updated 04:30 pm EDT, Fri August 31, 2012
New 'white paper' added to growing list of educational docs
Apple has published a new white paper on FileVault 2, the whole-disk encryption and security tool first introduced in OS X 10.7 Lion. The document describes deployment methods for the technology and provides extensive information about the utility's architecture and implementation in OS X.
Apple details three different models of FileVault implementation. First, the self-service method, where an independent user enables the utility with little or no support from IT personnel. Second, an à la carte method, which Apple refers to as the "cafe" strategy. The cafe strategy is user driven, but information technology personnel offer a limited selection of options and settings covering initial installation through recovery, if needed. A third method illustrates a centralized setup in which IT determines the entire FileVault strategy and handles all details, including recovery.
FileVault 2 is an improvement over the home folder-only encryption offered in the initial version of the software. The algorithm used for block encryption is XTS-AES with a 128-bit key, optimized for 512-byte storage blocks. The whole-disk strategy employed for FileVault 2 bypasses its predecessor's problem with backup software -- a fully encrypted disk is transparent to backup software when the operating system is running. The software uses the user's login password as the encryption pass phrase.
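To make the per-sector behavior of XTS-AES-128 on 512-byte blocks concrete, here is an added example (not code from Apple's white paper) using the third-party `cryptography` package, which is assumed to be installed; the key, sector numbers and sector contents are constructed for the demo. It also shows the caveat that XTS provides confidentiality only: flipping a ciphertext bit silently corrupts one 16-byte block on decryption rather than being detected.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512          # FileVault 2 encrypts 512-byte storage blocks
AES_BLOCK = 16             # XTS tweaks each 16-byte AES block within a sector
DEMO_KEY = bytes(range(32))  # constructed: two 128-bit keys -> AES-128-XTS
DEMO_SECTOR = b"\x00" * SECTOR_SIZE  # constructed: an all-zero sector


def sector_tweak(sector_number: int) -> bytes:
    """XTS tweak: the sector number as a 128-bit little-endian value (IEEE P1619)."""
    return sector_number.to_bytes(16, "little")


def xts_encrypt_sector(key: bytes, sector_number: int, plaintext: bytes) -> bytes:
    if len(key) != 32 or len(plaintext) != SECTOR_SIZE:
        raise ValueError("need a 32-byte XTS key and one full 512-byte sector")
    enc = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xts_decrypt_sector(key: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    if len(key) != 32 or len(ciphertext) != SECTOR_SIZE:
        raise ValueError("need a 32-byte XTS key and one full 512-byte sector")
    dec = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def damaged_blocks(key: bytes, sector_number: int, ciphertext: bytes, flip_at: int) -> set:
    """Flip one ciphertext bit and report which 16-byte blocks decrypt incorrectly.

    XTS has no integrity check, so the flip is not detected; it just garbles
    the single AES block containing the flipped byte.
    """
    original = xts_decrypt_sector(key, sector_number, ciphertext)
    tampered = bytearray(ciphertext)
    tampered[flip_at] ^= 0x01
    recovered = xts_decrypt_sector(key, sector_number, bytes(tampered))
    return {
        i // AES_BLOCK
        for i in range(0, SECTOR_SIZE, AES_BLOCK)
        if recovered[i:i + AES_BLOCK] != original[i:i + AES_BLOCK]
    }


if __name__ == "__main__":
    c0 = xts_encrypt_sector(DEMO_KEY, 0, DEMO_SECTOR)
    c1 = xts_encrypt_sector(DEMO_KEY, 1, DEMO_SECTOR)
    print("same plaintext, different sectors, different ciphertext:", c0 != c1)
    print("blocks corrupted by a one-bit flip at byte 100:", damaged_blocks(DEMO_KEY, 0, c0, 100))
```

Decrypting a sector with the wrong sector number yields garbage, which is why identical content in different sectors does not leak equality through the ciphertext.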