
Matthew Ahrenstein

DevSecOps Engineer for an amazing company, hiker, amateur radio operator, target shooter, developer, and cryptocurrency enthusiast.


This article is about why you should turn on OS X’s Filevault 2 full disk encryption. An alternate title could easily be “How to break into a Mac that isn’t encrypted”.

Why you should use Filevault 2

Starting with OS X 10.7 Lion, Filevault has been upgraded. Instead of encrypting just your home folder, it now encrypts the entire hard disk in your Mac. This is a fantastic security feature that any technically savvy thief would hate. No one really keeps all of their data just in their home folder. Applications also tend to store preferences in various locations on disk, and some applications aren’t careful enough to protect the credentials for your accounts on their services that they store in those files.

You may still think that encryption is unnecessary, but consider this: your Mac is stolen. Two days later you get locked out of your Google account and your iCloud account, iTunes purchases start appearing on your credit card, your Dropbox files have all been deleted, and the Dropbox password has been changed too. Your bank account starts transferring money out to external accounts. What’s happening?! Someone broke into your Mac’s user account and took advantage of everything you were signed in to.

You can prevent this very easily. Devices get stolen, but an encrypted Mac can only be wiped clean and used without your data. Sure the thief would still have a new Mac at your expense, but they won’t have access to your files or accounts.

Breaking into a Mac you don’t have access to is easy

You might say “It’s hard to reset a password on a Mac unless you have an administrator account.” That’s not true! Here are the simple steps to gain access to any Mac running OS X 10.7 Lion through the latest release, 10.10 Yosemite, without Filevault 2 turned on:

  1. Turn off the Mac.
  2. Press and hold Command + S and turn it on. Keep holding Command + S until you see white text on a black background.
  3. When the text stops scrolling and you see a prompt, you are in Single User Mode.
  4. Type mount -uw / and press Enter.
  5. Type rm -f /var/db/.applesetupdone and press Enter.
  6. Type reboot and press Enter.
  7. When OS X boots, it will now think it needs to be set up as a new Mac, and will go through the process of creating the “initial” user with admin privileges. The other users and their files will still be there, but now you have an account that can reset their passwords via System Preferences.

The total time it takes to do this is about 2 minutes. See how easy that was? You now have full access to someone else’s Mac.

How does Filevault 2 stop this?

Filevault 2 encrypts the entire disk and protects it with a pre-boot password. You will need to enter your user account password before you can access anything on the Mac other than the recovery partition. Even in the recovery partition, all you can do without that password is reinstall OS X and wipe out the existing data; your files stay encrypted. Single User Mode cannot be reached anymore either, unless you already have the password. Nor can the disk be read by pulling it out and attaching it to another computer the thief has admin access to. Of course, if you forget your password, any data you didn’t back up is lost.

So how do I enable it?

Filevault 2 is pretty easy to enable. Just follow these steps:

  1. Open System Preferences
  2. Select Security & Privacy
  3. Click the Filevault tab
  4. Click the Turn On Filevault button and follow the instructions.

That’s it! Filevault 2 will encrypt your machine in the background. It can take anywhere from an hour to a day depending on your disk size and whether you have a regular hard disk or an SSD. Your Mac is now protected against clever thieves as well as anyone else who may want to access the data on the disk.
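Because the encryption runs in the background, it is worth confirming that a Mac has actually finished turning Filevault on. The following is an added example (not from the original article) that classifies the output of Apple’s fdesetup status command into on / encrypting / off; the sample output strings are constructed approximations of what fdesetup prints, and the matching is kept loose because the exact wording varies between OS X releases.

```shell
#!/bin/sh
# Classify `fdesetup status` output (fdesetup ships with OS X 10.8 and later).
# Prints one of: on, encrypting, off, unknown. "Encryption in progress" is
# checked first because that output also contains "FileVault is On".
fv_classify() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Constructed sample outputs, approximating what fdesetup prints.
SAMPLE_ON="FileVault is On."
SAMPLE_PROGRESS="FileVault is On.
Encryption in progress: Percent completed = 42"
SAMPLE_OFF="FileVault is Off."

# Turn a status output into a one-line report and an exit code a fleet
# inventory script can act on (0 = protected or finishing, 1 = not protected).
fv_report() {
    state=$(fv_classify "$1")
    case "$state" in
        on)         echo "OK: disk is encrypted";             return 0 ;;
        encrypting) echo "PENDING: encryption still running"; return 0 ;;
        *)          echo "FAIL: FileVault is not on ($state)"; return 1 ;;
    esac
}

# Use the live system when fdesetup exists (a Mac); otherwise fall back to the
# constructed "off" sample so the script can be exercised on any machine.
fv_check() {
    if command -v fdesetup >/dev/null 2>&1; then
        fv_report "$(fdesetup status 2>/dev/null)"
    else
        fv_report "$SAMPLE_OFF"
    fi
}
```

Run fv_check from a login script or management agent and alert on a non-zero exit code.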