Register FAQ / Rules Forum Spy Search Today's Posts Mark Forums Read
Go Back   MacRumors Forums > Apple Hardware > Notebooks > MacBook Air

Reply
 
Thread Tools Search this Thread Display Modes
Old Dec 27, 2012, 08:12 AM   #1
Fontane
macrumors regular
 
Join Date: Feb 2011
Filevault 2 on MBA

I am using a late-2010 MBA with Mountain Lion installed.

I enabled Filevault 2 system encryption with a long key/password. When I close the lid on my MBA is goes into standby. When I open the lid the standard login menu is there. I type in my password and the laptop resumes.

My question is, when the MBA is in standby mode and I have to login after opening the lid, is the system protected by the Filevault 2 encryption, or is it only effective when the laptop is powered down completely?
Fontane is offline   0 Reply With Quote
Old Dec 27, 2012, 01:52 PM   #2
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
You are fully protected by FV2 the way you are running. It does not need to be shut down to protect you.

There was a way for hacker with physical access to your computer to get the password using direct memory access (DMA) if you were not shutdown, but DMA access was blocked in a later Lion update and is still blocked in Mountain Lion.

One other thing you should do to stop a thief from booting from an external drive and trying to crack your password is enable a firmware (EFI) password. Just do a command-r boot to recovery and in the utilities menu you will see an option to set a firmware password.
Weaselboy is online now   1 Reply With Quote
Old Dec 28, 2012, 12:41 PM   #3
Fontane
Thread Starter
macrumors regular
 
Join Date: Feb 2011
Quote:
Originally Posted by Weaselboy View Post
You are fully protected by FV2 the way you are running. It does not need to be shut down to protect you.

There was a way for hacker with physical access to your computer to get the password using direct memory access (DMA) if you were not shutdown, but DMA access was blocked in a later Lion update and is still blocked in Mountain Lion.

One other thing you should do to stop a thief from booting from an external drive and trying to crack your password is enable a firmware (EFI) password. Just do a command-r boot to recovery and in the utilities menu you will see an option to set a firmware password.
Thanks very much for the answer. Very helpful!
Fontane is offline   1 Reply With Quote
Old Jan 18, 2013, 01:42 PM   #4
Fontane
Thread Starter
macrumors regular
 
Join Date: Feb 2011
Quote:
Originally Posted by Fontane View Post
Thanks very much for the answer. Very helpful!
I wanted to follow-up on this because as it turns out Filevault2 only protects the user when the hard disk not mounted, i.e. the laptop is powered off.

When I log in to my MBA, I first give the password to decrypt the machine. I am then taken to the user login screen to give the password for whichever user I want to sign in to the machine. The machine boots.

When I wake the computer from sleep mode, I am only required to give the user password to unlock the OS, there is no requirement to unlock the filesystem because the encryption keys are cached and thus stored in memory. In order to encrypt your drive you must power down the laptop completely.

For most people, the OS password is sufficient when their laptop is in the house or in their possession, but the user should always be aware that when you put your system into sleep mode (close the lid on the MBA), the hard drive is NOT protected with FileVault.

For maximum security, you must power down your system to ensure the hard drive dismounts.
Fontane is offline   0 Reply With Quote
Old Jan 18, 2013, 02:02 PM   #5
mfram
macrumors 6502a
 
Join Date: Jan 2010
Location: San Diego, CA USA
It depends on what you mean by "protected". The data physically on the hard drive is always encrypted, even after you "unlock" it. One you type in the unlock password, then anyone logged into the machine can see the "unlocked" data on the hard drive. But if you turn off your laptop (or it suspends to disk), the data cannot be accessed without the unlock password.

Here are two scenarios:

1. You unlock the drive after turning the computer on with the unlock password. You log into an account and sleep the machine. Someone steals the laptop but can't figure out your account password so they remove the hard drive and try to read the data from another computer. In this case, your data is safe on the hard drive unless the attacker knows the unlock password. The data on the hard drive is encrypted.

2. You unlock the drive after turning the computer on with the unlock password. You log into an account with a weak password and sleep the machine. Someone steals your computer and unlocks the screen saver with your weak account password. At that point the person who stole your computer can access whatever data that account can access. The data is encrypted on the drive, but the unlock keys are still saved in memory. If the computer is ever turned off, the data becomes unavailable at that point without the unlock password.

So assuming a strong unlock password the data is only available as long as the computer never turns off by some kind of power down. Overall, make sure your account passwords are strong as well as your unlock password (if they are different).

I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.
mfram is offline   0 Reply With Quote
Old Jan 18, 2013, 02:28 PM   #6
Fontane
Thread Starter
macrumors regular
 
Join Date: Feb 2011
Quote:
Originally Posted by mfram View Post
It depends on what you mean by "protected". The data physically on the hard drive is always encrypted, even after you "unlock" it. One you type in the unlock password, then anyone logged into the machine can see the "unlocked" data on the hard drive. But if you turn off your laptop (or it suspends to disk), the data cannot be accessed without the unlock password.

Here are two scenarios:

1. You unlock the drive after turning the computer on with the unlock password. You log into an account and sleep the machine. Someone steals the laptop but can't figure out your account password so they remove the hard drive and try to read the data from another computer. In this case, your data is safe on the hard drive unless the attacker knows the unlock password. The data on the hard drive is encrypted.

2. You unlock the drive after turning the computer on with the unlock password. You log into an account with a weak password and sleep the machine. Someone steals your computer and unlocks the screen saver with your weak account password. At that point the person who stole your computer can access whatever data that account can access. The data is encrypted on the drive, but the unlock keys are still saved in memory. If the computer is ever turned off, the data becomes unavailable at that point without the unlock password.

So assuming a strong unlock password the data is only available as long as the computer never turns off by some kind of power down. Overall, make sure your account passwords are strong as well as your unlock password (if they are different).

I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.
I believe everything you said is exactly correct.

I prefer to never rely on the OS password as my line of defense. I always want my laptop powered down and encrypted when I'm traveling -- especially to other 2nd/3rd world nations. I was originally led to believe that sleep mode was protecting my computer with FileVault but soon realized that wasn't the case once I powered on and was not prompted for my encryption (FileVault) password.
Thanks for providing your thoughts on this one.
Fontane is offline   0 Reply With Quote
Old Jan 18, 2013, 02:33 PM   #7
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by Fontane View Post
I wanted to follow-up on this because as it turns out Filevault2 only protects the user when the hard disk not mounted, i.e. the laptop is powered off.

When I log in to my MBA, I first give the password to decrypt the machine. I am then taken to the user login screen to give the password for whichever user I want to sign in to the machine. The machine boots.

When I wake the computer from sleep mode, I am only required to give the user password to unlock the OS, there is no requirement to unlock the filesystem because the encryption keys are cached and thus stored in memory. In order to encrypt your drive you must power down the laptop completely.

For most people, the OS password is sufficient when their laptop is in the house or in their possession, but the user should always be aware that when you put your system into sleep mode (close the lid on the MBA), the hard drive is NOT protected with FileVault.

For maximum security, you must power down your system to ensure the hard drive dismounts.
I'm not sure what you mean by two passwords? When you boot a system with FV2, it boots from the Recovery HD partition (FV2 is still locked) and presents the screen below with user accounts. For example, in the screen below if I click the test account and enter the PW it logs in and at the same times opens the FV2 image and allows access. There is no second password.

You are correct that the FV2 is open unless you shutdown, but the system is still protected by your user password, which is the same password used to open the FV2 encryption anyway. So if you have a strong PW, the system is just as safe either way. Theoretically, yes, I suppose it would be better to shutdown... but as a practical matter there is currently no way to get past the PW either way.

There is no way to grab the PW from the system, even though it is logged on. There was a away to do this via "direct memory access" (DMA) over Firewire/Thunderbolt, but that was blocked with Lion 10.7.2.

Thumb resize.

----------

Quote:
Originally Posted by mfram View Post
I don't see how an EFI password really "helps" anything to protect the hard drive. If the attacker wants to get to the data on your hard drive then can always remove the drive from the computer and get to the data directly. No EFI password needed.
It helps because with Lion and Mountain Lion the admin password can be reset by booting to the Recovery HD, and having EFI locked stops that. It will also stop a "maid in the middle" attack from setting up an alternate boot drive to snag your password. Like you said, neither would crack FV2, but it would at least make the thieving weasels have to remove the drive before that even tried any hacks.
Weaselboy is online now   0 Reply With Quote
Old Jan 18, 2013, 02:47 PM   #8
Fontane
Thread Starter
macrumors regular
 
Join Date: Feb 2011
Quote:
Originally Posted by Weaselboy View Post
You are correct that the FV2 is open unless you shutdown, but the system is still protected by your user password, which is the same password used to open the FV2 encryption anyway.
Not true. The FileVault and user password on my system are completely different. They used to be the same. It was only when I changed the user password that I discovered my FileVault password was not unlocking the drive from sleep mode.
Fontane is offline   0 Reply With Quote
Old Jan 18, 2013, 02:52 PM   #9
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by Fontane View Post
Not true. The FileVault and user password on my system are completely different. They used to be the same. It was only when I changed the user password that I discovered my FileVault password was not unlocking the drive from sleep mode.
I don't understand what you did to cause this? The way FV2 works is you are telling it to allow listed accounts to open the "vault". So for example in my screenshot above that test account I setup to try some things out has the PW "test"... so I I start the machine from a cold start I get the grey screen in my screen shot, then click the test account and type in the PW "test" and FV2 is opened and I am logged in to the account. I never enter two passwords, and the test accounts PW of "test" is not the FV2 PW.

When you shutdown and restart are you getting the grey screen like in my screenshot?
Weaselboy is online now   0 Reply With Quote
Old Jan 18, 2013, 04:19 PM   #10
dyn
macrumors 65816
 
Join Date: Aug 2009
Location: .nl
Apple has put all the info about Filevault2 in a support document: OS X: About FileVault 2. What it says there is for people who migrate. If you create a new user account after turning on Filevault2 it will automatically get the right to unlock the volume.

There are simply 2 ways for unlocking a volume: a volume password (it can be used without a user account) and with a user account that has been given the privilege of unlocking the volume.

Is Filevault2 any good? It certainly is! However, due to the fact that users can unlock the volume with their own passwords, strong passwords are even more important.
dyn is offline   0 Reply With Quote
Old Jan 18, 2013, 04:21 PM   #11
Bear
macrumors G3
 
Join Date: Jul 2002
Location: Sol III - Terra
Quote:
Originally Posted by Weaselboy View Post
...
It helps because with Lion and Mountain Lion the admin password can be reset by booting to the Recovery HD, and having EFI locked stops that. It will also stop a "maid in the middle" attack from setting up an alternate boot drive to snag your password. Like you said, neither would crack FV2, but it would at least make the thieving weasels have to remove the drive before that even tried any hacks.
Actually if you have FileVault 2 enabled, you cannot change the admin password via Recovery since the disk is encrypted and it has no way of writing the new password to the disk without the disk being "unlocked" with a good password.

The EFI lock is not needed in most cases when FileVault 2 is enabled.
__________________
-----Bear
Bear is offline   0 Reply With Quote
Old Jan 18, 2013, 04:44 PM   #12
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by dyn View Post
Apple has put all the info about Filevault2 in a support document: OS X: About FileVault 2. What it says there is for people who migrate. If you create a new user account after turning on Filevault2 it will automatically get the right to unlock the volume.

There are simply 2 ways for unlocking a volume: a volume password (it can be used without a user account) and with a user account that has been given the privilege of unlocking the volume.

Is Filevault2 any good? It certainly is! However, due to the fact that users can unlock the volume with their own passwords, strong passwords are even more important.
I am familiar with that, but still not quite clear why Fontane is having to enter two login passwords. Even after he changed his PW, if that account is on the list of FV2 users (below), the account PW should be all that is needed?

I am wondering if he removed the account from the FV enabled list in the process of changing the PW?

Thumb resize.

----------

Quote:
Originally Posted by Bear View Post
Actually if you have FileVault 2 enabled, you cannot change the admin password via Recovery since the disk is encrypted and it has no way of writing the new password to the disk without the disk being "unlocked" with a good password.
Yes, that is a good point I had not thought through.

Quote:
Originally Posted by Bear View Post
The EFI lock is not needed in most cases when FileVault 2 is enabled.
Let's just say we disagree then.

The way I see it is it costs nothing and is no trouble during normal usage, so why not enable it to prevent external boot drives from having an avenue of attack.
Weaselboy is online now   0 Reply With Quote
Old Jan 18, 2013, 08:45 PM   #13
Bear
macrumors G3
 
Join Date: Jul 2002
Location: Sol III - Terra
Quote:
Originally Posted by Weaselboy View Post
...
Let's just say we disagree then.

The way I see it is it costs nothing and is no trouble during normal usage, so why not enable it to prevent external boot drives from having an avenue of attack.
True it does remove one avenue of attack, however if someone is going that far for your data, they're probably willing to remove the drive from the system and attach it to a system that is properly set up for breaking into a drive.
__________________
-----Bear
Bear is offline   0 Reply With Quote
Old Jan 18, 2013, 10:55 PM   #14
micrors4racer
macrumors 6502
 
Join Date: Apr 2012
The system would still be secure even if the system is only in sleep mode. If they need to take the drive out to try and decrypt it, it would still end with the laptop being shut down.
micrors4racer is offline   0 Reply With Quote
Old Jan 19, 2013, 11:22 AM   #15
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by Bear View Post
True it does remove one avenue of attack, however if someone is going that far for your data, they're probably willing to remove the drive from the system and attach it to a system that is properly set up for breaking into a drive.
I also like the idea that some bastard stole my machine and by having EFI PW on with FV2, the machine is essentially worthless. Can't boot to my drive, can't boot to a new drive. Boat anchor.
Weaselboy is online now   0 Reply With Quote
Old Jan 19, 2013, 01:42 PM   #16
Nimravus
macrumors member
 
Join Date: Jan 2013
Isn't the data encrypted when it is written and decrypted when read? The entire drive doesn't become "decrypted" when you enter your password each time right? The password just allows the machine to decrypt the already encrypted data on the drive?

So even when you are logged in, the data on the drive is still encrypted, its just available because you gave your OS permission to decrypt it?

So confused now.. lol
Nimravus is offline   0 Reply With Quote
Old Jan 19, 2013, 01:50 PM   #17
Weaselboy
macrumors G5
 
Weaselboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by Nimravus View Post
Isn't the data encrypted when it is written and decrypted when read? The entire drive doesn't become "decrypted" when you enter your password each time right? The password just allows the machine to decrypt the already encrypted data on the drive?

So even when you are logged in, the data on the drive is still encrypted, its just available because you gave your OS permission to decrypt it?

So confused now.. lol
The way it works is when you turn on FV2, the system makes an encrypted image and puts the entire OS and all data etc. into that encrypted image. So when you enter the password all you are doing is opening that encrypted image and not really "unencrypting" anything in a sense. So data put on (inside) the image is itself not encrypted... it is just put inside an encrypted container.

When you logout the "container" is closed.
Weaselboy is online now   0 Reply With Quote
Old Jan 19, 2013, 04:16 PM   #18
dyn
macrumors 65816
 
Join Date: Aug 2009
Location: .nl
The old Filevault that only encrypted the users homedir was an image (an ordinary encrypted .dmg). The new Filevault 2 is definitely not an image but you could compare it to one though. When you enable it, the partition scheme will be converted to a CoreStorage volume group with a volume on it. That volume group is then encrypted with AES. Because the volume group holds the volume you could think of it as if it were an image.
If you have Filevault 2 enabled you can check the layout with the commandline (Terminal) by entering the following command:
Code:
diskutil cs list
This might make it easier to understand because it gives you a somewhat graphical representation of it.

Since everything is encrypted you can't read it thus you need to decrypt that first. For that you need something like a key, passphrase, password, etc. Simply put: when a user wants to be able to view/use what's on a Filevault 2 volume they need to unlock that drive by entering the password (either one from a useraccount that is allowed to unlock it or the password set for that particular drive). This also explains why certain things such as safe boot is not available when you've set up Filevault 2.

Since the entire drive is encrypted logging out won't do anything. OS X is on that encrypted drive as well thus that drive will need to be unlocked. If it isn't OS X wouldn't be able to run because it is encrypted data you can't use. It's just gibberish. Logging out did matter with the old Filevault where the homedir was stored in an encrypted .dmg image. It wrote all the data to that image logged you out and then closed the image. In case of the whole disk encryption that is Filevault 2 this doesn't happen. Everything happens on the fly.
dyn is offline   0 Reply With Quote

Reply
MacRumors Forums > Apple Hardware > Notebooks > MacBook Air

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Similar Threads
thread Thread Starter Forum Replies Last Post
FileVault jakesaunders27 Mac Pro 2 Jan 7, 2014 03:40 PM
FileVault Tander OS X 10.8 Mountain Lion 10 Sep 1, 2013 11:38 AM
HELP filevault wozzerage Mac Basics and Help 1 Feb 25, 2013 12:08 AM
FileVault 2 Performance on MBA Alameda Mac OS X 10.7 Lion 4 Jul 11, 2012 02:26 PM
The new MBA, FileVault 2 and Sandforce controller - issues? revs MacBook Air 2 Jun 19, 2012 02:22 AM

Forum Jump

All times are GMT -5. The time now is 12:27 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC