Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A detailed look at File Vault and data protection System
There's a certain amount of spookiness that goes on regarding Apple's FileVault encryption. As everyone knows, it's very difficult to get into anything that's encrypted without the proper keys. But let's assume for a minute that you already have the key via, say, a court order for a suspect in a law enforcement action. Even with the key, however, there's still a lot of ambiguity about just how well the suspect's data (and in particular, deleted data) may be protected.

I've written a brief titled FileVault Imaging: Apple's Dirty Little Secrets that explains exactly how you can mount a FileVault volume (with the key, of course) to obtain the raw disk image. I will also illustrate how deleted data can be preserved inside a FileVault, and how a free space wipe does nothing to purge deleted data from inside one. The protection offered by an encrypted volume seems to aggravate other security issues, possibly making deleted data less secure.

[robg adds: The referenced brief is not about breaking into FileVault volumes, but about how data is stored and managed within those volumes -- in particular, deleted data. The section on the free space wipe was the most interesting to me -- this feature basically doesn't work as intended if you're using FileVault. I haven't tried to confirm that finding for myself, but the provided example seems fairly clear-cut in its proof.]
  • Currently 1.33 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (6 votes cast)

A detailed look at File Vault and data protection | 7 comments | Create New Account
Click here to return to the 'A detailed look at File Vault and data protection' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
"Erase free space" does work as intended
Authored by: lincd0 on Oct 14, '08 08:13:25AM

It erases free space on the selected volume. If you run it on the root filesystem, it doesn't affect any other mounted filesystem, File Vault or not.

If there is any point to this article, and I'm not sure there is, it seems to be that some users who don't understand what a volume is might think they're erasing free space on their File Vault, when they really aren't.

[ Reply to This | # ]
Authored by: GaelicWizard on Oct 14, '08 08:30:49AM

Actually, almost every time you log out of a FileVault-using user, Mac OS X asks you if you want to compact the encrypted image. If you do this, then the free space is removed from the image and the entire discussion above becomes FUD. Its only if you do NOT do this, *AND* if you mis-understand what a volume is (as mentioned in the first reply to this article) that you might be under the impression that "Erase Free Space..." in Disk Utility is not working as intended.



[ Reply to This | # ]
Authored by: drudus on Oct 14, '08 04:42:08PM

If you read the linked article, it states the compacting feature doesn't cleanly delete all the data. Some deleted files were found after the compacting had occured. It depends on where the data is in the file vault bands.

There seems to be ways around getting the compact feature to run if the mac is powered on too.

It does bring into question how secure file vault actually is. It may also affect other encrypted sparsebundles too.

[ Reply to This | # ]
A detailed look at File Vault and data protection
Authored by: redclawx on Oct 14, '08 08:55:41AM

You could also turn on Secure Empty Trash to make sure that the files themselves are zeroed out. It takes a bit longer to empty the trash out, but if you're worried about other people snooping, or being secure is mandated by your job, this should do the trick.

[ Reply to This | # ]
A detailed look at File Vault and data protection
Authored by: victory on Oct 14, '08 12:34:59PM
For those interested in some of the underlying cryptographic mechanisms used in FileVault, here's the slides from a presentation given a few years ago, on the subject. You can even watch a video of the presentation here.

[ Reply to This | # ]
Authored by: Cobalt Jacket on Oct 15, '08 06:56:22AM
This is in reference to FileVault under Tiger, so I'm not sure how applicable it still is, but this document is the NSA's take on the subject:

[ Reply to This | # ]
Does the snapshot feature of VMware Fusion suffer from the same problem?
Authored by: hamarkus on Oct 15, '08 11:17:08AM

ie, if I delete something in a virtual machine, will it remain recoverable? And, if I revert to an earlier snapshot, is everything created after that snapshot really deleted?

[ Reply to This | # ]