Inside Mac OS X 10.7 Lion: FileVault full disk encryption and cloud key storage
Full disk encryption
Before Lion, FileVault protected a user's files by encrypting only the contents of the Home folder (held in an encrypted disk image): documents, settings, Keychains, and most, but not all, sensitive data. Anything the user saved outside the Home folder, along with the operating system itself, stayed unencrypted.
In Lion, Apple has upgraded FileVault to full disk encryption, which secures the entire startup disk rather than just the Home folder.
To access a FileVault-encrypted disk, each user on the machine can be granted the right to unlock it. Rather than handing users the disk's encryption key, Lion stores a copy of that key protected by each enabled user's login credentials, so a user only needs to remember their login password.
The disk can be unlocked by any of those users at login, or with a separately generated recovery key. Apple warns users in Lion that turning on disk encryption and subsequently forgetting both their login password and their recovery key will render the drive inaccessible: the data is irrecoverably lost.
Disk encryption key storage
To help prevent users from losing their data, it appears Lion will offer an option to store the recovery key with Apple, apparently as part of its MobileMe cloud service (the dialog notes that "fees may apply"). The trade-off is the usual one for key escrow: whoever holds the escrowed key, or can get Apple to release it, can unlock the disk, so recoverability is bought with a second path to the plaintext. The feature is not yet active, as depicted in the screenshot below.
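The key-management scheme the preceding paragraphs describe, one disk key that many parties can unlock, is easier to reason about in code. The following is an added illustration for this article, not Apple's code and not its on-disk format: a single random volume key is wrapped once per "unlock slot" (a user's login password, the recovery key), any one slot recovers it, re-wrapping a slot changes nothing on the encrypted disk, and losing the secret behind every slot loses the data. The PBKDF2 iteration count, the recovery-key alphabet and the one-time-pad-plus-HMAC wrapping are this example's own choices, stated as such in the comments; real systems wrap with AES (e.g. RFC 3394 key wrap).

```python
"""Toy model of FileVault 2-style key management: one volume key, many unlock slots.

Added example for this article, not Apple's code or on-disk format. The volume key (VK)
that encrypts the disk is generated once and never stored in the clear. For every party
allowed to unlock the disk (a user's login password, the recovery key) a copy of VK is
stored "wrapped" under a key-encryption key (KEK) derived from that secret. Any one slot
unlocks the disk; if the secret behind every slot is forgotten, VK is gone and so is the
data, which is exactly the warning Lion shows.

Real implementations wrap VK with AES (e.g. RFC 3394 key wrap). To stay stdlib-only this
model derives a fresh 64-byte KEK per slot with PBKDF2 over a random salt and uses the
first half as a one-time pad over VK and the second half as an HMAC key. That is only
sound because each slot has its own salt, so no pad is ever reused.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

KEY_LEN = 32            # 256-bit volume key
PBKDF2_ITERS = 100_000  # assumption for this example; real counts are tuned per device
RK_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed: no 0/O or 1/I confusables


@dataclass
class Slot:
    name: str          # e.g. "user:alice" or "recovery"
    salt: bytes
    wrapped_vk: bytes  # VK XOR pad; useless without the slot's secret
    tag: bytes         # HMAC over salt+wrapped_vk: detects a wrong secret


def _kek(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=2 * KEY_LEN)


def wrap(vk: bytes, secret: bytes, name: str) -> Slot:
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    pad, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    wrapped = bytes(v ^ p for v, p in zip(vk, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return Slot(name, salt, wrapped, tag)


def unwrap(slot: Slot, secret: bytes) -> Optional[bytes]:
    kek = _kek(secret, slot.salt)
    pad, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    expected = hmac.new(mac_key, slot.salt + slot.wrapped_vk, "sha256").digest()
    if not hmac.compare_digest(expected, slot.tag):
        return None  # wrong password or recovery key: nothing about VK is revealed
    return bytes(w ^ p for w, p in zip(slot.wrapped_vk, pad))


def normalize_recovery_key(rk: str) -> bytes:
    """Accept the key as typed: dashes, spaces and case are not significant."""
    return rk.replace("-", "").replace(" ", "").upper().encode()


class EncryptedVolume:
    """Holds the wrapped-key slots that would sit in the volume's metadata."""

    def __init__(self) -> None:
        self._vk = secrets.token_bytes(KEY_LEN)  # in a real system: never persisted unwrapped
        self.slots: List[Slot] = []

    def enable_user(self, username: str, password: str) -> None:
        self.slots.append(wrap(self._vk, password.encode(), f"user:{username}"))

    def create_recovery_key(self) -> str:
        # Illustrative 24-character grouped key; the exact format Lion displays is not modelled.
        raw = "".join(secrets.choice(RK_ALPHABET) for _ in range(24))
        self.slots.append(wrap(self._vk, raw.encode(), "recovery"))
        return "-".join(raw[i:i + 4] for i in range(0, 24, 4))

    def unlock(self, secret: str) -> Optional[bytes]:
        """Try every slot; the first one whose tag verifies yields VK."""
        candidates = {secret.encode(), normalize_recovery_key(secret)}
        for slot in self.slots:
            for cand in candidates:
                vk = unwrap(slot, cand)
                if vk is not None:
                    return vk
        return None  # no slot accepted the secret; with every secret lost, VK is gone

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Re-wrap only this user's slot; VK and the encrypted disk are untouched."""
        name = f"user:{username}"
        for i, slot in enumerate(self.slots):
            if slot.name == name and unwrap(slot, old.encode()) is not None:
                self.slots[i] = wrap(self._vk, new.encode(), name)
                return True
        return False

    def remove_slot(self, name: str) -> int:
        """Revoke an unlocker (a departed user, a leaked recovery key). Returns slots removed."""
        before = len(self.slots)
        self.slots = [s for s in self.slots if s.name != name]
        return before - len(self.slots)
```

Two properties of the shipped design fall out of the model: a password change or a user revocation touches only one small slot record rather than re-encrypting the disk, and a recovery key is just another slot, which is why escrowing it with a third party (as the MobileMe option proposes) is equivalent to giving that party an unlock credential.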
46 Comments
How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?
So how does Time Machine integrate with this? Is the backup not encrypted? Does the entire disk get backed up every time a one-character update is made to one file? Or is it just that every file on the disk is encrypted separately, or what?
How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?
The boot volume could be separate and unencrypted.
The boot volume could be separate and unencrypted.
Yes, but that would require two volumes, one for the OS and one for the user account(s). If that were necessary, shouldn't the System Preferences for full disk encryption at least refer to that?
(And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't AppleInsider say that, in contrast to FileVault, the whole disk gets encrypted? If it were now only the user accounts, that would not make sense.)
So how does Time Machine integrate with this? Is the backup not encrypted? Does the entire disk get backed up every time a one-character update is made to one file? Or is it just that every file on the disk is encrypted separately, or what?
TM would see, as the user, the unencrypted files. To ensure that the TM backup is also encrypted, you would need to back up to an encrypted sparse bundle disk image.