Does ANYONE recommend FileVault?

Durbrow

Has anyone successfully used FileVault for encrypting files in one's User folders? Am I better off with TrueCrypt/Espionage/Knox? Thanks.
 
I use FileVault. I have no big complaints. The most annoying thing is that I cannot back up my personal files with Time Machine without logging out. There was also a time when that failed for some reason I never quite figured out (perhaps because I was on battery power, as I only had one outlet available).

There are still some questions I have about how it works, actually. Like what happens if I want to change my login password. Time Machine's copies of the sparseimage used for my Home folder are encrypted with my login password, so I guess it would have to re-encrypt my entire Home folder.

I also wish that it would use a separate password for encryption, since I need to use my login password frequently to install software or do other things. It's too much of a pain to use a truly strong password for that.

The important thing is that if my laptop is lost or stolen, I'm pretty confident that my data will remain private. That's why I use it. Your concerns may be different and may be best addressed in another way.
 
Well I wouldn't use the big club of FileVault, but if you are paranoid then look at Espionage.

Also if you use Airport in public locations, don't use the OS X GUI firewall because it is for absolute beginners, use the BSD command line BSD firewall called "ipfw". Luckily you don't have to resort to the command line, you can use the free programs NoobProof (for beginners) or WaterRoof (for Advanced users). Either of these two free programs will be a GUI front end to control the command line ipfw. The ipfw has been refined over in the Unix/BSD arena for over 20 years. So it is the best firewall that one can use, and it is built in the core of OS X (which is based on BSD).
 
If it's absolutely necessary, I'd go with a firmware password and FileVault. However: Over 90% of people don't belong in the "absolutely necessary" category, and for those I advise the following:

1.) Don't leave your notebook unattended, don't let it get stolen. If you adhere to this point, no encryption is necessary. Keep in mind that while you're logged in, your encrypted File Vault is mounted, so an outside (i.e. network) attacker who gains access to your user credentials and can login to your system has access to your files.

2.) Use an encrypted disk image within your unencrypted user home folder for the stuff that absolutely positively has to be encrypted. Don't forget to unmount the disk image after using it. Mounted disk images can be read (see point one).

Personally, I never encrypt anything, even the most delicate company secret. Why? My notebook is never in anybody else's hands and I pay attention to network security.
 
And security measure 3) if you have to travel in shady places, keep the cheapest laptop or other computer with you, with the least amount of personal data, still applying the above points and never leaving it unattended...

So if I'll travel somewhere where I don't absolutely and by force need my MacBook Pro, it's time for the Dell Inspiron Mini. (just because if it would get stolen, I would not lose all my personal data with it. Being a $300 laptop 2 years ago makes it way less a loss than losing all the current stuff on a way more expensive system. So for the same travel reasons, if I had a MacBook Air 11" that wouldn't travel with me to all the weird places).
 
I'll add "don't let it get stolen" to my to-do list. :p

One of the reasons I use FileVault instead of just using an encrypted disk image for a few sensitive files is that I'm really not in control of where everything is stored. How much private data is strewn about in ~/Library? Do my chat programs keep logs? Does my browser cache/cookies have anything important? Does my word processor keep autosave caches? Does....etc., etc.

The truth is, I'll never be sure what's being leaked where. Encrypting my entire Home folder gives me better peace of mind. I don't need to worry so much about misbehaving programs storing data where they shouldn't, or well-behaving programs doing something I just wasn't aware of. I don't need to spend time and energy investigating what's where (and doing this on a regular basis as my usage changes, software changes, etc.).

Of course there's STILL the possibility that something is stored outside my Home folder. Honestly I'd rather have everything encrypted. The performance cost is not really noticeable for me, but TrueCrypt doesn't support whole-disk encryption on Mac (at least last I checked).

I would want my home folder encrypted separately anyway, because this way I can use another account and leave that all encrypted. If I just want to browse the web in public, that's what I do.
 
Well - all emails are also in the mail server, all chat logs are in the chat providers' servers and so on. So it's not just the caches in your ~/Library... To keep a bit more control of those, you'd have to set up your own mail server and so on.

A few things always make sense (even if you don't go with open firmware passwords or other features): lock your screen when you are not on the computer. Whether it's for a two minute break, or sleeping overnight, others shouldn't have access to the account with your data.
(Even if I trust the others at home to have access on my computers, I still lock the screen to control the access. Even if it's mostly a "cats' lock"... so even today when I logged in to my server I could see at least one of my cats had walked on the keyboard trying to log in. I definitely don't like the idea of the kitties setting up any odd services or doing any weird stuff on my server...)

With FileVault, Mikuro nailed most of the good points for using it.
But if you use it, you'll still need some backup plans. You'll need regular backups of your system and home folder. You'll need way more empty space in your system any given time you want to disable FileVault (at least as much empty space as your home folder takes space). And the plans for the catastrophes in case something goes terribly wrong with the FV sparseimage and it gets corrupted. (command line acrobatics and mounting it from another user can do it... and if unprotected access for other users to log in to your computer, that could be one weak point in the chain of protection. Don't give access to others, lock down all users, ideally with login asking for username and password etc)
 
And all that is why I personally think encryption is simply toooooooooooooo much hassle and I adhere to my 1.).
 
Things I would do first before using FileVault. (disclaimer: not based on reality)

1) Slide down a dull 50-foot razor blade into a pool of turpentine
2) Let hungry cannibals baby-sit a close relative's children
3) Slap Mr. T upside the head and then make derogatory comments about his choice in jewelry
4) Run around in a mosque wearing nothing but a pig mask - while snarling at random worshippers
 
5) Step on Superman's cape
6) Spit in the wind.
7) Heckle Frank Sinatra at a Sons of Italy Dinner*

I think the first major f[CENSORED--Ed.]k up I accomplished that led me to HERE involved FileVault.

--J.D.

*For you Mad Magazine fans.
 