Apple FileVault 2: Full disk encryption software overview

Expert Karen Scarfone examines the features of Apple's bundled full disk encryption software for Mac OS X, FileVault 2.

This is part of a series on the top full disk encryption products and tools in the market. For more, check out our FDE product roundup.

Apple FileVault 2 is a capability built into certain versions of the Mac OS X operating system (OS) that provides full disk encryption (FDE) for desktop and laptop hard drives. FDE encrypts all data on the drive so that an attacker who obtains the device while it is powered off cannot recover sensitive data without the key; it offers no protection once the system has booted and the drive has been unlocked.

Product versions and platform support

Apple originally introduced FileVault as a feature of Mac OS X 10.3 (also known as "Panther"). Technically speaking, the original FileVault did not have FDE capabilities; rather, it placed the user's home directory in an encrypted disk image, leaving the rest of the disk and the OS itself unencrypted and without boot-time protection.

In Mac OS X 10.7 ("Lion"), Apple redesigned FileVault and reintroduced it as Apple FileVault 2, with full FDE capabilities. Apple FileVault 2 has been supported by every version of Mac OS X since 10.7, including the current release at the time of writing.

Encryption and authentication support

FileVault 2 uses the Advanced Encryption Standard (AES) encryption algorithm, which delivers robust protection for stored data. Until mid-2013, it only supported the use of 128-bit keys, not 256-bit keys. Although 128-bit keys are acceptable in many environments and are not practically brute-forceable, organizations are increasingly standardizing on 256-bit keys, often because internal policy or compliance requirements demand them.

The latest versions of Mac OS X, starting with 10.9, support 256-bit AES keys, so organizations wishing to enable FileVault 2 on legacy systems should be aware that Lion (10.7) and Mountain Lion (10.8) are limited to 128-bit keys, which may not satisfy their key-length policy.

The cryptographic modules underlying FileVault 2 have been validated under Federal Information Processing Standard (FIPS) 140-2 on the latest versions of the Mac OS. FIPS 140-2 validation indicates successful independent testing of a cryptographic module to confirm that it implements approved algorithms correctly and adheres to certain implementation requirements. Simply put, validation indicates that major known cryptographic weaknesses were checked for and not found; it says nothing about vulnerabilities elsewhere in the OS or in how the product is configured.

A disadvantage of using FileVault 2 is that its pre-boot authentication reuses the user's Mac OS X account password: the pre-boot login screen accepts the password of any FileVault-enabled account, and that password is what unlocks the disk. It is generally recommended to use multifactor authentication -- and certainly not to simply duplicate OS credentials -- when authenticating users before system boot. However, as discussed below, there are a variety of commercial add-on products available that add management and configuration capabilities to FileVault 2 implementations, so it is possible to add multifactor authentication using one of these products.

Similarly, by default the FileVault 2 personal recovery key is displayed once at enablement, leaving the user to write it down (or capture it in a screenshot), or it is stored on an Apple server and protected through three security questions chosen by the user. In either case the organization holds no copy of the key. Again, the use of commercial add-on products can provide additional, more desirable and secure options for key recovery.

Management

FileVault 2 is intended for local management: Apple provides local tooling, such as the fdesetup command-line utility for scripting enablement and recovery-key handling, but no centralized management console for the FDE product. That being said, there are many commercial products available that can be added onto Mac OS X systems to centrally manage FileVault 2 configurations. These include Dell Data Protection | Encryption, McAfee Complete Data Protection and Sophos SafeGuard. As discussed above, these products can add a variety of options related to multifactor authentication and key recovery -- not to mention the overall centralized management and configuration -- of FileVault 2.
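The recovery-key and management points above can be exercised with Apple's built-in fdesetup(8) and security(1) tools. The script below is an added example, not code from Apple or from this article: it audits a Mac's FileVault 2 state and escrow status and shows the commands for establishing an institutional recovery key so that recovery does not hinge on a user's screenshot or on Apple's escrow service. It assumes macOS 10.9 or later. The sample status strings are constructed for offline testing; they mirror the "FileVault is On." / "FileVault is Off." lines fdesetup prints but were not captured from a real machine, and on a host without fdesetup the audit falls back to them.

```bash
#!/bin/bash
# Added example (not Apple's code): audit FileVault 2 state with fdesetup(8)
# and document institutional recovery-key setup. Assumes macOS 10.9+.
set -u

# Constructed sample outputs of `fdesetup status` (not captured from a Mac).
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 37'

# fv_classify STATUS_TEXT -> prints one of: on, off, encrypting, unknown.
# The in-progress check comes first because that output also begins with
# "FileVault is On." even though the disk is not yet fully encrypted.
fv_classify() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    "FileVault is On."*)        echo on ;;
    "FileVault is Off."*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# fv_status_text -> real fdesetup output on macOS, sample text elsewhere.
fv_status_text() {
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status
  else
    printf '%s\n' "$SAMPLE_OFF"
  fi
}

# fv_has_key KIND -> "true"/"false" from fdesetup, "unknown" off macOS.
# KIND is "personal" or "institutional"; fdesetup exposes both queries as
# haspersonalrecoverykey and hasinstitutionalrecoverykey.
fv_has_key() {
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup "has${1}recoverykey"
  else
    echo unknown
  fi
}

# fv_audit -> returns 0 only when the disk is fully encrypted AND an
# institutional recovery key is in place; prints each finding otherwise.
fv_audit() {
  local state irk prk rc=0
  state=$(fv_classify "$(fv_status_text)")
  irk=$(fv_has_key institutional)
  prk=$(fv_has_key personal)
  echo "state=$state institutional_key=$irk personal_key=$prk"
  [ "$state" = on ] || { echo "FINDING: disk not fully encrypted (state: $state)"; rc=1; }
  [ "$irk" = true ] || { echo "FINDING: no institutional recovery key escrowed"; rc=1; }
  return "$rc"
}

# fv_enable_institutional: one-time procedure, shown but not run here.
# 1. On an admin machine, create the institutional keychain. Keep this file
#    (it holds the private key) offline; never copy it to clients.
# 2. Install a copy with the private key REMOVED at
#    /Library/Keychains/FileVaultMaster.keychain on each client.
# 3. Enable FileVault against that keychain; the user is prompted for the
#    account password at the next login when -defer is used.
fv_enable_institutional() {
  security create-filevaultmaster-keychain /tmp/FileVaultMaster.keychain
  sudo fdesetup enable -keychain -defer /var/root/fv_deferred.plist
}

if fv_audit; then
  echo "OK: encrypted with institutional recovery key"
else
  echo "NOT COMPLIANT: see findings above"
fi
```

The deferred-enablement plist written by `-defer` contains the personal recovery key in plaintext, so it should be collected into the organization's escrow and then removed, not left on the client. Note also that `fdesetup status` reporting "On" during an in-progress encryption is the common false positive in home-grown compliance checks, which is why the classifier treats that case separately.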

It is also important to note that products that support FileVault 2 typically also support Microsoft BitLocker, its Windows equivalent. This means a single console can be used to manage and monitor Apple FileVault 2 and Microsoft BitLocker deployments in a mixed environment.

FileVault 2 for individuals, small enterprises

Because FileVault 2 is built into Mac OS X, it can be a viable FDE product for individuals and small enterprises that do not practice centralized security management. The lack of support for multifactor authentication and the reuse of OS credentials for pre-boot authentication are significant concerns, but it must be pointed out that this reuse provides strong usability (albeit at the cost of security).

For enterprises that rely on centralized security management, FileVault 2 may still be a viable option for full disk encryption software when paired with a commercial add-on product that adds centralized management capabilities, multifactor authentication and centralized key recovery.

Next Steps

Get more reviews of other full disk encryption products featured in this series: McAfee Complete Data Protection, Symantec Endpoint Encryption, Sophos SafeGuard, Microsoft BitLocker, Dell Data Protection | Encryption, Check Point Full Disk Encryption, and DiskCryptor.
