File Vault Information

What is File Vault?

File Vault is a built-in encryption system for Mac OS X 10.3 and higher, which protects the users home directory on Macintosh OS X systems.  File Vault operates by using a variation on the “Portable Home Folder” system that the Macintosh OS offers.  The principal is that the a new home folder is placed on a AES encrypted disk image, and then old home folder is moved onto this encrypted disk image.

When a user that has a File Vault is logged in the OS mounts the encrypted disk image, and make a hard/soft link to this disk image.  This makes the user’s home directory point directly to the encrypted disk image, thus making the process virtually transparent to the user.  When the user logs off, the disk image is potentially compressed to free unused disk space, and unmounted to prevent unauthorized access.  In Mac OS X v10.4 (Tiger), FileVault stores the encrypted file system as a Sparse Disk Image, which is basically a single large file. In Mac OS X v10.5 (Leopard), FileVault stores the encrypted file system as a new image called a Sparse bundle. Sparse bundles break images into smaller 8MB files called bands, allowing them to be backed up using Leopard’s Time Machine feature in 8 MB increments. Please note: Leopard and Snow Leopard does not automatically convert a Sparse Disk Image into Sparse Bundles.  To do the upgrade, the user must turn off File Vault & then re-enable it.

When using FileVault, it is not possible to select which parts of the disk to encrypt, only the users home directory is encrypted. So File Vault is not a form of whole disk encryption, such as PGP Whole Disk Encryption, or CheckPoint’s Pointsec.  Similarly, specific files or folders cannot be encrypted using FileVault, although the same encrypted disk image technology can be used for this purpose through the Disk Utility Application.

Known Issues

Here is the list of known issues with File Vault, that I am aware of, please feel free to submit more (either through comments, or email):

  • Adobe Updater has issues with File Vault – This means that in an organization, you will need to have an user or IT Professional download the update from the Adobe Web Site, and manually run the installer.
  • The IT department will not be able to run some updates remotely.  For example, Microsoft Office Updates are run on a per user basis.  I currently use Apple Remote Desktop to access Idle Machines, and push the updates out to the systems.  Since File Vault users home directory is accessable through ARD we may not be able to do this.
  • Unlike Pointsec, the Macintosh User has the ability to turn off FileVault.  There is no way to prevent the user from turning off the File Vault Encryption.  So if it is a requirement from IT, the user can abort the encryption, or turn it off once done encrypting.
  • Since this is not a whole disk encryption, this does not protect any additional drives, and any content that is placed outside of your home directory is totally unencrypted.
  • File Vault’s Content is automatically encrypted and decrypted on the fly. Although early versions were slow and caused system to temporarily hang when used with disk-intensive applications, such as sound and video editing, the performance of FileVault has been improved in more recent versions of Mac OS X.
    • There is a perceived slow down in the boot up & login sequence with File Vault turned on.
  • File Vault requires the user to logged out to Enable or Disable File Vault.  This could be hours of down time to Enable or Disable File Vault.  The File Vault Sparse Disk Image does not get compacted, until the user logs out…  But this is a voluntary option, File Vault will ask the user if they wish to compact the image.  So if the user never authorizes the compaction, the unused space on the image may never get reclaimed.
  • If the user attempts to turn off File Vault, and is unable to (eg, the OS reports that there is not enough disk space), try to free more disk space.  File Vault needs significant amounts of disk space, to move the data out of the encrypted disk image.  This disk space requirement could be 2-3 times the size of the current user folder, or higher.
  • Sophos Antivirus may freeze on Login with File Vaulted systems.
    • This behaviour is also described in the current Sophos 4.9.19 (Feb 2009) Readme:   “(DEF 19925) On OS X 10.5.x with FileVault enabled, the on-access scanner can cause deadlocks.” http://downloads.sophos.com/readmes/readmacx.html (Translation – Login freezes & locks up when logging in with FileVault & On-Access scanning turned on.)
    • First detected in July 2008, as per Apple Forums (http://discussions.apple.com/thread.jspa?threadID=1629343&tstart=57 )
    • Confirmed with March 2009 Update (Sophos Version 4.9.20, Threat Engine 2.84.1, and Threat Data 4.39, March 2009)
    • “The below command can help to alleviate the issue.We have made it possible for the user to change the number of threads that we use for scanning with, this helps to alleviate the issue by having more SAVI threads available when the machine is opening the FileVault bundle.By default we use 4 threads. This can be increased by running this command: CMD: defaults write /Library/Preferences/com.sophos.sav WorkerThreads -int 15
      • The number at the end of the command, in this example, 15, is the number of threads to be spawned at startup.
      • Please note that each additional thread will take up approx 8Mb of memory.
      • Customers should be advised to test this before implementing it across their network.
      • This is not a fix, but a work-around. The tech said he didn’t know if Snow Leopard (OSX 10.6) or the next full version of Sophos would address the issue further.
    • This issue is not listed in the Readme for Sophos Antivirus 4.9.26 w/Threat Detection engine 2.90.1, as of September 2009.  It is unclear if the above workaround has been added to the application, or if a fix has been incorporated.  This maybe fixed in Sophos v7.xx, I have not been able to confirm this.
    • If running Leopard or Snow Leopard, Sophos Version 7.05 or higher is required.  If upgrading to Snow Leopard, uninstall any previous version of Sophos, upgrade, and then install 7.05 or higher.  (http://www.sophos.com/support/knowledgebase/article/62329.html)
  • Backup software, at this time, can not incrementally backup the File Vault, and can not reliably backup a sparse image file.  So most Backup software require the user to be logged in, before any chance of a backup of the File Vault could occur.  This can prevent the backup of the machine, and risks loss of data.
    • System can NOT be set to auto-log out, since Backup software may require the user to be logged in to backup the File Vault.
    • For Retrospect, The SpareImage Files must be set to ignored (in preferences) or a filter setup to ignore SpareImage files.
    • If handled improperly, or the File Vault was created under 10.4x, the File Vault would not be incrementally backed up, and would require a new copy of the file vault for each backup.  This would quickly fill up the available space on the backup device.
    • Retrospect 8 has the same limitations with File Vault ( http://forums.dantz.com/showtopic.php?tid/28927/)
  • Time Machine, can incrementally backup a File Vault (created under 10.5x), but it requires the user to be logged out (at the login window).
    • Time Machine users need to exclude their user folder, when using File Vault.  If they do not, they will be backing up their user folder twice.  Once from the virtual home directory, and once from the Sparse Bundle image file, when logged out.  This is normally added when you switch to File Vault, but if you clear your exclusions or run a script that repopulates it, you may need to re-add it.
    • File Vault users do not get a “transparent” time machine backup every hour of the day.  The only time the Time Machine backup occurs when the user is logged out & the Time Machine drive attached.  Most users do not leave there systems logged out for any significant length of time.  This requires the user to be accept downtime, while the system backups up.
    • File Vault users have to manually restore file through the file system. The “Galaxy” user interface is not available.
    • Requires the purchase of a additional hard drive (~$100-150 for a 750Gb or 1 Tb drive) or a Leopard (or Snow Leopard) based network share (eg. Drive Shared from a Snow Leopard / Leopard based computer, Time Capsule, or Airport Extreme Shared drive(s))
    • The System should be set to auto-logout when idle, to assist in getting regular backups of the File Vault.
    • the proper to backup a File Vault with Time Machine is
      • Attach the Time Machine backup drive.
      • After the Time Machine backup drive shows up in Finder, then log out of your FileVault account and make sure the logout window specifically says that it’s backing up the FileVault.
      • Time Machine does not backup the Entourage database, if Entourage is running.  Entourage somehow prevents Time Machine from backing up the database, if Entourage is running.
        • To force a backup of Entourage
          • Quit Entourage, My Day, and any other MS product.
          • Go to Time Machine, and choose Backup now.
      • Time Machine, can be sensitive to drive issues, and silently fail or become stuck.
        • If the Free Space Allocation table is damaged, Time Machine can become “stuck” at the Preparing phase and never finish preparing.  Eventually the system will eventually lock up (system is still responsive, but drive related function may not occur in a timely manner, eg can’t log out, reboot, restart, or start an application).

Disaster Recovery:

  • This assumes that the hard drive is physically intact. Put the drive into a 2.5″ enclosure and hook it up to another Mac.
    • First attempt to open the Disk Image, by going to the new drive’s USERS folder, and double clicking on the File Vault users disk image (it should be named the same as the users SHORTNAME).  This should then cause the system to prompt for the password.  Once the password is entered, it should mount as a disk image.
    • If that doesn’t work, try this use an Admin account (call it user2) to mount user1′s FileVault using the following command in Terminal :sudo hdiutil attach /Volumes/UpInFlames/Users/user1/user1.sparsebundlewhere UpInFlames is the volume name of your MacBook drive. You’ll need the password of the user2 as well as the password on the sparsebundle.

Recommendations:

  • Move your iTunes and iPhoto libraries into /Users/Shared. FileVault takes your entire home folder and encrypts it into one big file; by moving iPhoto, iTunes, and movie files out, you can keep the size of this file down and improve reliability. In iTunes, go into Prefereces:Advanced, and select where to keep your iTunes Library. Make sure you check the box that says “Keep iTunes Music Library Organized” (this screenshot should help). Then go into Advanced:Consolidate Library and iTunes will move all your files for you. For iPhoto, just move your iPhoto Library. The next time you launch iPhoto it will ask you to point it towards your library. Then again, if you have, shall we say photographs of a “private” nature, you might want to leave them where they are so the will be encrypted.
  • System Preferences –> Security  –> Turn on Log Out after XX minutes of Inactivity     — Set to 30 minutes
    • Set only if using Time Machine.  Do not set if using Retrospect.
  • System Preferences –> Security  –> Turn on Use Secure Virtual Memory
  • System Preferences –> Security  –> File Vault –>  Master Password
    • This allows you to establish a master password so that you can retrieve the File Vault information, if the user forgets their password.