Mac OS X Lion introduces the next-generation of FileVault, Apple’s built-in encryption technology. Version 2 expands encryption from the user’s home directory to the entire disk. That’s a huge change.
If you’re managing Lion clients and used FileVault 1, then I suggest you check out the latest issue of MacTech magazine. Rich Trouton, lead Help Desk tech at the Howard Hughes Medical Institute, offers FileVault 2 Decrypted, an excellent overview of the history of the technology on the Mac and the limitations of FileVault 1 in a business environment. It’s the first of two parts. (The article is available only in hardcopy.)
He runs down the usual tasks of recovery key handling as well as command-line locking and unlocking. There are plenty of screen shots. The next installment will have more on key management in a deployment.
The process of recovery is changed with Lion and the full-disk encryption. If you forget the login password and recovery key then the whole disk is toast. And there are new programs such as Lion’s Recovery HD that must be installed on any startup drive that will use FileVault 2.
Oh, and then there are the complications when the machine is used by multiple accounts. It all takes some getting used to.
I was interested by some recent speed tests of File Vault 2 running on the new MacBook Air. On his Practice of Code blog, programmer Jay Discount compares the 2010 and 2011 models, with and without FileVault. There is a hit on performance with FileVault on the 2011 MacBook Air, but it is mitigated by the tremendously greater speed of the new hardware (65 percent in random tests, 40 percent overall). A bigger hit is found on the older model.
The dip in performance from enabling Lion FileVault on the 2011, while not drastic, is also not insignificant (18% overall), so that makes me personally quite happy, as I was able to double my storage capacity, add encryption, and still have an overall performance improvement. However, the big story here is the dip in performance for the 2010 model with FileVault enabled, as the drop is much more sizable at 44%.
Discount offers a number of guesses at the reason for these results such as general performance speedups in the new machine architecture, the built-in acceleration of AES encryption in the Core i7, and perhaps differences in SSD performance. More benchmarking will let us see if this testing is an outlier.
Finally, I suggest everyone check out Apple’s support note on FileVault 2. At the bottom of the page is a note about transitioning from FileVault 1 on Snow Leopard to Lion and the things that can go wrong. FileVault 1 is now called “Legacy FileVault.
When migrating an encrypted drive, you will be kept with the older, “legacy” home directory FireVault encryption.
If you are using FileVault in Mac OS X v10.6 Snow Leopard, you can install OS X Lion and continue to use your FileVault-encrypted home directory in the same way you did in Snow Leopard. OS X Lion considers your earlier version of FileVault encryption to be “Legacy FileVault”.
You may continue to use OS X Lion with Legacy FileVault, but you cannot enable Legacy FileVault for other user accounts in OS X Lion. If you turn off Legacy FileVault, the Legacy FileVault tab will disappear and you can then choose to enable OS X Lion’s FileVault 2 (disk encryption).
