Using FileVault


The Mac OS X FileVault feature converts a user's home folder to a disk image encrypted with that user's login password. FileVault images are encrypted with the Advanced Encryption Standard using a 128-bit key (AES-128). When a user logs in, the home folder is automatically mounted and the login password is used to decrypt and encrypt home folder contents as they are used, so files can be accessed normally. When the user is not logged in, the contents of the folder are inaccessible, even through mechanisms (such as root mode) that can normally bypass file protections. Because of this, FileVault is the preferred method to secure a user's files when Mac OS X integrity cannot be guaranteed (especially when proper physical security is not possible, as with laptops).

When the user is not logged in, the disk image of the home folder is stored in /Users/username/username.sparseimage. When the user logs in, the /Users/username folder is renamed to /Users/.username (which makes it invisible), a new folder named /Users/username is created, and the disk image is mounted over the /Users/username folder. When the user logs out, the mount folder is deleted and the folder that contains the disk image is renamed.

If the computer should happen to crash, this leads to a scary-looking situation where the user's disk image appears to have vanished into thin air. Don't panic. The disk image is still there, it's just hidden in the invisible /Users/.username folder. The next time the user logs in, everything should be restored automatically.
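The three layouts described above (image stored in the visible home folder, image hidden behind a mounted home folder, and the post-crash state where only the hidden folder remains) can be told apart from the filesystem alone. The following shell script is an added example, not code from the book or from Apple; it assumes the /Users/username/username.sparseimage naming given above, takes the base directory as a parameter so it can be tried against a constructed tree, and treats a populated /Users/username over a hidden image as "mounted":

```sh
#!/bin/sh
# Added example (not from the book): classify the on-disk state of a legacy
# FileVault home folder from the layout the text describes.
# Assumes the naming /Users/<user>/<user>.sparseimage when logged out and
# /Users/.<user>/<user>.sparseimage hidden behind a mounted /Users/<user>
# when logged in. BASE is a parameter so the check can run on a test tree.

# Usage: fv_home_state BASE USER
# Prints one of: stored | mounted | hidden | none
fv_home_state() {
    base=$1
    user=$2
    visible="$base/$user"
    hidden="$base/.$user"
    image="$user.sparseimage"

    if [ -f "$visible/$image" ]; then
        # Logged out: the image sits in the visible home folder.
        echo stored
    elif [ -f "$hidden/$image" ]; then
        # Image is tucked away in the invisible folder.
        if [ -d "$visible" ] && [ -n "$(ls -A "$visible" 2>/dev/null)" ]; then
            # A populated /Users/<user> over a hidden image is the logged-in layout.
            echo mounted
        else
            # Hidden image but no populated mount folder: the post-crash state
            # the text describes; the next login should restore it.
            echo hidden
        fi
    else
        echo none
    fi
}

# Self-contained demonstration on a constructed directory tree; no real
# home folders are touched.
fv_demo() {
    tmp=$(mktemp -d) || return 1

    # Case 1: logged-out layout
    mkdir -p "$tmp/Users/alice"
    : > "$tmp/Users/alice/alice.sparseimage"
    echo "alice: $(fv_home_state "$tmp/Users" alice)"

    # Case 2: logged-in layout (image hidden, home folder mounted and populated)
    mkdir -p "$tmp/Users/.bob" "$tmp/Users/bob/Documents"
    : > "$tmp/Users/.bob/bob.sparseimage"
    echo "bob: $(fv_home_state "$tmp/Users" bob)"

    # Case 3: after a crash (hidden image, mount folder missing or empty)
    mkdir -p "$tmp/Users/.carol"
    : > "$tmp/Users/.carol/carol.sparseimage"
    echo "carol: $(fv_home_state "$tmp/Users" carol)"

    rm -rf "$tmp"
}

fv_demo
```

On a real machine, run fv_home_state /Users username as an administrator; a result of "hidden" after an unexpected restart confirms the image is still present and that the next login, not a manual move, is the right fix.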

Note

Encrypted disk images can also be created and mounted manually. These can be used in addition to or instead of FileVault to provide additional control over the security level of files. Using a manually created disk image with a different password (not the user's login password) would be appropriate for storing extremely sensitive files because they would be available only when the disk image is specifically mounted, not whenever the user is logged in. Using a manual disk image instead of FileVault would be appropriate if only certain files need to be stored securely, and those files can be stored in a user-defined location (not preference files or other files that are automatically stored in the user's Library folder).
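The manual alternative described in this note is driven with hdiutil. The script below is an added example, not code from the book or from Apple; it builds the create, attach and detach command lines for an AES-128 sparse image and feeds the passphrase on standard input (-stdinpass) rather than on the command line, where it would be visible in the process list and shell history. The image path, volume name and size are assumptions; because hdiutil exists only on Mac OS X, the script prints the commands unless invoked with --run on a Mac.

```sh
#!/bin/sh
# Added example, not code from the book: manage a manually created AES-128
# encrypted sparse image with hdiutil, separate from FileVault, as the note
# describes. Argument building is kept apart from execution so the logic can
# be exercised anywhere; hdiutil itself runs only with --run on a Mac.
# Image path, volume name and size are assumptions; paths without spaces
# are assumed because the argument strings are word-split before use.

IMAGE="$HOME/Documents/sensitive.sparseimage"   # assumed location
VOLNAME="Sensitive"                              # assumed volume name
SIZE="100m"                                      # assumed maximum size

# hdiutil create: -encryption AES-128 matches what FileVault itself uses;
# -type SPARSE lets the image grow only as files are added; -stdinpass reads
# the passphrase from standard input so it never appears in `ps` output or
# shell history, as it would if passed as an argument.
hdiutil_create_args() {
    printf '%s' "create -size $3 -fs HFS+ -volname $2 -type SPARSE -encryption AES-128 -stdinpass $1"
}

# hdiutil attach with -stdinpass mounts the image under /Volumes/<volname>.
hdiutil_attach_args() {
    printf '%s' "attach -stdinpass $1"
}

# Detaching is what makes the files inaccessible again; unlike a FileVault
# home, the image is not unlocked merely by being logged in.
hdiutil_detach_args() {
    printf '%s' "detach /Volumes/$1"
}

# Prompt for the passphrase without echo and pipe it to hdiutil on stdin.
run_hdiutil_with_passphrase() {
    printf 'Passphrase: ' >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    # Word splitting of $* is intended: it turns the argument string back
    # into separate hdiutil arguments.
    printf '%s' "$pass" | hdiutil $*
}

hdiutil_demo() {
    create=$(hdiutil_create_args "$IMAGE" "$VOLNAME" "$SIZE")
    attach=$(hdiutil_attach_args "$IMAGE")
    detach=$(hdiutil_detach_args "$VOLNAME")
    if [ "$1" = "--run" ] && command -v hdiutil >/dev/null 2>&1; then
        run_hdiutil_with_passphrase $create
        run_hdiutil_with_passphrase $attach
        echo "Mounted at /Volumes/$VOLNAME; copy files in, then run: hdiutil $detach"
    else
        echo "Would run (pass --run on a Mac to execute):"
        echo "  hdiutil $create"
        echo "  hdiutil $attach"
        echo "  hdiutil $detach"
    fi
}

hdiutil_demo "$@"
```

Use a passphrase different from the login password, as the note recommends; the point of the separate image is that its contents stay locked while the user is logged in and only open for the time the volume is attached.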


FileVault has several limitations that you should consider before enabling it for any user account:

  • The contents of an encrypted disk image are vulnerable to corruption. Normally, file corruption is only likely to render individual files unusable. Since the user's entire home folder is stored by FileVault as a single disk image, corruption of that image may render the entire contents of the home folder inaccessible. This makes backups particularly important to protect FileVault users against data loss.

  • Forgetting the password to a FileVault-protected account is a more serious problem than with a normal account. The master password (discussed in the next section) can be used to reset the passwords of FileVault-protected accounts, but if both the normal account password and the master password are lost or forgotten, you won't be able to recover the contents of the FileVault account.

  • FileVault-protected home folders can be difficult to integrate into a backup strategy. When the user is not logged in, only the disk image will be accessible, not the files in the home folder. Since this file will be modified at least slightly every time the user logs in, an incremental or differential backup strategy that backs up only files that have changed since the previous backup will need to back up the entire image every time. On the other hand, if the user is logged in, the disk image may be inaccessible (hidden behind the mounted home folder).

  • Because FileVault protects all of the contents of the home folder, even folders that are intended to be publicly available, FileVault users cannot publish files using their Public folder (Personal File Sharing) or Sites folder (Personal Web Sharing).

  • Because Windows Sharing requires storing low-security hashed user passwords, FileVault accounts should not be enabled for Windows sharing. (See "Configuring a Client Network," earlier in this lesson.)

  • Passwords, including those used to protect FileVault accounts, sometimes get paged out to the virtual memory swap files. To avoid leaking the password by this path, you should enable encrypted virtual memory on all computers on which FileVault will be used.

  • Access to FileVault-protected files will be slower than normal, due to the need to encrypt and decrypt them as they are used.
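The swap-file limitation above is the one item in this list that can be checked before FileVault is turned on. The following shell script is an added example, not code from the book or from Apple; it assumes the Mac OS X 10.4 convention in which the Security pane's "Use secure virtual memory" setting is recorded as ENCRYPTSWAP=-YES- in /etc/hostconfig, and it takes the file path as a parameter so the parser can be exercised on constructed files:

```sh
#!/bin/sh
# Added example, not from the book: confirm that encrypted virtual memory is
# enabled before rolling out FileVault, so login passwords cannot be paged
# out to swap in the clear. Assumes the 10.4-style /etc/hostconfig format
# (ENCRYPTSWAP=-YES- when the Security pane's "Use secure virtual memory"
# box is checked). The path is a parameter so the check can be tested.

# Usage: swap_encryption_enabled HOSTCONFIG_FILE
# Exit status: 0 enabled, 1 disabled or unset, 2 file unreadable.
swap_encryption_enabled() {
    file=$1
    [ -r "$file" ] || return 2
    # Drop comments, keep the last ENCRYPTSWAP= assignment (later lines win,
    # as they do when the file is sourced), then strip quotes and whitespace.
    value=$(sed 's/#.*//' "$file" \
        | awk -F= '$1 == "ENCRYPTSWAP" { v = $2 } END { print v }' \
        | tr -d ' \t"')
    [ "$value" = "-YES-" ]
}

# Human-readable report, suitable for a pre-FileVault checklist.
report_swap_encryption() {
    swap_encryption_enabled "$1"
    rc=$?
    case $rc in
        0) echo "$1: encrypted virtual memory ON" ;;
        1) echo "$1: encrypted virtual memory OFF (passwords may reach swap in the clear)" ;;
        *) echo "$1: cannot read file" ;;
    esac
    return $rc
}

# Demonstration on constructed hostconfig excerpts (not copied from a real
# system): one with the setting on, one where a commented-out -YES- line is
# overridden by a later -NO-.
swap_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'AFPSERVER=-NO-\nENCRYPTSWAP=-YES-\n' > "$tmp/hostconfig.on"
    printf 'AFPSERVER=-NO-\n# ENCRYPTSWAP=-YES-\nENCRYPTSWAP=-NO-\n' > "$tmp/hostconfig.off"
    report_swap_encryption "$tmp/hostconfig.on"
    report_swap_encryption "$tmp/hostconfig.off"
    rm -rf "$tmp"
}

swap_demo
```

On a real 10.4 system, run report_swap_encryption /etc/hostconfig; a result other than ON means the Security pane setting should be corrected (and the machine restarted) before any account is converted.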

Setting a Master Password for FileVault

Before you can enable FileVault for any user accounts, you must set a master password for FileVault. This password provides an emergency safety net for FileVault-protected accounts; without it, losing the user's login password would result in the loss of all data in the user's home directory. The master password is used to encrypt a Keychain, which secures an encryption backdoor that can be used to reset access to FileVault accounts if their passwords are lost.

The password assistant gives you suggestions for different types of passwords:

  • Memorable

    The Memorable passwords are still secure, since they include a word from the local dictionary, followed by a number 1 to 3 digits long, followed by a punctuation mark, followed by another word from the local dictionary.

  • Letters & Numbers

  • Numbers Only

  • Random

  • FIPS-181 compliant

To set a master password for FileVault:

1. Open System Preferences and choose the Security pane.

2. Click the Set Master Password button.

3. Authenticate as an administrator by entering an administrator user name and password.

4. Enter the master password you have chosen in the Master Password and Verify fields, or click the ? button to open the Password Assistant.

Note

Since the master password provides backdoor access to all FileVault-protected accounts, choosing a strong password is very important. The recommended procedure is to use the Password Assistant to generate a long random-type password, write it on a slip of paper, seal the paper in an envelope (so you can tell if it has been opened and used), label the envelope clearly (remember to include information to identify which computer this master password applies to), and store the envelope in a secure location.

5. Leave the Hint field blank.

6. Click the OK button.

Using the Master Password to Reset a Lost Account Password

If the password for a FileVault-protected account is lost, the only way to properly reset it is with the master password. Normal password reset options (using the System Preferences Account pane) do not work. Some reset methods, such as running the Password Reset utility from the Install DVD, may appear to work, but at most they will reset the user's login password, not the FileVault encryption password. If these passwords do not match, the user still will not be able to log in.

To reset a FileVault account's password, use the login window to attempt to log in to the account three times, entering a wrong password each time. After the third unsuccessful attempt, LoginWindow will ask for the master password. If it is provided successfully, you can provide a new password for the account. Both the account's login password and the disk image's encryption password will be switched.

One password that will not be switched is the encryption password for the account's login Keychain. This password will remain set to the old (lost) password. During the reset process, LoginWindow claims that it will create a new (blank) Keychain and move the old one aside, but it may not actually do this.

To create a new (blank) login Keychain with a password that matches the login and disk image passwords, navigate to ~/Library/Keychains and rename or delete the login.keychain file. Then log out of and back into the account; a new Keychain will be created automatically. Since the FileVault recovery mechanism does not handle the Keychain's encryption, there will be no way to recover the contents of the old Keychain unless its password can be found or recovered. Instead, the user will have to reenter her various service passwords into the new Keychain.

Enabling FileVault

The FileVault conversion process is started within the account to be converted. The conversion should be the only thing happening on the computer. No other users may be logged in, and no other programs may be running. Since the conversion process can take time, plan the conversion for a time when the computer can sit effectively idle until it is done. Last-minute conversions (just before the user leaves with his PowerBook to catch a flight) are a recipe for trouble.

To enable FileVault:

1. If Fast User Switching is enabled, log out all active user sessions.

2. Log in to the account to be converted to FileVault protection.

3. Open System Preferences and choose the Security pane.

4. Click the Turn On FileVault button.

5. If necessary, authenticate as an administrator by entering an administrator user name and password.

6. Enter the current account's password.

7. If there is currently any important information stored in the account's home directory, select the "Use secure erase" checkbox.

   If the account has just been created and has not been used yet, it's acceptable to leave this box deselected.

8. Click the "Turn on FileVault" button.

   You will be automatically logged out, and the FileVault conversion process will proceed automatically.

If there is much data in the user's home folder, encrypting it and securely erasing it may take a while; do not attempt to use the computer while this process takes place.


Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan