FileVault2 questions

Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
Two questions about FV2:

I. This is my understanding of FV2 on Yosemite; please tell me if it's correct:

1) If someone gets hold of your computer and removes your FV-encoded drive, they can use various programs to try to crack it. These can test a vast number of combinations in a relatively short period of time, so an 8-character pwd isn't good enough. Fortunately, the pwd Apple creates is far longer than this, effectively defeating attempts from such programs.

2) By contrast, your login password could be only eight characters without compromising security because, while this only gives 36^8 = 3 x 10^12 combinations (assuming numbers and lower case letters only), this cannot be cracked in an automated fashion. Rather, cracking this password requires going through the login screen, which allows only 1 attempt every few seconds, and will deny entry after too many failed attempts.

I.e., the bottom line is that your login password only has to be long enough to defeat manual guessing, rather than computer-driven cracking programs.

Is this correct?

II. It's my understanding that if my drive is FV2-encrypted, and I decided to get rid of it, there's no need to do an erase. Is this correct?
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
I.e., the bottom line is that your login password only has to be long enough to defeat manual guessing, rather than computer-driven cracking programs.

Is this correct?

Yes, basically. My Login is 11 characters with my iCloud being an 18 Character Password. There is no way they are getting into my Mac :)

II. It's my understanding that if my drive is FV2-encrypted, and I decided to get rid of it, there's no need to do an erase. Is this correct?

All you need to do is turn FV 2 off, and it will decrypt the drive. As it's in XTS-AES 128 Encryption, it will take a while. There is no need to erase the HD.
 
OP
C
Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
Yes, basically. My Login is 11 characters with my iCloud being an 18 Character Password. There is no way they are getting into my Mac :)

Thanks!

All you need to do is turn FV 2 off, and it will decrypt the drive. As it's in XTS-AES 128 Encryption, it will take a while. There is no need to erase the HD.

I think you misunderstood me. If I decrypt the drive, and don't erase, then anyone can access my data. Again, suppose I need to get rid of a drive (and of course don't want anyone to be able to get at my data). If the data is already encrypted, does that mean there's no need to erase it? A 3-pass erase takes a while, so it would be nice not to have to bother.
 
OP
C
Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
One other question:
I understand there's two ways to encrypt a new Time Machine backup:
1) Do the TM backup to an unencrypted drive, selecting the encryption option when you start the backup. This is very slow -- putting 450 GB of data on my USB 3.0 portable looks like it's going to take ~15 hours.
2) First format the drive as "Mac OS Extended (Journaled, Encrypted)." Then proceed as above. I've read that, since the drive is already encrypted, this takes no longer than a non-encrypted TM backup (from http://www.macissues.com/2014/11/07/how-to-encrypt-your-time-machine-backups/):

"An alternative method for encrypting a drive is to set it up from scratch. Use Disk Utility to erase the drive, and when you add it as a backup destination in the Time Machine system preferences, you will be given an option to encrypt the drive. This will wipe all data on the drive, and then prompt you for a password to use for encrypting it. Unlike encrypting a drive that already has data on it, this will start from zero data so the encryption will be complete almost immediately. Now any new data copied to it (ie, your first full backup) will be fully encrypted."

Is the above correct, and is there any downside to doing it this way? [Note that this is not an option if you are making an encrypted bootable clone; in that case you need to format the drive as unencrypted, make the clone (and a recovery partition), and then encrypt it (took 14 hours); though I suppose you could make a clone of just the system folder, encrypt, and then do a full clone to the encrypted drive, which might be much quicker.]
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
Thanks!
I think you misunderstood me. If I decrypt the drive, and don't erase, then anyone can access my data. Again, suppose I need to get rid of a drive (and of course don't want anyone to be able to get at my data). If the data is already encrypted, does that mean there's no need to erase it? A 3-pass erase takes a while, so it would be nice not to have to bother.

I'm not 100% sure, but honestly, if you are going to the trouble of Encrypting the HD, I wouldn't take the chance of not doing at least a 1 Zero pass on the drive. These can be left overnight.

As to the other question in the next Post, I would be doing the Encryption via Time Machine, and staying away from the Mac OS Extended (Journaled, Encrypted) way of doing it.
FileVault 2 via a Time Machine Backup to an External drive, from what I understand, is a more secure way of Encrypting the Data.
Think of it this way, when the Drive is Mac OS Extended (Journaled, Encrypted) you drop all your Data onto it, and it sits within the walls of that Encryption.
When you Encrypt via FV 2, the actual Data is encrypted, every File and Folder, and this is why it takes longer.
Time shouldn't be a consideration, if you are going to the trouble of encrypting. When using FV2, you can sleep your Mac, turn it off and on again, and it will pick up from where it left off.
You can also leave it overnight, too. . . .

Hope that helps somewhat.
 
OP
C
Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
Think of it this way, when the Drive is Mac OS Extended (Journaled, Encrypted) you drop all your Data onto it, and it sits within the walls of that Encryption.
When you Encrypt via FV 2, the actual Data is encrypted, every File and Folder, and this is why it takes longer.

I hope you don't mind my asking, but are you sure this is how it works -- i.e., might you be able to provide a reference? For instance, it's possible the results with the two approaches are identical, and the reason the standard way takes so long is that it needs to restructure the format as it goes, rather than being able to just decrypt the files on the fly (which it can do quite quickly, as evidenced by how little effect encryption has on general performance) into an already-prepared container.

Once you've completed a TM encryption in the standard way, do subsequent TM backups take far longer than they would if TM were not encrypted?
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
I hope you don't mind my asking, but are you sure this is how it works -- i.e., might you be able to provide a reference? For instance, it's possible the results with the two approaches are identical, and the reason the standard way takes so long is that it needs to restructure the format as it goes, rather than being able to just decrypt the files on the fly (which it can do quite quickly, as evidenced by how little effect encryption has on general performance) into an already-prepared container.

Sorry, my bad, it's still morning here and coffee hadn't kicked in.

It's the same whole disk encryption. In both instances you end up with a volume wrapper and key storage to unlock the encrypted file system where the data is safely stored. Disk Utility is a bit of a chore to set up encryption of an external drive, so just wipe the drive and set it for Backups and then tell Time Machine to encrypt the drive. It handles the formatting, generating the crypto keys and lets you choose a passphrase to unlock the keys.

Once you've completed a TM encryption in the standard way, do subsequent TM backups take far longer than they would if TM were not encrypted?

It shouldn't do, as TM is only backing up the files/folders that have been added since the last Backup.

Can I ask, why is TIME such an issue with all this? Your whole post is about how long this is all going to take. When it comes to Encryption, time should be the last thing to worry about.
As I said above, just let Time Machine do all the Backing Up and Encrypting, using FV 2, and you will be OK, with nothing to worry about. Just Checkmark it in System Preferences and let it do what it is meant to do.
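
The key arrangement described in the reply above (a random volume key kept in a wrapper that the passphrase unlocks), as an added example that is not part of the original thread and is not Apple's code. It is a simplified Python sketch: the XOR mask with an HMAC tag is a toy stand-in for a real key-wrap algorithm, and the iteration count, function names and passphrases are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed KDF cost for this sketch, not FileVault's value


def _derive(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes from the passphrase: 32 to mask the volume key, 32 to authenticate.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               ITERATIONS, dklen=64)


def wrap_volume_key(volume_key: bytes, passphrase: str) -> dict:
    """Build the small key-storage record; the bulk data is never touched."""
    salt = os.urandom(16)  # fresh salt, so the mask is never reused
    k = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(volume_key, k[:32]))
    tag = hmac.new(k[32:], masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_volume_key(record: dict, passphrase: str):
    """Return the volume key, or None if the passphrase is wrong."""
    k = _derive(passphrase, record["salt"])
    expected = hmac.new(k[32:], record["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["masked"], k[:32]))


def change_passphrase(record: dict, old: str, new: str) -> dict:
    # Only the wrapper is rewritten; data encrypted under the volume key stays put.
    volume_key = unwrap_volume_key(record, old)
    if volume_key is None:
        raise ValueError("wrong passphrase")
    return wrap_volume_key(volume_key, new)


def demo():
    volume_key = os.urandom(32)  # random key that would encrypt the disk blocks
    record = wrap_volume_key(volume_key, "constructed passphrase 1")
    unlocked = unwrap_volume_key(record, "constructed passphrase 1") == volume_key
    rejected = unwrap_volume_key(record, "wrong guess")
    record2 = change_passphrase(record, "constructed passphrase 1",
                                "constructed passphrase 2")
    same_key = unwrap_volume_key(record2, "constructed passphrase 2") == volume_key
    return unlocked, rejected, same_key
```

Because setting up encryption on an empty drive only has to create this small record, it finishes almost immediately, while converting a drive that already holds data means rewriting every block under the volume key.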
 
OP
C
Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
Can I ask, why is TIME such an issue with all this?

Well obviously, because it's TIME machine :D.

OK, it's because I'm experimenting with different combinations of Carbon Copy Cloner and Time Machine, each on different partitions, to determine an optimum backup system for my use.* In particular, I have to figure out the best relative sizes for the partitions for each. And I've read you can't change the partition size on an encrypted drive (is that correct?), meaning if I wanted to change the partition scheme I'd have to erase each drive and start from scratch. With each CCC encryption, and each TM encryption, taking about 15 hours, and with three different drives, that makes experimentation quite laborious. [EDIT: I JUST LOOKED AT ONE OF THE DRIVES WITH IPARTITION, AND IT LOOKS LIKE YOU CAN DO THAT -- BUT THERE'S STILL THE ISSUE OF SUPPOSE I TRY TM, DECIDE I'D JUST LIKE TO USE CCC ONLY, AND ERASE THE TM PARTITION, BUT THEN CHANGE MY MIND.] [EDIT2: JUST CHECKED IPARTITION'S WEBSITE, AND MAYBE NOT; I'VE SENT THEM AN EMAIL ASKING FOR CLARIFICATION.] IN ADDITION, I just bought two new external drives, and one of them may need to be replaced because of noise, and the other one is behaving oddly, which means I may have to do this all over, etc. Basically, this is how I do things when I set up a new computer: I spent a lot of time playing with different settings and arrangements, home in on what works for me, and then, once I have it dialed, leave it that way for as long as I can (e.g., the only reason I upgraded from Snow Leopard, which I loved, to Yosemite, which I don't care for, was because I couldn't get the former to boot on my new computer). And it's hard to "play" when each change has a 15-hour waiting period!

Speaking of which, my Windows 7 password (in Bootcamp) just stopped working, so I need to erase the Bootcamp partition and start over, but I first need to determine if it's problematic to create a new Bootcamp partition on an encrypted internal drive.

[*I have three backup drives, one of which is always stored in a remote location (bank safe deposit box). Each of the drives is 2 - 4 x larger than my internal drive, allowing me to have both CCC and TM backups in separate partitions on each. Each has its advantages and disadvantages, which is why I'd like each of my backups to have both, rather than one or the other. With CCC, if the internal drive is corrupted, I can boot to the clone and be up and running immediately; and if the internal drive is not recoverable, the most reliable way to restore things is to just copy the clone. But CCC doesn't allow easy access to older versions of files, which is TM's strength. Hence I've decided to experiment with having both. Having both a TM and CCC partition on a single drive confuses a lot of people, who say "this doesn't make sense to have both of your backups on the same drive." What they have trouble wrapping their heads around is that each of my drives represents a single backup system, and I have three of them. But within each of these three drives, i.e., within each of these three backup systems, I have dual backup functionality. I.e., having both a CCC partition and a TM partition on each of my three drives is no less secure than having CCC only or TM only.]
 
Joined
Mar 17, 2008
Messages
6,879
Reaction score
191
Points
63
Location
Tucson, AZ
Your Mac's Specs
Way... way too many specs to list.
Get self encrypted external drives. There is no difference, at all (not one bit), between the w/r rates on these compared to identical non-encrypted drives. Pricewise, they're almost identical as well. If I/O rate is a priority for you, this is the best solution.
 
OP
C
Joined
Jan 28, 2009
Messages
34
Reaction score
0
Points
6
Your Mac's Specs
MBP 11,3 (15" Retina, Feb 2015), 2.8/4.0 GHz Core i7-4980HQ, 1TB SSD/4-lane PCIe, 16GB RAM, Yosemite
Get self encrypted external drives. There is no difference, at all (not one bit), between the w/r rates on these compared to identical non-encrypted drives. Pricewise, they're almost identical as well. If I/O rate is a priority for you, this is the best solution.

Thanks, nice idea. I'll look into it.
 