Apple Pro Training Series: OS X Support Essentials 10.10: Supporting and Troubleshooting OS X Yosemite: FileVault Technology
Reference 10.1 FileVault Technology
In OS X Lion and later, FileVault 2 protects the entire system volume by converting it to Mac OS Extended (Journaled, Encrypted) format, which uses XTS-AES 128 encryption. This adoption of a full-system volume encryption scheme resolves all the limitations of Legacy FileVault by performing the encryption at the file system driver level of the operating system. In other words, most processes and applications don’t even know the system volume is encrypted, so they simply behave as usual.
This was not the case with Legacy FileVault, where the system and applications were unable to access the contents of a user’s encrypted home folder when the user was logged out of the system. By encrypting the entire system volume, FileVault 2 in OS X Lion and later provides better protection than Legacy FileVault did. Further, because the current version is fully supported by Apple, changes to Apple hardware and software should no longer cause compatibility issues.
The current FileVault solution is more than just a new volume format; it’s a system of new technologies that enables your Mac to transition from a standard system volume to a protected system volume. Full details of all the changes required to engineer FileVault are beyond the scope of this guide, but the primary new technologies instrumental in the current version include seamless volume format conversion, user account password synchronization, secure key storage on Apple servers for lost password recovery, OS X Recovery for initial system startup, and a new firmware login window.
You can see many of these new pieces at work during startup to an encrypted system volume. What was traditionally a straightforward task—starting up the system—takes on a new level of complexity when you can’t read the system volume to start with. Thus, Apple had to devise a method to authenticate and access the protected system volume during startup.
When starting up from an encrypted system, the Mac actually starts from the hidden OS X Recovery HD volume first, to present users with a login window. Users enter their account password, which is then used to access the decryption key that ultimately unlocks the protected system volume. Once the Mac has access to the system volume, startup continues normally, with one exception: Users, having already authenticated to unlock encryption, are automatically logged in to their accounts.
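Because the conversion to the encrypted format described above happens in place, a support technician auditing a Mac needs to distinguish a volume that is fully converted from one that is still converting or was never encrypted. The following is an added example, not part of the original text: it classifies the text printed by `diskutil cs list`. The function name `fv_state`, the sample data, and the matched field names and values are assumptions to confirm against the OS X release in use.

```shell
#!/bin/sh
# Classify each CoreStorage Logical Volume Family from `diskutil cs list`
# text on stdin: encrypted, converting, or unencrypted.
# Assumption: the field names and values matched below ("Encryption Type",
# "Conversion Status", "Fully Secure") follow the output layout of the
# OS X release being audited; confirm them on a reference machine.
fv_state() {
    awk -F': *' '
        function report() {
            if (!family) return
            if (type == "" || type == "None")               print "unencrypted"
            else if (conv == "Complete" && secure == "Yes") print "encrypted"
            else                                            print "converting"
        }
        /Logical Volume Family/ {
            report(); family = 1; type = conv = secure = ""; next
        }
        { key = $1; sub(/^[ |]+/, "", key)      # drop tree-drawing prefix
          val = $2; sub(/[ \t]+$/, "", val) }   # drop trailing whitespace
        key == "Encryption Type"   { type = val }
        key == "Conversion Status" { conv = val }
        key == "Fully Secure"      { secure = val }
        END { report() }'
}

# Constructed sample: a volume part-way through conversion (placeholder UUIDs).
sample_mid_conversion() {
    cat <<'EOF'
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes
EOF
}

# On a Mac, the real input would come from: diskutil cs list | fv_state
sample_mid_conversion | fv_state    # demo on the constructed sample
```

A volume reported as `converting` still holds unencrypted extents, so an audit should treat it as not yet protected until the state reads `encrypted`.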