Mac OS (X)'s guest accounts can't use other apps beside its Safari?

[Ant]

Hello.

I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
FileVault SSDs. Is there no way to access other apps like Office for
those who need to use it?

Thank you in advance. :)
--
Quote of the Week: "Be thine enemy an ant, see in him(her!) an elephant." --Turkish Proverb
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://antfarm.home.dhs.org (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / Please nuke ANT if replying by e-mail privately. If credit-
( ) ing, then please kindly use Ant nickname and AQFL URL/link.

[David Empson]

Ant <ANT...@zimage.com> wrote:

> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
> FileVault SSDs. Is there no way to access other apps like Office for
> those who need to use it?

If the drive is encrypted with FileVault then the guest account boots
into the recovery partition. There is no access to the main partition
(it is encrypted) and the recovery partition is read only, so there is
no writeable internal storage.

You can't modify the recovery partition to install other applications,
and even if you could, they would not be able to store permissions or
save documents except by using external storage.

Safari is a limited version which is on the recovery partition. It can't
save anything permanently (e.g. bookmarks).

If you want a guest account with more applications then you need to do
something like create a standard account, perhaps with parental controls
to limit what it can do, and unlock the drive as an authorised user
before the "guest" can log in, assuming you don't grant the guest
account permission to unlock the drive. (The drive being unlocked
exposes you to the risk of the guest being able to gain access to
everything else on the computer, if they are so inclined and they manage
to bypass permissions somehow.)

--
David Empson
dem...@actrix.gen.nz

[Lewis]

In message <X5udnYpXR4Y3xdfF...@earthlink.com>

Ant <ANT...@zimage.com> wrote:
> Hello.

> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
> FileVault SSDs. Is there no way to access other apps like Office for
> those who need to use it?

No.

--
Beautiful dawn / Lights up the shore for me / There is nothing else in the
world I'd rather see with you.

[Alan Browne]

On 2016-12-09 02:09, Ant wrote:
> Hello.
>
> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
> FileVault SSDs. Is there no way to access other apps like Office for
> those who need to use it?

David makes clear the why's and wherefore's.

The whole "Guest" use account on a Mac is a pretty awful way to allow a
guest access to your computer so he can browse or check his e-mail or
some such. The machine reboots for the guest and has to be re-booted
again for the 'owner' to get back in. Tedious, wot.

I have a guest account for such use at home. It's not special in any
way but it has no sharing at all of any kind, no backups, no accounts,
no keychains ... with that a guest could use all the installed apps.

Given such would be used when I am around, I don't consider it to be
much of a risk.

--
"If war is God's way of teaching Americans geography, then
recession is His way of teaching everyone a little economics."
..Raj Patel, The Value of Nothing.

[Happy.Hobo]

On 12-10-2016 09:19, Alan Browne wrote:
> The whole "Guest" use account on a Mac is a pretty awful way to allow a
> guest access to your computer so he can browse or check his e-mail or
> some such. The machine reboots for the guest and has to be re-booted
> again for the 'owner' to get back in. Tedious, wot.
>
> I have a guest account for such use at home. It's not special in any
> way but it has no sharing at all of any kind, no backups, no accounts,
> no keychains ... with that a guest could use all the installed apps.

Without FileVault, my guest account can use any apps that I haven't as
admin blocked it from. So apparently the "tedious" way is only if you
turn on FileVault.

[Alan Browne]

There is no reason to not turn on Filevault.

[nospam]

In article <UpadnU8KMtXQu9HF...@giganews.com>, Alan Browne

<alan....@freelunchvideotron.ca> wrote:

> >> The whole "Guest" use account on a Mac is a pretty awful way to allow a
> >> guest access to your computer so he can browse or check his e-mail or
> >> some such. The machine reboots for the guest and has to be re-booted
> >> again for the 'owner' to get back in. Tedious, wot.
> >>
> >> I have a guest account for such use at home. It's not special in any
> >> way but it has no sharing at all of any kind, no backups, no accounts,
> >> no keychains ... with that a guest could use all the installed apps.
> >
> > Without FileVault, my guest account can use any apps that I haven't as
> > admin blocked it from. So apparently the "tedious" way is only if you
> > turn on FileVault.
>
> There is no reason to not turn on Filevault.

yes there are.

in addition to the guest account issue, two more that come to mind is
that it's a big performance hit on older macs and that a server won't
be able to reboot unattended, such as after a power outage.

[Alan Browne]

Narrow cases.

The guest account issue is easily solved with a low privilege account
and normally under some supervision of the owner.

I had FileVault running on a late 2007 iMac and it was no impediment to
use through the end of 2013. It's still running too.

A Server is a narrow case. First off it should have a UPS - that will
cover many transients and short outages. Further, the operator should
be able to boot it remotely (?) and have some means of knowing it was down.

[nospam]

In article <jeidnVl3Ludt3dHF...@giganews.com>, Alan Browne

<alan....@freelunchvideotron.ca> wrote:

> >>
> >> There is no reason to not turn on Filevault.
> >
> > yes there are.
> >
> > in addition to the guest account issue, two more that come to mind is
> > that it's a big performance hit on older macs and that a server won't
> > be able to reboot unattended, such as after a power outage.
>
> Narrow cases.

it doesn't matter if it's narrow or not.

you said there is 'no reason not to turn on filevault', and there are
several reasons.

you're wrong. simple as that.

> The guest account issue is easily solved with a low privilege account
> and normally under some supervision of the owner.

that's not the same, and more work for the admin anyway.

> I had FileVault running on a late 2007 iMac and it was no impediment to
> use through the end of 2013. It's still running too.

it's running much slower than it otherwise would because a core 2 duo
lacks hardware aes encryption found in core i5/i7 and later.

you might not care, but others do.

> A Server is a narrow case. First off it should have a UPS - that will
> cover many transients and short outages.

a ups won't power it forever.

if the outage is longer than the ups supports, then the server shuts
down (normally intentionally, before the ups is fully dead).

> Further, the operator should
> be able to boot it remotely (?) and have some means of knowing it was down.

the point is that it *can't* be remotely booted because someone has to
type in the filevault password at the console.

[Alan Browne]

On 2016-12-10 13:04, nospam wrote:
> In article <jeidnVl3Ludt3dHF...@giganews.com>, Alan Browne
> <alan....@freelunchvideotron.ca> wrote:
>
>>>>
>>>> There is no reason to not turn on Filevault.
>>>
>>> yes there are.
>>>
>>> in addition to the guest account issue, two more that come to mind is
>>> that it's a big performance hit on older macs and that a server won't
>>> be able to reboot unattended, such as after a power outage.
>>
>> Narrow cases.
>
> it doesn't matter if it's narrow or not.
>
> you said there is 'no reason not to turn on filevault', and there are
> several reasons.
>
> you're wrong. simple as that.

For those cases sure. BFD. Doesn't apply to most people at all by a
very long shot.

[Jolly Roger]

On 2016-12-10, nospam <nos...@nospam.invalid> wrote:
> In article <jeidnVl3Ludt3dHF...@giganews.com>, Alan Browne
><alan....@freelunchvideotron.ca> wrote:
>
>> >> There is no reason to not turn on Filevault.
>> >
>> > yes there are.
>> >
>> > in addition to the guest account issue, two more that come to mind
>> > is that it's a big performance hit on older macs and that a server
>> > won't be able to reboot unattended, such as after a power outage.
>>

>> A Server is a narrow case. First off it should have a UPS - that
>> will cover many transients and short outages.
>
> a ups won't power it forever.
>
> if the outage is longer than the ups supports, then the server shuts
> down (normally intentionally, before the ups is fully dead).

True. And in that case, the only way to get it running again is to
physically supply the FileVault pass code during boot. I keep my
server's startup volume unencrypted for this reason. Even though it can
get around an hour run time on UPS battery, I do want it to be able to
start up once power is restored if I happen to be out of the house.

>> Further, the operator should be able to boot it remotely (?) and have
>> some means of knowing it was down.
>
> the point is that it *can't* be remotely booted because someone has to
> type in the filevault password at the console.

Actually, if the Mac is new enough to support it and you are running
10.8.2 or later, you can use the fdsetup command to restart a
FileVaule-encrypted Mac:

sudo fdesetup authrestart

Obviously this doesn't help if the machine is powered down completely.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[Lewis]

In message <1N6dna6mOKGbgNHF...@giganews.com>

Alan Browne <alan....@freelunchvideotron.ca> wrote:
> On 2016-12-09 02:09, Ant wrote:
>> Hello.
>>
>> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
>> FileVault SSDs. Is there no way to access other apps like Office for
>> those who need to use it?

> David makes clear the why's and wherefore's.

> The whole "Guest" use account on a Mac is a pretty awful way to allow a
> guest access to your computer so he can browse or check his e-mail or
> some such. The machine reboots for the guest and has to be re-booted
> again for the 'owner' to get back in. Tedious, wot.

It only has to be rebooted if you are using File Vault.

> Given such would be used when I am around, I don't consider it to be
> much of a risk.

It is much more of a risk than having a locked down encrypted disk that
a guest cannot access.

--
There is a road, no simple highway, between the dawn and the dark of
night

[Lewis]

In message <101220161240349584%nos...@nospam.invalid>

That is entirely false. In no way at all is it true. At all.

--
But of course there were the rules. Everyone knew there were rules. They
just had to hope like Hell that the gods knew the rules, too.

[nospam]

In article <slrno4otch....@snow.local>, Lewis

<g.k...@gmail.com.dontsendmecopies> wrote:

> >>
> >> There is no reason to not turn on Filevault.
>
> > yes there are.
>
> > in addition to the guest account issue, two more that come to mind is
> > that it's a big performance hit on older macs
>
> That is entirely false. In no way at all is it true. At all.

it's very true, for the reason i gave that you snipped, which is that
intel processors prior to core i5/i7 (i.e., core 2 duo) don't have aes
encryption in hardware.

[Alan Browne]

On 2016-12-10 16:34, Lewis wrote:
> In message <1N6dna6mOKGbgNHF...@giganews.com>
> Alan Browne <alan....@freelunchvideotron.ca> wrote:
>> On 2016-12-09 02:09, Ant wrote:
>>> Hello.
>>>
>>> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
>>> FileVault SSDs. Is there no way to access other apps like Office for

[1]

>>> those who need to use it?
>
>> David makes clear the why's and wherefore's.
>
>> The whole "Guest" use account on a Mac is a pretty awful way to allow a
>> guest access to your computer so he can browse or check his e-mail or
>> some such. The machine reboots for the guest and has to be re-booted
>> again for the 'owner' to get back in. Tedious, wot.
>
> It only has to be rebooted if you are using File Vault.

That is the context.[1]

>
>> Given such would be used when I am around, I don't consider it to be
>> much of a risk.
>
> It is much more of a risk than having a locked down encrypted disk that
> a guest cannot access.

My disk is File Vaulted and I don't want to shut it down just so someone
can access the web.

The rare instances that guests use my Mac:

- my SO when her laptop is not available (rare). She uses my account.
She has the password.

- someone needs to check their e-mail or some web page. Log in on my
iMac to my TestMe account (needs a password). There they can use Chrome
and various other apps. This would only happen if I were around.

[Alan Browne]

On 2016-12-10 16:35, Lewis wrote:
> In message <101220161240349584%nos...@nospam.invalid>
> nospam <nos...@nospam.invalid> wrote:
>> In article <UpadnU8KMtXQu9HF...@giganews.com>, Alan Browne
>> <alan....@freelunchvideotron.ca> wrote:
>
>>>>> The whole "Guest" use account on a Mac is a pretty awful way to allow a
>>>>> guest access to your computer so he can browse or check his e-mail or
>>>>> some such. The machine reboots for the guest and has to be re-booted
>>>>> again for the 'owner' to get back in. Tedious, wot.
>>>>>
>>>>> I have a guest account for such use at home. It's not special in any
>>>>> way but it has no sharing at all of any kind, no backups, no accounts,
>>>>> no keychains ... with that a guest could use all the installed apps.
>>>>
>>>> Without FileVault, my guest account can use any apps that I haven't as
>>>> admin blocked it from. So apparently the "tedious" way is only if you
>>>> turn on FileVault.
>>>
>>> There is no reason to not turn on Filevault.
>
>> yes there are.
>
>> in addition to the guest account issue, two more that come to mind is
>> that it's a big performance hit on older macs
>
> That is entirely false. In no way at all is it true. At all.

Encryption/decryption is not a 0 time transformation - it is measurable.
I posted data about it a few years ago.

[Alan Browne]

Even with processor AES it is measurably slower. Not as bad of course.

[Happy.Hobo]

On 12-10-2016 09:59, Alan Browne wrote:
> There is no reason to not turn on Filevault.

If I were to turn on Filevault, I know from experience that it would not
be long before I was unable to get to any of my files—in which there is
NOTHING that would profit anybody.

There is a "wallet" on my computer containing some hundreds of dollars
worth of bitcoin. Somehow the password carefully recorded elsewhere is
not the password and all the similar ones I can think of also don't work.

Good enough reason for me.

--

"To know what you prefer, instead of humbly saying
Amen to what the world tells you you should prefer,
is to have kept your soul alive."
-- Robert Louis Stevenson

[nospam]

In article <o2i911$1q3r$1...@gioia.aioe.org>, Happy.Hobo

<Happy...@Spam.Invalid> wrote:

> If I were to turn on Filevault, I know from experience that it would not

> be long before I was unable to get to any of my files喫n which there is

> NOTHING that would profit anybody.
>
> There is a "wallet" on my computer containing some hundreds of dollars
> worth of bitcoin. Somehow the password carefully recorded elsewhere is
> not the password and all the similar ones I can think of also don't work.
>
> Good enough reason for me.

user error

[Happy.Hobo]

On 12-10-2016 15:34, Lewis wrote:
> It is much more of a risk than having a locked down encrypted disk that
> a guest cannot access.

In the sixteen years I've had Macs, no one capable of trying to bypass
permissions has used a guest account I've set up.

And no one who would have been tempted to try if they had known anything.

And there is nothing on there that could harm me if the above
were not true.

[Lewis]

In message <101220161652206003%nos...@nospam.invalid>

And the amount of processing needed to manage full disk encryption is
still negligible on those system. It is by no means a big performance
hit. It is *maybe* measurable.


--
These budget numbers are not just estimates, these are the actual
results for the fiscal year that ended February the 30th. - GWB

[Lewis]

In message <xZmdnRxK0c4KH9HF...@giganews.com>

Alan Browne <alan....@freelunchvideotron.ca> wrote:
> On 2016-12-10 16:34, Lewis wrote:
>> In message <1N6dna6mOKGbgNHF...@giganews.com>
>> Alan Browne <alan....@freelunchvideotron.ca> wrote:
>>> On 2016-12-09 02:09, Ant wrote:
>>>> Hello.
>>>>
>>>> I noticed Mac OS (X)'s guest accounts only allow Safari with encrypted
>>>> FileVault SSDs. Is there no way to access other apps like Office for
> [1]

>>>> those who need to use it?
>>
>>> David makes clear the why's and wherefore's.
>>
>>> The whole "Guest" use account on a Mac is a pretty awful way to allow a
>>> guest access to your computer so he can browse or check his e-mail or
>>> some such. The machine reboots for the guest and has to be re-booted
>>> again for the 'owner' to get back in. Tedious, wot.
>>
>> It only has to be rebooted if you are using File Vault.

> That is the context.[1]

>>
>>> Given such would be used when I am around, I don't consider it to be
>>> much of a risk.
>>
>> It is much more of a risk than having a locked down encrypted disk that
>> a guest cannot access.

> My disk is File Vaulted and I don't want to shut it down just so someone
> can access the web.

I generally don't let anyone without an account use my laptop. The only
reason I have the guest account enabled is in case the laptop is lost or
stolen.

> The rare instances that guests use my Mac:

> - my SO when her laptop is not available (rare). She uses my account.
> She has the password.

My wife has her own accounts. No reason at all to either make her use
mine (which has a lot of customization and utilities running) or to make
her use a guest account. But in general, she has her own machines.

My rule is generally that anyone who might need to use a computer more
than once I just setup an account on my laptop or on a spare desktop. Of
course, that is slightly more annoying than it used to be, but still not
bad.

But the simple fact is that it's been a ong time since anyone needed to
borrow a computer. Everyone has a smart phone or a laptop or an iPad of
their own they can use.

I do have a couple of computers that have no personal data on them and
do not sync keychains or passwords, so those computers are safe to use
without FileVault.

> - someone needs to check their e-mail or some web page. Log in on my
> iMac to my TestMe account (needs a password). There they can use Chrome
> and various other apps. This would only happen if I were around.

I do not do that because details from previous users, possibly even
including logins, cookies, etc are left behind. I could setup a logout
hook to delete the contents of the User's Library folder, but it's not
worth doing.

--
Evil is a little man afraid for his job.

[Lewis]

In message <xZmdnR9K0c6oHtHF...@giganews.com>

Alan Browne <alan....@freelunchvideotron.ca> wrote:
> On 2016-12-10 16:35, Lewis wrote:
>> In message <101220161240349584%nos...@nospam.invalid>
>> nospam <nos...@nospam.invalid> wrote:
>>> In article <UpadnU8KMtXQu9HF...@giganews.com>, Alan Browne
>>> <alan....@freelunchvideotron.ca> wrote:
>>
>>>>>> The whole "Guest" use account on a Mac is a pretty awful way to allow a
>>>>>> guest access to your computer so he can browse or check his e-mail or
>>>>>> some such. The machine reboots for the guest and has to be re-booted
>>>>>> again for the 'owner' to get back in. Tedious, wot.
>>>>>>
>>>>>> I have a guest account for such use at home. It's not special in any
>>>>>> way but it has no sharing at all of any kind, no backups, no accounts,
>>>>>> no keychains ... with that a guest could use all the installed apps.
>>>>>
>>>>> Without FileVault, my guest account can use any apps that I haven't as
>>>>> admin blocked it from. So apparently the "tedious" way is only if you
>>>>> turn on FileVault.
>>>>
>>>> There is no reason to not turn on Filevault.
>>
>>> yes there are.
>>
>>> in addition to the guest account issue, two more that come to mind is
>>> that it's a big performance hit on older macs
>>
>> That is entirely false. In no way at all is it true. At all.

> Encryption/decryption is not a 0 time transformation - it is measurable.
> I posted data about it a few years ago.

It is close enough to zero that "big performance hit" is not at all true.

--
So here's us, on the raggedy edge. Don't push me. And I won't push you.

[Lewis]

In message <o2i911$1q3r$1...@gioia.aioe.org>

Happy.Hobo <Happy...@Spam.Invalid> wrote:
> On 12-10-2016 09:59, Alan Browne wrote:
>> There is no reason to not turn on Filevault.

> If I were to turn on Filevault, I know from experience that it would not
> be long before I was unable to get to any of my files—in which there is
> NOTHING that would profit anybody.

You know from a complete lack of experience, you mean?

> There is a "wallet" on my computer containing some hundreds of dollars
> worth of bitcoin. Somehow the password carefully recorded elsewhere is
> not the password and all the similar ones I can think of also don't work.

What does that have to do with FileVault? Oh right, nothing.

--
He wasn't good or evil or cruel or extreme in any way but one, which was
that he had elevated greyness to the status of a fine art and cultivated
a mind that was as bleak and pitiless and logical as the slopes of Hell.

[Jolly Roger]

On 2016-12-11, Happy.Hobo <Happy...@Spam.Invalid> wrote:
> On 12-10-2016 09:59, Alan Browne wrote:
>> There is no reason to not turn on Filevault.
>
> If I were to turn on Filevault, I know from experience that it would
> not be long before I was unable to get to any of my files—in which
> there is NOTHING that would profit anybody.

And why would that be? I have turned on FileVault for *many* years
without losing access to *any* of my files. In all this time, I haven't
lost access to a single thing. Pray tell what mysterious all-powerful
force is at play in your household and work environment that is
non-existent in mine?

> There is a "wallet" on my computer containing some hundreds of dollars
> worth of bitcoin.

Should we be somehow impressed by this factoid?

> Somehow the password carefully recorded elsewhere is not the password
> and all the similar ones I can think of also don't work.

You sound extremely confused. Perhaps this whole "computing" thing isn't
for you?

> Good enough reason for me.

Ok then.

[Happy.Hobo]

On 12-10-2016 20:50, Jolly Roger wrote:
> On 2016-12-11, Happy.Hobo <Happy...@Spam.Invalid> wrote:
>> On 12-10-2016 09:59, Alan Browne wrote:
>>> There is no reason to not turn on Filevault.
>>
>> If I were to turn on Filevault, I know from experience that it would
>> not be long before I was unable to get to any of my files—in which
>> there is NOTHING that would profit anybody.
>
> And why would that be? I have turned on FileVault for *many* years
> without losing access to *any* of my files. In all this time, I haven't
> lost access to a single thing. Pray tell what mysterious all-powerful
> force is at play in your household and work environment that is
> non-existent in mine?

A 62-year-old memory? What's your point? You want to convince me that
I dreamed the whole thing and Alan is correct that there is NEVER a
reason to not use it?

[nospam]

In article <slrno4pcoc....@snow.local>, Lewis

<g.k...@gmail.com.dontsendmecopies> wrote:

> >> >>
> >> >> There is no reason to not turn on Filevault.
> >>
> >> > yes there are.
> >>
> >> > in addition to the guest account issue, two more that come to mind is
> >> > that it's a big performance hit on older macs
> >>
> >> That is entirely false. In no way at all is it true. At all.
>
> > it's very true, for the reason i gave that you snipped, which is that
> > intel processors prior to core i5/i7 (i.e., core 2 duo) don't have aes
> > encryption in hardware.
>
> And the amount of processing needed to manage full disk encryption is
> still negligible on those system. It is by no means a big performance
> hit. It is *maybe* measurable.

it's very measurable.

there is a very noticeable performance hit when using filevault on a
core 2 duo system because once again, there's no hardware level
encryption.

[nospam]

In article <slrno4pdla....@snow.local>, Lewis

<g.k...@gmail.com.dontsendmecopies> wrote:

>
> > Encryption/decryption is not a 0 time transformation - it is measurable.
> > I posted data about it a few years ago.
>
> It is close enough to zero that "big performance hit" is not at all true.

on core i5/i7 there is a minor hit because the encryption is done in
hardware. however, on core 2 duo, it's done in software and the
performance hit is very noticeable.

[nospam]

In article <o2is6g$cmc$1...@gioia.aioe.org>, Happy.Hobo

<Happy...@Spam.Invalid> wrote:

> >>
> >> If I were to turn on Filevault, I know from experience that it would

> >> not be long before I was unable to get to any of my files喫n which

> >> there is NOTHING that would profit anybody.
> >
> > And why would that be? I have turned on FileVault for *many* years
> > without losing access to *any* of my files. In all this time, I haven't
> > lost access to a single thing. Pray tell what mysterious all-powerful
> > force is at play in your household and work environment that is
> > non-existent in mine?
>
> A 62-year-old memory? What's your point? You want to convince me that
> I dreamed the whole thing and Alan is correct that there is NEVER a
> reason to not use it?

whatever you did, it's of your own doing and not that of filevault.

[Alan Browne]

On 2016-12-10 20:09, Happy.Hobo wrote:
> On 12-10-2016 09:59, Alan Browne wrote:
>> There is no reason to not turn on Filevault.
>
> If I were to turn on Filevault, I know from experience that it would not
> be long before I was unable to get to any of my files—in which there is
> NOTHING that would profit anybody.
>
> There is a "wallet" on my computer containing some hundreds of dollars
> worth of bitcoin. Somehow the password carefully recorded elsewhere is
> not the password and all the similar ones I can think of also don't work.

All my BTC and ETH are spinning and safe and accessible. Did some
trades yesterday. No issues at all. Several backup copies, mind you.

>
> Good enough reason for me.

I've got FileVault2 running on 5 disks. No issues ever. Not once.

[Alan Browne]

On 2016-12-10 20:58, Lewis wrote:
> In message <101220161652206003%nos...@nospam.invalid>
> nospam <nos...@nospam.invalid> wrote:
>> In article <slrno4otch....@snow.local>, Lewis
>> <g.k...@gmail.com.dontsendmecopies> wrote:
>
>>>>>
>>>>> There is no reason to not turn on Filevault.
>>>
>>>> yes there are.
>>>
>>>> in addition to the guest account issue, two more that come to mind is
>>>> that it's a big performance hit on older macs
>>>
>>> That is entirely false. In no way at all is it true. At all.
>
>> it's very true, for the reason i gave that you snipped, which is that
>> intel processors prior to core i5/i7 (i.e., core 2 duo) don't have aes
>> encryption in hardware.
>
> And the amount of processing needed to manage full disk encryption is
> still negligible on those system. It is by no means a big performance
> hit. It is *maybe* measurable.

On an i7 quad core iMac (late 2012).

2 files of 1 GB of random data to an external flash memory card:

Encrypted: 46.388 s | 46.3 MB/s

Not encrypted: 40.882 s | 52.5 MB/s

So while not an important difference, very measurable at 11.8% speed
difference.

Note that the above was to external flash using a USB 2.0 connection, so
a lot of wait time in there. I don't have a spare HD to test with.

As I recall from a past test I was getting around 150 MB/s to a USB 3
external disk with encryption enabled (Filevault2).

[Alan Browne]

I certainly never said big performance hit and all my disks are
Filevaulted. See my other post of this am on an i7. No older machine
to test with but even then it would not be so huge considering the
security benefit. I certainly ran my old Core 2 Duo Filevaulted.

[Lewis]

In message <111220160736243575%nos...@nospam.invalid>

I have a 2010 Mac mini server, still in use. It has a Core 2 Duo Penryn
processor. There is no noticeable difference running File Vault on it.

--
Growing up leads to growing old, and then to dying/And dying to me don't
sound like all that much fun.