Mac OS X 10.7 Lion FileVault Whole Disk Encryption Benchmark Comparison

One of the exciting features unique to Mac OS X 10.7 Lion is the new and improved FileVault.  Greatly enhanced over the implementation found in Snow Leopard (OS X 10.6), the new version allows users to fully encrypt the system’s boot drive as well as entirely encrypt additional data drives such as USB or FireWire externals, or even USB thumb drives.  This is welcome news to mobile users.  Now MacBook users can travel with additional safety and security.

Once FileVault is activated, the system must reboot.  The OS then begins encrypting the boot drive in the background, allowing the user to stay productive, as the encryption procedure can take some time.  Once the boot drive has encryption activated, it is no longer possible to boot the computer without first entering login information.  Let me go over that again so I can clarify.  Normally the system boots up and then prompts the user to enter login credentials prior to gaining access to their data.  But once FileVault has been activated, a username and password must be entered before the machine will even begin the boot process.

This makes for some really slick security.  And since the login process is moved to the point prior to the system booting, it’s no longer necessary to enter a login at the end of the boot process… the user is brought right into the associated user account and is ready to go.

It’s also possible to encrypt secondary hard drives, internal or external.  Unfortunately, this is not nearly as intuitive or nondestructive as encrypting the boot volume.  In order to encrypt a secondary drive the user must open Disk Utility and repartition the desired drive by selecting the encrypted option from the Format menu.  As one might expect, running this operation will wipe out any and all data on the drive.  As of this writing, there is no nondestructive method for encrypting secondary hard drives.  The scorched-earth approach appears to be the only way.  So be sure to back up any data on the drive you wish to encrypt, or make sure you encrypt your new drive before you move data onto it.

Now that we’ve covered the little points of contention, let’s take a look at what sort of performance is sacrificed in the name of security.  Since encryption encodes data into a secure format as it is written to the drive (and decodes it as it is read back), the process has potential costs in both processor overhead and disk access speed.  In 10.7’s promotional documentation, Apple simply lists both potential downsides as either insignificant or inconsequential.  So I took the opportunity to run some benchmarks in order to see what sort of performance hit is really involved.

First of all, there does not appear to be a noticeable performance hit on the processor, at least on my test machine: a MacBook Pro 15” 2.2GHz Intel i7.  I ran some tests on a low-end MacBook with a Core 2 Duo and didn’t notice much processor overhead in that situation either.

When it comes to disk access, things become much easier to quantify.  I used SpeedTools Utilities 3.7, QuickBench version 4.04 for testing.  My MacBook Pro boots from an OWC Mercury Extreme Pro 240GB SSD.  I have replaced my optical drive with the MacBook’s stock 750GB HDD which is mounted in the empty optical bay.

I ran a benchmark on the system’s boot SSD prior to encrypting the drive, then again the next day after I was sure that the background encryption process had finished securing the volume.  Since the boot drive’s initial encryption is done in the background, it was essential to make sure the process was complete before running the second benchmark.  The before and after results are shown in the following graph.

Next I ran a benchmark on the 750GB conventional hard drive.  Once this was complete, I reformatted the drive using the Disk Utility and selected the encrypted partition type.  Since this process is not done in the background, there was no worry about waiting for a background process to complete.

My secondary drive was not tested as a boot drive, but it was running on the MacBook Pro’s internal bus.  Its scores should reflect performance relative to a MacBook Pro booting from a stock HDD.  The before and after results are as follows.

As the benchmarks show, there is a clear performance impact resulting from the use of whole disk encryption.  That said, it is not unreasonable.  I have been working on this system for several weeks and have never once felt that the disk I/O was performing with any degradation.  I routinely move both small and large files between my SSD boot drive and the HDD that I use for the bulk of my data and media.  I also move many large files across both my home and work networks without noticeable lag.

While the numbers speak for themselves, the user experience is more difficult to quantify.  But from my personal experience, the performance lost to encryption is more than made up for in the fact that my data is safe and secure and will not be accessible even if I lose my laptop or it is stolen.

Another interesting feature promised in Mac OS X 10.7 was the ability to remotely wipe a laptop’s hard drive.  The idea is that if the laptop were lost or stolen, the data on the machine could be remotely purged for an additional level of security.  So far, I haven’t found any mention of the method for doing this or located the software facilities needed to make this work.  My guess is that this feature won’t become available until iCloud ships as part of OS X 10.7.2 later this fall.

The remote wipe feature combined with whole disk encryption makes for one very powerful security combo.  Let’s just hope the right people are using it.  No more banks losing credit records or government offices losing sensitive constituent info.  With this sort of security built into the operating system, there really is no excuse for data falling into the wrong hands.


Steve

7 Responses to Mac OS X 10.7 Lion FileVault Whole Disk Encryption Benchmark Comparison
  1. Thomas

    Actually, while you are correct that there is no intuitive way to non-destructively encrypt a secondary non-boot drive, you can actually use the diskutil command line tool to do this.

    > diskutil cs convert [disk name] -passphrase [mypasscode]

    This will non-destructively convert a volume into a Core Storage volume which may optionally be encrypted.
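Added example, not code from the post or from the commenter above: a small POSIX shell script that parses the text `diskutil cs list` prints and reports, for every Core Storage logical volume family, whether encryption has finished. It addresses the caveat in the post about waiting for the boot volume’s background encryption to complete before running the second benchmark, and it applies just as well to a secondary drive converted with the `diskutil cs convert` command in the comment above, since that conversion also proceeds in the background. The field names and values it matches (`Logical Volume Family`, `Encryption Type:`, `Conversion Status:`, `Fully Secure:`, `Conversion Progress:`, `LV Name:`) are assumed from the shape of Lion’s listing and should be confirmed against a real machine; the embedded sample listing is constructed, and the script falls back to it when `diskutil` is not present.

```shell
#!/bin/sh
# Added example, not code from the post or its commenters.
# Reports, per Core Storage logical volume family, whether background
# encryption has finished, by parsing the text `diskutil cs list` prints.
# ASSUMPTION: the field names and values matched below follow Lion's
# listing format; confirm them against `diskutil cs list` on your own Mac.

# Constructed sample in the shape of `diskutil cs list` output: a boot SSD
# whose encryption is complete, a secondary drive still converting, and a
# Core Storage volume that was never encrypted.
SAMPLE='CoreStorage logical volume groups (3 found)
|
+-- Logical Volume Group AAAAAAAA-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume BBBBBBBB-0000-0000-0000-000000000002
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family CCCCCCCC-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Fully Secure:            Yes
        |
        +-> Logical Volume DDDDDDDD-0000-0000-0000-000000000004
            Disk:                  disk1
            Conversion Progress:   -none-
            LV Name:               Macintosh HD
+-- Logical Volume Group EEEEEEEE-0000-0000-0000-000000000005
    Name:         Data
    |
    +-> Logical Volume Family FFFFFFFF-0000-0000-0000-000000000006
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Fully Secure:            No
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000007
            Disk:                  disk2
            Conversion Progress:   37%
            LV Name:               Data
+-- Logical Volume Group 11111111-0000-0000-0000-000000000008
    Name:         Scratch
    |
    +-> Logical Volume Family 22222222-0000-0000-0000-000000000009
        Encryption Type:         None
        Conversion Status:       Complete
        Fully Secure:            No
        |
        +-> Logical Volume 33333333-0000-0000-0000-00000000000a
            Conversion Progress:   -none-
            LV Name:               Scratch'

# cs_report: read `diskutil cs list` text on stdin and print one line per
# logical volume family:
#   <LV name>: complete | complete (not fully secure) | converting <pct> | unencrypted | unknown
cs_report() {
  awk '
    # each "Logical Volume Family" header starts a new record
    /Logical Volume Family/ { n++; type[n] = ""; conv[n] = ""; secure[n] = ""; pct[n] = ""; name[n] = "" }
    n == 0 { next }                          # skip the group/physical-volume header before the first family
    /Encryption Type:/      { type[n] = $NF }
    /Conversion Status:/    { conv[n] = $NF }
    /Fully Secure:/         { secure[n] = $NF }
    /Conversion Progress:/  { pct[n] = $NF }
    /LV Name:/              { sub(/^.*LV Name:[ \t]*/, ""); name[n] = $0 }
    END {
      for (i = 1; i <= n; i++) {
        if (type[i] == "None" || type[i] == "")
          state = "unencrypted"
        else if (conv[i] == "Complete")
          state = (secure[i] == "Yes") ? "complete" : "complete (not fully secure)"
        else if (conv[i] == "Converting")
          state = "converting " pct[i]         # still encrypting: do not benchmark yet
        else
          state = "unknown"
        printf "%s: %s\n", name[i], state
      }
    }'
}

if command -v diskutil >/dev/null 2>&1; then
  diskutil cs list | cs_report             # live report on a Mac
else
  printf '%s\n' "$SAMPLE" | cs_report      # offline demo on the constructed sample
fi
```

On the sample the script prints `Macintosh HD: complete`, `Data: converting 37%` and `Scratch: unencrypted`; the benchmark in the post should only be repeated once every family you care about reads `complete`.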

  2. smanke

    @Thomas

    Thanks! Great tip! I didn’t see that anywhere in the docs. It seemed like it should be possible. Well done!

  3. jim

    This is interesting, but I’m confused by the charts. What is the metric on the x-axis? Seconds, I/O per second, something else? Looking at the charts as they are presented, I would expect an encrypted disk to actually perform _better_ than an unencrypted disk.

  4. Paul

    Jim sounds crazy… he should probably move out of his Mom’s house. Kidding. In all essence, the process of encrypting and decrypting will always be slower, because it takes more resources to process the data.

  5. smanke

    I was a little disappointed by the graphing software, in this case MS Excel. It didn’t let me label the axes the way I would have liked.

    But it seems logical to me that there is a performance hit as the data has to be cyphered before it is written and after it is read from the hard drive. I was just glad the system did not bog down from the overhead.

    I had tried FileVault under an earlier version of the OS and it killed my ability to capture video. Too much overhead was causing dropped frames. So I turned the feature off and never went back. I won’t even get into the ham-handed way the earlier version of the OS stored everything as a copy of the home folder in an encrypted disk image. That just seemed like a goofy workaround. 10.7’s FileVault finally uses whole disk encryption and is much more elegant.

  6. Thomas

    Every test that has come out since Lion went final has shown that there is a performance hit. Now there has been disagreement over how much of a performance hit — some have shown a small 5-10 percent hit, others have shown up to 25 percent — it probably varies quite a bit by model, controller, and workflow. Most agree though that the performance hit on an SSD will be unnoticeable to most people. I have had FileVault enabled on the SSD in my MBP for a week and the performance hit has not been evident in my use (heavy browsing, compiling, email, gaming, and some VMWare.)

    The new FileVault is a fantastic solution that everyone with a laptop should have enabled. If it is a “work” laptop it would seem to be a no-brainer if you have confidential or proprietary information. But even for a home/personal user of a computer, you probably have lots of information (essentially, your life or identity) which you wouldn’t want out in the wild should your laptop be stolen or lost. This is essential stuff!

  7. Nkosinomusa

    Would love to use Sophos SafeGuard as the Symantec PGP product dies with every update, so I can choose between staying updated or staying encrypted. But I am a home user :(, hopefully, maybe the encryption can be added to the Sophos for Mac that I run now.
