Macs at Work and Home
Blurred Lines, Part Two: Full Disk Encryption for Your Mac
Last week in “Blurred Lines, Part One: Using Macs at Work and Home,” Tom Lambotte explained the reasons your firm needs a mobile device management policy. In Part Two, the Mac IT pro explains why you need to embrace full disk encryption. Tom will be speaking at the session “Home-Mac; Work-Mac” at ABA TECHSHOW this month.
Just because you use a login password on your laptop does not mean the data is secure. You must also fully encrypt your Mac’s hard drive. Why? A standard password-protected computer leaves the contents of its hard drive accessible to anyone with the patience to remove the drive. Apple’s FileVault program, however, encrypts the entire contents of a device at disk level. That makes it impossible for anyone without the login password to access the data on the computer.
Let me repeat to make sure this point is not lost: Just because you have password login enabled on your laptop, that does not mean your files are completely protected. Anyone could open your computer, remove the drive and plug it into another computer, and have full access to everything there.
With FileVault, however, as soon as your Mac is shut down, its entire drive is encrypted and locked up. Only when an authorized user turns on the Mac and logs in are the drive’s contents unlocked. (Yet another reason why it’s a good idea not to have an obvious password.)
Working with FileVault
Okay, so the action plan is to encrypt all hard drives with firm data on them. Here’s the play-by-play to enable and use FileVault.
If you are setting up a new Mac, Apple has gone as far as to make enabling FileVault the default setting as of Yosemite 10.10. In fact, Apple defied the FBI by making this the new default back in October 2014. By default, these two boxes are checked: “Turn on FileVault disk encryption” and “Allow my iCloud account to unlock my disk.” Unless you actively decline the offer, your hard drives will be encrypted.
If your Mac’s a little older, here’s how to determine whether FileVault is enabled on your current system:
- From the Apple menu, choose System Preferences.
- Click the Security & Privacy icon.
- Click the FileVault tab.
If FileVault is turned off, use these steps to turn it on:
- Make sure you are logged into an account that has admin privileges.
- Click the lock icon and enter an administrator name and password.
- Click the “Turn On FileVault” button.
If you enable FileVault on a Mac with more than one user account, it will prompt you to choose which users can unlock your startup disk. Click “Enable” to let that user log in to your Mac at startup. Keep in mind that any users who are NOT added will not be able to log in to your Mac until one of the allowed users logs in. Another great benefit of enabling FileVault is that it turns off automatic login, so your system no longer logs in by itself upon boot.
After this step, you will be offered a choice of recovery options. The recovery option, aka FileVault key, is a backup for getting into your system. If you forget your main user account password, this recovery option is the only way to get into your system.
- In OS X Yosemite, you store the FileVault key in iCloud. This means you’d use your iCloud login to unlock your drive or reset your password. In OS X Mavericks, you can share your FileVault key with Apple by answering a set of security questions. You can then contact Apple Support if you forget your login password and need to decrypt your startup drive.
- You can also choose to create a recovery key and not use your iCloud account. This consists of a random combination of numbers and letters. You are responsible for recording this key somewhere and keeping it safe.
- If your Mac is being managed by your firm, and they are set up for this, the firm can also set a recovery key to unlock it.
I recommend storing the FileVault key with iCloud because it makes it easier to access — you just use your iCloud ID to recover the key. Make sure you save the answers to your security questions and FileVault key in a secure location, such as 1Password, in an encrypted, secure note. In other words, don’t write the combination to your safe on a sticky note on top of the safe! The added benefit of storing the key in iCloud is that you can recover it from Apple Support.
On the other hand, if you are a 007-type of attorney and you need the absolute highest level of security, you may prefer to store the key yourself. Again, exercise extreme caution and store it in a safe, secure and accessible location. If you forget your computer’s login password and you are unable to access your recovery key, there is nothing at all that can be done to recover your data. At all.
The final step after setup is to restart your Mac. Once you’ve restarted, log in to your account to unlock your startup disk. The first time you log in, encryption of your entire disk will begin. Although FileVault takes a while to initially encrypt your hard drive’s contents, you can continue working (and even turn off your computer if you want) during the process. It will just pick up where it left off at the next opportunity.
An important point if using a laptop: This initial encryption will only happen when your Mac is plugged into AC power. I recommend leaving your laptop plugged in overnight until the initial encryption is complete. You can go to System Preferences > Security & Privacy > FileVault to see the progress of the encryption.
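The same status and progress check can be done from Terminal with macOS's `fdesetup status` command, which is useful when a firm needs to confirm that every laptop holding firm data is encrypted. The script below is an added example, not part of the original article; its function names are illustrative, and the sample outputs are constructed to resemble what `fdesetup status` prints, whose exact wording may differ between macOS versions.

```sh
#!/bin/sh
# Added example: classify the text printed by `fdesetup status` on macOS.
# Function names and sample strings are illustrative, not from the article.

# Print one of: on, encrypting, decrypting, off, unknown.
# Progress lines are tested first because they appear alongside the
# "FileVault is On/Off." line.
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Print the percentage from a "Percent completed = NN" line, if present.
fv_percent() {
  printf '%s\n' "$1" |
    sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# One-line verdict; exit status 0 only when the disk is fully encrypted.
fv_report() {
  case "$(fv_state "$1")" in
    on)         echo "OK: startup disk is encrypted"; return 0 ;;
    encrypting) echo "WAIT: encryption at $(fv_percent "$1")%, stay on AC power"
                return 1 ;;
    decrypting) echo "FAIL: FileVault is being turned off"; return 1 ;;
    off)        echo "FAIL: FileVault is off"; return 1 ;;
    *)          echo "UNKNOWN: unrecognized status output"; return 2 ;;
  esac
}

# Constructed sample outputs (assumed wording; varies by macOS version).
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42'

# On a Mac, report on the live system; elsewhere, show the samples.
if command -v fdesetup >/dev/null 2>&1; then
  fv_report "$(fdesetup status 2>&1)" || true
else
  for s in "$SAMPLE_ON" "$SAMPLE_PROGRESS" "$SAMPLE_OFF"; do
    fv_report "$s" || true
  done
fi
```

A Mac counts as protected only once the verdict is OK; while encryption is still in progress, part of the drive is not yet encrypted.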
Finally, the common concerns I hear from lawyers about full-disk encryption are that their Mac will slow down, or that they’ll lose access to their files.
First, your Mac’s performance: When your system’s hard drive has been entirely encrypted, you shouldn’t notice any difference in behavior or performance (on a newer Mac at least). As far as you’re concerned, the computer acts as normal, and your files are accessible as usual, because FileVault 2 is doing all the crafty work invisibly in the background.
If you are concerned about losing access to your hard drive, you shouldn’t be — if you are backing up properly. (And you should be encrypting your backups as well — but that’s another article!)
You are now secure and will be able to sleep just a bit more soundly at night!
Apple at Law Survey Highlights
Attorney at Work’s report on the 2015 Apple at Law User Survey is available for download, here.
Tom Lambotte is CEO of GlobalMacIT, a company specializing in providing IT support to Mac-based law firms. Tom is the author of "Hassle Free Mac IT Support for Law Firms" and "Legal Boost: Big Profits Through an IT Transformation." He is a popular speaker at national events such as ABA TECHSHOW and MILOfest, a Mac Lovin’ Lawyers Event. Follow Tom on Twitter @.