FileVault Users - Sleep or Shutdown?

Discussion in 'OS X El Capitan (10.11)' started by richard13, Dec 29, 2015.

  1. richard13 macrumors 6502a

    Joined:
    Aug 1, 2008
    Location:
    Mill Creek, WA
    #1
    I have had FileVault enabled for the last few versions of OS X and I like it but I do have a couple concerns that may have been addressed since Apple released FileVault 2.

    For instance, as I understand it, FV2 unlocks the entire disk once you have logged in. How protected am I if my Mac goes to sleep or the screensaver kicks in or I'm otherwise "logged out"?

    Isn't the disk still mounted and unlocked under these circumstances? Is shutting down the only way the data is really protected?

    What do you other FileVault users do? Shutdown all the time? Or trust that sleep/log out is "good enough"?

    Thanks!
  2. simonsi macrumors 601
    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #2
    FV is there to secure the drive(s) and data once shut down or removed from the MBP. You still need to secure your access, i.e. a login password regime.
  3. Mcmeowmers macrumors 6502

    Joined:
    Jun 1, 2015
    #3
    Sleep is good enough.

    sudo pmset -a destroyfvkeyonstandby 1

    Will make it more secure. You will need to enter your admin password.
  4. richard13 thread starter macrumors 6502a

    Joined:
    Aug 1, 2008
    Location:
    Mill Creek, WA
    #4
    Yes, this is a good point. You still need a good login password. But this was kind of implied as FV2 turns off autologin and thus requires a password.

    My questions are really more directed at how secure the data/system is in a non-shutdown state, and whether others are concerned with this. Apple doesn't really spell this out very well and doesn't seem to offer a way to shut down your MBP (for example) on the close-lid action. I think, in general, most people never think to shut down their computer and so they may be vulnerable.
  5. simonsi macrumors 601
    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #5
    When the MBP comes out of sleep it will unlock the drive based on the key it holds - the command quoted above destroys this key, meaning you will need to re-enter the key on coming out of sleep to unlock the drive. Even if in sleep, if the drive is removed it will still need the key entered on whatever machine you connect it to, keeping the data safe.

    I have always had a login password so didn't see the change when I enabled FV2...
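An added audit helper, not from this thread, for the `destroyfvkeyonstandby` setting discussed in posts #3 and #5. It parses `pmset -g`-style output and reports whether the FileVault key is actually dropped; the caveat it encodes is that the setting only acts on standby/hibernation, not on an ordinary sleep, so it is read together with `hibernatemode` and `standby`. The key names and the sample output are assumptions modelled on `pmset -g`, not captured from a real Mac.

```shell
#!/bin/sh
# Added audit helper (not from this thread). Reads `pmset -g`-style text and
# reports whether the FileVault key is really dropped when the Mac is idle.
# ASSUMPTION: `pmset -g` lists these keys by name:
# DestroyFVKeyOnStandby, hibernatemode, standby, standbydelay.
# pm_value <pmset-output> <key>: print the key's value, or "unset".
pm_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# audit_fv_standby <pmset-output>: prints a verdict line and returns 0 when
# the key is destroyed on some sleep path, 1 when it is retained.
# destroyfvkeyonstandby only acts on standby/hibernation, so with the default
# hibernatemode 3 the key stays in RAM until standbydelay expires (on
# standby-capable Macs); hibernatemode 25 hibernates on every sleep.
audit_fv_standby() {
    destroy=$(pm_value "$1" DestroyFVKeyOnStandby)
    hm=$(pm_value "$1" hibernatemode)
    standby=$(pm_value "$1" standby)
    delay=$(pm_value "$1" standbydelay)
    if [ "$destroy" != 1 ]; then
        echo "KEY_RETAINED: DestroyFVKeyOnStandby=$destroy; fix: sudo pmset -a destroyfvkeyonstandby 1"
        return 1
    fi
    if [ "$hm" = 25 ]; then
        echo "KEY_DESTROYED_ON_HIBERNATE: hibernatemode=25, password required on every wake"
        return 0
    fi
    if [ "$standby" = 1 ]; then
        echo "KEY_DESTROYED_AFTER_STANDBY: key stays in RAM for standbydelay=${delay}s, then dropped"
        return 0
    fi
    echo "KEY_RETAINED: DestroyFVKeyOnStandby=1 but standby=$standby, hibernatemode=$hm: standby never entered"
    return 1
}

# Constructed samples shaped like `pmset -g` output (not captured from a real Mac).
SAMPLE_DEFAULT=' standbydelay         10800
 standby              1
 hibernatemode        3
 sleep                10'
SAMPLE_HARDENED=' standbydelay         10800
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1'
# On a real Mac: audit_fv_standby "$(pmset -g)". `|| :` keeps going on a 1 exit.
audit_fv_standby "$SAMPLE_DEFAULT" || :
audit_fv_standby "$SAMPLE_HARDENED" || :
```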
  6. Mcmeowmers macrumors 6502

    Joined:
    Jun 1, 2015
    #6
    Your concern is addressed in my post with the terminal command. Apple has a whole document outlining the specifications of FileVault 2.

    https://support.apple.com/en-ca/HT204837

    They also have a PDF with the more detailed aspects.
    I believe the only attacks on FV2 are DMA in nature. Maybe the NSA can get past it with a server farm ;p
  7. richard13 thread starter macrumors 6502a

    Joined:
    Aug 1, 2008
    Location:
    Mill Creek, WA
    #7
    Gotcha. I looked up the man page for pmset and came to the same conclusion. I read a post online that someone turned that on but had to enter passwords twice to unlock their system. That seems a little silly to me as I'm already giving the system the correct credentials to unlock FV2.

    That's the same conclusion I'm coming to. It looks like Apple patched some bugs related to DMA back in Lion days. Hopefully there aren't any current vectors to exploit.
  8. Mcmeowmers macrumors 6502

    Joined:
    Jun 1, 2015
    #8
    There have been some suggestions that Thunderbolt may give way to a similar attack.
  9. Weaselboy, Dec 29, 2015
    Last edited: Dec 30, 2015

    Weaselboy Moderator
    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #9
    Correct... there are still some outdated web sites out there saying you can hack FV2, but they all rely on using direct memory access (DMA). That DMA access was blocked in Lion 10.7.2 and is no longer an issue.