Macworld

Set up a New Mac securely

If you’re setting up a Mac from scratch, you can make a number of baseline choices, writes Glenn Fleishman

When you get a new Mac, how can you make sure you’ve set it up to be as secure as possible? If you walk through a completely fresh installation process, Apple tries to guide you into making the most-secure choices among alternatives, but it’s probably the worst time to try to sort out the options available and make those decisions.

A reader asked for advice for the next time they start from scratch, and I can offer that in this column. However, all of my suggestions can work just as well as later additions, whether you’re reinstalling OS X, installing and then migrating from a different Mac, or just continuing to use an existing installation. It’s better to set this up first, but it’s never too late to add layers.

Say yes to FileVault 2

FileVault 2, introduced in OS X 10.7 Lion, is Apple’s name for full-disk encryption (FDE). With FileVault 2 enabled, OS X starts up using the OS X Recovery partition instead of booting directly from your startup volume, which presents an account login selection screen. OS X uses that to unlock an encryption key, which is in turn used to decrypt your startup volume in real time, and the regular boot proceeds. When powered down, the entire contents of your drive are strongly encrypted.

There’s a secondary advantage with SSDs, which distribute writing new data to avoid excessive wear on specific flash memory cells, as flash eventually degrades. Without FileVault 2 enabled, there’s no absolutely secure way to delete data permanently on an SSD; with it enabled, fragments scattered around an SSD are encrypted, making recovery effectively impossible.

With a new system. Starting with OS X 10.10 Yosemite, Apple enables FileVault 2 during the setup or upgrade process unless you uncheck the Turn On FileVault Encryption box during that stage of the setup. You can choose to use iCloud as a backup method to unlock the disk; if the iCloud option is unchecked, create a recovery key. If you forget your password, either iCloud or the Recovery Key will be your only way to unlock the disk—the data is otherwise lost forever.

With an existing installation. Follow these steps:

● Open the Security & Privacy system preferences pane.

● Click the FileVault tab.

● Click Turn On FileVault.

● Decide whether you want to use iCloud or a Recovery Key as a backup if you can’t recall your password.

● Select which accounts can start up the Mac after it has been shut down and unlock the startup volume.

● Click Restart to begin the process.
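To confirm from Terminal that the steps above took effect, and to tell a finished volume from one that is still being converted, the status text from Apple's `fdesetup status` command can be classified as in this added example (not part of the original article). The function names and sample outputs are constructed here, and the exact status wording matched is an assumption about what `fdesetup` prints on these OS X releases.

```shell
#!/bin/sh
# Added example: classify the text printed by `fdesetup status`.
# The matched strings are assumed wording; the samples below are constructed.

# filevault_state TEXT -> on | off | encrypting:NN | decrypting:NN | unknown
filevault_state() {
    # Pull the percentage from a progress line, if one is present.
    pct=$(printf '%s\n' "$1" |
        sed -n 's/^.*in progress: Percent completed = \([0-9][0-9]*\).*$/\1/p' |
        head -n 1)
    case $1 in
        # Progress lines win: the volume is not fully converted yet.
        *"Encryption in progress"*) echo "encrypting:${pct:-?}" ;;
        *"Decryption in progress"*) echo "decrypting:${pct:-?}" ;;
        *"FileVault is On."*)       echo "on" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# filevault_ok TEXT -> exit status 0 only when encryption is on AND complete.
filevault_ok() {
    [ "$(filevault_state "$1")" = "on" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DONE='FileVault is On.'
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 37'
SAMPLE_OFF='FileVault is Off.'

# On a Mac, report the live state; elsewhere this block is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    live=$(fdesetup status 2>&1)
    echo "FileVault state: $(filevault_state "$live")"
    filevault_ok "$live" || echo "Startup volume is not fully encrypted yet."
fi
```
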

The FileVault process can’t be halted once it’s underway, and it can slow down normal system performance. Start it on a Friday afternoon so it can run for hours or days. (You can disable

FileVault encrypts the entire contents of a drive; when powered down, a Mac can’t be cracked by any currently known means
