10.4: A FileVault/wake from sleep password issue
Beware sleeping your Mac from a FileVault account! I have a FileVault-enabled non-admin on my PowerBook G4, and I have it set to require a password to wake the computer from sleep or screensaver.

If I close or sleep my PB under this account (or choose Lock Screen from the Keychain menu), then wake it, the system asks for password authentication. However, if I then type the name and password of an admin account (instead of the FileVault account), voila! I get full access to the encrypted account and all FileVault contents.

The screensaver authentication is apparently significantly different (and less secure) than the loginwindow authentication.

[robg adds: I haven't tested this one, so if someone who uses FileVault could confirm it, please post your results in the comments.]
Authored by: BMarsh on Jul 10, '06 08:21:15AM

While it may not be what this user expected... this is exactly the behaviour I would expect. (Not everyone should have admin access, only those trusted; most accounts can be non-admin and won't even notice the difference. Admins can also force password changes on other accounts, although this wouldn't likely give access to the FileVault data.)

the workaround:
if they want more "security" they need to log out rather than have the screensaver activate (there are ways to force this)

now the explanation:
when the user logs in, the password allows the decryption of the filevault. Sleep or activation of the screen saver has the user remain in the currently logged in user (with all currently running programs etc...) so the user filevault (which is really a disk image) is already opened. the filevault remains "open" until the user logs out (either through logout command, restart or shutdown)

why would apple allow other admins to unlock the screensaver?
to allow a machine to be unlocked, then have programs gracefully quit (necessary files saved etc...), before a logout, restart or shutdown of the system. Examples I can think of, students or workers forgetting to properly logout before leaving after a class or shift.

Authored by: SOX on Jul 10, '06 09:26:17AM

I don't use filevault but I would assume that the vault password is in a keychain which is unlocked by the user password. Perhaps I'm mistaken? Does file vault ask for an additional passcode besides the login?

If so then any admin can access the file vault without knowing the vault password simply by forcing a login as the user which will then unlock the keychain.

Thus this is more than simply being a screen saver issue. The only thing the screen saver provides is a way to do this very easily in a way that can't be easily detected.

Authored by: allanmarcus on Jul 10, '06 11:52:07AM

no, you don't understand how file vault works.

FV is an encrypted disk image of the user's home directory. There is some certificate management as well. When the user logs in, the password is used to decrypt and mount the disk image, which is seamlessly used as the user's home dir. When the screen saver is activated and the mouse is moved, the authentication dialog comes up and the user or an admin can authenticate. The disk image was already mounted, so that's how the admin can see it.

If the user logs out, the disk image is unmounted. The ONLY way to mount it is to have either the user's password (stored in the keychain) or the master FV password. Even if the admin changes the user's login password, the FV password is NOT changed. In fact, the user's keychain password is also not changed unless the user changed the login password and the passwords are in sync.

Bottom line, the FV is pretty well locked down except against a user that locks the screen and gives physical access to an admin. The solution to this, as stated elsewhere, is to have the user log out.

Authored by: SOX on Jul 10, '06 05:03:23PM

yes but how does it decrypt it? I would bet it does not use the user's password to encrypt it since then you could not (easily) change a user's password. I bet it uses the keychain. in which case everything I said is correct. that is, the act of logging in forced by root would decrypt it.

You're correct, except not
Authored by: dethbunny on Jul 10, '06 11:31:08PM
You're correct in that the FileVault image is not encrypted with the user's password. It's encrypted with a private key that is stored in the keychain. The keychain, however, is encrypted with the user's password. [very slightly simplified]

That's why changing the account password through any method other than the Accounts prefpane results in numerous dialogs asking for the "password for the keychain 'login.'" A user cannot unlock a keychain unless the password is known, even if blessed with Admin powers. That's also why the Master Password is so important for FileVault - without that, any time the account password is forgotten all data becomes totally inaccessible.

Keychain and FileVault are actually very secure if strong passwords are used.

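The key arrangement dethbunny describes (image key in the login keychain, keychain unlocked by the login password, master password as a second route) is easy to reason about when written out. The following is an added toy model, not Apple's format or code and not part of the original thread: the wrapping scheme (XOR under a PBKDF2-derived key with an HMAC tag), the salt and all passwords are constructed for the example. It runs the scenarios argued over above: an admin unlocking the screensaver of a mounted session, the session after logout, a login password reset that leaves the keychain behind, and recovery with the master password.

```python
"""Toy model of the key chain of custody this thread describes for 10.4
FileVault: the home-folder disk image is encrypted with a key kept in the
login keychain, the keychain is unlocked by the login password, and a
master password provides a second route to the same image key.

Constructed example, not Apple's format or algorithms. Key wrapping is XOR
with a PBKDF2-derived key plus an HMAC tag, chosen only so the model runs
with the standard library and rejects wrong passwords cleanly.
"""
import hashlib
import hmac
import os

SALT = b"constructed-salt"  # constructed constant so the model is repeatable


def derive(password: str) -> bytes:
    """32-byte wrapping key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, 32)


def wrap(image_key: bytes, password: str) -> bytes:
    """Encrypt image_key under a password-derived key and tag it."""
    k = derive(password)
    body = bytes(a ^ b for a, b in zip(image_key, k))
    return body + hmac.new(k, body, "sha256").digest()


def unwrap(blob: bytes, password: str):
    """Return the image key, or None if the password does not fit."""
    k = derive(password)
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(k, body, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, k))


class FileVaultAccount:
    """One user: a login password record, a keychain that wraps the image
    key, and a copy of the image key wrapped under the master password."""

    def __init__(self, login_password: str, master_password: str):
        self.image_key = os.urandom(32)        # constructed key material
        self.login_password = login_password   # what loginwindow verifies
        self.keychain = wrap(self.image_key, login_password)
        self.master_copy = wrap(self.image_key, master_password)
        self.mounted = False

    def login_and_mount(self, password: str) -> bool:
        """loginwindow path: verify the password, then use the same password
        to open the keychain and mount the image. Returns whether the home
        image ended up mounted."""
        if password != self.login_password:
            return False
        if unwrap(self.keychain, password) is None:
            return False   # authenticated, but the keychain is still under the old password
        self.mounted = True
        return True

    def recover_with_master(self, master_password: str) -> bool:
        """Master-password path: does not need the user's password at all."""
        if unwrap(self.master_copy, master_password) is None:
            return False
        self.mounted = True
        return True

    def logout(self) -> None:
        self.mounted = False   # image unmounted; access now needs a key again

    def admin_resets_login_password(self, new_password: str) -> None:
        """Reset through a path that rewrites the account record but leaves
        the keychain wrapped under the old password."""
        self.login_password = new_password

    def screensaver_unlock(self, credential_accepted: bool) -> bool:
        """Wake/screensaver dialog: decides only whether the existing session
        is shown again. No key is involved, so whoever the dialog accepts
        (owner or admin) sees the already-mounted image."""
        return self.mounted and credential_accepted


def walkthrough() -> dict:
    """Run the scenarios argued over in the thread and report each outcome."""
    acct = FileVaultAccount("user-pw", "master-pw")
    out = {"login_mounts": acct.login_and_mount("user-pw")}
    out["admin_sees_data_via_screensaver"] = acct.screensaver_unlock(True)
    acct.logout()
    out["locked_out_after_logout"] = acct.screensaver_unlock(True)
    acct.admin_resets_login_password("reset-by-admin")
    out["reset_password_mounts"] = acct.login_and_mount("reset-by-admin")
    out["master_password_mounts"] = acct.recover_with_master("master-pw")
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

The point the model makes is that the screensaver dialog never touches a key: whatever it accepts, it reveals a session whose image is already mounted. The only states in which a password actually gates the data are before login and after logout, which is why logging out is the fix every commenter converges on.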
You're correct, except not
Authored by: SOX on Jul 11, '06 09:53:07AM

I don't think you are correct. When I change my password on my computer or sometimes after I do a system software update, when I run a program that wants keychain access it pops up and says my keychain password has changed, do you want to update the keychain. I don't need to enter my password to do that (after all, what would I enter, my old one or my new one?). I just click okay. instant keychain access.

thus root should be able to do this.

Authored by: noworryz on Jul 10, '06 09:41:02AM
This is, in fact, true with all encrypted disk images. Once you mount an encrypted image, all users have access to it. A workaround is to create additional encrypted images for your private data, without storing the pass phrase in your keychain, to mount them only when you need them, and to ensure they are unmounted before allowing another user on the machine.

Authored by: simX on Jul 10, '06 12:22:29PM

*sigh* This is not a hint. This is NORMAL behavior.

The login window is different from security authentication, yes. In all security authentication dialogs that come up, the name/password for ANY administrator user can be used. This is logical, because if you are logged in under a normal non-admin account, you need ADMINISTRATOR privileges to do things, and your own login/password combo can't be used for those purposes.

In a sense, the wake from sleep/screensaver dialog is a special case because it allows a NON-administrator user to unlock it (as well as all admins) -- that is, only the combo for the account that is currently blocked. If you're not that user or an admin, you can click the "Change User..." button to get back to the login window. It wouldn't matter if Mac OS X blocked admins from being able to unlock this panel, because they can get access to root privileges (through authentication), which allows them to do anything, including accessing your account. And, by the way, FileVault home folders usually have a backdoor password available to administrators, so that if you forget your password, there's another one that can still unlock your files. It's highly recommended that you use this.

This issue appears on MacFixIt every 6 months or so, and each time it gets taken down because this is OBVIOUS DESIGN. Please delete this hint from MacOSXHints -- it does not belong here.

Authored by: buz on Jul 11, '06 03:34:53AM

Your comment is not entirely correct in my opinion. The point here is that *after* a FileVault disk image is opened, who can access it?

In my opinion knowing the admin password should not automatically grant you access to the encrypted homes. What would be the point of securing your home directory when it is just a matter of resetting the admin password to access your home?

To me encrypting your home means that not only you secure your data from network related problems, but most important from the physical access to your computer.

What security would there be to start up your computer from an iPod and access all your data.

The point here is whether it is correct or not that after a user logs in and opens his FileVault image, would that image be granted to anyone having the admin password?

Note: the FileVault option is supposed to protect your data, and if you forget your password there is no (easy) way to recover your files.

Authored by: dan55304 on Jul 11, '06 06:37:02AM
This issue appears on MacFixIt every 6 months or so, and each time it gets taken down because this is OBVIOUS DESIGN. Please delete this hint from MacOSXHints -- it does not belong here.
Nonsense. While this may not be a typical hint, the resulting comments provide lots of "hints" how this "feature" works and is valuable information to Hints readers.

We don't need to be condescending to those providing useful information to the community. This just breeds fear to post a hint because of the backlash of a few.

Authored by: martyl on Jul 14, '06 08:28:24PM

My main issue with this is that since the Security control panel has a checkbox that says "Require password to wake this computer from sleep or screensaver", it implies a certain degree of protection, more than could be defeated by a 3-year-old. If you're an advanced user who knows the subtleties of this behavior, that's great. But it's far from obvious or intuitive to the "average" user, who legitimately expects that encrypting an account with FileVault, then seeing it ask for a password means that their data is somewhat more secure than the equivalent of popping a doorknob lock with a paperclip.

Marty Lindower

Authored by: bryanchang on Jul 10, '06 10:06:17PM

By the way, you can edit the /etc/authorization file to change the behavior of the login window.

In the system.login.screensaver section just change the rule so that only the owner can unlock the screen.

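The edit bryanchang suggests is a one-key change in a property list, so it is worth having a way to audit it and to produce the tightened version mechanically. The script below is an added example, not part of the original hint and not an Apple tool: it works on a constructed plist embedded inline, reduced to the one right the thread is about. The right name system.login.screensaver comes from the comment above; the rule names authenticate-session-owner-or-admin and authenticate-session-owner are the ones I understand 10.4 used, so confirm them against your own /etc/authorization before writing anything back.

```python
"""Check and harden the screensaver-unlock right in an /etc/authorization
style plist. Added example, not part of the original hint or of Apple's
tooling. It works on a constructed plist embedded below; applying it to the
real file means reading /etc/authorization (root-owned) and writing the
result back yourself after keeping a backup.

Rule names are the ones I understand Mac OS X 10.4 used for this right;
confirm them against your own file before changing anything.
"""
import copy
import plistlib

RIGHT = "system.login.screensaver"
OWNER_OR_ADMIN = "authenticate-session-owner-or-admin"  # default: owner or any admin
OWNER_ONLY = "authenticate-session-owner"               # only the logged-in user

# Constructed sample, reduced to the one right this thread is about.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>comment</key>
      <string>The owner or any administrator can unlock the screensaver.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_policy(plist_bytes: bytes) -> dict:
    """Parse XML plist bytes into a nested dict."""
    return plistlib.loads(plist_bytes)


def screensaver_rules(policy: dict) -> list:
    """Return the rule(s) attached to the screensaver right. Some versions
    of the file store a single string, others a list of rule names."""
    rule = policy["rights"][RIGHT]["rule"]
    return rule if isinstance(rule, list) else [rule]


def admins_can_unlock(policy: dict) -> bool:
    """True when an administrator's credentials satisfy the right."""
    return OWNER_OR_ADMIN in screensaver_rules(policy)


def restrict_to_owner(policy: dict) -> dict:
    """Return a copy of the policy in which only the session owner unlocks.
    Trade-off: an admin can no longer rescue a locked, unattended session
    gracefully and must force it down instead."""
    hardened = copy.deepcopy(policy)
    right = hardened["rights"][RIGHT]
    right["rule"] = OWNER_ONLY
    right["comment"] = "Only the session owner can unlock the screensaver."
    return hardened


def harden_plist(plist_bytes: bytes) -> bytes:
    """Parse, restrict, and serialise back to XML plist bytes."""
    return plistlib.dumps(restrict_to_owner(load_policy(plist_bytes)))


if __name__ == "__main__":
    before = load_policy(SAMPLE)
    print("admins can unlock:", admins_can_unlock(before))
    after = load_policy(harden_plist(SAMPLE))
    print("after hardening:", admins_can_unlock(after), screensaver_rules(after))
```

Two caveats follow from the rest of the thread. Restricting the right removes the graceful-recovery path BMarsh describes for students or shift workers who walk away logged in. And, as simX points out, it only changes who the dialog accepts: an administrator who can obtain root still reaches the mounted image, so logging out (or fast user switching, per macgruder) remains the control that actually protects the data.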
Authored by: macgruder on Jul 11, '06 12:29:14PM

The screensaver authentication is 'toy' protection. From a small child and so forth. Just force quit the screensaver. [apologies if this is no longer the case for Tiger].

The best way imo to protect your stuff is just to fast user switch whenever you go away from your computer.

