FileVault on 10.7 (Lion)


Mac OS X Lion – FileVault (Whole Disk)

The official Apple support article can be found at: http://support.apple.com/kb/HT4790

PGP Warning!

When Lion is first installed, the hard drive is separated into a utility partition and an OS partition. Because of the way that PGP works, it is expected to break when partitions are manipulated and therefore users are discouraged from upgrading to Lion if PGP is installed or if the disk is encrypted with any other software.

Using FileVault

In the Lion operating system Apple’s FileVault has been upgraded to a full disk encryption solution, as opposed to the protected Home directory that was used in previous versions of the operating system. To enable FileVault, open the System Preferences application and click on the Security & Privacy menu.

If you decide to turn on FileVault, you will first receive a recovery key that can unlock the drive in the event that your password doesn’t work. The recovery key should either be stored in a safe place, or sent to Apple for safe keeping.

Recovery Key

If you choose to send the whole disk recovery key to Apple, you must create three security questions that are used by Apple to encrypt your recovery key. The answers are case sensitive so be sure to type them just as you would remember them.

Recovery Key Storage

Immediately after the recovery key options are set, the system will reboot and a valid passphrase will be required in order to unlock the drive and start the operating system. When you sign back in to Mac OS, you will receive a dialog like the one below that attempts to estimate the time remaining on the drive encryption.

Drive Encryption Time

Retrieving your recovery key from Apple

If you forget your login password for an OS X Lion FileVault-encrypted drive, and you had chosen to store your recovery key with Apple, you may contact AppleCare and request retrieval of your recovery key. Typing in the wrong login password three times will produce a note under the password field which states, "If you forgot your password, you can… …reset it using your recovery key."

Click the triangle-button next to that message to reveal the Recovery Key text field (which replaces the password text field) and AppleCare contact information, along with your computer's Serial Number and a Record Number. You will need to provide these two pieces of information in order for AppleCare to retrieve your recovery key.

Upon successful retrieval and entry of your recovery key, you will be prompted to change your login password. After changing your login password, it is also recommended that you change your FileVault recovery key and upload the new one to Apple.

Changing your recovery key

In the Security & Privacy system preference, under the FileVault tab, click "Turn Off FileVault…" to disable FileVault. Once FileVault is turned off, it will begin decrypting your drive. Once decryption is complete, you'll be able to click the "Turn On FileVault…" button. Doing so will allow you to enable unlock-capable users, will show you a new recovery key and will give you the option of sending this new key to Apple. The old key sent to Apple will not be able to unlock your newly-encrypted disk. If you need to retrieve your recovery key from Apple, only the new one will be retrieved based on the Serial Number and Record Number displayed to you in the login window.
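To check where a Mac is in the background encryption shown by the "Drive Encryption Time" dialog, or in the decryption that starts after "Turn Off FileVault…", the following shell helper (an added example, not part of this article or of Apple's tooling) classifies the CoreStorage state reported by `diskutil cs list`. The field names are assumed from Lion-era diskutil output and every sample below is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original article): classify a Lion Mac's
# FileVault 2 state from the text of `diskutil cs list`, whose "Logical Volume
# Family" section reports the CoreStorage conversion fields.  Field names are
# assumed from Lion-era diskutil output; every sample below is constructed.

# Reads diskutil output on stdin; prints one of
# NOT_CORESTORAGE | UNENCRYPTED | CONVERTING | DECRYPTING | ENCRYPTED | UNKNOWN
fv_state() {
    awk '
        /No CoreStorage/        { nocs = 1 }
        /Encryption Type:/      { enc  = $NF }
        /Conversion Status:/    { conv = $NF }
        /Conversion Direction:/ { dir  = $NF }
        END {
            if (nocs)                      { print "NOT_CORESTORAGE"; exit }
            if (enc == "")                 { print "UNKNOWN"; exit }
            if (enc == "None")             { print "UNENCRYPTED"; exit }
            if (conv == "Converting" && dir == "forward")  { print "CONVERTING"; exit }
            if (conv == "Converting" && dir == "backward") { print "DECRYPTING"; exit }
            if (conv == "Complete")        { print "ENCRYPTED"; exit }
            print "UNKNOWN"
        }'
}

# Constructed excerpt of the Logical Volume Family section while the background
# encryption from the "Drive Encryption Time" dialog is still running.
SAMPLE_CONVERTING='        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Fully Secure:            No
        Passphrase Required:     Yes'

# Same section once encryption has finished.
SAMPLE_DONE='        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Fully Secure:            Yes'

# Same section after "Turn Off FileVault..." while the drive is being decrypted.
SAMPLE_DECRYPTING='        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    backward'

# On a Mac, run it against the live output (diskutil only exists on macOS).
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list 2>/dev/null | fv_state
fi
```

Note that `fdesetup status` is not available on Lion; that command first shipped with 10.8, so on 10.7 the CoreStorage output is the only command-line view of the conversion.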

Migrating a FileVault-protected Home from an earlier version of Mac OS X

If you are using FileVault in Mac OS X v10.6 Snow Leopard, you can install OS X Lion and continue to use your FileVault-encrypted home directory in the same way you did in Snow Leopard. OS X Lion considers your earlier version of FileVault encryption to be "Legacy FileVault". With a Legacy FileVault encrypted home directory, opening the Security & Privacy preference pane will cause the following dialog to appear, alerting you that "You're using an old version of FileVault":

Legacy File Vault

You may continue to use OS X Lion with Legacy FileVault, but you cannot enable Legacy FileVault for other user accounts in OS X Lion. If you turn off Legacy FileVault, the Legacy FileVault tab will disappear and you can then choose to enable OS X Lion's FileVault 2 (disk encryption).

Encrypting Time Machine

Time Machine works properly on Lion and, more importantly, now allows you to encrypt the backup. Once a backup drive has been prepared and encrypted in Lion, it can’t be mounted on any operating system older than Lion because of the encryption.

Encrypting Time Machine

Last modified on September 28, 2012