First, the support files for FileVault 2 reside within the macOS system.
So, unlocking would require a macOS/OS X system.
Does NOT require that the hard drive be installed, or connected to hardware used to encrypt the drive.
I would say you definitely cannot unlock the drive from Windows, and probably not with any Linux system.
I would be less sure of the answer if you booted to a Unix system.
 
First, the support files for FileVault 2 reside within the macOS system.

I thought macOS was on the inside of the encrypted partition created by FileVault 2? If so, how do you boot to macOS if it is encrypted as well?

My understanding of how FDE works on a Mac, is that you boot up with firmware on the EFI, you enter your system password into the pre-boot environment, it unlocks your disk/partition, and then macOS comes to life and boots up the OS.

I believe this to be true, because when you boot up into Recovery Mode, you are in the pre-boot EFI environment, and that is where you can change your system passwords. So it seems like that is also where you would "unlock" the encrypted container made by FileVault 2.


So, unlocking would require a macOS/OS X system.
Does NOT require that the hard drive be installed, or connected to hardware used to encrypt the drive.
I would say you definitely cannot unlock the drive from Windows, and probably not with any Linux system.
I would be less sure of the answer if you booted to a Unix system.

As far as this comment, I too would think you would need the Mac environment and the password to unlock the encrypted container.

So, back to my latest question...

If someone stole your hard-drive, and you had Filevault 2 turned on, and you had a strong password, but the thief somehow got it - maybe at gunpoint - then even though they could boot into Linux or Unix or Windows, they wouldn't be able to get into your encrypted Mac container even if they did know your password, because Linux/Unix/Windows probably doesn't have the right hardware/firmware/software to take your password and unlock Filevault 2, right?

(I wasn't sure if this was more like a file with a password on it, where regardless of the OS, when you mounted the encrypted drive, say in Linux, you'd simply get a login screen, and in this case if you knew the password, then you could type it in the login screen, and you'd be in scot-free!)
 
Ah (You said that you were having fun with this thread, so this is a non-answer, maybe someone with some actual knowledge of the encryption tech used in Filevault 2 can provide a probably-techy answer) ---- anyway -- someone with the knowledge to remove the storage drive from a Mac (not in any way a minor task on most modern Macs) would (should) also realize that they need the macOS to actually access the drive - particularly if the drive is also APFS format. Not sure what one could do with an APFS format drive that was ALSO encrypted and locked, in a non-Mac environment, if one could do anything at all.
I think THAT "little" hurdle would be the one that would concern someone else. Not you, because if you need the protection, you would have an APFS-format drive, also encrypted. :D
 
So these are my takeaways on physical attacks...

- If you have a strong password but don't set up an EFI password on your Mac, then you might as well not have a password.

- If you have a strong password and an EFI password, and someone removes your drive or boots to another OS, then you might as well not have a strong password or EFI password, as they can be bypassed.

- If you run FileVault 2 and have a strong password, then it sounds like regardless of what someone does to try and access your hard-drive, you are safe as long as they can't figure out your password.

- With an encrypted drive, removing the drive would serve no extra benefit to a criminal, whereas it would help bypass the password and EFI on a non-encrypted drive.

I guess the last thing I am pondering is whether there is any benefit to setting an EFI password if you are also running FileVault 2??
 
Not quite. Your ideas are not all correct.
If you have an EFI (firmware) password, then you can't boot to another OS without entering that password.
If the hard drive is removed from the EFI-protected computer, then the hard drive can be accessed, assuming it is not locked/encrypted.
(You make it sound like it is simple to remove the drive.)
You would require the passcode for a locked, encrypted hard drive, as it can't be accessed without it.

EFI password will prevent booting to another system, or to another boot volume (even if that alternate boot volume is on the same internal drive.)
BUT, you do have to consider that an EFI password might be rarely used, and if you need to boot to another system (or even reset NVRAM), and you realize that you forgot the EFI password, then you must contact Apple to reset that password. There is no other alternative for a forgotten password. BUT, the EFI protection does not protect your data, it only prevents access to the hardware. If you need to protect your data, then you need to use another protection scheme, such as encryption.

So, an EFI password is something like a Kensington lock, which might help avoid casual thefts, but not brute force thefts. Same for the EFI password, no access to the system, but removing the drive completely gets you past that level, which simply is a software layer provided by the EFI.
The "Mac-knowledgeable" criminal will understand the limitations of EFI (removing the drive, if necessary), and can easily bypass a login password. An encrypted hard drive might not hold off a determined, talented thief.
As Apple is likely going to start providing an "enclave" chip, that should make any attempts at taking data extraordinarily difficult, if not impossible (like a locked iPhone...)

But, then again, if I was an expert, wanting to get at someone's data, and it was some quite valuable stuff, I would probably try to discover the local backup drive - which might not be protected at all, just lying out there in the open. :D
 
That seems like a dumb design that they can't make your system password protect files regardless of where the HDD is located.

It's not so much about where it's located, it's about who's in charge. The password for your user-account is enforced by OS/X, now if I take your drive and access it with another operating-system there is no way for your OS/X to enforce that password. If I take your drive, put it in another Mac and boot your OS/X from it your password would still be enforced.

A physical analogy (not perfectly accurate though) would be a box (Filesystem) that sits inside a locked room (OS/X), if I remove the box from the room the lock no longer provides any protection.

For the box to stay protected it has to have a mechanism for that and that is what encryption does.
 
My understanding of how FDE works on a Mac, is that you boot up with firmware on the EFI, you enter your system password into the pre-boot environment, it unlocks your disk/partition, and then macOS comes to life and boots up the OS.

I believe this to be true, because when you boot up into Recovery Mode, you are in the pre-boot EFI environment, and that is where you can change your system passwords. So it seems like that is also where you would "unlock" the encrypted container made by FileVault 2.

When you have FV on, it does not boot from firmware, but rather from the recovery partition where the login/unlock screen is presented. Once you enter the correct password the login/boot process is handed off to the now unlocked main drive.

I guess the last thing I am pondering is whether there is any benefit to setting an EFI password if you are also running FileVault 2??

Having both on does not really make your data more secure, since that is locked down by FV anyway. But it would stop someone from booting into Internet recovery and erasing your drive to use the computer... essentially they will have stolen a useless boat anchor.

I always turn on FV and the EFI password for this reason. The downside is if you lose the EFI password it would be a hassle to take your Mac to Apple with proof of purchase to get it removed.
 
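Added example, not part of any post in this thread: a shell check that maps the two settings discussed above (FileVault and the EFI firmware password) to the exposure each combination leaves. It assumes an Intel Mac, root privileges, and the usual output text of `fdesetup status` and `firmwarepasswd -check`; the function names and the fallback sample strings are constructed for illustration.

```shell
#!/bin/sh
# Classify physical-access posture from `fdesetup status` and
# `firmwarepasswd -check` output (function names are hypothetical).

# Succeeds if the fdesetup text reports FileVault enabled.
fv_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds if the firmwarepasswd text reports a firmware password set.
fw_on() {
  case "$1" in
    *"Password Enabled: Yes"*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = fdesetup output, $2 = firmwarepasswd output; prints "data=... boot=...".
posture() {
  if fv_on "$1"; then data="encrypted"; else data="readable-if-drive-removed"; fi
  if fw_on "$2"; then boot="alternate-boot-blocked"; else boot="alternate-boot-allowed"; fi
  # Without FileVault, an allowed alternate boot also exposes the data in place.
  if ! fv_on "$1" && ! fw_on "$2"; then data="readable-via-other-os-or-removal"; fi
  echo "data=$data boot=$boot"
}

# Live check on a Mac; otherwise use constructed sample output.
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
  fv_out=$(fdesetup status 2>/dev/null || true)
  fw_out=$(firmwarepasswd -check 2>/dev/null || true)
else
  fv_out="FileVault is On."        # constructed sample
  fw_out="Password Enabled: No"    # constructed sample
fi
posture "$fv_out" "$fw_out"
```

With FileVault on and no firmware password, the result is `data=encrypted boot=alternate-boot-allowed`: the data stays locked, but the machine can still be booted to recovery, erased and reused.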