Inside Mac OS X 10.7 Lion: File Vault full disk encryption and cloud key storage


Comments

  • Reply 21 of 46
    stuffe Posts: 394 member
    Quote:
    Originally Posted by djames4242 View Post


    Perhaps these rumours of a SSD boot volume are true. Lion will support a boot partition separate from the files and applications. This partition would not be encrypted. And, as a separate partition, it could live anywhere - a separate partition on the same physical disk as the data, or, on a different physical disk (SSD or spinning).



    I suspect (suspect only!) that these rumours are wide of the mark, if anything I need fast access to my apps and files, not the OS per se, which is probably not the limiting factor when it comes to slowing down my computer. With enough RAM to prevent excessive paging the OS disk load is probably quite small.



    I think that someone somewhere got wind of the storing of the password hashes etc for FileVault "off volume", and put 2 and 2 together, when I suspect that they have done something like just put it into the EFI boot sector (or equivalent, I am probably getting my words mixed up here) in the same way the list of volumes to boot from appears. It's just increasing the intelligence of the boot process to allow it to handle encryption, but not moving the whole boot procedure onto a separate drive.
  • Reply 22 of 46
    Quote:
    Originally Posted by stuffe View Post


    I am not sure where the initial "unencryption login" checks its password against. Clearly it can't get at your actual passwd file as it's encrypted....so it must maintain a synchronised list of passwords within the boot partition that presents the unencryption screen. Perhaps the password changing process knows to check the list of users that are allowed to unencrypt and keeps a copy of their password hashes on the boot sector also - that is most likely.







    This is a two step process, the MBR is not encrypted and it contains a list of CMS (or other encrypted message), one per each user that is allowed to unencrypt the rest of the disk (usually the hash of the login is kept, so this information is in the clear). When the box boots, the MBR starts a small login program that asks for your credentials, it uses this information to locate the right CMS and unencrypt it using the password. The content of the CMS is the key to unencrypt the rest of the volume. If this goes OK, then the boot continues and OS X is loaded. You may have to log in again at OS X.
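
The per-user key-slot scheme described in Reply 22, as an added example that is not part of the original thread and not Apple's code. Assumptions: PBKDF2 with an XOR pad and an HMAC tag stands in for the CMS envelope, and the function names, logins and passwords are constructed for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 50_000  # assumed PBKDF2 work factor, not a FileVault parameter

def login_id(login):
    # Clear-text lookup key: hash of the login name, as the post describes.
    return hashlib.sha256(login.encode()).hexdigest()

def _derive(password, salt):
    # 64 bytes: a 32-byte pad that hides the volume key + a 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def make_slot(login, password, volume_key):
    # Hypothetical stand-in for one CMS entry: wraps the 32-byte volume key.
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per slot, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"id": login_id(login), "salt": salt, "wrapped": wrapped, "tag": tag}

def unlock(header, login, password):
    # Pre-boot login: find the user's slot, verify the tag, unwrap the key.
    for slot in header:
        if slot["id"] != login_id(login):
            continue
        pad, mac_key = _derive(password, slot["salt"])
        want = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
        if hmac.compare_digest(want, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))
    return None  # unknown user or wrong password: the volume stays locked

if __name__ == "__main__":
    volume_key = os.urandom(32)  # constructed sample key
    header = [make_slot("alice", "correct horse", volume_key),
              make_slot("bob", "battery staple", volume_key)]
    print(unlock(header, "alice", "correct horse") == volume_key)
    print(unlock(header, "alice", "guess"))
```

Every slot wraps the same volume key, so adding a user or changing a password rewrites one small header entry and never touches the encrypted data.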
  • Reply 23 of 46
    delete Posts: 48 member
    So will this encryption be only for boot drives or will you be able to encrypt external drives too?
  • Reply 24 of 46
    stuffe Posts: 394 member
    You could always encrypt external drives, by creating an encrypted disk image the size of the disk it was sitting on. This might reduce the steps a user needs to understand in order to make it more accessible, but the functionality is there now, for those that understand it.
  • Reply 25 of 46
    elijahg Posts: 2,759 member
    Quote:
    Originally Posted by PeterO View Post


    File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.



    That's not true, nothing is written to the disk without being encrypted first. If what you say is true, the same problem would exist on a spinning disk too. Filevault (pre-Lion) is simply an encrypted disk image, where any data is encrypted before it is actually written to a disk (SSD, HDD, whichever). Any fragments of the FileVault image are encrypted, and thus useless without the key.
  • Reply 26 of 46
    delete Posts: 48 member
    Quote:
    Originally Posted by stuffe View Post


    You could always encrypt external drives, by creating an encrypted disk image the size of the disk it was sitting on. This might reduce the steps a user needs to understand in order to make it more accessible, but the functionality is there now, for those that understand it.



    I actually do that now in a way with my image collection. But instead of one volume I've created multiple encrypted disc images that I can mount individually. I did that so that if an image got corrupted somehow, I only lost that particular one (paranoid). I'd hate to lose 60k of images at once.



    I was just wondering that if this new addition might be a more convenient/faster route than disc images.
  • Reply 27 of 46
    shuntsu Posts: 10 member
    Quote:
    Originally Posted by Elijahg View Post


    That's not true, nothing is written to the disk without being encrypted first. If what you say is true, the same problem would exist on a spinning disk too. Filevault (pre-Lion) is simply an encrypted disk image, where any data is encrypted before it is actually written to a disk (SSD, HDD, whichever). Any fragments of the FileVault image are encrypted, and thus useless without the key.



    Also it appears Lion will have TRIM support.
  • Reply 28 of 46
    stuffe Posts: 394 member
    Quote:
    Originally Posted by delete View Post


    I actually do that now in a way with my image collection. But instead of one volume I've created multiple encrypted disc images that I can mount individually. I did that so that if an image got corrupted somehow, I only lost that particular one (paranoid). I'd hate to lose 60k of images at once.



    I was just wondering that if this new addition might be a more convenient/faster route than disc images.



    I would hope so, perhaps Disk Utility has a new option - I will play when I get home.
  • Reply 29 of 46
    wprowe Posts: 33 member
    Have none of you read the Lion Preview page on Apple's website?



    http://www.apple.com/macosx/lion/



    "Keep all the data on your Mac even more secure with XTS-AES 128 data encryption at the disk level. Initial encryption is fast and unobtrusive - it encrypts everything in the background while you work. FileVault also encrypts for your external drives, and provides the ability to wipe all the data from your Mac instantaneously."



    This works similar to iOS. To instantly wipe all your data, it simply deletes the encryption keys. No recovery is available at that point. I downloaded Lion and encrypted my drive. It took 6-7 hours for a 320GB 7200 RPM SATA on an early 2009 17" MBP w/ 2.9GHz Intel Core 2 Duo. I even rebooted a few times in the middle to do some other things. The encryption process intelligently saves state and picks up where it left off across reboots and shutdowns just like PGP, CheckPoint, SecureDoc.
  • Reply 30 of 46
    Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.
  • Reply 31 of 46
    wprowe Posts: 33 member
    The Lion Developer Preview is only available to registered Apple developers. Anyone can pay $99/yr to register as a developer and download the Lion preview.



    Quote:
    Originally Posted by nunyabinez View Post


    Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.



  • Reply 32 of 46
    stuffe Posts: 394 member
    Quote:
    Originally Posted by nunyabinez View Post


    Apologies for a slightly off topic question, but I was hoping one of you could answer a question for me about Lion. I have heard that it is available somewhere on the net, but also that it phones home when being installed. I like to play with Beta software, but I'm not really a developer and don't want to pay $99 bucks to get an early preview. Has anyone here tried out Lion from sources other than the Apple download? I apologize if this is bad etiquette to ask here, but my intentions are just to play with Lion directly, and I am willing to deal with some issues on a non-production machine.



    Yeah, I know of some places, publicly linked on what should be a Tech news website that knows better (in the actual articles, not even the comments), but no, I won't share, and I already attempted to blast said website in its comments section for being such idiots.



    Sorry, but if you want it, go pay. I would say that it's Pre-BETA anyway, it's only a preview, and frankly I wouldn't use it every day on any machine, yet.
  • Reply 33 of 46
    Quote:
    Originally Posted by wprowe View Post


    The Lion Developer Preview is only available to registered Apple developers. Anyone can pay $99/yr to register as a developer and download the Lion preview.



    Yep, realize that, but I'm not a developer and don't want to spend $99 for a couple month preview. A quick google search indicates that there are other ways to get the file, but I wanted to make sure that it would install and run if I spent the bandwidth to download it since I had also heard rumors that the software called home to see if you are a developer or not.



    I used Office 2011 for months before it was out despite not being a part of the formal Beta and bought it the day it was released. Not trying to get free software, just don't want to pay to try it out.
  • Reply 34 of 46
    Quote:
    Originally Posted by stuffe View Post


    Yeah, I know of some places, publicly linked on what should be a Tech news website that knows better (in the actual articles, not even the comments), but no, I won't share, and I already attempted to blast said website in its comments section for being such idiots.



    Sorry, but if you want it, go pay. I would say that it's Pre-BETA anyway, it's only a preview, and frankly I wouldn't use it every day on any machine, yet.



    Good to know, I assumed with a "Summer" release that it was fairly stable and complete, but it might be better to wait and see. Thanks.
  • Reply 35 of 46
    noirdesir Posts: 1,027 member
    Quote:
    Originally Posted by nunyabinez View Post


    Yep, realize that, but I'm not a developer and don't want to spend $99 for a couple month preview.



    You can get the preview of Lion for $99 legally, or for free illegally. Your choice. Unless you think you have a moral right to get it for free, then you will not consider the free 'option' illegal.
  • Reply 36 of 46
    kohelet Posts: 58 member
    Quote:
    Originally Posted by Quillz View Post


    This is going to sound totally out of the blue, but one of the things I still miss from System 9 was being able to encrypt just a single file or folder, rather than your entire disk, and being able to log in to your account with your voice rather than a password.



    I'm sure FileVault is a hundred times more matured than anything in System 9 ever was, but sometimes I'd really rather just have one file encrypted, not my entire disk.



    Create an encrypted disk image in Disk Utility and move the files you want to encrypt to the image. This will encrypt those files for you
  • Reply 37 of 46
    Marvin Posts: 15,326 moderator
    Quote:
    Originally Posted by noirdesir View Post


    Yes, but that would require two volumes, one for the OS and one for the user account(s). If that would be necessary, shouldn't the System Preferences for full disk encryption at least refer to that?

    (And I would not call it 'Full Disk Encryption' if it only encrypted the user account(s). And didn't Appleinsider say that in contrast to FileVault, the whole disk gets encrypted, if it now would only be the user accounts, that would not make sense.)



    I wonder if they figured out filesystem-level encryption. This was a feature of ZFS but presumably what Apple uses works for current systems without formatting.



    The most likely scenario is that it asks for a password at boot to prevent any command-line trickery but there's a possibility they have separated the system and data too. Whatever they are using, at least it'll be better than the current implementation.
  • Reply 38 of 46
    webmail Posts: 639 member
    PeterO:



    You're actually incorrect about file vault and needing to logout. Apple has finally got rid of the fake security of your screensaver or sleep password app, and uses the loginwindow process to let you back in after screensaver runs. Apple has asked many of my friends in security consulting to bang on OS X Lion right now. Also they have one of the top security experts for Unix hired away last year work on Lion.



    SSD in 10.7 has trim support, before that most people have Intel SSDs which DO NOT support trim in the first place.



    I just want to point out that security in 10.7 is serious this time. I have a job where one of my machines is forced to use a special RFID hard disk key to unencrypt the disk, as well as use software whole disk encryption like TrueCrypt. I'm using 10.7 on a test notebook (11" SSD MacBook Air, and file vault is extremely fast)



    Quote:
    Originally Posted by PeterO View Post


    File Vault on an SSD is a security pain. Leaves leaked file fragments once the encrypted Home Folder image is closed. And more troublesome, with no OS TRIM support to clean up blocks and pages after the image closes, fragments persist like weeds in a meadow -- all plum looking through a firewire port.





    Remember sports fans, File Vault locks the door behind you only after you log-out. So, my fellow laptop owners, we're all logging out anytime we're on the move, right?? Great, we're all nodding our heads in unison.





    For those insomniacs looking for some nighttime reading and have yet to discover, Apple's "OS X Security Configuration" can help burn the midnight hour.



    http://www.apple.com/support/security/guides/



  • Reply 39 of 46
    haggar Posts: 1,568 member
    Quote:
    Originally Posted by quinney View Post


    So how does Time Machine integrate with this? Is the backup not encrypted or does the entire disk get backed up every time a one-character update is made to one file or is it just that every file on the disk is encrypted separately or what?



    Also, do you have to log out before Time Machine can run?



    I still don't understand why logging out is required in the current version of Filevault. If you can log in and access your Filevault home directory, shouldn't Time Machine also have access while you are logged in?
  • Reply 40 of 46
    mebbert Posts: 56 member
    Quote:
    Originally Posted by webmail View Post


    PeterO:



    You're actually incorrect about file vault and needing to logout. Apple has finally got rid of the fake security of your screensaver or sleep password app, and uses the loginwindow process to let you back in after screensaver runs. Apple has asked many of my friends in security consulting to bang on OS X Lion right now. Also they have one of the top security experts for Unix hired away last year work on Lion.



    SSD in 10.7 has trim support, before that most people have Intel SSDs which DO NOT support trim in the first place.



    I just want to point out that security in 10.7 is serious this time. I have a job where one of my machines is forced to use a special RFID hard disk key to unencrypt the disk, as well as use software whole disk encryption like TrueCrypt. I'm using 10.7 on a test notebook (11" SSD MacBook Air, and file vault is extremely fast)



    webmail,



    Can you comment on whether FileVault is now well integrated with TimeMachine? Specifically, does it only run at logout? Does it have to backup large blocks of data, or can it do the granular backups like unencrypted drives?



    Backup is obviously critical for anyone with a computer, and security is critical for a lot of us with a computer, but making the two coexist has been difficult.



    edit: BTW, I really hope everything you said about FileVault and SSDs is true!