Here are the steps to enable FileVault 2, which protects user data with whole-disk encryption.
With storage prices as low as they are, end users have no excuse not to keep at least one backup of their data. That is what I tell everyone about keeping their data safe from accidental loss. Far less is said, however, about keeping data safe from other people, by which I mean data encryption. We consider office memos, financial files and emails to be personal, private information, yet nothing is really done to protect the contents of those files: anyone who can log in to the machine can read (or worse, modify) the data.
Data encryption is not just for high-level, top-secret data anymore. It is for anyone who wishes to protect the contents of their hard drive from prying eyes, malicious sabotage or old-fashioned espionage. And while encrypting data may sound like a long, complex process, the reality is that every version of OS X ships with a version of FileVault, Apple's encryption feature, baked right in and ready to use.
Although earlier versions (see FileVault) encrypted individual home folders on a per-user, opt-in basis, modern versions of OS X use FileVault 2 for whole-disk encryption. Once enabled, it "encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption," according to Apple. It uses a 256-bit master key for "on the fly encryption" (OTFE) and decryption, with minimal impact on performance, while making sure "your data is safe and secure - even if it falls into the wrong hands."
Enabling FileVault 2 (OS X 10.7+)
- Go to Settings.app.
- Click on Security & Privacy. (Figure A)
- Next, click the padlock to authenticate and make changes.
- Select the FileVault tab, and then click the Turn On FileVault button. (Figure B)
- A new window will open, requesting that a password be set for each local user on the computer.* (Figure C)
- Once every user account has a password associated with it, click Continue. The window will change to list the recovery key. This key can be used to recover the data in the event that the master password is lost. (Figure D)
- After clicking OK, you will be prompted whether or not to allow Apple to store the recovery key for you. If you select Yes, you will need to create question-and-answer combinations that must later be answered exactly as entered in order to retrieve the key. If you select No, the following screen will prompt you to restart the computer to complete the initial disk encryption process. (Figure E)
*Note: All local user accounts are required to have a password set in order to proceed with using FileVault. After all, there's not much of a reason to encrypt data if there's no password protecting the account in the first place, right?
How long the FileVault setup takes to complete after the reboot varies, depending mainly on the amount of data on the drive. A good rule of thumb when rolling this feature out is to make it part of your initial setup process when deploying laptops or desktops. That way, the entire disk is encrypted before production users begin saving their data to it. The best part is that, because encryption happens on the fly, once the initial encryption pass is complete any data subsequently written to the drive is encrypted automatically as well.
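For the rollout scenario just described, here is an added POSIX shell helper (not code from the original article or from Apple) that parses the output of Apple's `fdesetup status` command line tool so a deployment script can tell whether a machine is already encrypted, is still running its initial encryption pass, or still needs FileVault turned on. The exact status wording ("FileVault is On.", "FileVault is Off." and "Encryption in progress: Percent completed = NN") is assumed from the tool's output and may differ between OS X releases.

```shell
#!/bin/sh
# Added example, not from the original article: classify `fdesetup status`
# output so a deployment script can verify FileVault 2 state on each machine.
# Assumed wording (may differ between OS X releases):
#   "FileVault is On." / "FileVault is Off."
#   "Encryption in progress: Percent completed = 42"  (during the initial pass)

# fv_state: reads `fdesetup status` text on stdin and prints exactly one of
#   on | off | encrypting | unknown
fv_state() {
  status="$(cat)"
  case "$status" in
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# fv_percent: prints the "Percent completed" value from the status text,
# or -1 when no initial encryption pass is reported.
fv_percent() {
  sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1 | grep . || echo -1
}

# fv_should_enable: succeeds (exit 0) only when FileVault is reported Off,
# i.e. when the machine still needs the GUI steps above (or `fdesetup enable`).
fv_should_enable() {
  [ "$(fv_state)" = "off" ]
}

# Real invocation, only where fdesetup exists (OS X / macOS). Elsewhere the
# functions can be exercised with constructed sample output instead.
if command -v fdesetup >/dev/null 2>&1; then
  fdesetup status | fv_state
fi
```

On a fleet this is typically run by management tooling after the reboot; a state of `encrypting` with a rising percentage is expected for some time on drives holding a lot of data.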
Lastly, FileVault 2 is not limited to the local hard disk; it can also be extended to external drives and Time Machine backups. Used together with the latter, it gives you a complete backup-plus-encryption solution that secures data from end to end.
For more information on implementing FileVault 2, please refer to these thorough knowledge base (KB) articles directly from the source at: http://support.apple.com/kb/ht4790 and http://support.apple.com/kb/HT5077.