One of the most valuable changes in Mac OS X 10.7 “Lion” is a complete overhaul of FileVault, Apple’s disk encryption system for protecting private data such as stored pictures, emails, documents and home movies.
In Mac OS X 10.4 and 10.5, FileVault could only be used to encrypt the “home folder” for each user, and it was widely criticized for a number of implementation flaws and security issues.
With 10.7 “Lion”, Apple intends to solve some of these flaws and significantly enhance security and privacy by turning FileVault into a disk level encryption system, not only for the main filesystem, but also for any external drive a user wants to protect with encryption.
While Apple is not the first to implement full system encryption, anyone running 10.7 will be able to use it, compared to Windows where an Ultimate or Enterprise edition of the operating system is needed to enable Microsoft’s system encryption feature called BitLocker (Truecrypt is a free alternative).
Linux has also had full disk encryption for a long time, however enabling it requires the operating system to be installed in a specific way, and encrypting the system afterward is difficult if not impossible using common and easy to use tools.
Apple’s implementation, like Truecrypt and BitLocker before it, allows the user to turn system encryption on and off at any time, only a quick reboot is required to start the encryption or decryption process, which happens in the background while your machine is being used.
Setting it up is very simple, all you need is a working installation of Mac OS X 10.7 “Lion” and a few minutes to click through the assistant.
The old FileVault preference area in System Preferences > Security has been replaced by a new Disk Encryption screen, offering just one button which allows you to turn on or off system encryption.
Apple’s system encryption implementation uses your existing user password to unlock the system during boot, which means you don’t have to set and remember a 2nd system password. However, forgetting your user password could prevent you from gaining access to your files, so Apple built in a “recovery key” that can be used to unlock the system.
Clicking the arrow next to “Show Recovery Key” will allow you to write the key down or copy it somewhere, but if you’re afraid you’ll lose that too, Apple has you covered.
While the idea of giving Apple a key to unlock your system could make some users uneasy, for the average user it’s a great feature to have. If you ever lose access to your encrypted Mac, you should be able to contact Apple and have them send you the recovery key after answering a few security questions.
That’s basically all there is to it, just a few simple screens and a restart button.
The next restart of the system presents you with a login screen. It looks a lot like the standard login screen, however until you enter a password, the OS itself hasn’t actually booted yet, and your disk is still locked (which is why I had to take that picture with my iPhone; screenshots at that stage of the boot process aren’t possible).
One nice detail that Apple got right is that once you enter your password at the boot unlock screen, you don’t have to enter it again to login.
After the system boots, it starts encrypting the disk in the background. This does cause things to be a bit slow (ok a lot slow) for a while, but once it finishes, the system will speed up a bit. Right now in the developer preview, performance isn’t perfect (especially disk writes), but expect that to improve by the time Lion is ready for release.
Encrypted external drives are even easier to setup, however you can’t encrypt a drive that already has files on it right now.
To create a new encrypted HFS disk, just open Disk Utility and you’ll see a new option when you visit the Erase screen for a hard drive.
You’re asked to enter a password, which unlike the system encryption password, is not tied to your user account, so you can take this drive and use it on another Mac so long as you remember the password.
The next time you connect the drive, this is what you’ll see: a simple password dialog box, entering the correct password allows the external drive to mount. Simple eh?
Hopefully Apple refines this new FileVault system even more, especially in the performance area, but I can say for myself I’m quite pleased with it so far.
Let us know what you think in the comments or on Twitter!
This article first appeared on XercesTech