Cybersecurity delusions: encrypting your internal disk drive
This article is both a follow-up to my previous article on cybersecurity and a piece of heresy. It is prompted by Apple’s decision that FileVault, the utility which encrypts your internal disk drive, should be switched on by default for those upgrading to the latest version of MacOS (Tahoe). Mac users upgrading from an earlier version of MacOS will receive a notification that (a) FileVault will encrypt their internal disk drive, and (b) they should look for their FileVault recovery key. Most will either ignore or casually accept the change without further thought. Those who take this path may find themselves in a world of pain at some point in the future, if things go wrong.
But, first, what is the point of disk encryption? The intention is that if your laptop or desktop is stolen, the thief or anyone else who has access to your computer will not be able to read the files stored on its internal disk drive. Please forgive me for a degree of laxity in using the conventional term “disk drives”, since most Macs on sale today and for several years past rely upon solid state drives (SSDs), which are just specialised memory chips. The crucial point is that their interface with the computer is identical to that for older mechanical disk drives based on magnetic rotating disks.
A decade or more ago an unencrypted disk drive could be removed from one computer, installed in a suitable device with the correct interface, and all the files read, perhaps using special software. That, of course, is part of what the police and security agencies do when they confiscate computers used by suspects. Disk encryption is intended to prevent easy – and sometimes any – access to files stored on computer disk drives. Surely, this is obviously a good thing, except for investigatory agencies, though they may be able to use specialised software to decrypt disk drives.
There is a major problem with this description. The technology of computers and disk drives has changed radically. Most new laptop and desktop computers sold in the last 5 years include security chips (under different names) which automatically encrypt internal disk drives. Specifically, most Mac Intel and Apple Silicon computers released since 2017 have automatic hardware encryption for their internal disk drives. The picture is more mixed for Windows computers, but my focus here is MacOS and Mac computers.
Disk encryption provides no protection if someone wanting to access your files has both your computer and your password, because then the computer does not know the difference between you and anyone else with the same information.
On modern Mac computers, FileVault adds a second layer of encryption, i.e. it encrypts files before they are encrypted again. Since both layers of encryption rely on the hardware, the overhead of double encryption is very low. Double encryption is much harder to break than single encryption, so FileVault on top of hardware encryption is more secure than the automatic hardware encryption alone. Still, FileVault provides no protection against anyone who has your login password.
However, that is not the real point of FileVault. This only becomes clear if you forget or lose your login password. If FileVault is not on, you can reset your password either by using your Apple ID – i.e. by accessing data stored by iCloud – or by restarting your Mac in Recovery Mode and using the resetpassword program, which also uses your iCloud account. What FileVault does is to block both options and force you to use the FileVault Recovery Key, which is, in effect, a second password linked to your original password when FileVault was initialised.
Hence, FileVault protects against theft of your data not because of additional encryption but because it blocks attempts to reset your login password by someone with unauthorised access to your computer. However, there is an important consequence of blocking attempts to reset your login password. You too cannot reset the login password, unless you have your FileVault Recovery Key. From the point of view of MacOS with FileVault on, you are no different from any unauthorised person, unless you know either your login password or your Recovery Key.
This brings us back to the inescapable problem of cybersecurity. The primary source of security lapses is people, not hardware. The standard advice for FileVault is that you should write down the FileVault Recovery Key and store it in a safe. Really?? Alternatively, the suggestion is to store the Recovery Key in a secure password manager, in which case the key is only as secure as the password manager’s password and cloud database. Many people rely on storing passwords and security keys on a smartphone with biometric security, but what happens when the phone is stolen or lost?
The risk that FileVault may be switched on by default without the user being aware of the implications is not limited to those upgrading to MacOS Tahoe. New Macs – and new installations of MacOS on old Macs – have had FileVault switched on by default for versions of MacOS released in the last 2-3 years. I have not been able to establish when this practice became standard. Again, how many users of such Macs know that and have a backup copy of their FileVault Recovery Key? How many of them will lose access to their data because they did not understand what Apple was doing to try to make them safe? There are many reports of people who have found themselves in that position.
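The two questions raised above (is FileVault on, and is there a Recovery Key you can actually use) can be checked from the Terminal while you still know your login password. This is an added example, not from the article or from Apple; it assumes macOS with the fdesetup(8) tool (most subcommands need sudo), and the helper functions take command output as arguments so the classification logic can be exercised on its own.

```shell
#!/bin/sh
# Added example: report FileVault state and whether a personal Recovery Key
# exists, then say what to do about it. Assumes macOS with fdesetup(8).

# Map the text printed by `fdesetup status` to On / Off / Unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo On ;;
        *"FileVault is Off"*) echo Off ;;
        *)                    echo Unknown ;;
    esac
}

# Given the state and the true/false answer from
# `fdesetup haspersonalrecoverykey`, return a one-line recommendation.
recovery_advice() {
    state=$1; haskey=$2
    if [ "$state" != On ]; then
        echo "not-encrypted: password reset via Apple ID or Recovery Mode is still available"
    elif [ "$haskey" = true ]; then
        echo "encrypted: confirm your written-down key now with 'sudo fdesetup validaterecovery'"
    else
        echo "encrypted-without-personal-key: create one with 'sudo fdesetup changerecovery -personal'"
    fi
}

# Live check; skipped silently on systems without fdesetup.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(filevault_state "$(fdesetup status 2>/dev/null)")
    haskey=$(sudo fdesetup haspersonalrecoverykey 2>/dev/null)
    echo "FileVault: $state"
    recovery_advice "$state" "$haskey"
fi
```

`fdesetup validaterecovery` prompts for the key and reports whether it matches this volume; run it before you need it, because creating a replacement key with `changerecovery` requires the login password the article warns you may lose.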
There is a genuine problem that the use of FileVault is trying to address. Computers are frequently stolen or mislaid, especially laptops. Knowledgeable thieves or those who acquire stolen computers can take advantage of data that is stored on stolen machines. If you are a person whose life is stored on a laptop that could go missing while you are travelling, then switching FileVault on is probably a no-brainer. I have been through similar experiences and know the angst caused by losing a laptop.
But, but, … I am not convinced that switching on FileVault is a sensible choice for those who have Mac computers that they only use either at home or in an office. These are most users. Very many of them are users with limited or no tech savvy. The whole point of a Mac is that it is convenient for precisely such users. Many do not have adequate backup arrangements and don’t use password managers. What is the greater risk for such users? Having their desktop stolen and the data on it compromised? Or losing their password and, with it, access to all their photographs or tax records? In my view, the latter risk is much greater and the impact much larger for the typical unsophisticated user.
Cybersecurity dogma is primarily written for corporate and government users with reasonable backup procedures and collective arrangements for storing Recovery Keys. In that environment, Apple’s default of switching FileVault on is understandable. However, I am not convinced that is who Apple should be setting the default for. Corporations have their own policies and can easily establish guidelines for their users.
The default MacOS settings should be for those who do not work in such environments. For non-corporate users, the defaults should take more account of human factors by recognising that backup arrangements are patchy at best and the risks of losing passwords are much higher. For such users, the default should be that FileVault is switched off with advice that laptop users who travel frequently should switch it on.
Hence, my heresy is: don’t accept the MacOS default! Turn off FileVault and think hard about which risks matter most to you.
Let me end by emphasising that setting a good but memorable login password is the first critical component of computer security. Ignore the nonsensical passwords that Google will suggest, as there is no chance of remembering them. Use a combination of three meaningful but unrelated words with a total length of 16-18 letters. Don’t try to set different passwords for different computers – it never works well. Finally, don’t change your login password if your operating system asks you to do that every few weeks or so, as Windows does. You will probably forget the new password, and you won’t record it consistently and safely. In some versions of Windows, you can set a user password never to expire.
This is all cybersecurity fluff. It is better to set a good password rather than one which expires at regular intervals. To emphasise that I live by my own advice, I have FileVault set on for my travelling laptop but not for desktop computers. And, I am obsessive about backup in multiple formats and locations, including in the cloud.

Thought-provoking discussion on encryption trade-offs. The balance between security through encryption and practical usability remains a fundamental challenge in cybersecurity implementation.
I haven’t “upgraded” my old iMac yet and in the light of this doubt I will. The issue is, of course, the trade-off between security and convenience, which I thought Apple had learned with the iPhone; fewer people will complain and less loudly if, having lost or destroyed their phone or had it stolen, Apple can restore all their photos. People see losing access to their bank account as their own problem, but losing the photos of their family because Apple automatically encrypted an iCloud backup? That’s Apple’s fault.
The answer, at least as I see it, is don’t risk total loss of everything by deep encryption that may bite you later. Focus on protecting just the few things that (1) thieves may be interested in; and (2) matter to you. Your savings account? Access from a desktop in your house and nowhere else. Use a strong password and two-factor identification, preferably biometric and not your mobile phone. The “old fashioned way” of your bank calling your landline and dictating a four-digit, time-limited, one-time code is surprisingly robust.
I’m of the view that my life is sufficiently mundane that there’s very little anyone could expose that would be worse than transient embarrassment. I think that’s the test on whether to use deep encryption. Only one caveat: if you have a professional obligation to protect client information, cover yourself by doing so.