Limitations of FileVault 2 and Bootcamp

Platform: Mac OS X
OS Version: 10.7+
Applications: Bootcamp, FileVault
Keywords: Bootcamp, FileVault, PGP, Encryption


Overview

This article describes a major limitation of FileVault 2, the full disk encryption that ships with OS X 10.7 Lion and later, and explains why FileVault 2 is unsuitable for Bootcamp users. Users who run Windows inside a virtual machine (VM) such as Parallels Desktop, VMWare Fusion or Sun VirtualBox are not affected.

Note: This document applies only if you use Bootcamp on your Mac laptop.

Background

Under the Mass General Brigham Laptop Encryption Policy, all partitions on a laptop must be encrypted. Previously, PGP encryption covered users who dual boot with Bootcamp. Since the arrival of Mac OS X 10.7 Lion, Mass General Brigham no longer supports new installations of PGP encryption.

Other encryption software such as FileVault 1 (pre OS X Lion) and TrueCrypt offer a "vaulting" solution, where only a portion of a disk is encrypted. Because FileVault 1 and TrueCrypt cannot encrypt the entire drive, they are unsuitable for laptops used for work-related purposes at Mass General Brigham.

With the advent of OS X Lion, Apple completely rewrote FileVault to offer "full disk encryption". At first glance it would appear to be a suitable method for encrypting a dual-boot laptop. Unfortunately, both internal and outside testing have turned up a major limitation in the way FileVault has been implemented.

With Bootcamp enabled on a Macintosh running OS X Lion or later, FileVault 2 encrypts only the Mac OS X partition. The Windows partition is left completely unencrypted, and its contents can be read by mounting the disk on any system that understands NTFS.
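The limitation above can be checked from the partition map rather than from the FileVault preference pane, which only reports on the OS X volume. The following script is an added example and is not part of this article or of Apple's tooling: it reads `diskutil list`-style output and prints the identifier of every data partition that is not a CoreStorage physical volume (the container FileVault 2 uses on Lion). The sample output is constructed to look like a Lion-era dual-boot laptop, and the script assumes that an `Apple_CoreStorage` partition is FileVault-protected; on a real machine, `diskutil cs list` should be consulted to confirm the encryption status of that volume.

```shell
#!/bin/sh
# Added example (not from the KB article): flag partitions that FileVault 2
# leaves in the clear on a dual-boot Mac. FileVault 2 converts the OS X
# partition into an Apple_CoreStorage physical volume; a Bootcamp partition
# shows up as "Microsoft Basic Data" and is plaintext NTFS.

# Constructed sample in the layout of `diskutil list` (assumed, not captured
# from a real machine).
SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         399.0 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:       Microsoft Basic Data BOOTCAMP                100.0 GB   disk0s4'

# Read diskutil output on stdin; print the IDENTIFIER of each partition that
# holds user data but is not covered by a CoreStorage (FileVault 2) volume.
unencrypted_partitions() {
    awk '
        # skip the column header, the /dev/diskN line and the scheme line
        /^ *#:/ || /^\/dev\// || /partition_scheme/ { next }
        {
            id = $NF                              # last column: diskNsM
            if ($0 ~ /Apple_CoreStorage/) next    # FileVault 2 container
            if ($0 ~ / EFI /) next                # firmware partition, no user data
            if ($0 ~ /Apple_Boot/) next           # Recovery HD, no user data
            print id                              # everything else is plaintext
        }'
}

# Usage on a live system would be: diskutil list | unencrypted_partitions
printf '%s\n' "$SAMPLE_DISKUTIL" | unencrypted_partitions
```

For the constructed sample the script prints `disk0s4`, the BOOTCAMP partition. An empty result means every data-bearing partition sits inside a CoreStorage volume, which is the state the Laptop Encryption Policy requires.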

Ramifications

Because of this flaw, and because no third-party solution for encrypting the Windows partition is available, using Bootcamp on a laptop running OS X Lion or later violates the Mass General Brigham Laptop Encryption Policy.

Due to this issue, the following requirements relate to using Bootcamp on Macintosh laptops used for work-related purposes:

  • We encourage you to purchase a VM software package such as Parallels or VMWare Fusion and transition away from Bootcamp.
  • Purchasers of new Macintosh laptops used for work-related purposes cannot use Bootcamp until a solution is identified.

Mass General Brigham and Research Computing are actively investigating possible solutions and workarounds.

Potential Workarounds

We will continually update this list as we discover and learn about workarounds for the FileVault / Bootcamp limitation.

  • Switch from Bootcamp to a VM environment such as Parallels Desktop or VMWare Fusion, and activate FileVault.

Go to KB0027883 in the IS Service Desk
