- Speed Up Filevault Decryption Download
- Speed Up Filevault Decryption Tools
Click the Turn On FileVault button. If you want to reset your password or unlock your disk, Apple connects your FileVault with your iCloud account. Another option FileVault gives you is the recovery key, which you have to keep safe in case anything goes wrong with the password. Choose an option, then click the Continue button. FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
Apple’s first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user’s home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.
FileVault 2 offers full-disk encryption (FDE). When enabled, the entire contents of the startup drive are encrypted. When your computer is powered off, the drive’s data is fully unrecoverable without a password. It also lets you use Find My Mac to wipe your drive in a matter of seconds remotely if you’re concerned about into whose hands your computer has fallen. You can enable FileVault 2 with an existing Mac, but starting with 10.10 Yosemite, OS X now encourages turning on FileVault 2 during setup of a laptop.
This has made some law-enforcement officials unhappy, who seemingly don’t want your data to be protected this strongly, so they can get access in the unlikely event that they need it. Relatively few people engage in criminal activities, and of them, even fewer ever have their computers seized and examined. It’s a good sign as to how well FileVault 2 works that officials are so morose about it.
FileVault 2 takes advantage of the ever-improving processor speed and features in Macs to perform on-the-fly encryption and decryption. Every chunk of data read from and written to disk, whether of the spinning variety or SSD, has to go through this process. Macs introduced starting in 2010 and 2011, and every model since, can use encryption circuitry in the processor, boosting performance.
FileVault 2 works hand in hand with OS X Recovery, a special disk partition that lets you run Disk Utility from the same drive you may be having trouble with, restore or install OS X via the Internet, restore a Time Machine backup, or browse Safari. With FileVault 2 enabled, your computer boots into the Recovery volume, prompting you to login with any account that’s been allowed to start up the computer.
How to use FileVault 2
On a system without FileVault 2 already in place, you need to turn it on, which converts your startup drive from its unencrypted state to fully encrypted. This comes with a few big flashing red warnings and pieces of advice before you proceed. (You can encrypt secondary and external drives by Control-clicking a drive’s icon and selecting Encrypt “Drive Name,” but it doesn’t tie in with login: you set a password for the drive, and have to enter it to mount it.)
Warning 1! During the setup, OS X creates a Recovery Key for your drive. As with Apple’s two-step verification for Apple ID accounts, this Recovery Key is critical to retain. Without it, if you lose or forget the account password to all FileVault 2–enabled accounts, your drive is permanently inaccessible. Keep a copy of the Recovery Key, probably printed out, for emergencies.
Warning 2! Once you start the conversion, there’s no stopping it. It has to complete, and it consumes CPU resources like mad, slowing down your machine and likely firing up the fan to high speed. Your computer also has to remain plugged in. The operation takes many hours. A friend’s niece accidentally accepted the option to enable FileVault 2 when upgrading to Yosemite a few evenings ago, and had her machine—needed for a computer-science class the next morning—slow to a crawl.
Apple provides step-by-step details in a Knowledge Base note, so I won’t repeat all of that, but will highlight the critical parts.
Only accounts enabled with FileVault 2 can unlock the volume at boot time after a cold start (when shut down) or restart. For accounts you don’t opt to enable, restarting or starting up will require that an account with permission logs in, then logs out. If you’re helping set up FileVault 2 for a novice user who trusts you, you may ask them to create an account for you that would let you log in if they can’t.
Accounts that use an iCloud password for login do provide a way out if you forget or lose an account password, but also pose a security risk if someone obtains your iCloud account information. (During a Yosemite upgrade, you can choose this explicitly when enabling FileVault 2 by checking a box that reads “Allow my iCloud account to unlock my disk.” Oddly, Apple has no information about this option on its support site.)
The option to store your Recovery Key on Apple’s servers is secure, in that Apple apparently can only unlock the key given information you provide, exactly as it’s typed, including capitalization. It doesn’t retain enough information to unlock it independently. However, it does put the key in the hands of a party other than yourself, making it possible under the right circumstances for a government agency or ne’er-do-wells to legally or socially engineer access to your recovery key.
Once the conversion is complete, the startup drive is fully protected within the limits of exposure I note above.
What’s even niftier is that with Find My Mac enabled on the computer, you have a sort of secret weapon. Find My Mac works when the computer is booted and connected to a network. You can play a sound, lock the computer, locate it (if Wi-Fi networks or other cues to location are nearby), and erase it. Because FileVault 2 relies on a stored encryption key, erasing the drive wipes that key, rendering the drive unrecoverable, even by you.
But the extra-secret secret weapon is Guest mode. When a user logs in as a guest and connects to a network, or the Mac automatically connects to a known network, Find My Mac continues to work. Thus, if someone finds your computer, any message you send with the Lock option can appear, even if it was online before they log in as a guest. But so too can an Erase request make its way through silently.
FileVault 2 can make nations quake, apparently, but it’s just a bit of good information hygiene, letting you make choices about the degree of vulnerability you want to tolerate for your locally stored data and any software or stored passwords for services in your accounts. With it off, you’re not risking everything, but with it on, you have a high degree of assurance about who can access what.
Overview

FileVault enables encryption of your files that are in your home folder. Your home folder stores your documents, files on your desktop, personal settings, downloads and some application-related files like temporary files. The first time you use FileVault, all of these files will be encrypted. If your computer is lost or stolen, the files in your home folder remain protected as long as your login password remains known only to you.
Some things to remember before you begin:
- You must have a known good backup of your home folder. If you use TSM, run an incremental backup. If you use Time Machine, run a Back Up Now.
- The amount of time it takes to encrypt your home folder is dependent on its size. On average, you can plan on it taking between 2-4 hours to work its magic.
- You'll need some free disk space - a little over 2x the size of your current home folder.
- You need to ensure that any files that must be protected or that you intend to protect stay in your home folder, or in folders beneath your home folder like Documents or on your desktop, to remain encrypted (and aren't in /Applications or /tmp or somewhere else on your hard drive). This will always apply while using FileVault, so keep this in mind.
- You'll need to be an administrator on your computer.
Caution
You must enable both a screen saver password and a wake-from-sleep password for FileVault to be effective. Without a password protecting the computer upon wake-from-sleep or wake-from-screen saver, anyone who finds or takes your computer while it's running will have access to everything on it.
Open System Preferences | Security | General and select 'Require password... after sleep or screen saver begins'.
To speed up the encryption process, you might want to move large folders like Music, Pictures and Movies out of your home folder first (unless you have sensitive music), and move them back in after the process completes. If you need assistance moving files out of your home folder, contact your local support or the helpdesk.
Now may be a good time to clean house and delete files you don't need (e.g. in your Downloads folder). Check that your trash is emptied.
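A pre-flight check for the requirements above, as an added example that is not part of the original page: it compares free space against twice the home folder size and lists the largest top-level folders as candidates to move out first. The function names are hypothetical, and "a little over 2x" is approximated as exactly 2x.

```shell
#!/bin/sh
# Added example: pre-flight check before turning on home-folder FileVault.
# Assumption: "a little over 2x" is modelled as exactly 2x the home folder size.

# Size of a directory tree in KiB.
dir_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Free space in KiB on the volume that holds the given path.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Succeeds when free space is at least twice the home folder size.
# Arguments: home folder size in KiB, free space in KiB.
enough_space() {
    [ "$2" -ge $(( $1 * 2 )) ]
}

# Print the N largest top-level folders (size in KiB, then path), biggest first.
largest_folders() {
    dir=$1; n=${2:-5}
    for d in "$dir"/*/; do
        [ -d "$d" ] && du -sk "$d" 2>/dev/null
    done | sort -rn | head -n "$n"
}

# Full check for one home folder; returns 1 when space is insufficient.
preflight() {
    home=${1:-$HOME}
    used=$(dir_kb "$home")
    free=$(free_kb "$home")
    echo "Home folder: ${used} KiB, free on volume: ${free} KiB"
    if enough_space "$used" "$free"; then
        echo "OK: free space is at least 2x the home folder."
    else
        echo "NOT ENOUGH: need about $(( used * 2 )) KiB free. Largest folders:"
        largest_folders "$home" 5
        return 1
    fi
}

# Run the check only when a folder is given, e.g.: sh preflight.sh "$HOME"
if [ $# -gt 0 ]; then preflight "$1"; fi
```

A failed check points at the folders worth moving out temporarily, which is the same step the page recommends for shortening the encryption run.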
If you use TSM for backups, scroll down to TSM & FileVault.
If you use Time Machine for backups, scroll down to Time Machine & FileVault.
Verify, once again, that you have a known good backup of your home folder.
Ready?
- Open your System Preferences panel and click Security.
- On the General tab, check 'Require password immediately after sleep or screen saver begins', 'Disable automatic login' and 'Secure virtual memory'
- Click the FileVault tab.
- Click Set Master Password.... This password can be used to unlock all FileVault accounts on your computer. If you utilize IS&T Field Support, they will set this password for you while setting up FileVault. It's a feature that's intended to provide recovery for accounts. Set this password to something you won't forget, but is different from your local account password. Do not lose or forget this password; if you forget both your password and this password, your home folder will be lost.
- Click Turn On FileVault... Make sure that Use secure virtual memory is selected.
Use 'Use secure erase' with caution: if you have a large home folder, secure erase - because it makes 3 wipes of each file - can take an extremely long time (tens of hours for a 50GB home folder). Seek your local support or call the helpdesk for guidance if you have sensitive data to protect and have a large home folder.
- Enter your login password; you'll be logged out and FileVault will begin encrypting your home folder.
Low disk space...
If you don't have enough disk space available (you need 2x the size of your home folder), you'll receive this message when you try to use FileVault:
I forgot my password...
If you forget your login password you'll need to use the master password to log back in to your account. From there, you can reset your account password. If you don't know your computer's master password, speak to your local support staff if they set FileVault up for you. If they don't know the master password, your home folder will be lost.
To reset your password for a FileVault encrypted home folder:
- Click Forgot Password at the login prompt.
- Enter (or have your support staff enter) the master password.
- You'll be prompted to enter a new password for your account.
TSM & FileVault
You'll need to make a small change to TSM in order for backups to work properly once FileVault is finished encrypting your home directory. In the TSM application, your home directory will now appear under the Removable section. This is because your home directory has, for all intents and purposes, become mountable and unmountable, just like a .dmg. It now is a sparse bundle - a single file that's encrypted and contains all of your files. When you're logged in, it's mounted and readable by you (and any programs you run, like TSM). When logged out, it appears as a single .sparsebundle file.
- In the TSM application, under your nodename, expand the Removable section.
- Place a check on your home directory name or, if you don't want all files and folders in your home directory backed up, expand it and select the folders you'd like backed up individually.
Time Machine & FileVault
Because both Time Machine and FileVault are native OS X applications built by Apple, they need to meet everyone's needs. When Time Machine backs up your home folder on OS X 10.5 and up, it backs up the portions of your encrypted home folder that have changed (into an encrypted image called a sparsebundle). It's important to note that Time Machine runs a backup only when you log out, due to the mechanics Apple uses to maintain consistency. Logging out to back up isn't the most convenient, especially for those not in the habit of logging out, but it's a good practice to adopt - your encrypted home folder is safest when you're logged out.
Your Time Machine backups do remain encrypted on the drive you're using to back up. One caveat to using Time Machine with FileVault is that you can't restore only a single file using Time Machine's 'Enter Time Machine'. While using Time Machine's interface, you can only restore an entire home folder from a point in time - the last time you logged out and Time Machine completed its backup. Methods do exist to retrieve a single file; however, while not terribly difficult, they are not supported by Apple.
What kind of encryption does it use?
AES-256, which is very good.



