Secure encryption with primary SSD and secondary HDD

Discussion in 'Mac OS X Lion (10.7)' started by joe4444, Feb 17, 2015.

  1. joe4444 macrumors newbie

    Joined:
    Feb 14, 2015
    #1
    While waiting for my new SSD to arrive in the mail, I've been looking into FileVault 2. I like the idea of knowing that IF my MacBook were stolen, then my data would be as inaccessible as possible. However, I am one of those "always sleep, never shut down" users.

    After some reading, I realize that even with FileVault 2, when its asleep my computer would be vulnerable to a cold boot attack. A fairly simple workaround is to configure sleep to go straight to hibernate mode, so then contents of RAM go to the disk, mitigating a cold boot attack. (I'm fine with the slower waking from hibernate, and I'm already used to typing my password when waking from sleep.) I've tested this on my current HDD, and while it's a little slow to wake, I'm okay with it as a more secure alternative to super fast wake from sleep.

    However, the problem is that writing contents of RAM to an SSD every time I close the lid (on average at least 10 times/day) will kill the SSD probably within its warranty period because 8GB RAM x 10 hibernations/day = writing 80GB/day x 3 years = over 80TB written...excluding normal use. The Crucial MX100 SSD that I ordered has a 3 year warranty and an endurance rating for 72TB written, so that's really pushing the limit. I don't want to risk a drive failure after only a few years. I'll probably replace the drive after a few years just to be safe, but I'd like to do that on my time, not when forced to do so by a sudden crash.

    So, I looked into moving the sleepimage file to the secondary HDD. Of course this is not so simple because FileVault 2 would only encrypt the primary SSD. Thus, manual encryption of the secondary HDD would be needed (otherwise a "cold boot attack" would be even easier with RAM contents firmly planted on the HDD). Many people have noted that if they move their Users folder to an encrypted secondary HDD when using FileVault 2 on their primary SSD, it causes login problems, but these issues can be resolved with a utility like Unlock. I don't care about moving my Users folder, so I would only be putting the hibernation file sleepimage on the encrypted secondary HDD (along with media files like photos, music, and movies that require storage capacity beyond an affordable SSD).

    Would a tool such as Unlock also work well for the setup I described?


    Note: Yes, I realize that I could try to break my "never shut down" habit, but if there is a workable solution to avoid that, I'd like to make it happen. I already tried to find a solution that shuts down the MacBook when closing the lid (instead of sleep or hibernate), but that seems to be impossible.
     
  2. dyt1983 macrumors 65816

    Joined:
    May 6, 2014
    Location:
    USA USA USA
    #2
    You could also just buy a SSD that is rated for your intended usage.
     
  3. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #3
    With an SSD with limited space I would forgo a full encryption on the SSD and use something like Espionage and only encrypt and hide files you choose.
     
  4. dyt1983, Feb 18, 2015
    Last edited: Jun 1, 2015

    dyt1983 macrumors 65816

    Joined:
    May 6, 2014
    Location:
    USA USA USA
    #4
    edit: To remove personally identifying info not relevant to the conversation.
     
  5. joe4444, Feb 18, 2015
    Last edited: Feb 18, 2015

    joe4444 thread starter macrumors newbie

    Joined:
    Feb 14, 2015
    #5
    The issue is not limited SSD space. I was concerned about bringing the drive to an early death caused by numerous daily writes of 8GB whenever I hibernate. However, after seeing some stress tests of similar SSDs, which survived 1,000TB to 3,000TB of writes before failing, I think the manufacturer's endurance rating of 72TB is extremely conservative. I also found one Japanese endurance test of the MX100 that I ordered, and through Google translate it appears to show that the MX100 made it to 1,400TB of writes (20X the endurance rating) before it began to fail. With my typical "close the lid and go" habit, it would be 10 years before I'm even approaching 10% of the 1,000TB - 2,000TB write levels that those extreme stress tests showed SSDs can handle. I'll probably just replace the SSD after 3-5 years anyway to be safe because prices will have dropped considerably by then.

    That said, I would still like to offload the hibernate sleepimage file from the SSD to a secondary, encrypted HDD just for some added peace of mind, but so far it does not seem to work. Based on my testing with the Unlock tool, it looks like OS X might unmount any non-system partitions before it tries to write RAM to sleepimage because I can track the file's timestamp in two scenarios: when sleepimage is on the encrypted system partition and waking from hibernation works correctly, and when sleepimage is on an encrypted non-system partition and waking from hibernation fails. It seems the system does not even get to write RAM to sleepimage if it is on an encrypted non-system partition before it goes into hibernation, so there is no sleepimage file to access when it tries to wake up again.

    Anyone have any ideas that might help to work around this?
     

Share This Page