I’m one of the brave guys who updated his MacBook Pro to Mac OS X 10.7 (aka Lion).
The main reason (apart from being a fanboy and pain seeker) is the full disk encryption (FDE) that is now built in. It replaces the basically useless FileVault that was in place before Lion.
In principle the FDE works fine once you have enabled it. It can be turned on later and runs in the background without a noticeable performance hit.
But last week, out of curiosity, I started Disk Utility to check if my volume was still healthy. Disk Utility stated that my partition needs a repair. As Lion now has a recovery partition with a basic operating system and tools, I thought this would be an easy task. I’m such an optimist…
Booting into the recovery OS is easy. Just press Command + R during boot. Then I started Disk Utility from there. Of course my main partition is still encrypted at this point, but Disk Utility has got an “Unlock” button.
But my password for the disk encryption doesn’t seem to work. My initial thought was the special characters in my password. I noticed that the keyboard layout was set to English. One could pick German from the little flag in the upper right corner, but it instantly snaps back to US English. First bug…
So I booted into the normal OS again to change my FDE password to something simpler. Booted again into the recovery OS and tried to unlock the partition. No luck either. I also noticed that the password hint field was empty although I had explicitly typed in something initially.
Out of curiosity I tried to change the password from the Disk Utility of the recovery OS. It accepted the password I typed in (the new one) as well as the new password without complaint. Yet I still couldn’t unlock the FDE partition with any of those passwords.
So I decided to start the main OS in single user mode (press Command + S during boot) to do a manual repair (/sbin/fsck -fy). Guess which password could open the encrypted partition? Right, none of my new passwords could decrypt the partition. Instead my original password still worked. At least the manual repair did work without any problems.
Conclusion: FDE seems to work (OK, I didn’t actually check the bytes on the disk to see if they are really encrypted). But the tools to deal with FDE seem fundamentally broken in 10.7.1.