by ShaneOG 3678 days ago
I use Mac OS X FileVault2, with a firmware password. It's incredibly easy to set up and should be good enough to protect my data from the majority of thieves.

Coupled with encrypted Time Machine backups and Arq[0] I feel relatively ok about losing my machine.

[0] https://www.arqbackup.com

5 comments

Just so you're aware, the firmware password on a Mac can easily be bypassed by anyone with an SPI writer. [1] Using a Teensy and a chip clip, someone can clear the password or bypass the password check completely.

So, it will keep the honest out, but for someone who knows what they're doing, it will only prove a mild inconvenience.

This obviously doesn't help them bypass FDE, but in case they want to steal the laptop and not have a brick, the SPI writer works a treat.

[1] https://trmm.net/SPI_flash

FDE is not supposed to be an anti-stealing mechanism anyway.

Besides, any potential thief won't even know whether you're running FDE or not on the laptop they steal, or whether it would be bricked or not. They can always sell it for its parts (screen, etc.) anyway.

It actually is a mechanism to reduce impact of theft. Someone with access to your computing hardware might modify it to subvert the system, read keystrokes, decrypt drive, leak it, and so on. This can be as simple as Customs installing something as you leave the country during an "inspection" then reading keys right off when you come back. Not saying it happens so much as a concern we had during a brainstorm. Or someone plugging an attack tool into your FireWire port while you take a piss at Starbucks. Or you plug in USB drive they dropped with a radio and attack kit in its connector.

Whereas, if someone straight-up steals it, they have no chance of recovering data if the encryption is strong and key isn't in memory (e.g. cold boot). You can also transmit media through untrusted channels that way. Even NSA's Inline Media Encryptor, which inspired my designs, has that use case.

>It actually is a mechanism to reduce impact of theft.

Sure, but that's different from anti-stealing (and I mean stealing the machine of course, not the data).

I did not know that, but at least they can't get my data. The machine is costly, but my work is much more so!

I use FileVault too on the laptop and it's fine. On the desktop it boggles the Bluetooth (El Capitan) and related devices (keyboard/mouse) which is VERY annoying.

Thx. I am a relatively new Mac user and didn't realize this existed. Will try this. Any weird issues or edge cases to consider before turning this on?

Yes. FileVault is awesome, but if your encrypted filesystem ever gets corrupted (which can and does happen), your encrypted data is useless and your volume is toast until it's wiped and re-imaged. Surprisingly I have never had this happen, but more than one friend has reported losing their data due to FS corruption with FileVault enabled. I suppose it can be mitigated with a solid Time Machine/backup routine.

Yep, happened to me and I've never used FileVault again.

I had a Time Machine backup too but hadn't synced recently and ended up doing a bunch of hackery to recover the un-synced data :(

I much prefer 2FA & revocable certificates on remote accounts so I'm not worried about unauthorized access, and anything else important is encrypted independently.

I have used FileVault since it was released many many years ago. In the beginning there was a fairly severe performance penalty, but it's solid now. I highly recommend using it. On an SSD, at least, but spinning disks + FileVault is borderline unusable IMO.

+1 for Arq

"I feel relatively ok about losing my machine." Does that mean you'd feel enthusiastic about donating it? :)