University Encryption Standards and Instructions
December 2011
FileVault 2 for Mac OS X 10.7 (Lion)

Capabilities
OS X 10.7 (Lion): FileVault (2) encrypts the whole system disk using XTS-AES 128-bit encryption.

Configuration Options
OS X 10.7 (Lion): General Instructions [1]:

1. Navigate to “System Preferences”.
2. Select "Security & Privacy" from the main System Preferences window.
3. Choose the tab labeled FileVault.
4. Click the lock icon in the lower left-hand corner of the Security & Privacy window.
5. When prompted, authenticate with your user account username and password.
6. You will again find yourself at the Security & Privacy window. Click the button labeled Turn on FileVault....
7. If there are multiple user accounts on this machine, you will be prompted to give additional users access. All users that need the ability to use this machine should be given disk access rights by clicking the button labeled Enable user..., entering that user's password, and clicking the button labeled Continue.
8. The following screen will display the disk's recovery key. Please record this 24-character string and store it securely as per the Recovery Management Guidelines (http://www.vpit.ualberta.ca/encryption/docs/Recovery-Management-Guidelines.pdf). Click the button labeled Continue.
9. Mac OS X 10.7 (Lion) will display a prompt asking if you wish to store your recovery key with Apple. Select the radio button labeled Do not store the recovery key with Apple and click the button labeled Continue.
10. Mac OS X will now prompt you to restart to enable FileVault and begin the whole disk encryption process. Click Restart.
11. The login process now takes place when Mac OS X reboots. This authentication serves two purposes: it unlocks the disk and logs the selected user in.
12. Upon reboot, the Security & Privacy window will open again and display the amount of time remaining until the disk is fully encrypted. The machine can be used during this time period.
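
The last step reports encryption progress only in the Security & Privacy window. The script below is an added example, not part of the University's instructions, showing one way to confirm from Terminal that conversion has finished by parsing `diskutil cs list` output. The field names it matches ("Encryption Type", "Conversion Status") and the sample text are assumptions constructed for illustration and may differ between OS X releases.

```shell
#!/bin/sh
# Classify FileVault 2 state from `diskutil cs list` text read on stdin.
# Prints: encrypted | converting | not-encrypted
# Assumption: the "Encryption Type" and "Conversion Status" field names
# match your OS X release; check them against real output first.
# Assumes a single Logical Volume Family (the usual one-disk Mac).
fv2_state() {
    awk -F': *' '
        /Encryption Type:/   { type = $2 }
        /Conversion Status:/ { conv = $2 }
        END {
            if (type !~ /AES-XTS/)       print "not-encrypted"
            else if (conv ~ /^Complete/) print "encrypted"
            else                         print "converting"
        }'
}

# Constructed sample (not captured from a real machine): conversion running.
sample_converting() {
    cat <<'EOF'
+-> Logical Volume Family 00000000-0000-0000-0000-000000000000
    ----------------------------------------------------------
    Encryption Status:       Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Conversion Direction:    forward
EOF
}

# On a Mac, inspect the real disk; elsewhere, run against the sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | fv2_state
else
    sample_converting | fv2_state
fi
```

Treat anything other than `encrypted` as not yet compliant: a machine that is powered off or lost while still `converting` has unencrypted data on disk.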

Ensure your OS X user account password(s) are strong (see the University’s password guidelines). The OS X user account password unlocks the encrypted data.

[1] Enable FileVault (whole disk encryption) on Mac OS X 10.7, Massachusetts Institute of Technology, December 1, 2011, http://kb.mit.edu/confluence/display/istcontrib/Enable+FileVault+%28whole+disk+encryption%29+on+Mac+OS+X+10.7

Office of the Vice-Provost – Information Technology www.vpit.ualberta.ca

If you already use FileVault in Snow Leopard or earlier versions of Mac OS, it will continue to function as it always has after you upgrade your computer to Lion, but it will not work in conjunction with FileVault 2 if you wish to set that up. Existing FileVault accounts will be functional, but new ones will not be made until you disable FileVault on all accounts. Logging in to an old FileVault account will unlock the account's sparsebundle disk image at the login screen as it always has, and load your data and settings. With FileVault disabled for all accounts, you will then have the option to enable FileVault 2 for the drive.
More details are available from Apple: http://support.apple.com/kb/HT4790

Prerequisites
OS X 10.7 (Lion): FileVault 2 requires OS X Lion and Recovery HD installed on the startup drive.

Backup Considerations
OS X 10.7 (Lion): Time Machine integrates with FileVault 2: http://support.apple.com/kb/HT4811 . The Recovery HD must be present on your Mac’s startup volume (not an external drive) in order to use FileVault 2: http://support.apple.com/kb/HT4718 . At the time of this document's creation, there was no ability to browse Time Machine backup files and folders, but the backup is intended to restore your system/files/folder: http://support.apple.com/kb/HT4811 .

Data Recovery
OS X 10.7 (Lion): During the FileVault 2 activation process, a recovery key is presented that should be recorded and then securely stored as per the Recovery Management Guidelines (http://www.vpit.ualberta.ca/encryption/docs/Recovery-Management-Guidelines-Dec-152011.pdf). While storing keys as per the University guidelines is strongly recommended, it should be noted that recovery keys can also be stored with Apple, in which case AppleCare will disclose them once previously enrolled security questions have been answered successfully.