FileVault Poll

[Mikuro]

The big advantage of FileVault is that it encrypts everything in your ~/Library folder. That includes all your application preferences, your bookmarks, your browser history, your cookies (which could contain lots of passwords), probably all your email, your calendars, etc. — quite a lot of personal data. AFAIK, FileVault is the only way to encrypt this data.

[fryke]

Yes. The basic *idea* of FileVault isn't entirely bad in my opinion. But it comes with so much collateral damage (or rather collateral issues), that I wouldn't really trust it personally. When they first introduced it, I wanted to try it. And it simply didn't work for me at that point, because on my notebooks, my home folder is _always_ bigger than the available free space. Well: Not when I buy a new one, of course - and I could have reinstalled everything, turned on FileVault and get the stuff back from the backup, but it just seemed too much hassle back then. And when I thought I'd try again, the first messages popped up on macosx.com and other forums about how it plainly didn't work right! People lost settings, people got strange messages about how something saved some space (freaky if you don't really know what the system means and what it's doing...)...

Sure, security is a good thing. More security is a better thing. But it all comes down when the hassle becomes too much.

If you're worried about those saved passwords: Don't save them. Security, in my opinion, also means that you change your passwords often enough and use separate ones for separate things.

Personally, I rather pay attention and _don't_ let my MacBook get stolen and _don't_ leave it in a Café when I'm going home. I know that sounds obvious, but if no one tampers with my notebook, local security isn't that much of an issue.

Remote security is a bigger problem. But if you're logged in, your FileVault image is decrypted. And if someone manages to hack his way onto your Mac from outside as your username, the filesystem is already decrypted, so FileVault isn't doing much good. Also I've come across tons of people who have FileVault activated but keep logged in and put their notebook to sleep - without any password protection. So a thief would simply wake it up and have access to everything - as long as he doesn't logout or restart. I guess it all depends on what kind of bad things you _expect_ will happen.

[Sunnz]

Hmmm I always logged in on my MacBook and I have been wondering, when I close the lid and it goes to asleep, the files are still decrypted or? I have it to password prompt on wake up, but it can't be encrypting and decrypting every time I close and open the lid, right?

IMHO using FileVault is just a matter of backup your home folder to somewhere safe.

[Natobasso]

Quote:

Originally Posted by fryke

? ... But if it can simply be _undone_ without the password, what good would the encryption be? Nah, I don't buy that. If I want security, I don't want a backdoor. You also don't buy a safe where you have to decide on a combination, but "0, 5, 10" will always work, right?

I disagree. I think a safe that is yours should have some way of getting back into it if you lose the password. Just like buildings have master keys, so should my encrypted data. Let's face it, though, just about anything is crackable if enough time/resources are spent on it so it's almost a moot point.

[Damrod]

Well, my girlfriend had FileVault active on her iBook. Until through not so clear circumstances the encrypted home image got coruppted somehow. I worked 1 1/2 weeks to recover pictures, music and so on with a great variety of tools.

So, I think it's not really executed well enough to be a good thing. I was kinda skeptical from the beginning, but that really killed FileVault for me.

[Sunnz]

Quote:

Originally Posted by Natobasso

I disagree. I think a safe that is yours should have some way of getting back into it if you lose the password. Just like buildings have master keys, so should my encrypted data. Let's face it, though, just about anything is crackable if enough time/resources are spent on it so it's almost a moot point.

AFAIK most nix system lets you boot into Single user mode with have root access to everything and from there you can reset password of any users.

But that's a system admin thing - the files and system structures are not necessarily encrypted. IMHO encrypting data is a different beast, it is not only denial of access but also encryption of every bit of data.

To my knowledge, FileVault is implemented by using AES encryption, an algorithm that is designed to be secure and actually used for really high secure data like those used in Defence departments, the importance of the data is such that it is better to be destroyed rather than leaking secrets to the outside world.

Yes these encryption data are crack-able given enough CPU power and time, but this AES encryption isn't something your average hacker/script kiddie would crack open. It may take months or even years for FBI to crack it, so unless you are really up to something bad-ass, e.g. terrorism, it is more than an overkill for your average use.

[fryke]

By this you want to say that FileVault users probably are terrorists. Hm.

[Sunnz]

If they use a Mac, that is.