Encrypt the startup volume with Core Storage without FileVault
Two days after I added this answer, Apple published a technical white paper: Best Practices for Deploying FileVault 2 – Deploying OS X Full Disk Encryption Technology (PDF). At a glance, some of what I describe below seems to be described by Apple as:
Preparation
- Backup
- start Recovery OS
- use Disk Utility to erase the startup volume – Mac OS Extended (Journaled, Encrypted)
- restore
- give the passphrase for the volume to AdminGuy.
Hint
At step 4 above, use a method that preserves the Apple_Boot slice (sometimes named Boot OS X, sometimes named Recovery HD) whilst restoring the JHFS+ startup volume.
To validate this answer, I used Disk Utility for that step. (I'm less familiar with restoration capabilities of Time Machine.)
The resulting EfiLoginUI:
As Disk Password has an avatar/icon, it's clear that Apple considers scenarios such as this.
Normal use thereafter
- Alongside named users, EfiLoginUI presents Disk Password
- AdminGuy can select Disk Password
- AdminGuy can enter the passphrase to unlock the CoreStorage-protected startup volume
- when loginwindow appears, select the required user.
Users may change their login passwords. The phrase for Disk Password will remain unchanged.
You need not use the FileVault areas of System Preferences but if you do, most things work as expected.
The machine pictured above is perfectly clean, restored from a Mountain Lion template that I created following installation of the OS (at the Welcome screen I shut down, then used Disk Utility to image all partitions/slices of the disk). I proceeded to create a user, then enabled that user for FileVault:
The resulting EfiLoginUI – one named user alongside the Disk Password option:
Appearance bug
System Preferences in Build 12A269 of OS X 10.8 may state that FileVault is enabled, with a recovery key set, when the key is no longer applicable. (Assume that an erased volume, with a possibly different passphrase, will not accept a recovery key that was set before erasure. A more definite opinion may be drawn from Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (2012).) I have reported bugs to Apple.
Photographs above are of the USB flash drive that I used to validate this answer.
Photographs below are of the internal drive that I use every day.
EfiLoginUI – two named users enabled for FileVault, the Disk Password option, and the Guest User:
loginwindow – all named users:
Best Answer
If you don't require the password when you wake from sleep, then you are leaving yourself open to someone taking control of your data. That is regardless of FileVault.
If you have password set, then the data is still protected from being viewed in a similar method to it being on a locked file vault volume. You can also set a MDM profile to have the FileVault keys destroyed in RAM when the machine enters sleep, so that's pretty much as good as powering off in my book:
For anything but a highly motivated and skilled adversary (think NSA or FBI) - the extra security you get by powering down the Mac is hard to estimate or differentiate from a locked screen.
That being said, you should turn on FileVault if you have an SSD since there is no other way to ensure destruction of sensitive data other than destroying the key that decrypts data on the drive. You can then decide to sleep or to power off based on how secure you judge your physical environment and the data you have on your Mac from moment to moment.