
About FileVault 2 in OS X 10.7 Lion

Apple has replaced its original FileVault technology with a full-disk encryption option in OS X Lion.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Ever since its introduction in OS X 10.3, Apple has maintained its FileVault encryption technology for securing home folders in an encrypted disk image that mounts when users log into their systems. Apple's only major change to this technology came in Leopard with the implementation of Time Machine, where sparsebundle disk images were used to facilitate incremental backups. In OS X 10.7 Apple has introduced a full revision of FileVault that approaches file encryption from a completely different standpoint.

With FileVault 2, Apple has done away with the standalone encrypted disk images in OS X, and replaced it with a full disk encryption option that uses XTS-AES 128-bit encryption on all files on the system. This means that all files on the disk (system files, user files, applications, and anything else) will be encrypted and unlocked at boot, so if your system is stolen then without your password, not even your applications or system configuration files can be accessed and used by a thief or unwanted third party.

How FileVault 2 works

Recovery partition in Disk Utility
The hidden recovery partition will hold the keys needed to unlock and decrypt FileVault-enabled systems.

The way FileVault 2 works is that the OS sets up a recovery partition that is used to store the encrypted keys used to unlock the encryption. The recovery partition is created for all Lion installations and is used for system maintenance, but it is also a requirement if you wish to enable full-disk encryption on the boot drive.

When the system boots, it accesses the recovery partition and loads the login screen to present to you. When you then supply your password, it unlocks the boot drive and continues to load the OS and your user account before dropping you to your desktop. As a result, the preboot login screen may appear much more quickly on systems with FileVault 2 enabled than on those without it.

If you enable FileVault 2, the system will only allow authorized accounts to unlock and boot the system. Therefore, any existing accounts will need to be specifically authorized to handle disk encryption by going to the Security system preferences and choosing specific users after clicking the Turn on FileVault button. When you do this, the account's credentials will be paired with the encryption management in the recovery partition, so that user can then log into the system. This setup works not only with local user accounts but also with networked user accounts (Open Directory or Active Directory), as it caches the user credentials in the same way. If an account is not added to FileVault 2, you will first need to unlock the system with an authorized account and then log out to allow unauthorized accounts to log in and use the system.

Because the entire disk is encrypted and unlocked when logged in, Time Machine backups will now work as you use the system, instead of requiring you to log out so the sparsebundle could be copied in its unmounted state. This is a major convenience to people who have encrypted their systems.
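The two things described above that a practitioner would want to verify on a Lion Mac are that the Recovery HD partition exists and that the boot volume is actually a CoreStorage volume with AES-XTS encryption fully converted. The script below is an added example, not part of the original article: it parses the text of `diskutil list` and `diskutil cs list` (the latter is `diskutil coreStorage list`), using the real commands when `diskutil` is available and otherwise falling back to constructed sample output that mimics Lion's format (the UUID and sizes are placeholders).

```shell
#!/bin/sh
# Added example: check for the Recovery HD partition and the FileVault 2
# (CoreStorage AES-XTS) status by parsing diskutil output. Not article code.

# Constructed sample of `diskutil list` on a FileVault 2-enabled Lion Mac.
SAMPLE_LIST='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *498.9 GB   disk1'

# Constructed sample of `diskutil cs list` (UUID is a placeholder).
SAMPLE_CS='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-PLACEHOLDER-UUID-000000000000
    Name:         Macintosh HD
    |
    +-> Logical Volume 00000000-PLACEHOLDER-UUID-000000000001
        Disk:               disk1
        Status:             Online
        Volume Name:        Macintosh HD
        Encryption Type:    AES-XTS
        Encryption Status:  Unlocked
        Conversion Status:  Complete'

# Returns 0 (true) if the `diskutil list` text contains a Recovery HD partition.
has_recovery_partition() {
    printf '%s\n' "$1" | grep -q 'Apple_Boot *Recovery HD'
}

# Returns 0 (true) if the `diskutil list` text shows a CoreStorage partition,
# which is what FileVault 2 converts the boot disk into.
has_corestorage_partition() {
    printf '%s\n' "$1" | grep -q 'Apple_CoreStorage'
}

# Prints one of: encrypted, converting, unencrypted
# based on the `diskutil cs list` text passed as $1.
fde_status() {
    cs_text="$1"
    if printf '%s\n' "$cs_text" | grep -q 'Encryption Type: *AES-XTS'; then
        # Conversion runs in the background after FileVault 2 is turned on;
        # only "Complete" means the whole disk is actually encrypted.
        if printf '%s\n' "$cs_text" | grep -q 'Conversion Status: *Complete'; then
            echo encrypted
        else
            echo converting
        fi
    else
        echo unencrypted
    fi
}

# Use the live commands on a Mac; fall back to the constructed samples elsewhere.
if command -v diskutil >/dev/null 2>&1; then
    LIST_OUT=$(diskutil list)
    CS_OUT=$(diskutil cs list 2>/dev/null)
else
    LIST_OUT="$SAMPLE_LIST"
    CS_OUT="$SAMPLE_CS"
fi

if has_recovery_partition "$LIST_OUT"; then
    echo "Recovery HD partition: present"
else
    echo "Recovery HD partition: MISSING (FileVault 2 cannot be enabled)"
fi
if has_corestorage_partition "$LIST_OUT"; then
    echo "CoreStorage boot partition: present"
else
    echo "CoreStorage boot partition: absent"
fi
echo "Full-disk encryption status: $(fde_status "$CS_OUT")"
```

A disk that reports `converting` is still partly in the clear, so a defender auditing a fleet should treat anything other than `encrypted` together with a present Recovery HD as not yet protected.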

Managing existing FileVault accounts

FileVault Account preferences
Each account on the system will need to be enabled for FileVault access; otherwise the system will not allow that account to boot OS X.

If you already use FileVault in Snow Leopard or an earlier version of Mac OS, it will continue to function as it always has after upgrading to Lion, but it will not work in conjunction with FileVault 2 if you wish to set that up. Existing FileVault accounts will remain functional, but new ones cannot be created until you disable FileVault on all accounts. Logging in to an old FileVault account will unlock the account's sparsebundle disk image at the login screen as it always has, and load your data and settings. With FileVault disabled for all accounts, you will then have the option to enable FileVault 2 for the drive.

While Apple is maintaining support for the original FileVault for people who currently use it, any new accounts on the system will be required to use FileVault 2 for encryption. If you would like to turn off the legacy FileVault and use only FileVault 2 for your accounts, you will first have to turn it off for every account on the system; once it is gone, the option to use it will disappear and never be available again.

Password management

As with the master password on the original FileVault, Apple has maintained a similar option for FileVault 2. When you enable FileVault 2 you will have the option to create a recovery key that will be stored on the recovery partition and allow you to unlock the disk if you have forgotten your account passwords.

In addition to the local recovery key, Apple provides an option to store your key in an encrypted form with Apple so you can retrieve your key anywhere you have an Internet connection and be able to reset your user account passwords to log into your system.
