how does FileVault provide any more security than just my password?

hi all :)

can anyone please explain:

how exactly does enabling FileVault provide any more security than simply having my mac set to require my user password upon waking (Automatic login off)?

I mean, either way anyone can access my files as long as they have that one password, right?


So why bother with the FileVault? Am i missing something?

MacBook Air 13″, OS X 10.11

Posted on Sep 24, 2021 10:56 PM

Question marked as Best reply

Posted on Sep 26, 2021 3:10 AM

On older Apple computers, without the T2 Chip (About Startup Security Utility), it is possible to boot the computer from an external Bootable Drive, thus bypassing the need for the computer password. Once booted this way, it might be possible for the person to see the files, including Sensitive and Personal files.


The FileVault, if enabled, Encrypts ALL the files on the internal drive. Therefore, even if the external boot is performed and successful into your Internal Drive - there is nothing they could do to change, copy or worse, steal your information. All the files will be totally unreadable by them.

Sep 27, 2021 8:46 AM in response to coatli

FileVault is protection against lost, or stolen, or governments taking your Mac. And it is trivial to boot older Macs and read the internal storage, unless it is FileVault encrypted.


The better your macOS user password, the stronger your FileVault encryption will be against breaking in using your password.


As for the option of keeping it off, you would be surprised at the number of users that A) forget their macOS user password, B) in corporate situations where they mandate password expiration, the number of times users get locked out, and need to have their FileVault encryption key (which will look like: ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ01 ) to get back into their Mac. Having it on by default is just a fast way to get customers upset at Apple and for customers to lose their data if they forget their macOS password, and have not recorded their FileVault Encryption key, and have not registered their FileVault encryption key with Apple protected by their Apple ID username and password. The company I work for mandates password expirations, and the IT group gets a steady stream of "I locked out of my computer" requests each and every day, 7 days a week. I can see them on the company's IT Slack channel.


The newer Macs use the T2 security chip; the data is always FileVault encrypted, so that if the drive is removed from the Mac, it is useless without the T2 chip in the Mac. With the drive still in the Mac, the T2 chip allows access as long as you can log in or gain access, say, over the network. Explicitly enabling FileVault on these Macs requires you to unlock the T2 chip before allowing the Mac to even boot.

Sep 24, 2021 11:10 PM in response to coatli

coatli Said:

"how does FileVault provide any more security than just my password?"

-------


FileVault Uses Encryption:

With encryption, if someone wants to access your data, they must use a password. So, it is for Security & Privacy. Encryption makes things look like letters and numbers and symbols, making it impossible to create on another device without decrypting it.

Sep 26, 2021 12:59 AM in response to TheLittles

sorry, but this is not what i am asking.

Let me rephrase my question:


how is enabling file vault any better than simply using my mac user password?


(in other words, how exactly does enabling FileVault provide any more security than simply having my mac set to require my user password upon waking?

I mean, either way anyone can access my files as long as they have that one password, right?

Why bother with the FileVault at all?)

Sep 26, 2021 8:19 PM in response to PRP_53

hi P. :)


thank you so much for your help!


Well, I have no experience with "booting" a computer from an external Bootable Drive--is that something just anyone off the street with computer-savvy could do to someone else's computer?

Or, would they need to gain access to a Bootable Drive that i created specifically to "boot" my own computer?


When you say "boot", do you mean not only turn on, but also log in to a computer?


I always keep a good password on my macbook, and i have it set so that whenever i shut the lid it enters sleep (therefore it is still powered on), and then if you open the lid it requires you to enter my password before it will let you proceed.

So if some dishonest computer-savvy person were to, say, steal my laptop out of my luggage when i was traveling, would they be able to use their own Bootable Drive to "boot" my laptop, and automatically be signed in as me too, and thereby have access to my files and information?


I guess something i don't yet understand is the nature of the booting process. I had thought that perhaps "booting a computer from an external Bootable Drive" meant taking a computer that has failed to start up on its own and feeding it the necessary info from an external device to get it to start up...

Or else, to get the computer to start up a whole different operating system than the one normally used...


and that there's like a partition separating each operating system on a computer...

if so, would such partitions be vulnerable to penetration? (I guess somehow i thought they'd be like firewalls)...


Is this all correct? If not, would you please explain how it really goes? (to an un-savvy user)


Also, if turning on File Vault protects the computer owner's info so much more, why does apple even give the option of keeping it off?

Why not just give the option of not using a password instead?

Sep 27, 2021 3:38 AM in response to coatli

Under Normal circumstances, it is not necessary to boot the computer from a Bootable Drive.


There are times when it can be useful to Install an OS when the internal drive has been replaced with a new internal drive and there is no OS on the drive.


It can also be done to repair a corrupted OS and / or to upgrade the existing functional OS.


There is special software available, and totally legal to use, as a means to Clone the existing internal drive in the event of a Drive Failure and / or to restore the OS to a time before changes were made to the OS on the Internal Drive.


As for booting from an external Drive with a Different Version of macOS, it can be done, with limits. The limits are very strict and Apple has made it that way. Example - computer came preinstalled with Big Sur ( newest OS ) and the person has a Bootable Clone from an older computer running High Sierra. That computer could not and would not boot from that external Drive. On the opposite side, the person has upgraded an older computer from High Sierra to Mojave and has a Bootable clone of High Sierra. For whatever reason, does not like Mojave; yes, the Bootable Clone would boot and could be used to reverse the computer back to High Sierra.


The issue of separate Partitions for running a dual boot of two different versions of macOS can be done.


And then, there is the situation where a computer has been lost or stolen and the person who has found or stolen the device wants to do things to the computer for various reasons, including stealing information from this computer for whatever reason, including re-selling it.


User wrote "When you say "boot", do you mean not only turn on, but also log in to a computer?" - One can boot the computer from the External Drive but no, not logging into the computer. They would not need to log into the computer in order to see and do things with the information on the drive. After all, without the entire drive being Encrypted - it would be like sending a postcard in the mail system with sensitive information written on it and not expect anyone in the Postal System not to read what was written. Thereafter, whatever was read could be used for whatever purposes they want.


User wrote "Also, if turning on File Vault protects the computer owner's info so much more, why does apple even give the option of keeping it off? Why not just give the option of not using a password instead?" - That question is best answered by Apple. The choice is the User's Due Diligence to make an informed decision to use or not use FileVault.
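
A simplified model of the distinction drawn in the replies above, added here as an example and not code from any poster or from Apple: a login password is a check the installed OS performs, while encryption protects the raw blocks on the drive no matter which OS reads them. The toy `xor_stream` cipher, the drive layout and every name below are assumptions for illustration and do not reflect FileVault's actual design.

```python
import hashlib, hmac, os

def xor_stream(key, data):
    # Toy cipher (HMAC-SHA256 keystream); a stand-in for a real disk cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def kdf(password, salt):
    # Stretch the user password into 32 bytes of key material.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_drive(password, files, encrypted):
    salt = os.urandom(16)
    drive = {"salt": salt, "encrypted": encrypted,
             "login_hash": kdf(password, salt + b"login")}
    if encrypted:
        volume_key = os.urandom(32)
        # The random volume key is stored only wrapped under a password-derived key.
        drive["wrapped_key"] = xor_stream(kdf(password, salt + b"unlock"), volume_key)
        drive["blocks"] = xor_stream(volume_key, files)
    else:
        drive["blocks"] = files  # login password set, but data stored in the clear
    return drive

def login_read(drive, password):
    """Normal path: the installed OS checks the password before showing files."""
    check = kdf(password, drive["salt"] + b"login")
    if not hmac.compare_digest(check, drive["login_hash"]):
        return None
    if not drive["encrypted"]:
        return drive["blocks"]
    kek = kdf(password, drive["salt"] + b"unlock")
    volume_key = xor_stream(kek, drive["wrapped_key"])
    return xor_stream(volume_key, drive["blocks"])

def external_boot_read(drive):
    """A different OS reads the raw blocks; the login check above never runs."""
    return drive["blocks"]

if __name__ == "__main__":
    files = b"constructed sample: passport scan, tax return"
    for enc in (False, True):
        d = make_drive("hunter2-long-passphrase", files, enc)
        print(enc, external_boot_read(d) == files, login_read(d, "guess") is None)
```

In both models a wrong password is refused at login; only the encrypted drive also returns unreadable bytes when the login check is skipped entirely.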
