space is needed again if FileVault is later disabled, since the conversion then runs in reverse. If you do not have this much free space, offload some of the files in your home directory to an external device before beginning, and move them back into the protected Home folder once the process is complete, remembering that the copy on the external device is unencrypted.
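
The free-space rule above is easy to check before clicking anything. The script below is an added example, not part of the original page: it measures the Home folder with du and the free space on the volume holding it with df (both standard on Mac OS X), and refuses to proceed unless free space is at least the size of the Home folder, reporting how much must be offloaded otherwise. The function names are the author's own.

```sh
#!/bin/sh
# Added example (not from the original page): pre-flight free-space check
# before enabling legacy FileVault on 10.5/10.6. The conversion copies the
# Home folder into the protected image before deleting the original, so the
# volume needs at least as much free space as the Home folder occupies.

# home_fits_free_space HOME_KB FREE_KB
# Returns 0 (true) when FREE_KB is at least HOME_KB, 1 otherwise.
home_fits_free_space() {
    [ "$2" -ge "$1" ]
}

# shortfall_kb HOME_KB FREE_KB
# Prints how many KB must be offloaded before enabling FileVault (0 if none).
shortfall_kb() {
    if [ "$2" -ge "$1" ]; then
        echo 0
    else
        echo $(( $1 - $2 ))
    fi
}

# kb_to_human KB -> prints a rounded MB or GB figure for the report line.
kb_to_human() {
    if [ "$1" -ge 1048576 ]; then
        echo "$(( $1 / 1048576 )) GB"
    else
        echo "$(( $1 / 1024 )) MB"
    fi
}

# Live measurements. du -sk and df -Pk are POSIX and present on Mac OS X;
# df is asked about the volume that holds $HOME, not "/", in case they differ.
measure_home_kb() { du -sk "$HOME" 2>/dev/null | awk '{print $1}'; }
measure_free_kb() { df -Pk "$HOME" | awk 'NR == 2 {print $4}'; }

# filevault_preflight HOME_KB FREE_KB
# Prints a verdict; exit status 0 = safe to proceed, 1 = offload files first.
filevault_preflight() {
    home_kb=$1
    free_kb=$2
    printf 'Home folder: %s   Free space: %s\n' \
        "$(kb_to_human "$home_kb")" "$(kb_to_human "$free_kb")"
    if home_fits_free_space "$home_kb" "$free_kb"; then
        echo "OK: enough free space to copy the Home folder."
        return 0
    fi
    echo "STOP: offload at least $(kb_to_human "$(shortfall_kb "$home_kb" "$free_kb")") before enabling FileVault."
    return 1
}

# Run the live check only when invoked as:  sh filevault_preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    filevault_preflight "$(measure_home_kb)" "$(measure_free_kb)"
fi
```

Run it with `--check` as the user whose Home folder is about to be protected; the same check applies before turning FileVault off, because the decryption copies the folder back out.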

 

Enabling FileVault

  1. Open your System Preferences panel and click Security (circled in red below).
  2. On the General tab, select the items below to ensure maximum security.
  3. On the Firewall tab, select "Allow only essential services" to prevent unauthorized users from accessing your computer remotely.
  4. On the FileVault tab, click the button labeled "Set Master Password".
  5. On this screen you will set a Master Password that can unlock any FileVault-protected account on this computer; it is the recovery mechanism for a forgotten account password. Choose something you will not forget, but make sure it is different from your user account password. Do not lose or forget this password: if it is forgotten it cannot be recovered or reset, and a FileVault-protected account whose login password is also forgotten then cannot be recovered at all.
  6. You will now be prompted for the password of your current user account.
  7. After your password is accepted you will be asked to confirm that you want to turn on FileVault. On this screen, be sure to check "Use secure erase" so that the unencrypted copy of your Home folder is securely erased once the conversion finishes; without it the plaintext copy is simply deleted and remains recoverable from the disk's free space. Once you click "Turn On FileVault" the computer will not be usable for 1-2 hours, depending on hardware and the size of the Home folder.

Mac OS X Lion – FileVault (Whole Disk)

The official Apple support article can be found at: http://support.apple.com/kb/HT4790

PGP Warning!

When Lion is installed, the installer repartitions the drive to add a hidden recovery partition (Recovery HD) alongside the OS partition. PGP Whole Disk Encryption does not tolerate its partitions being manipulated and is expected to break when this happens, so users are discouraged from upgrading to Lion while PGP is installed or while the disk is encrypted with any other third-party software.

Using FileVault

In the Lion operating system Apple’s FileVault has been upgraded to a full disk encryption solution, as opposed to the protected Home directory that was used in previous versions of the operating system. To enable FileVault, open the System Preferences application and click on the Security & Privacy menu.

If you decide to turn on FileVault, you are first shown a recovery key that can unlock the drive if your login password does not work. Write the recovery key down and store it in a safe place away from the computer (a copy kept only on the encrypted disk is useless once the disk is locked), or store it with Apple as described below.

Recovery Key

If you choose to store the whole-disk recovery key with Apple, you must create three security questions; the answers are used to encrypt the recovery key before it is sent, so Apple can release it only to someone who can supply them. The answers are case sensitive, so type them exactly as you will remember them. Note that anyone who can answer the three questions and give AppleCare the computer's Serial Number and Record Number (see "Retrieving your recovery key from Apple" below) can obtain the key, so choose answers that cannot be guessed from public information about you.

Recovery Key Storage

Immediately after the recovery key options are set, the system reboots and a valid passphrase is required to unlock the drive before the operating system starts. When you sign back in to Mac OS, you will see a dialog like the one below that estimates the time remaining for the drive encryption. The Mac remains usable while encryption proceeds in the background, but until the conversion is complete part of the disk is still unencrypted.

Drive Encryption Time

Retrieving your recovery key from Apple

If you forget your login password for an OS X Lion FileVault-encrypted drive, and you had chosen to store your recovery key with Apple, you may contact AppleCare and request retrieval of your recovery key. Typing in the wrong login password three times will produce a note under the password field which states, "If you forgot your password, you can… …reset it using your recovery key."

Click the triangle-button next to that message to reveal the Recovery Key text field (which replaces the password text field) and AppleCare contact information, along with your computer's Serial Number and a Record Number. You will need to provide these two pieces of information in order for AppleCare to retrieve your recovery key.

Upon successful retrieval and entry of your recovery key, you will be prompted to change your login password. After changing it, also change your FileVault recovery key and upload the new one to Apple: the old key has now been read out over the phone and typed in, so it should be treated as exposed.

Changing your recovery key

In the Security & Privacy system preference, under the FileVault tab, click "Turn Off FileVault…" to disable FileVault. Lion cannot rotate the recovery key in place, so the disk must first be decrypted: after FileVault is off, it begins decrypting your drive, and the data sits in the clear on disk until you re-encrypt it, so do this only where the machine is physically secure. Once decryption is complete, you'll be able to click the "Turn On FileVault…" button. Doing so lets you choose which users can unlock the disk, shows you a new recovery key and offers to send the new key to Apple. The old key sent to Apple will not be able to unlock your newly-encrypted disk; if you later retrieve your recovery key from Apple, only the new one will be retrieved, based on the Serial Number and Record Number displayed in the login window.
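
Both the initial encryption (the time-remaining dialog above) and the decrypt-then-re-encrypt cycle just described leave a window in which the disk is only partly encrypted, and the GUI dialog is the only indication of progress. The script below is an added example, not part of the original page or of Apple's tooling: it parses the Core Storage report printed by `diskutil cs list` on Lion and reports whether the volume is encrypted, still encrypting, still decrypting, or fully decrypted and therefore ready for "Turn On FileVault…" to be clicked again. The field names it looks for (Encryption Type, Conversion Status, Conversion Direction, Fully Secure) are as the author recalls Lion printing them and are an assumption; the sample reports are constructed, with placeholder UUIDs.

```sh
#!/bin/sh
# Added example, not from the original page: check from the command line whether
# a FileVault 2 (Core Storage) conversion has finished, instead of trusting the
# progress dialog. It parses the report printed by `diskutil cs list` on Lion.
# ASSUMPTION: the field names (Encryption Type, Conversion Status, Conversion
# Direction, Fully Secure) are as the author recalls Lion printing them; the
# sample reports below are constructed, with placeholder UUIDs.

# cs_field REPORT FIELD -> prints the value of the first "FIELD: value" line
# in REPORT (empty if absent). Leading tree characters and padding are ignored
# because the value is taken from the text after the first colon.
cs_field() {
    printf '%s\n' "$1" | awk -F ':' -v f="$2" '
        $1 ~ (f "$") { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# cs_verdict REPORT -> one word: encrypted | encrypting | decrypting |
# not-encrypted | unknown. "encrypted" requires the conversion to be Complete
# AND the family to be AES-XTS and Fully Secure; anything still converting is
# reported by direction so the operator knows which way the disk is going.
cs_verdict() {
    status=$(cs_field "$1" "Conversion Status")
    direction=$(cs_field "$1" "Conversion Direction")
    enc_type=$(cs_field "$1" "Encryption Type")
    secure=$(cs_field "$1" "Fully Secure")
    case "$status/$direction" in
        Complete/*)
            if [ "$enc_type" = "AES-XTS" ] && [ "$secure" = "Yes" ]; then
                echo encrypted
            else
                echo not-encrypted
            fi ;;
        */forward)  echo encrypting ;;
        */backward) echo decrypting ;;
        *)          echo unknown ;;
    esac
}

# cs_ready_to_reencrypt REPORT -> true only when decryption has fully finished,
# i.e. the point at which "Turn On FileVault..." may safely be clicked again.
cs_ready_to_reencrypt() {
    [ "$(cs_verdict "$1")" = "not-encrypted" ]
}

# Constructed sample reports (only the Logical Volume Family block matters).
SAMPLE_ENCRYPTED='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group (lvg-uuid)
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume Family (lvf-uuid)
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes'

SAMPLE_ENCRYPTING='        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Fully Secure:            No'

SAMPLE_DECRYPTING='        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    backward
        Fully Secure:            No'

SAMPLE_DECRYPTED='        Encryption Type:         None
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Fully Secure:            No'

# Live check on a Lion Mac:  sh cs_status.sh --check
if [ "${1:-}" = "--check" ]; then
    cs_verdict "$(diskutil cs list)"
fi
```

Run it with `--check` after the reboot that follows enabling FileVault, and again after "Turn Off FileVault…"; until it prints "encrypted" (or "not-encrypted" in the decrypt case) the conversion is still running and the disk should not be treated as protected, nor re-encrypted.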

Migrating a FileVault-protected Home from an earlier version of Mac OS X

If you are using FileVault in Mac OS X v10.6 Snow Leopard, you can install OS X Lion and continue to use your FileVault-encrypted home directory in the same way you did in Snow Leopard. OS X Lion considers your earlier version of FileVault encryption to be "Legacy FileVault". With a Legacy FileVault encrypted home directory, opening the Security & Privacy preference pane will cause the following dialog to appear, alerting you that "You're using an old version of FileVault":

Legacy FileVault

You may continue to use OS X Lion with Legacy FileVault, but you cannot enable Legacy FileVault for other user accounts in OS X Lion. If you turn off Legacy FileVault, the Legacy FileVault tab will disappear and you can then choose to enable OS X Lion's FileVault 2 (disk encryption).

Encrypting Time Machine

Time Machine works on Lion and, more importantly, can now encrypt the backup disk. A backup drive that has been prepared and encrypted in Lion cannot be mounted on any version of Mac OS X older than Lion, because those versions do not understand the encryption format.


Published in FAQ - Infrastructure
January 01, 2012

Encryption

PGP Whole Disk Encryption software (or FileVault on Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. Disk encryption protects data only at rest: once the computer is booted and unlocked, the disk is readable, which is why it must be used together with login and screensaver passwords to protect UAB data if the computer is lost or stolen.

Encryption Methods:

Additional PGP Documentation:

NOTE: Do not encrypt your boot disk if you currently use, or plan to use, Boot Camp to run a Windows operating system on your Mac. Also, there is a known incompatibility between Sophos and FileVault on Mac OS X 10.5.x; if you choose to use FileVault, please do not install Sophos Anti-Virus at this time.