Filevault 2 on MBA

Fontane · Dec 27, 2012

I am using a late-2010 MBA with Mountain Lion installed.

I enabled Filevault 2 system encryption with a long key/password. When I close the lid on my MBA is goes into standby. When I open the lid the standard login menu is there. I type in my password and the laptop resumes.

My question is, when the MBA is in standby mode and I have to login after opening the lid, is the system protected by the Filevault 2 encryption, or is it only effective when the laptop is powered down completely?

Weaselboy · Dec 27, 2012

You are fully protected by FV2 the way you are running. It does not need to be shut down to protect you.

There was a way for hacker with physical access to your computer to get the password using direct memory access (DMA) if you were not shutdown, but DMA access was blocked in a later Lion update and is still blocked in Mountain Lion.

One other thing you should do to stop a thief from booting from an external drive and trying to crack your password is enable a firmware (EFI) password. Just do a command-r boot to recovery and in the utilities menu you will see an option to set a firmware password.

Fontane · Dec 28, 2012

Weaselboy said:
You are fully protected by FV2 the way you are running. It does not need to be shut down to protect you.

There was a way for hacker with physical access to your computer to get the password using direct memory access (DMA) if you were not shutdown, but DMA access was blocked in a later Lion update and is still blocked in Mountain Lion.

One other thing you should do to stop a thief from booting from an external drive and trying to crack your password is enable a firmware (EFI) password. Just do a command-r boot to recovery and in the utilities menu you will see an option to set a firmware password.

Thanks very much for the answer. Very helpful!

Fontane · Jan 18, 2013

Fontane said:
Thanks very much for the answer. Very helpful!

I wanted to follow-up on this because as it turns out Filevault2 only protects the user when the hard disk not mounted, i.e. the laptop is powered off.

When I log in to my MBA, I first give the password to decrypt the machine. I am then taken to the user login screen to give the password for whichever user I want to sign in to the machine. The machine boots.

When I wake the computer from sleep mode, I am only required to give the user password to unlock the OS, there is no requirement to unlock the filesystem because the encryption keys are cached and thus stored in memory. In order to encrypt your drive you must power down the laptop completely.

For most people, the OS password is sufficient when their laptop is in the house or in their possession, but the user should always be aware that when you put your system into sleep mode (close the lid on the MBA), the hard drive is NOT protected with FileVault.

For maximum security, you must power down your system to ensure the hard drive dismounts.

mfram · Jan 18, 2013

It depends on what you mean by "protected". The data physically on the hard drive is always encrypted, even after you "unlock" it. One you type in the unlock password, then anyone logged into the machine can see the "unlocked" data on the hard drive. But if you turn off your laptop (or it suspends to disk), the data cannot be accessed without the unlock password.

Here are two scenarios:

1. You unlock the drive after turning the computer on with the unlock password. You log into an account and sleep the machine. Someone steals the laptop but can't figure out your account password so they remove the hard drive and try to read the data from another computer. In this case, your data is safe on the hard drive unless the attacker knows the unlock password. The data on the hard drive is encrypted.

2. You unlock the drive after turning the computer on with the unlock password. You log into an account with a weak password and sleep the machine. Someone steals your computer and unlocks the screen saver with your weak account password. At that point the person who stole your computer can access whatever data that account can access. The data is encrypted on the drive, but the unlock keys are still saved in memory. If the computer is ever turned off, the data becomes unavailable at that point without the unlock password.

So assuming a strong unlock password the data is only available as long as the computer never turns off by some kind of power down. Overall, make sure your account passwords are strong as well as your unlock password (if they are different).

I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.

Fontane · Jan 18, 2013

mfram said:
It depends on what you mean by "protected". The data physically on the hard drive is always encrypted, even after you "unlock" it. One you type in the unlock password, then anyone logged into the machine can see the "unlocked" data on the hard drive. But if you turn off your laptop (or it suspends to disk), the data cannot be accessed without the unlock password.

Here are two scenarios:

1. You unlock the drive after turning the computer on with the unlock password. You log into an account and sleep the machine. Someone steals the laptop but can't figure out your account password so they remove the hard drive and try to read the data from another computer. In this case, your data is safe on the hard drive unless the attacker knows the unlock password. The data on the hard drive is encrypted.

2. You unlock the drive after turning the computer on with the unlock password. You log into an account with a weak password and sleep the machine. Someone steals your computer and unlocks the screen saver with your weak account password. At that point the person who stole your computer can access whatever data that account can access. The data is encrypted on the drive, but the unlock keys are still saved in memory. If the computer is ever turned off, the data becomes unavailable at that point without the unlock password.

So assuming a strong unlock password the data is only available as long as the computer never turns off by some kind of power down. Overall, make sure your account passwords are strong as well as your unlock password (if they are different).

I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.

I believe everything you said is exactly correct.

I prefer to never rely on the OS password as my line of defense. I always want my laptop powered down and encrypted when I'm traveling -- especially to other 2nd/3rd world nations. I was originally led to believe that sleep mode was protecting my computer with FileVault but soon realized that wasn't the case once I powered on and was not prompted for my encryption (FileVault) password.
Thanks for providing your thoughts on this one.

Weaselboy · Jan 18, 2013

Fontane said:
I wanted to follow-up on this because as it turns out Filevault2 only protects the user when the hard disk not mounted, i.e. the laptop is powered off.

When I log in to my MBA, I first give the password to decrypt the machine. I am then taken to the user login screen to give the password for whichever user I want to sign in to the machine. The machine boots.

When I wake the computer from sleep mode, I am only required to give the user password to unlock the OS, there is no requirement to unlock the filesystem because the encryption keys are cached and thus stored in memory. In order to encrypt your drive you must power down the laptop completely.

For most people, the OS password is sufficient when their laptop is in the house or in their possession, but the user should always be aware that when you put your system into sleep mode (close the lid on the MBA), the hard drive is NOT protected with FileVault.

For maximum security, you must power down your system to ensure the hard drive dismounts.

I'm not sure what you mean by two passwords? When you boot a system with FV2, it boots from the Recovery HD partition (FV2 is still locked) and presents the screen below with user accounts. For example, in the screen below if I click the test account and enter the PW it logs in and at the same times opens the FV2 image and allows access. There is no second password.

You are correct that the FV2 is open unless you shutdown, but the system is still protected by your user password, which is the same password used to open the FV2 encryption anyway. So if you have a strong PW, the system is just as safe either way. Theoretically, yes, I suppose it would be better to shutdown... but as a practical matter there is currently no way to get past the PW either way.

There is no way to grab the PW from the system, even though it is logged on. There was a away to do this via "direct memory access" (DMA) over Firewire/Thunderbolt, but that was blocked with Lion 10.7.2.

----------

mfram said:
I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.

It helps because with Lion and Mountain Lion the admin password can be reset by booting to the Recovery HD, and having EFI locked stops that. It will also stop a "maid in the middle" attack from setting up an alternate boot drive to snag your password. Like you said, neither would crack FV2, but it would at least make the thieving weasels have to remove the drive before that even tried any hacks.

Fontane · Jan 18, 2013

Weaselboy said:
You are correct that the FV2 is open unless you shutdown, but the system is still protected by your user password, which is the same password used to open the FV2 encryption anyway.

Not true. The FileVault and user password on my system are completely different. They used to be the same. It was only when I changed the user password that I discovered my FileVault password was not unlocking the drive from sleep mode.

Weaselboy · Jan 18, 2013

Fontane said:
Not true. The FileVault and user password on my system are completely different. They used to be the same. It was only when I changed the user password that I discovered my FileVault password was not unlocking the drive from sleep mode.

I don't understand what you did to cause this? The way FV2 works is you are telling it to allow listed accounts to open the "vault". So for example in my screenshot above that test account I setup to try some things out has the PW "test"... so I I start the machine from a cold start I get the grey screen in my screen shot, then click the test account and type in the PW "test" and FV2 is opened and I am logged in to the account. I never enter two passwords, and the test accounts PW of "test" is not the FV2 PW.

When you shutdown and restart are you getting the grey screen like in my screenshot?

dyn · Jan 18, 2013

Apple has put all the info about Filevault2 in a support document: OS X: About FileVault 2. What it says there is for people who migrate. If you create a new user account after turning on Filevault2 it will automatically get the right to unlock the volume.

There are simply 2 ways for unlocking a volume: a volume password (it can be used without a user account) and with a user account that has been given the privilege of unlocking the volume.

Is Filevault2 any good? It certainly is! However, due to the fact that users can unlock the volume with their own passwords, strong passwords are even more important.

Bear · Jan 18, 2013

Weaselboy said:
...
It helps because with Lion and Mountain Lion the admin password can be reset by booting to the Recovery HD, and having EFI locked stops that. It will also stop a "maid in the middle" attack from setting up an alternate boot drive to snag your password. Like you said, neither would crack FV2, but it would at least make the thieving weasels have to remove the drive before that even tried any hacks.

Actually if you have FileVault 2 enabled, you cannot change the admin password via Recovery since the disk is encrypted and it has no way of writing the new password to the disk without the disk being "unlocked" with a good password.

The EFI lock is not needed in most cases when FileVault 2 is enabled.

Weaselboy · Jan 18, 2013

dyn said:
Apple has put all the info about Filevault2 in a support document: OS X: About FileVault 2. What it says there is for people who migrate. If you create a new user account after turning on Filevault2 it will automatically get the right to unlock the volume.

There are simply 2 ways for unlocking a volume: a volume password (it can be used without a user account) and with a user account that has been given the privilege of unlocking the volume.

Is Filevault2 any good? It certainly is! However, due to the fact that users can unlock the volume with their own passwords, strong passwords are even more important.

I am familiar with that, but still not quite clear why Fontane is having to enter two login passwords. Even after he changed his PW, if that account is on the list of FV2 users (below), the account PW should be all that is needed?

I am wondering if he removed the account from the FV enabled list in the process of changing the PW?

----------

Bear said:
Actually if you have FileVault 2 enabled, you cannot change the admin password via Recovery since the disk is encrypted and it has no way of writing the new password to the disk without the disk being "unlocked" with a good password.

Yes, that is a good point I had not thought through.

Bear said:
The EFI lock is not needed in most cases when FileVault 2 is enabled.

Let's just say we disagree then.

The way I see it is it costs nothing and is no trouble during normal usage, so why not enable it to prevent external boot drives from having an avenue of attack.

Bear · Jan 18, 2013

Weaselboy said:
...
Let's just say we disagree then.

The way I see it is it costs nothing and is no trouble during normal usage, so why not enable it to prevent external boot drives from having an avenue of attack.

True it does remove one avenue of attack, however if someone is going that far for your data, they're probably willing to remove the drive from the system and attach it to a system that is properly set up for breaking into a drive.

micrors4racer · Jan 18, 2013

The system would still be secure even if the system is only in sleep mode. If they need to take the drive out to try and decrypt it, it would still end with the laptop being shut down.

Weaselboy · Jan 19, 2013

Bear said:
True it does remove one avenue of attack, however if someone is going that far for your data, they're probably willing to remove the drive from the system and attach it to a system that is properly set up for breaking into a drive.

I also like the idea that some bastard stole my machine and by having EFI PW on with FV2, the machine is essentially worthless. Can't boot to my drive, can't boot to a new drive. Boat anchor.

Nimravus · Jan 19, 2013

Isn't the data encrypted when it is written and decrypted when read? The entire drive doesn't become "decrypted" when you enter your password each time right? The password just allows the machine to decrypt the already encrypted data on the drive?

So even when you are logged in, the data on the drive is still encrypted, its just available because you gave your OS permission to decrypt it?

So confused now.. lol

Weaselboy · Jan 19, 2013

Nimravus said:
Isn't the data encrypted when it is written and decrypted when read? The entire drive doesn't become "decrypted" when you enter your password each time right? The password just allows the machine to decrypt the already encrypted data on the drive?

So even when you are logged in, the data on the drive is still encrypted, its just available because you gave your OS permission to decrypt it?

So confused now.. lol

The way it works is when you turn on FV2, the system makes an encrypted image and puts the entire OS and all data etc. into that encrypted image. So when you enter the password all you are doing is opening that encrypted image and not really "unencrypting" anything in a sense. So data put on (inside) the image is itself not encrypted... it is just put inside an encrypted container.

When you logout the "container" is closed.

dyn · Jan 19, 2013

The old Filevault that only encrypted the users homedir was an image (an ordinary encrypted .dmg). The new Filevault 2 is definitely not an image but you could compare it to one though. When you enable it, the partition scheme will be converted to a CoreStorage volume group with a volume on it. That volume group is then encrypted with AES. Because the volume group holds the volume you could think of it as if it were an image.
If you have Filevault 2 enabled you can check the layout with the commandline (Terminal) by entering the following command:

Code:

diskutil cs list

This might make it easier to understand because it gives you a somewhat graphical representation of it.

Since everything is encrypted you can't read it thus you need to decrypt that first. For that you need something like a key, passphrase, password, etc. Simply put: when a user wants to be able to view/use what's on a Filevault 2 volume they need to unlock that drive by entering the password (either one from a useraccount that is allowed to unlock it or the password set for that particular drive). This also explains why certain things such as safe boot is not available when you've set up Filevault 2.

Since the entire drive is encrypted logging out won't do anything. OS X is on that encrypted drive as well thus that drive will need to be unlocked. If it isn't OS X wouldn't be able to run because it is encrypted data you can't use. It's just gibberish. Logging out did matter with the old Filevault where the homedir was stored in an encrypted .dmg image. It wrote all the data to that image logged you out and then closed the image. In case of the whole disk encryption that is Filevault 2 this doesn't happen. Everything happens on the fly.

Search

Search

Filevault 2 on MBA

Fontane

macrumors regular

Weaselboy

Moderator

Fontane

macrumors regular

Fontane

macrumors regular

mfram

Contributor

Fontane

macrumors regular

Weaselboy

Moderator

Fontane

macrumors regular

Weaselboy

Moderator

dyn

macrumors 68030

Bear

macrumors G3

Weaselboy

Moderator

Bear

macrumors G3

micrors4racer

macrumors 6502

Weaselboy

Moderator

Nimravus

macrumors member

Weaselboy

Moderator

dyn

macrumors 68030

Our Staff