Inside Mac OS X 10.7 Lion: File Vault full disk encryption and cloud key storage

Posted:
in macOS edited January 2014
In Mac OS X Lion, Apple has completely revamped FileVault, removing it as a simple encryption of users' Home folders and reinstating it as full disk encryption solution, with an apparent option to save disk encryption keys with Apple, likely via MobileMe.



Full disk encryption



FileVault previously helped to secure a user's files by encrypting the data within their Home folder, which includes documents, settings, Keychains, and most but not all sensitive data (excluding anything the user might save outside the Home folder).



In Lion, Apple has upgraded FileVault to the status of full disk encryption, a feature that secures the entire disk.



To access a FileVault encrypted disk, each user on the machine can be assigned the right to unlock the disk by adding a generated encryption key to the users' Keychains, a step that requires that they only need to remember their login password.



Decrypting the disk can be performed by those users at login, or with the key itself. Apple warns users in Lion that turning on Disk Encryption and subsequently forgetting both their login password and their recovery key will render the drive inaccessible, and data will be irrecoverably lost.











Disk encryption key storage



To help prevent users from losing their data, it appears Lion will offer an option to store the encryption key with Apple, apparently as part of its MobileMe cloud service (noting "fees may apply"). The feature is not currently active, as depicted in the screen shot below.



«13

Comments

  • Reply 1 of 46
    noirdesirnoirdesir Posts: 1,027member
    How can you boot of an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted how can the computer boot without been given the password?
  • Reply 2 of 46
    quinneyquinney Posts: 2,528member
    So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?
  • Reply 3 of 46
    Quote:
    Originally Posted by noirdesir View Post


    How can you boot of an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted how can the computer boot without been given the password?



    The boot volume could be separate and unencrypted.
  • Reply 4 of 46
    noirdesirnoirdesir Posts: 1,027member
    Quote:
    Originally Posted by Suddenly Newton View Post


    The boot volume could be separate and unencrypted.



    Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?

    (And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)
  • Reply 5 of 46
    noirdesirnoirdesir Posts: 1,027member
    Quote:
    Originally Posted by quinney View Post


    So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?



    TM would see, as the user, the unencrypted files. To ensure that the TM backup is also encrypted, you would need to backup to an encrypted sparse bundle disk image.
  • Reply 6 of 46
    Quote:
    Originally Posted by noirdesir View Post


    TM would see, as the user, the unencrypted files. To ensure that the TM backup is also encrypted, you would need to backup to encrypted sparse bundle disk image.



    I'd rather have each file backed up and restored in encrypted form. As long as I'm logged in, it should look as it does today.



    Last time I tried, TM didn't work with encrypted sparsebundle images.
  • Reply 7 of 46
    Quote:
    Originally Posted by noirdesir View Post


    How can you boot of an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted how can the computer boot without been given the password?



    This is what I'm wondering too. The article didn't really convey the impression that disk encryption was actually tested, so I wouldn't take any comments about 'password at logon' as meaning OS logon. I assume that it works the same as PGP WDE, in which a decryption prompt appears pre-logon. It would be great if someone could clarify this point, though.



    Otherwise it just gets too messy (i.e. multiple boot volumes), or the decryption key has to be stored somewhere the OS can access it (insecure).
  • Reply 8 of 46
    noirdesirnoirdesir Posts: 1,027member
    Quote:
    Originally Posted by Kevin McMurtrie View Post


    I'd rather have each file backed up and restored in encrypted form. As long as I'm logged in, it should look as it does today.



    Last time I tried, TM didn't work with encrypted sparsebundle images.



    It does work, google it. You need to jump through a couple of hoops though, ie, create the encrypted image first manually, create an entry for the key in your keychain:

    http://thepracticeofcode.com/post/74...ackups-on-snow
  • Reply 9 of 46
    Quote:
    Originally Posted by noirdesir View Post


    Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?

    (And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)



    There are two options for full disk encryption. The encryption/check is done at the EFI, or the MBR is not encrypted. Both are called "full disk encryption" even when the later has a small part that is unencrypted.

    Do not know how this was implemented at Lion.
  • Reply 10 of 46
    welshdogwelshdog Posts: 1,897member
    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost



    That's all I can hear in my head right now.
  • Reply 11 of 46
    bertpbertp Posts: 274member
    I like what has been described so far. But, the questions about TM integration with this feature must be answered. I would like see a preference checkbox somewhere regarding encrypting the TM drive. The user should not have to take additional actions beyond checking that checkbox.



    {deleted}



    Finally, IMO, it makes sense to wait until after Mac OS X 10.7.0 is released into the field, and to read up on reviews and reader experiences first. Then, perhaps try it out with a subsequent point release.
  • Reply 12 of 46
    maltzmaltz Posts: 453member
    Quote:
    Originally Posted by WelshDog View Post


    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost

    irrecoverably lost



    That's all I can hear in my head right now.



    Isn't that kind of the point of encryption? So that data will be irrecoverable if you don't have the key?
  • Reply 13 of 46
    docno42docno42 Posts: 3,755member
    Quote:
    Originally Posted by WelshDog View Post


    irrecoverably lost



    That's all I can hear in my head right now.



    You don't backup?



    If so, full disk encryption is the least of your worries
  • Reply 14 of 46
    Perhaps these rumours of a SSD boot volume are true. Lion will support a boot partition separate from the files and applications. This partition would not be encrypted. And, as a separate partition, it could live anywhere - a separate partition on the same physical disk as the data, or, on a different physical disk (SSD or spinning).
  • Reply 15 of 46
    peteropetero Posts: 94member
    File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.





    Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.





    For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.



    http://www.apple.com/support/security/guides/
  • Reply 16 of 46
    quillzquillz Posts: 209member
    This is going to sound totally out of the blue, but one of the things I still miss from System 9 was being able to encrypt just a single file or folder, rather than your entire disk, and being able to log in to your account with your voice rather than a password.



    I'm sure FileVault is a hundred times more matured than anything in System 9 ever was, but sometimes I'd really rather just have one file encrypted, not my entire disk.
  • Reply 17 of 46
    stuffestuffe Posts: 394member
    Quote:
    Originally Posted by noirdesir View Post


    How can you boot of an encrypted disk and enter your login password only at, eh, login? If the whole disk is encrypted how can the computer boot without been given the password?



    You login twice, in effect, once to unlock the encryption and to allow the boot process to begin, the other to actually log in. The user/password combination is pulled from the OS so there is no need to maintain seperate details, but it's that simple. When you first boot, you get to a login screen that looks almost identical to the normal login window, the difference is there is a localisation button which is set to US by default (annoyingly), but other than that it looks like normal login, only on my Air is boots to this screen in literally < 2 seconds. Once you etner the password here the process contonies as it always has done, and you will remain blissfully unware of the encryption from this point on.



    Time machine won't know anything is encryyped, it will just back up as normal. I don't know if the backups will also be encrypted, but I think that my Time Machine backup to an airdisk of an AE router are kept in a sparesbundle these days, so probably no reason why not.



    The interesting bit which I have not heard much about yet is block level backups for TM. I believe that Versions stores block-level differences between file versions, and if this is expanded to TM it could cause some serious space shrinkage and speed improvements for TM backups.
  • Reply 18 of 46
    stuffestuffe Posts: 394member
    Quote:
    Originally Posted by macfan246 View Post


    This is what I'm wondering too. The article didn't really convey the impression that disk encryption was actually tested, so I wouldn't take any comments about 'password at logon' as meaning OS logon. I assume that it works the same as PGP WDE, in which a decryption prompt appears pre-logon. It would be great if someone could clarify this point, though.



    Otherwise it just gets too messy (i.e. multiple boot volumes), or the decryption key has to be stored somewhere the OS can access it (insecure).



    I am not sure where the initial "unencryption login" checks it's password against. Clearly it can't get at your actual passwd file as it's encrypted....so it must maintain a synchronised list of passwords within the boot partition that presents the unencryption screen. Perhaps the password changing process knows to check the list of users that are allowed to unencrypt and keeps a copie of their password hashes on the boot sector also - that is most likely.
  • Reply 19 of 46
    stuffestuffe Posts: 394member
    Quote:
    Originally Posted by BertP View Post


    I like what has been described so far. But, the questions about TM integration with this feature must be answered. I would like see a preference checkbox somewhere regarding encrypting the TM drive. The user should not have to take additional actions beyond checking that checkbox.



    {deleted}



    Finally, IMO, it makes sense to wait until after Mac OS X 10.7.0 is released into the field, and to read up on reviews and reader experiences first. Then, perhaps try it out with a subsequent point release.



    I set up a new TM backup recently, and will be doing same on my Lion partition soon to test this. 10.6 currently backups up into sparsebundles at present now anyway, for new backups, and I expect that you will (if not now, before 10.7 goes live) be able to choose the encryption status of your backups when you initiate them. It would make sense to match the current system setting, but given that you can turn on encryption at any point in the OS, and I am not sure if you can suddenly choose to encrypt an unencrypted sparesebundle at any time other than creation, that could cause an issue where the backup remains unencrypted once the main OS becomes encrypted.
  • Reply 20 of 46
    stuffestuffe Posts: 394member
    Quote:
    Originally Posted by PeterO View Post


    File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.





    Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.





    For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.



    http://www.apple.com/support/security/guides/



    Filevault in Lion shares only the name. It's a different process entirely that has everything encrypted. Of course, when you have unencrypted your data (whether at boot with Lion, or Login with Leopard) then naturally your data is unencrypted and available by the user there is simply no way around this unless you encrypt each of your files with a different password. That's the nature of actually using a machine, you can have it secured when you turn it off for if it gets stolen etc, but when it use, well you know, it's there to use...much like you cannot encrypt your screen so only you can see it. Good user practice is all that's required, password on screensaver, locking your screen or putting into sleep with password on wake etc when you walk away from it etc etc.
Sign In or Register to comment.