One of my goals for this year was to start encrypting more of my data. This has become a higher priority now that I’ve switched to a MacBook Air from my 15″ MacBook Pro. I’m honestly worried that I’ll leave that little thing somewhere. It’s so light I don’t even notice if it’s not in my bag…so I thought moving to full-disk encryption was a good idea.
Being a OSX user I am using File Vault 2 which arrived with Lion. Unlike File Vault, FV2 does full disk encryption where as the original File Vault just encrypted your home directory. While everything of value on my MBA is in my home dir I do like the idea of full encryption. Like almost everything Apple does the implementation of full disk encryption is very elegant so I thought I’d do a quick writeup on it as well as perform some before and after benchmarks.
The first question most people ask when looking at full-disk encryption…or any encryption really…is how they can recover their data should their be a problem. Apple does a very good job with this. When you enable File Vault 2 you are given a recovery key. You should take care to have that key somewhere OFF OF YOUR ENCRYPTED SYSTEM and safe should you need it later. It does no good to have that key in a text file…which is encrypted on your system.
The first step is to just enable File Vault 2. Now, if you upgraded to Lion from Snow Leopard and used the original File Vault you can’t use them both together. When you enable FV2 it should ask you if you want to stop using FV and start using FV2. My vote is yes…yes you do. To enable FV2 just go to System Preferences and then Security & Privacy. Click the FileVault tab and then click the lock at the bottom left to enable changes. Enter your password. Next it’s as simple as just clicking Turn On FileVault…
NOTE: If you have multiple user accounts on your computer (and I don’t) you will need to tell FileVault which users are allowed to unlock the disk. If you do not let a user unlock a disk but still want them to log in then a permitted user must first log in to the system, then log out, and then let the user that cannot unlock the disk log in so it’s a multi-step process. You will be prompted to authorize users when you enable FileVault.
After clicking the button to enable FV2 you will be given the recovery key as mentioned before. Keep this somewhere besides the system you are encrypting!
And no..that’s not my recovery key! 😉
As a second layer of protection you are given the option to have your key stored on Apple’s system. It is encrypted on their side and you need to answer three security questions to recover the key. Make sure that you answer these specifically as you will need to give them back EXACTLY as you typed them in.
Fill out three of your favorite questions and Continue. You will be prompted to reboot your system so make sure and save anything you need and tell it to go ahead. You may notice something different…your login screen is different. You no longer have your pretty background and it appears faster. That’s because you no longer log in to OSX. Instead, you log in to the EFI (BIOS for the system) and then your login credentials are passed through to OSX. This is how the disk is “unlocked” for use and OSX allowed to boot.
Your system is now encrypting your disk in the background. To check the status just go back to Security & Privacy and you will see the status and an ETA. On my 256GB 1.8GHz i7 MacBook Air it took like 45 minutes or so. You can continue to use the system while it’s encrypting..and honestly I didn’t even notice that it was doing it.
Now for the next question…what kind of performance hit will I take? Here is a table that I created by doing three tests with Xbench before and after:
|Decrypted (Numbers in MB/sec)|
|Uncached Write (4K)||275.38||274.54||264.97||271.63|
|Uncached Write (256K)||165.26||165.21||190.06||173.51|
|Uncached Read (4K)||27.81||27.64||27.91||27.79|
|Uncached Read (256K)||213.79||232.44||212.31||219.51|
|Uncached Write (4K)||84.46||84.74||84.02||84.41|
|Uncached Write (256K)||197.93||223.34||199.17||206.81|
|Uncached Read (4K)||12.11||14.27||12.03||12.80|
|Uncached Read (256K)||161.96||184.78||161.34||169.36|
|Encrypted (Numbers in MB/sec)|
|Uncached Write (4K)||266.76||267.28||267.51||267.18|
|Uncached Write (256K)||172.23||170.72||148.7||163.88|
|Uncached Read (4K)||22.39||22.55||22.82||22.59|
|Uncached Read (256K)||190.1||189.46||189.83||189.80|
|Uncached Write (4K)||84.72||84.11||84.39||84.41|
|Uncached Write (256K)||178.24||180.38||176.94||178.52|
|Uncached Read (4K)||11.23||11.24||11.2||11.22|
|Uncached Read (256K)||122.75||122.12||123.22||122.70|
As you can see there is a performance hit, but it’s not terrible. It ranges from 0% to a little over 25% for large uncached reads. Most things are in the 10% to 15% range. Also keep in mind that this is against throughput…the encryption should not have a large impact on IOPS, which is what I care about with a notebook drive and why I use SSDs. Also note that this is the internal SSD in my MacBook Air.
I’ve had my drive encrypted for several days now and honestly I can’t tell any difference at all. But…if you find you don’t like the encryption for any reason it’s very easy to undo it. Just go back to Security & Privacy and click the button to decrypt your drive. It will ask you to reboot again and then start the decryption process in the background…almost exactly what you did but in reverse. Very easy. Very elegant.