
Inside Mac OS X 10.7 Lion: File Vault full disk encryption and cloud key storage

post #1 of 47
Thread Starter 
In Mac OS X Lion, Apple has completely revamped FileVault, removing it as a simple encryption of users' Home folders and reinstating it as a full disk encryption solution, with an apparent option to save disk encryption keys with Apple, likely via MobileMe.

Full disk encryption

FileVault previously helped to secure a user's files by encrypting the data within their Home folder, which includes documents, settings, Keychains, and most but not all sensitive data (excluding anything the user might save outside the Home folder).

In Lion, Apple has upgraded FileVault to the status of full disk encryption, a feature that secures the entire disk.

To access a FileVault encrypted disk, each user on the machine can be assigned the right to unlock the disk by adding a generated encryption key to the user's Keychain, so that they only need to remember their login password.

Decrypting the disk can be performed by those users at login, or with the key itself. Apple warns users in Lion that turning on Disk Encryption and subsequently forgetting both their login password and their recovery key will render the drive inaccessible, and data will be irrecoverably lost.


Disk encryption key storage

To help prevent users from losing their data, it appears Lion will offer an option to store the encryption key with Apple, apparently as part of its MobileMe cloud service (noting "fees may apply"). The feature is not currently active, as depicted in the screen shot below.

post #2 of 47
How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?
post #3 of 47
So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?
post #4 of 47
Quote:
Originally Posted by noirdesir View Post

How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?

The boot volume could be separate and unencrypted.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #5 of 47
Quote:
Originally Posted by Suddenly Newton View Post

The boot volume could be separate and unencrypted.

Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?
(And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)
post #6 of 47
Quote:
Originally Posted by quinney View Post

So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?

TM would see, as the user, the unencrypted files. To ensure that the TM backup is also encrypted, you would need to backup to an encrypted sparse bundle disk image.
post #7 of 47
Quote:
Originally Posted by noirdesir View Post

TM would see, as the user, the unencrypted files. To ensure that the TM backup is also encrypted, you would need to backup to an encrypted sparse bundle disk image.

I'd rather have each file backed up and restored in encrypted form. As long as I'm logged in, it should look as it does today.

Last time I tried, TM didn't work with encrypted sparsebundle images.
post #8 of 47
Quote:
Originally Posted by noirdesir View Post

How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?

This is what I'm wondering too. The article didn't really convey the impression that disk encryption was actually tested, so I wouldn't take any comments about 'password at logon' as meaning OS logon. I assume that it works the same as PGP WDE, in which a decryption prompt appears pre-logon. It would be great if someone could clarify this point, though.

Otherwise it just gets too messy (i.e. multiple boot volumes), or the decryption key has to be stored somewhere the OS can access it (insecure).
post #9 of 47
Quote:
Originally Posted by Kevin McMurtrie View Post

I'd rather have each file backed up and restored in encrypted form. As long as I'm logged in, it should look as it does today.

Last time I tried, TM didn't work with encrypted sparsebundle images.

It does work, google it. You need to jump through a couple of hoops though, i.e., create the encrypted image first manually, then create an entry for the key in your keychain:
http://thepracticeofcode.com/post/74...ackups-on-snow
post #10 of 47
Quote:
Originally Posted by noirdesir View Post

Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?
(And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)

There are two options for full disk encryption. The encryption/check is done at the EFI, or the MBR is not encrypted. Both are called "full disk encryption" even when the latter has a small part that is unencrypted.
I do not know how this was implemented in Lion.
post #11 of 47
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost

That's all I can hear in my head right now.
post #12 of 47
I like what has been described so far. But, the questions about TM integration with this feature must be answered. I would like see a preference checkbox somewhere regarding encrypting the TM drive. The user should not have to take additional actions beyond checking that checkbox.

{deleted}

Finally, IMO, it makes sense to wait until after Mac OS X 10.7.0 is released into the field, and to read up on reviews and reader experiences first. Then, perhaps try it out with a subsequent point release.

Nullius in verba -- "on the word of no one"
post #13 of 47
Quote:
Originally Posted by WelshDog View Post

irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost
irrecoverably lost

That's all I can hear in my head right now.

Isn't that kind of the point of encryption? So that data will be irrecoverable if you don't have the key?
post #14 of 47
Quote:
Originally Posted by WelshDog View Post

irrecoverably lost

That's all I can hear in my head right now.

You don't backup?

If so, full disk encryption is the least of your worries
post #15 of 47
Perhaps these rumours of a SSD boot volume are true. Lion will support a boot partition separate from the files and applications. This partition would not be encrypted. And, as a separate partition, it could live anywhere - a separate partition on the same physical disk as the data, or, on a different physical disk (SSD or spinning).
post #16 of 47
File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.


Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.


For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.

http://www.apple.com/support/security/guides/
post #17 of 47
This is going to sound totally out of the blue, but one of the things I still miss from System 9 was being able to encrypt just a single file or folder, rather than your entire disk, and being able to log in to your account with your voice rather than a password.

I'm sure FileVault is a hundred times more matured than anything in System 9 ever was, but sometimes I'd really rather just have one file encrypted, not my entire disk.
post #18 of 47
Quote:
Originally Posted by noirdesir View Post

How can you boot off an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted, how can the computer boot without being given the password?

You login twice, in effect, once to unlock the encryption and to allow the boot process to begin, the other to actually log in. The user/password combination is pulled from the OS so there is no need to maintain separate details, but it's that simple. When you first boot, you get to a login screen that looks almost identical to the normal login window; the difference is there is a localisation button which is set to US by default (annoyingly), but other than that it looks like the normal login, only on my Air it boots to this screen in literally < 2 seconds. Once you enter the password here the process continues as it always has done, and you will remain blissfully unaware of the encryption from this point on.

Time Machine won't know anything is encrypted, it will just back up as normal. I don't know if the backups will also be encrypted, but I think that my Time Machine backups to an AirDisk on an AE router are kept in a sparsebundle these days, so probably no reason why not.

The interesting bit which I have not heard much about yet is block level backups for TM. I believe that Versions stores block-level differences between file versions, and if this is expanded to TM it could cause some serious space shrinkage and speed improvements for TM backups.
post #19 of 47
Quote:
Originally Posted by macfan246 View Post

This is what I'm wondering too. The article didn't really convey the impression that disk encryption was actually tested, so I wouldn't take any comments about 'password at logon' as meaning OS logon. I assume that it works the same as PGP WDE, in which a decryption prompt appears pre-logon. It would be great if someone could clarify this point, though.

Otherwise it just gets too messy (i.e. multiple boot volumes), or the decryption key has to be stored somewhere the OS can access it (insecure).

I am not sure where the initial "unencryption login" checks its password against. Clearly it can't get at your actual passwd file as it's encrypted... so it must maintain a synchronised list of passwords within the boot partition that presents the unencryption screen. Perhaps the password changing process knows to check the list of users that are allowed to unencrypt and keeps a copy of their password hashes on the boot sector also - that is most likely.
post #20 of 47
Quote:
Originally Posted by BertP View Post

I like what has been described so far. But, the questions about TM integration with this feature must be answered. I would like see a preference checkbox somewhere regarding encrypting the TM drive. The user should not have to take additional actions beyond checking that checkbox.

{deleted}

Finally, IMO, it makes sense to wait until after Mac OS X 10.7.0 is released into the field, and to read up on reviews and reader experiences first. Then, perhaps try it out with a subsequent point release.

I set up a new TM backup recently, and will be doing the same on my Lion partition soon to test this. 10.6 currently backs up into sparsebundles for new backups anyway, and I expect that you will (if not now, before 10.7 goes live) be able to choose the encryption status of your backups when you initiate them. It would make sense to match the current system setting, but given that you can turn on encryption at any point in the OS, and I am not sure if you can suddenly choose to encrypt an unencrypted sparsebundle at any time other than creation, that could cause an issue where the backup remains unencrypted once the main OS becomes encrypted.
post #21 of 47
Quote:
Originally Posted by PeterO View Post

File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.


Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.


For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.

http://www.apple.com/support/security/guides/

Filevault in Lion shares only the name. It's a different process entirely that has everything encrypted. Of course, when you have unencrypted your data (whether at boot with Lion, or Login with Leopard) then naturally your data is unencrypted and available by the user there is simply no way around this unless you encrypt each of your files with a different password. That's the nature of actually using a machine, you can have it secured when you turn it off for if it gets stolen etc, but when it use, well you know, it's there to use...much like you cannot encrypt your screen so only you can see it. Good user practice is all that's required, password on screensaver, locking your screen or putting into sleep with password on wake etc when you walk away from it etc etc.
post #22 of 47
Quote:
Originally Posted by djames4242 View Post

Perhaps these rumours of a SSD boot volume are true. Lion will support a boot partition separate from the files and applications. This partition would not be encrypted. And, as a separate partition, it could live anywhere - a separate partition on the same physical disk as the data, or, on a different physical disk (SSD or spinning).

I suspect (suspect only!) that these rumours are wide of the mark; if anything I need fast access to my apps and files, not the OS per se, which is probably not the limiting factor when it comes to slowing down my computer. With enough RAM to prevent excessive paging the OS disk load is probably quite small.

I think that someone somewhere got wind of the storing of the password hashes etc for FileVault "off volume", and put 2 and 2 together, when I suspect that they have done something like just put it into the EFI boot sector (or equivalent, I am probably getting my words mixed up here) in the same way the list of volumes to boot from appears. It's just increasing the intelligence of the boot process to allow it to handle encryption, but not moving the whole boot procedure onto a separate drive.
post #23 of 47
Quote:
Originally Posted by stuffe View Post

I am not sure where the initial "unencryption login" checks its password against. Clearly it can't get at your actual passwd file as it's encrypted... so it must maintain a synchronised list of passwords within the boot partition that presents the unencryption screen. Perhaps the password changing process knows to check the list of users that are allowed to unencrypt and keeps a copy of their password hashes on the boot sector also - that is most likely.



This is a two step process: the MBR is not encrypted and it contains a list of CMS (or other encrypted message), one per each user that is allowed to unencrypt the rest of the disk (usually the hash of the login is kept, so this information is in the clear). When the box boots, the MBR starts a small login program that asks for your credentials; it uses this information to locate the right CMS and unencrypt it using the password. The content of the CMS is the key to unencrypt the rest of the volume. If this goes ok, then the boot continues and OS X is loaded. You may have to login again at OS X.
post #24 of 47
So will this encryption be only for boot drives or will you be able to encrypt external drives too?
post #25 of 47
You could always encrypt external drives, by creating an encrypted disk image the size of the disk it was sitting on. This might reduce the steps a user needs to understand in order to make it more accessible, but the functionality is there now, for those that understand it.
post #26 of 47
Quote:
Originally Posted by PeterO View Post

File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.

That's not true, nothing is written to the disk without being encrypted first. If what you say is true, the same problem would exist on a spinning disk too. Filevault (pre-Lion) is simply an encrypted disk image, where any data is encrypted before it is actually written to a disk (SSD, HDD, whichever). Any fragments of the FileVault image are encrypted, and thus useless without the key.
post #27 of 47
Quote:
Originally Posted by stuffe View Post

You could always encrypt external drives, by creating an encrypted disk image the size of the disk it was sitting on. This might reduce the steps a user needs to understand in order to make it more accessible, but the functionality is there now, for those that understand it.

I actually do that now in a way with my image collection. But instead of one volume I've created multiple encrypted disc images that I can mount individually. I did that so that if an image got corrupted somehow, I only lost that particular one (paranoid). I'd hate to lose 60k of images at once.

I was just wondering that if this new addition might be a more convenient/faster route than disc images.
post #28 of 47
Quote:
Originally Posted by Elijahg View Post

That's not true, nothing is written to the disk without being encrypted first. If what you say is true, the same problem would exist on a spinning disk too. Filevault (pre-Lion) is simply an encrypted disk image, where any data is encrypted before it is actually written to a disk (SSD, HDD, whichever). Any fragments of the FileVault image are encrypted, and thus useless without the key.

Also it appears Lion will have TRIM support.
post #29 of 47
Quote:
Originally Posted by delete View Post

I actually do that now in a way with my image collection. But instead of one volume I've created multiple encrypted disc images that I can mount individually. I did that so that if an image got corrupted somehow, I only lost that particular one (paranoid). I'd hate to lose 60k of images at once.

I was just wondering that if this new addition might be a more convenient/faster route than disc images.

I would hope so, perhaps Disk Utility has a new option - I will play when I get home.
post #30 of 47
Have none of you read the Lion Preview page on Apple's website?

http://www.apple.com/macosx/lion/

"Keep all the data on your Mac even more secure with XTS-AES 128 data encryption at the disk level. Initial encryption is fast and unobtrusive; it encrypts everything in the background while you work. FileVault also encrypts for your external drives, and provides the ability to wipe all the data from your Mac instantaneously."

This works similar to iOS. To instantly wipe all your data, it simply deletes the encryption keys. No recovery is available at that point. I downloaded Lion and encrypted my drive. It took 6-7 hours for a 320GB 7200 RPM SATA on an early 2009 17" MBP w/ 2.9GHz Intel Core 2 Duo. I even rebooted a few times in the middle to do some other things. The encryption process intelligently saves state and picks up where it left off across reboots and shutdowns just like PGP, CheckPoint, SecureDoc.
Walter Rowe Photography
Columbia, Maryland - USA
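Post #23 describes the two-step scheme (an unencrypted header holding one password-wrapped copy of the volume key per authorised user, looked up by a hash of the login name) and post #30 describes the instant wipe that works by destroying the keys rather than the data. The following is an added example, not code from this thread and not Apple's FileVault implementation, that models both behaviours so the consequences are concrete: any enrolled user's password recovers the same volume key, a wrong password is rejected by the authentication tag rather than by comparing password hashes, removing one slot revokes one user without re-encrypting the volume, and clearing every slot leaves the volume ciphertext permanently unreadable. It uses only the Python standard library; the HMAC-based wrap is a hypothetical stand-in for the CMS/AES key wrap a real product uses, and the iteration count, slot layout and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Work factor for the password-to-KEK derivation (assumed value, not Apple's).
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def new_volume_key() -> bytes:
    """The random key that actually encrypts the volume; never derived from a password."""
    return secrets.token_bytes(32)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Turn a user's login password into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256; a stand-in for AES key wrap.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC the volume key under the KEK: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(volume_key, _keystream(kek, nonce, len(volume_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Return the volume key, or None if the KEK (i.e. the password) is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class VolumeHeader:
    """The small unencrypted area at the start of the disk: one slot per enrolled user."""

    def __init__(self):
        # slot id (hash of the login name, so not secret) -> (salt, wrapped volume key)
        self.slots = {}

    @staticmethod
    def _slot_id(username: str) -> bytes:
        return hashlib.sha256(username.encode("utf-8")).digest()

    def enroll(self, username: str, password: str, volume_key: bytes) -> None:
        """Add a user. The caller must already hold the volume key (e.g. from unlock())."""
        salt = secrets.token_bytes(16)
        self.slots[self._slot_id(username)] = (salt, wrap_key(derive_kek(password, salt), volume_key))

    def unlock(self, username: str, password: str):
        """The pre-boot login: find the user's slot and try to unwrap it."""
        slot = self.slots.get(self._slot_id(username))
        if slot is None:
            return None
        salt, blob = slot
        return unwrap_key(derive_kek(password, salt), blob)

    def revoke(self, username: str) -> None:
        """Remove one user's slot; the other slots still unlock the same volume key."""
        self.slots.pop(self._slot_id(username), None)

    def wipe(self) -> None:
        """Instant wipe: destroy every slot. The ciphertext stays on disk but is unrecoverable."""
        self.slots.clear()


def demo() -> dict:
    """Walk through enrol, unlock, second user, revoke and wipe; returns each check as a boolean."""
    vk = new_volume_key()
    header = VolumeHeader()
    header.enroll("alice", "correct horse battery", vk)   # constructed sample credentials
    results = {
        "alice_unlocks": header.unlock("alice", "correct horse battery") == vk,
        "wrong_password_fails": header.unlock("alice", "wrong") is None,
        "unknown_user_fails": header.unlock("bob", "anything") is None,
    }
    # Alice, having unlocked, enrols Bob with his own password: same volume key, different KEK.
    header.enroll("bob", "bob's passphrase", header.unlock("alice", "correct horse battery"))
    results["bob_unlocks"] = header.unlock("bob", "bob's passphrase") == vk
    header.revoke("alice")
    results["revoked_alice_fails"] = header.unlock("alice", "correct horse battery") is None
    results["bob_still_unlocks"] = header.unlock("bob", "bob's passphrase") == vk
    header.wipe()
    results["wiped_nobody_unlocks"] = header.unlock("bob", "bob's passphrase") is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point the thread circles around is visible in `unlock`: the header never stores a password hash to compare against, it stores a wrapped key, so a wrong password simply fails to produce a valid tag and nothing about other users' passwords is exposed. Because the volume key itself is random and independent of every password, changing or removing a user touches one slot, and a wipe is complete the moment the slots are gone.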
post #31 of 47
Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.
post #32 of 47
The Lion Developer Preview is only available to registered Apple developers. Anyone can pay $99/yr to register as a developer and download the Lion preview.

Quote:
Originally Posted by nunyabinez View Post

Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.
Walter Rowe Photography
Columbia, Maryland - USA
post #33 of 47
Quote:
Originally Posted by nunyabinez View Post

Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.

Yeah, I know of some places, publicly linked on what should be a Tech news website that knows better (in the actual articles, not even the comments), but no, I won't share, and I already attempted to blast said website in its comments section for being such idiots.

Sorry, but if you want it, go pay. I would say that it's Pre-BETA anyway, it's only a preview, and frankly I wouldn't use it every day on any machine, yet.
post #34 of 47
Quote:
Originally Posted by wprowe View Post

The Lion Developer Preview is only available to registered Apple developers. Anyone can pay $99/yr to register as a developer and download the Lion preview.

Yep, realize that, but I'm not a developer and don't want to spend $99 for a couple month preview. A quick google search indicates that there are other ways to get the file, but I wanted to make sure that it would install and run if I spent the bandwidth to download it since I had also heard rumors that the software called home to see if you are a developer or not.

I used Office 2011 for months before it was out despite not being a part of the formal Beta and bought it the day it was released. Not trying to get free software, just don't want to pay to try it out.
post #35 of 47
Quote:
Originally Posted by stuffe View Post

Yeah, I know of some places, publicly linked on what should be a Tech news website that knows better (in the actual articles, not even the comments), but no, I won't share, and I already attempted to blast said website in its comments section for being such idiots.

Sorry, but if you want it, go pay. I would say that it's Pre-BETA anyway, it's only a preview, and frankly I wouldn't use it every day on any machine, yet.

Good to know, I assumed with a "Summer" release that it was fairly stable and complete, but it might be better to wait and see. Thanks.
post #36 of 47
Quote:
Originally Posted by nunyabinez View Post

Yep, realize that, but I'm not a developer and don't want to spend $99 for a couple month preview.

You can get the preview of Lion for $99 legally, or for free illegally. Your choice. Unless you think you have a moral right to get it for free, then you will not consider the free 'option' illegal.
post #37 of 47
Quote:
Originally Posted by Quillz View Post

This is going to sound totally out of the blue, but one of the things I still miss from System 9 was being able to encrypt just a single file or folder, rather than your entire disk, and being able to log in to your account with your voice rather than a password.

I'm sure FileVault is a hundred times more matured than anything in System 9 ever was, but sometimes I'd really rather just have one file encrypted, not my entire disk.

Create an encrypted disk image in Disk Utility and move the files you want to encrypt to the image. This will encrypt those files for you
Summer '09 Macbook 6 GB RAM, SSD; iPhone 3GS, aTV v.2

Jesus told her, I am the resurrection and the life. Anyone who believes in me will live, even after dying. Anyone who lives in me and [trusts]...
post #38 of 47
Quote:
Originally Posted by noirdesir View Post

Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?
(And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)

I wonder if they figured out filesystem-level encryption. This was a feature of ZFS but presumably what Apple uses works for current systems without formatting.

The most likely scenario is that it asks for a password at boot to prevent any command-line trickery but there's a possibility they have separated the system and data too. Whatever they are using, at least it'll be better than the current implementation.
post #39 of 47
PeterO:

You're actually incorrect about FileVault and needing to logout. Apple has finally got rid of the fake security of your screensaver or sleep password app, and uses the loginwindow process to let you back in after the screensaver runs. Apple has asked many of my friends in security consulting to bang on OS X Lion right now. Also they hired away one of the top security experts for Unix last year to work on Lion.

SSD in 10.7 has trim support, before that most people have intel SSDs which DO NOT support trim in the first place.

I just want to point out that security in 10.7 is serious this time. I have a job where one of my machines is forced to use a special RFID hard disk key to unencrypt the disk, as well as use software whole disk encryption like true crypt. I'm using 10.7 on a test notebook (11" SSD macbook air, and file vault is extremely fast)

Quote:
Originally Posted by PeterO View Post

File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.


Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.


For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.

http://www.apple.com/support/security/guides/
post #40 of 47
Quote:
Originally Posted by quinney View Post

So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?

Also, do you have to log out before Time Machine can run?

I still don't understand why logging out is required in the current version of Filevault. If you can log in and access your Filevault home directory, shouldn't Time Machine also have access while you are logged in?