Encryption uses a key to transform plain text information so that it is unreadable to anyone without the decryption key. Encryption can protect both information on disk and information in transit over a network.
Mac OS X Server includes FileVault, which can encrypt your home folder and all the files contained within it. You should enable FileVault on mobile computers and on any other machines whose physical security cannot be guaranteed. Enabling FileVault copies all data from your home folder into an encrypted home folder a sparse-bundle disk image that uses AES-128 encryption.
After copying, FileVault erases the unencrypted data. The home folder’s sparse format allows the image to maintain a size proportional to its contents, which can save disk space. When files are removed from a FileVault-protected home folder, the space is reclaimed on logout. If you insecurely delete files before using FileVault, those files are still recoverable after activating it. By default, FileVault insecurely erases the unencrypted data.
You should enable the secure erase option when enabling FileVault on a home directory, so that your unencrypted data is securely erased. When initially enabling FileVault, you also can securely erase free space using Disk Utility or the diskutil shell tool. The following command will securely erase free space on the boot drive with one pass of random data:
# diskutil secureErase freespace 1 /
FileVault does not encrypt or protect files transferred over the network or saved to removable media. However, you can create an encrypted disk image separate from FileVault that can protect files outside the home directory. If you mount these encrypted images over a network link, all data transmitted over the network will be encrypted with AES-128 encryption.
See “Encrypting Disk Images” later in this post for more information. To set up FileVault, you should create a master password. If you forget your login password, you can use the master password to recover encrypted data. If you forget both your login password and your master password, you cannot recover your data. Consider sealing your master password in an envelope and storing it in a secure location. You can also use Password Assistant to help create a complex master password that cannot be easily compromised.