Back to the Mac: OS X 10.7 Lion Review
by Andrew Cunningham, Kristian Vättö & Anand Lal Shimpi on July 20, 2011 8:30 AM ESTFileVault isn’t new to OS X, but the thing called FileVault in Lion is pretty drastically different from the FileVault that was first introduced in 10.3. Where the old FileVault would just encrypt a given user’s home folder by encapsulating it in an encrypted DMG disk image, it would leave the rest of the hard drive (all applications, system files, and unencrypted user accounts) unencrypted and potentially vulnerable.
FileVault in Lion makes the switch to volume encryption – the implementation is similar in many ways to the BitLocker drive encryption that ships with the Ultimate and Enterprise editions of Windows 7. Note that FileVault isn’t, strictly speaking, full disk encryption, so any other partitions on your Mac are not encrypted unless you reformat them separately, and non-Lion partitions (a Windows or Snow Leopard partition, for example) cannot be protected by the new FileVault.
A FileVault encryption key
FileVault can still be found in the Security & Privacy System Preference pane. Click Turn on Filevault, and the Mac will generate a 24-digit recovery key that you can use to unlock or decrypt your hard drive in the event that you forget your account password. Losing this key and forgetting your local account’s password can be remedied if you chose to store your recovery key with Apple, who will give it back to you if you can properly answer three security questions they asked you when you setup FileVault. If you lose the key, forget your account password, and either neglect to store your key with Apple or forget the answers to any of your security questions, your data is gone.
This, of course, is how the technology is supposed to work, but it’s important that you know it was designed with no backdoor – you get in with your account’s password or your encryption key, or you don’t get in at all.
When cold booting, a FileVault-encrypted Mac uses the recovery partition we talked about earlier as a bootloader, since the main OS is now on an encrypted volume – you have to use the credentials of an approved user account to login before any OS files load. Once the OS does load, you’ll automatically be logged in as the user who unlocked the computer – you won’t need to login twice.
In the first of our BitLocker comparisons, it’s worth noting that BitLocker uses a small, unencrypted system partition to perform similar checks. If your Mac’s recovery partition is missing (for one reason or another – the most common reasons for this to happen are setting up Lion on a disk with an exotic partitioning scheme, or using a disk imaging program that doesn’t capture the recovery partition), FileVault will simply error out and tell you to reformat your hard drive, where Windows will offer to repartition your drive for you.
If you ever need to connect your hard drive to another Mac (whether through Target Disk Mode or otherwise) to rescue or access data on an encrypted drive, FileVault will allow you to access your data from any Mac running Lion as long as you have either your account password or your encryption key handy – when you plug the disk in, the OS will ask you to unlock it, and once unlocked you can work with the data as you would on an unencrypted drive (you can also unlock the drive manually in Disk Utility). This will only work on Macs running Lion – Macs running Snow Leopard or earlier will tell you that they can’t read the disk.
Also like BitLocker, the new FileVault also offers full volume encryption for any external disks, including Time Machine backup disks – when you plug an external drive into your Mac, the Time Machine dialog box now includes an option to encrypt your drive. Enter a password and a password hint (there is no recovery key for an external drive), and OS X will encrypt the drive for you. You can then use this password to unlock the drive on any Mac running Lion.
Creating an encrypted volume in Disk Utility
Any other volumes you’d like to encrypt can be encrypted using Disk Utility if you reformat the drive using the new Mac OS Extended (Journaled, Encrypted) option – as with Time Machine disks, you’ll be prompted to set a password and password hint, and then you’ll be good to go – the only downside is that there doesn’t appear to be a way to encrypt volumes without also reformatting them.
It should be noted that you don’t have to encrypt your Mac’s internal hard drive in order to encrypt external volumes. Also, remember that any FileVault-encrypted disks will be readable only by Macs running Lion – Snow Leopard, Windows, and all other operating systems won’t be able to interact with them (failing official Apple support for working with FileVault-encrypted volumes in a future Boot Camp update, which I’d say is unlikely to happen).
The new FileVault is a pretty great deal for individuals, and I can comfortably recommend it to any Mac user who travels with sensitive data. It’s a definite improvement over previous implementations, and anyone using FileVault in its current incarnation should appreciate the extra protection. For consumers, it’s a better deal than BitLocker is for Windows users, since BitLocker comes only with the premium Windows versions and works most seamlessly only with TPM hardware that most consumer-level laptops don’t have.
I can also see FileVault being useful for Mac-centric small-to-medium businesses, and businesses who lack the money for more expensive drive encryption software. However, for large businesses, FileVault’s lack of central manageability will probably reduce its potential usefulness. With no central console (which seems like a logical service for OS X Server to provide – get on that one, Apple), there’s no way to easily and automatically track large numbers of encryption keys. Also absent is a way to force encryption, and any administrator account with access to the Security & Privacy pane can decrypt the drive.
Businesses managing their Macs with Open Directory could prevent users from accessing this preference pane, but there’s still no way to prove that each and every Mac is encrypted at all times, which is something that many businesses are required to do.
106 Comments
View All Comments
quiksilvr - Wednesday, July 20, 2011 - link
$29 is indeed a solid improvement. However, given the Mac Store now being out there, their desktop OS should follow the formula of their mobile OS: Free to upgrade. These features are nice but I can't help shake the feeling that these are Service Packs (because they are). And with their "app" store available on the OS and the means of most of their cash inflow, it makes more sense to make this a free upgrade for everyone instead of a $29 upgrade.xype - Wednesday, July 20, 2011 - link
Service packs? Are you serious? Read up on the changes and try to come up with one service pack that changed as much.Some people…
danielkza - Wednesday, July 20, 2011 - link
XP SP3 would be a good candidate, but yes, 10.7 is a bit beyond what one could reasonably call a Service Pack.Taft12 - Wednesday, July 20, 2011 - link
You're thinking of XP SP2, and if you have to go back 7 years to come up with a comparable "service pack", it's certainly fair to say OSX 10.7 is more than a service pack.AfroPhysics - Friday, July 22, 2011 - link
I fail to see how the age of the service pack matters. Xype asked for an example and qualified nothing.ltcommanderdata - Wednesday, July 20, 2011 - link
Are we really going through the tired argument that every 10.x update to OS X is just a service pack and should be free? Then at what point should Apple try to recoup costs for OS development, because even if individual point updates are evolutionary, going from the original 10.0 to 10.7 has got to be a major change in anyones eyes. And the same questions could be raised about Windows NT 6.1 aka Windows 7 where the server version is bluntly labeled Windows 2008 R2 and Windows NT 6.0 aka Vista/2008 or Windows NT 5.1 aka XP and Windows NT 5.0 aka 2000.Besides, even if you discount the user facing changes, Lion has seem some major security infrastructure changes. Both the 32-bit and 64-bit kernel have been rewritten with full NX-bit and ALSR support as in place in Windows Vista/7 addressing the major security complaint Charlie Miller had with OS X. Application sandboxing frameworks are now available and soon to be mandatory for Lion apps in the Mac App Store which I believe is a security feature that even Windows isn't pushing yet. With the dropping of the Core Duo, the Lion has also be rewritten to make more use of SSSE3 instead of just SSE3 as pointed out by the Hackintosh community. Lion isn't just Snow Leopard with a few features added on top, but the entire OS has seem updates at a low level even if the user might not necessary see all the differences.
ltcommanderdata - Wednesday, July 20, 2011 - link
And about the App Store being a major source of income for Apple, Apple has consistently said they aim to run their stores as a break even venture.http://www.macrumors.com/2011/07/19/apple-reports-...
I'm not clear if the iTunes Store in the graphic in the above link includes the App Store, but at the very least as an example of Apple's digital store, the revenue stream really hasn't increased in the last 2 years. Apple's sales growth is clearly from their hardware, iPhone, iPad, and even Mac.
GotThumbs - Wednesday, July 20, 2011 - link
$1,634,000,000 in revenue from Other Music Related Products and Services (3)(3) Includes sales from the iTunes Store, App Store, and iBookstore in addition to sales of iPod services and Apple-branded and third-party iPod accessories
I'd say their goal of a break even venture is not an accurate description of their stores. Hence the creation of the MAC Store. It sounds like a nice thought, but Apple is in business to make money and it seems their VERY good at it. Perhaps their projection analysis was a bit off.
Hey, this is good news for the investors and I understand that they are a business. Lets not be too naive and just don't drink the cool-aid.
ltcommanderdata - Wednesday, July 20, 2011 - link
Perhaps my finance terms are wrong, but I'd hope the Apps Store is taking in revenue. But if Apple should be offering some of their other products like OS X updates for free, shouldn't we be concerned with whether the App Store is making major profits, such that there is money to spare to pay for OS development?solipsism - Wednesday, July 20, 2011 - link
Revenue ≠ ProfitThey've paid billions to both developers, and music and video cotent owners. They've also spent money on the infrastructure to support their stores. I'm sure they're making a profit as all good for-profit companies should, but it's not the cash cow you've attempted to present here.