Most Mac users rely on a login password to protect their data and files from unauthorized access. But is that as safe as is commonly believed? As it turns out, not quite. There are many methods for resetting the password, which gives access to all the information stored on your Mac. There is a solution to this problem, however: FileVault. We'll talk about it today.

What is FileVault

FileVault is a data encryption system that uses the XTS-AES-128 algorithm with a 256-bit key length, which provides an extremely high level of security. The encryption key itself is derived from the user's password using the PBKDF2 algorithm. From then on, all information is stored in 8 MB fragments.

Oddly enough, the feature works quite simply: all data is copied to an encrypted disk image and then deleted from the unprotected space. Once the initial processing is complete, new files are encrypted "on the fly" in the background. There is support for Instant Wipe, which allows you to safely wipe all information on the disk without the possibility of recovery. In addition, the tool offers an option to encrypt Time Machine backups.

How FileVault works

During the first setup, a recovery key is created to protect against password loss. It must be remembered, since if the code is lost, the data cannot be restored. Alternatively, you can set up a password reset using your iCloud account.

Once FileVault is activated, the computer's boot process changes to ensure security. Previously you entered the password after the account had loaded; now this happens before, which eliminates even the potential for resetting the user's password by any of the known methods (Single User Mode, booting from external media and other methods).

Why use FileVault

A user password is clearly not enough to ensure complete security and privacy. If someone has physical access to your computer, resetting your password is only a matter of time. With encryption, you can be sure that no one will gain access to the data. In addition, the utility was developed by Apple and is already built into the system, which indicates full integration with the system.

Another plus is that the volume of data before and after encryption does not change.

What are the disadvantages

  • Encryption with FileVault has a significant impact on Mac performance.
  • You cannot recover data if you have forgotten your password and recovery key.
  • If the drive fails, the data will also be lost forever.
  • Encrypted Time Machine backups do not allow you to restore a specific file, only the entire backup.

How to set up FileVault

  • Launch "System Settings".
  • Go to the “Protection and Security” menu item, then to the “FileVault” tab.
  • Unlock the pane by clicking the lock icon in the lower left corner.
  • Select "Enable FileVault".
  • Here we must select the password reset option that suits us.
  • If we have chosen a recovery key, we will be provided with a code that must be remembered and kept in a safe place.

All that remains is to reboot the Mac. Immediately after this, background encryption will begin, and the computer can be used without restrictions.

It's possible that your Mac stores a lot of valuable and confidential information that you wouldn't want to share with anyone else. And it is quite natural that you will have a desire to protect this information from all outsiders. Of course, you won’t be able to get away with just a password to log into your account. To solve such a problem, it is necessary to use information encryption. We will devote a short series of articles to encryption on Macs, in which we will consider various paid and free solutions for this purpose. We'll start with the most standard encryption mechanism - the FileVault technology built into Mac OS.

Let's say right away that the scope of FileVault is narrow: you can encrypt only the user's home folder. Encryption uses the AES algorithm with a 128-bit key, which provides a very high level of reliability.

Everything is very simple: FileVault creates a special container (an encrypted disk image), copies your entire user folder there, and then deletes the original. All information contained in the encrypted disk image becomes accessible only when the user logs into the account. The rest of the time it is completely protected from prying eyes.

This leads to the first and most important conclusion (true of all encryption): never forget the encryption password, otherwise all its advantages will turn against you. To protect against forgetfulness, Mac OS X provides a master password; knowing it, you can reset the password for any account, including one encrypted with FileVault. This will save you from losing information if you suddenly cannot remember the password for your account. But if you forget both your password and the master password, you can say goodbye to your data once and for all.

Before enabling FileVault, be sure to consider a few important features:

1) The initial encryption takes a long time: it can last for several hours. Its duration depends directly on the number and size of files in the user's folder. Therefore, before encrypting, try to move all music, all movies, all photos and all other non-confidential information out of the user folder to any other location on the disk.

2) Are you used to a productive, fast Mac? Get out of the habit. FileVault will noticeably degrade the performance of even the most powerful Macintosh. Encryption creates an additional constant load on the processor and hard drive.

3) Many beginners are surprised that disk space is not freed up when they delete files. Then they discover that they need to empty the Trash. If FileVault is enabled, you will be surprised to find that free space does not appear on the disk even after emptying the Trash. As already mentioned, the entire user folder turns into one image, and its size changes automatically only when you log out of your account, so to get the free space back you will have to end the session every time.

4) The danger of complete or partial loss of information grows exponentially. At first this seems absurd; after all, encryption is designed to protect confidential information. It really does protect it, but from hacking, not from disk failure. Think for yourself: when one of the disk sectors goes bad, the file that was partly written to that sector is damaged. With FileVault enabled, your entire user folder is one file. Imagine what would happen if the disk space it occupies were damaged.

5) Used to using Time Machine? After enabling FileVault, its capabilities will be greatly reduced. For example, you will no longer be able to restore an individual file through the Time Machine interface. And if you try to restore the entire system, prepare for unpleasant surprises. Apple forums are inundated with complaints from users who cannot log into their account after this procedure.

6) It's easy to turn FileVault on, but turning it back off doesn't always work. The system often displays an error when you try to disable encryption, and often this error makes it impossible to log into your account afterwards.

Of course, these six points are not intended to dissuade you from enabling encryption. But, according to Murphy's law, if something bad has a chance to happen, it will happen at the most inopportune moment.

FileVault is not the best option for encryption. Its only advantage is that it is completely integrated into the system.

So, if you have weighed the pros and cons, here are the instructions for enabling FileVault.

1) In System Preferences, choose the Security pane. Go to the FileVault tab and click the Enable FileVault button.

2) You will be asked for the administrator password. After this you will be prompted to create a master password (if you haven't done this before). We remind you once again: if you lose both your master password and your account password, it will be impossible to decrypt the information.

3) Then you will be forced to enter the administrator password again, after which the last warning window will appear:

Please note the available settings: "Use secure erase" will further increase the encryption time, and "Use protected virtual memory" will force FileVault to encrypt not only your files but also temporary system files that are temporarily dumped onto disk. There is no need to explain how this will affect the performance of the computer.

4) If after all these questions and warnings you have not changed your mind, click Enable FileVault. The system will end the session and encryption will begin, during which it is better not to disturb the computer (and especially not to turn it off!). When everything is over, you will find that your user folder icon has changed from the usual house to a steel safe. You won't notice any other changes (well, except for terrible system slowdowns at every turn ;).

Disabling FileVault occurs in much the same way, through the FileVault tab of the Security panel.

P.S. Let's repeat: we would not recommend enabling FileVault right away. First, read the rest of the articles in our series, the next of which will be devoted to the free program TrueCrypt.

"Only the paranoid survive"
- Andrew Grove, ex-CEO of Intel

For users who store important files on their computer, Mac OS X has the FileVault feature, which encrypts the entire contents of your home directory (Macintosh HD -> Users -> Your_Name) with the strong AES-128 algorithm (Advanced Encryption Standard with a key length of 128 bits, a government standard in the USA).

Do not forget that the usual setting of a password for logging into the system does not encrypt the data; if desired, accessing it is quite simple. Therefore, to truly protect the files themselves, use FileVault, or other cryptographic solutions.

To activate FileVault, select Security in the System Preferences panel (as shown in the screenshot), set the necessary parameters and create a Master Password (if one has not already been created), with which you can access the data if you forget your account password (this is very handy for system administrators: files can be accessed at any time, even if the employee no longer works for the company and refuses to provide the password). After activation, the system will reboot and all contents of the home directory will be encrypted (the process may take quite a long time, depending on the amount of information).

After this, the icon of your home directory will change, and all its contents will be stored in encrypted form: when you access a file, it is decrypted while you work with it and automatically encrypted when you finish. Apple did all this with its characteristic simplicity and convenience. Enabling FileVault does not complicate the use of the system in any way.

However, you may encounter the following features:

  1. Additional load on the processor. Constantly encrypting and decrypting files on the fly creates additional load on the processor. In most cases it is practically unnoticeable; you will notice it only when working with large files that require intensive hard drive activity (for example, when working with video). Therefore, it is better to store especially large and non-confidential files (for example, movies) not in your home directory but in a regular folder on your hard drive (the next point only confirms this recommendation).
  2. The need to recover free disk space. Deleting a file from your home directory and emptying the Trash will not free up disk space. The encrypted image of your directory is one big file which, for cryptographic reasons, cannot be quickly reduced in size. When you log out of your account (or fully reboot the system), the system will offer Disk Space Recovery, that is, actually reclaiming the disk space occupied by previously deleted files. This operation can take dozens of minutes, so if you are using a laptop that is not connected to power, the system will not offer Disk Space Recovery. Think Different.
  3. Vulnerability in case of disk errors. Be sure to back up your data, because the encrypted directory is one large file, and access to it may become impossible if there is a damaged cluster. Without encryption you risk one or more files; with FileVault activated, the entire directory at once.
  4. Impossibility of data recovery. Don't forget your password. You can recover data either with the password of the corresponding account or with the Master Password. If you don't remember either one, the data is lost forever.
  5. Mac OS X 10.4 Tiger adds a new option: encryption of virtual memory (the swap file). When you work with documents, parts of them are stored in this file, and with access to your hard drive it is possible to recover some documents that you recently worked with. Of course, enabling this feature will further increase the CPU load.

Have a nice day!

Today I will tell you, dear Habrapeople, about how to store your data in the cloud and not worry about it. More precisely, I will talk about an interesting opportunity to make an encrypted disk image in Mac OS X using the system itself.

For experienced users (whom I ask you not to judge too harshly), this topic is of no use, so don’t be distracted. But I’m sure many people will find the information useful.

So, now we will create an encrypted image using Disk Utility and save it to Yandex.Disk (fortunately, it now allows you to store encrypted data).

First, let's open Disk Utility. To do this, open the "Utilities" folder in the launcher and find the program there. Now click "New Image".

Now we set up our new image. Let it, for starters, be 500 MB in size. Too little? Well, we'll make it a growing image so we can put as much data there as we want. In addition (we want to encrypt, right?), we select the encryption method: fast or reliable. And finally, we select the storage location for the image (that is, the Yandex.Disk folder), the name for the file and the name for the disk itself, which will be displayed in Finder.

Click the “Create” button and enter your date of birth and a good and reliable password. Optionally, we can disable remembering this password to improve security.

That's all! The disk image is ready, it is in the Yandex cloud and it is encrypted! If you unchecked the "Save password" checkbox (or opened your Ya.Disk on another Mac), then when you try to open the mydata.sparseimage file, the following password entry dialog will appear:


If the password is correct, the drive will connect and open in Finder.

Well, now you can open this disk from any Mac, work with its contents and not worry about data security. The only thing that requires testing is simultaneous work with images from different systems. But, if you consider that Ya.Disk stores the file only in the cloud, there shouldn’t be any big problems. Or would it be with dropbox, hehe.

I remind you once again: the article is intended for inexperienced or incurious Mac users and does not pretend to be innovative. Dedicated to Cloudy Friday on Habr.

P.S. This method has an obvious big disadvantage: you can work with such a disk only on Mac OS X, period. No Windows/Linux/Android/iOS. If you know any good cross-platform encrypted drives, please let me know.

Today we present the first in a series of articles dedicated to preparing a Mac for hacking. We will assume that you have performed a clean install of Mac OS (previously called OS X), because otherwise your steps may be slightly different. Even then, however, there should be no particular difficulties.
The first step in creating a working environment for hacking is full disk encryption (FDE). This procedure reliably protects your information from prying eyes and is standard practice, for hackers and not only for them. Since securely encrypting a disk is not a problem today, there is no reason not to do it.
We will use FileVault, the FDE built into the Mac operating system, which performs full disk encryption using XTS-AES with a 128-bit key. This encryption scheme complies with FIPS standards and is recommended by the National Institute of Standards and Technology (NIST) for use in regulated industries such as government and healthcare. Overall, this is a good and strong encryption scheme.

Step 1: Find FileVault

Go to "System Preferences" and find the "Protection and Security" section in the first row. Alternatively, you can use the command below for the same purpose. Just copy it, paste it into Terminal, and press Enter. The -b parameter (bundle identifier) tells open to use System Preferences to open the Security & Protection section.

open -b com.apple.systempreferences /System/Library/PreferencePanes/Security.prefPane

Next, in the "Protection and Security" section, select the FileVault tab. To make changes, click the lock icon in the lower left corner of the window and enter your administrator name and password in the pop-up window.

Step 2: Enable FileVault

Before clicking "Enable FileVault", be sure to read the warning that appears on the screen.

WARNING. To access your data, you must provide an administrator password or recovery key. A recovery key is created automatically during the setup process. If you forget both the administrator password and the recovery key, your data will be lost.
Now read that again. This is very important, because forgetting both the password and the recovery key is the same as simply erasing all your data. That is exactly what you will have to do to be able to use your Mac again.
When you're ready, click "Enable FileVault".
If you have iCloud activated (Yosemite and later), you will see a dialog box asking what you would like to use if you forget your administrator password and have to create a new one: your iCloud account or a recovery key. (If iCloud is not activated, you will see the recovery key right away.) Since the cloud is, in essence, someone else's computer, we recommend using a recovery key and keeping a record of it on paper.
Once you have decided what to do with the recovery key, click "Continue".

To keep your recovery key safe and accessible, copy it into a text editor, print the document and keep it in a safe place. Do not store the key on your computer's hard drive. If you forget your password, you will not be able to log in to the system and, accordingly, you will not have access to the key either.
After making sure that everything is in order with the key, click "Continue".

If you are not the only user on your computer, a dialog box will open prompting you to enter the passwords of all users in order to "Allow" them to decrypt the disk. You will, of course, allow access for your administrator account; for the others this is not necessary, and it all depends on whether you want other users to be able to decrypt the disk. Once you have completed this step, click "Continue".

Step 3: Restart your computer

Next, you will be asked to restart your computer. Save and close all applications you were working with and click "Reboot".
After the reboot, FileVault will begin encrypting the disk in the background, which can significantly slow down your computer until the process is completed. The amount of time required for encryption depends on the size of the drive. You can track the progress in the FileVault section of "System Settings".

Note. If you have a modern computer with an SSD, the encryption and decryption process will be much faster than with a rotating HDD. So if a quick system start is important to you, keep this in mind. And the information will have to be encrypted in any case: a hacker needs to be more careful.

Step 4. Verify the authenticity of the key!

The last step is to verify the authenticity of the key. You need to make sure that it can actually decrypt your Mac when required (on Mavericks and later). For this we will use the Terminal application, which is located in the "Utilities" section of the Programs folder.

In the Terminal window, enter the following command:

sudo fdesetup validaterecovery

Press "Enter". Next, you will need to enter the administrator password. The password will not be displayed as you type it; don't let that bother you. When finished, click "Continue". You will then be asked to enter your recovery code in the format xxxx-xxxx-xxxx-xxxx-xxxx-xxxx. As with the administrator password, the key will not be displayed as you enter it, so be careful and take your time. Alternatively, you can type it into a text document, then copy and paste it into Terminal and press "Enter". If the key is genuine, the shell will confirm this.

If the key is not genuine, it means you entered it incorrectly, copied it incorrectly from the document, or it was somehow damaged. If you are sure that you did everything correctly and a new attempt to enter the key led to the same result, you will have to return to the FileVault section in System Preferences, disable FileVault, and then repeat all steps starting from the second.
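
One way to script the checks around Steps 3 and 4, as an added example that is not part of the original article: it classifies `fdesetup status` output and checks a transcribed recovery key against the xxxx-xxxx-xxxx-xxxx-xxxx-xxxx layout before `sudo fdesetup validaterecovery` is run. The function names, the sample status text and the sample key are constructed for illustration, and the A-Z/0-9 character set is an assumption.

```sh
#!/bin/sh
# Added example (not from the article): checks to run around Step 3 and Step 4.
# The status text and the key used here are constructed samples; the status
# wording is modelled on typical `fdesetup status` output (an assumption).

# Classify `fdesetup status` text read from stdin.
# Prints: on | off | encrypting:<pct> | decrypting:<pct> | unknown
fv_state() {
    awk '
        /^FileVault is On/        { state = "on" }
        /^FileVault is Off/       { state = "off" }
        /^Encryption in progress/ { prog = "encrypting"; pct = $NF }
        /^Decryption in progress/ { prog = "decrypting"; pct = $NF }
        END {
            if (prog != "")       print prog ":" pct
            else if (state != "") print state
            else                  print "unknown"
        }'
}

# Normalise a transcribed recovery key (strip whitespace, upper-case) and check
# the xxxx-xxxx-xxxx-xxxx-xxxx-xxxx layout from Step 4. Assumes each group is
# made of A-Z and 0-9. Prints the normalised key; returns 1 if malformed.
rk_normalise() {
    key=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    if printf '%s\n' "$key" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'; then
        printf '%s\n' "$key"
        return 0
    fi
    return 1
}

# Decide whether validating the key makes sense right now.
# $1 = status text, $2 = key as copied from the printed sheet
ready_to_validate() {
    state=$(printf '%s\n' "$1" | fv_state)
    case "$state" in
        on|encrypting:*) ;;   # the volume is encrypted or being encrypted
        *) echo "skip: FileVault state is '$state'"; return 1 ;;
    esac
    if ! rk_normalise "$2" >/dev/null; then
        echo "skip: key is not six dash-separated groups of four"
        return 1
    fi
    echo "ok ($state): run 'sudo fdesetup validaterecovery' and enter the key"
}

# Use the real status on a Mac; otherwise fall back to a constructed sample.
STATUS=""
if command -v fdesetup >/dev/null 2>&1; then
    STATUS=$(fdesetup status 2>/dev/null || true)
fi
[ -n "$STATUS" ] || STATUS='FileVault is On.
Encryption in progress: Percent completed = 42'

# Constructed key with a typical copying slip: lower case, stray spaces.
# For a real key, read it with `read -r` rather than typing it as an argument,
# so it does not land in the shell history.
ready_to_validate "$STATUS" ' ab12-cd34-ef56-gh78-ij90-kl12 ' || true
```
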

Your drive is ready for hacking

Once you complete all the previous steps, you will have an encrypted disk. But don't forget that full disk encryption (FDE) protects only stored data.
Ross William Ulbricht, the famous owner of the anonymous trading platform Silk Road, used FDE to secure his data but did not really follow OPSEC rules. The FBI waited for Ulbricht to log in and arrested him while the drive was still unlocked. He didn't even have time to close the laptop lid.
As a result, Ulbricht received a life sentence. Don't repeat his mistake!

Don't miss new articles

So, your disk is completely encrypted, and the first step in preparing your Mac for hacking is complete. In the following articles we will talk about encrypting a disk image, using KeePass, Terminal and much more.

Disclaimer: This article is written for educational purposes only. The author or publisher did not publish this article for malicious purposes. If readers would like to use the information for personal gain, the author and publisher are not responsible for any harm or damage caused.
