How do you relock Filevault 2 external drives?

[glutenenvy]

I've been bouncing around several google searches and coming up empty.
I have an external drive partition encrypted with Filevault2. After I enter the encryption password it unlocks properly. According to the docs, ejecting (or diskutil eject) is supposed to bring that partition back to a locked state.

It does not. A simple remount is possible without the need to enter the encryption password. The encryption key is kept in memory. This is an unnecessary security risk.

This encryption key has not been added to keychain. When I look at keychain, I have no encrypted drive passwords saved.

I'm looking for a solution that does not require unplugging the drive, rebooting the computer or changing the encryption to a different format.

Has anybody tackled this successfully? Am I overlooking something important?

 

[scaredpoet]

First thing I would do is report your finding via the feedback page, including your assessment that this is a security risk. Others have done this (and pointed out that the man page for command line 'diskutil eject' command incorrectly claims that an encrypted volume should relock upon eject). However, it's important the people continue to needle Apple on this, so they can either fix the software to work as documented, or fix the documentation to reflect what the software does, depending on how they want to go with this.

Until then, a (very clunky) workaround is to first eject all encrypted volumes (and I DO mean all) and then issue the following command in terminal:

sudo kextunload -pb com.apple.driver.CoreStorage

then

sudo kextload -b com.apple.driver.CoreStorage

The first command forces CoreStorage to terminate, forcing all encrypted volumes to lock. The second command reloads CoreStorage, enabling the ability to unlock encrypted volumes again. As you can guess, ejecting the volumes first is important to avoid the possibility of file system corruption, since this is a very brute force way of stopping CoreStorage.

A less clunky (but still not ideal) workaround would be to use encrypted DMG disk images to store sensitive data that you want locked up open eject, rather than relying on full disk encryption to do it. If you eject an image, you will need a password to unlock it again when you remount it.

And FWIW: Apparently, using clunky workarounds to relock encrypted volumes is also the case on Windows.