FileVault
Encyclopedia
FileVault is a system which encrypts
files on a Macintosh
computer
. It can be found in the Mac OS X v10.4
"Tiger" operating system
and later.
FileVault uses encrypted file systems which are encrypted and decrypted on the fly. A master password (and recovery key in 10.7+) is created as a precaution against a user losing their password. Although early versions were slow and caused a system to temporarily hang
when used with disk-intensive applications, such as sound and video editing, the performance of FileVault has been improved in more recent versions of Mac OS X
.
In Mac OS X v10.4
"Tiger" and below, FileVault stores the encrypted file system as a Sparse Disk Image, which is basically a single large file. In Mac OS X v10.5
"Leopard", FileVault stores the encrypted file system as a new image called a Sparse bundle. Sparse bundles break images into smaller 8MB files called bands, allowing them to be backed up using Leopard's Time Machine
feature (see below for limitations, however). If transferring FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format.
FileVault 2, introduced in Mac OS X v10.7 "Lion
", encrypts entire disks rather than users' home folders. This also solves the compatibility problems related to backup, as the encryption is transparent to backup software when the operating system is running.
If Migration Assistant has already been used, or if there are user accounts on the target:
~/Documents/private
— they may:
If the OS or an application requires the unencrypted data to be found at its original path, then a symbolic link
can be made, and the image file added to login items, and the password for the image added to the login keychain, but some such things are not for the average user. Rather than give special attention to just parts of a home directory, it may be simpler to allow FileVault encryption of the whole.
Without Mac OS X Server: Time Machine
back up of a FileVault home directory, to a local volume, can occur only whilst the user is logging (or logged) out. From such volumes:
With Mac OS X Server as a Time Machine destination:
As FileVault restricts the ways in which other users' processes can access the user's content, some third party backup solutions can back up the contents of a user's FileVault home directory only if other parts of the computer (including other users' home directories) are excluded.
encryption in NIST-recommended XTS-AESW mode. It encrypts the entire hard drive, unlike FileVault 1 which only encrypted the user's directory.
The use of 128 bit AES rather than 256 bit AES would represent a vulnerability only if a flaw were found in the algorithm that made it easier to attack smaller keys. Currently, a 128 bit key is considered long enough to be immune from brute force attack. When encrypting a disk with FileVault 2, the user is given a 24-character alphanumeric "recovery key", which is stated to be case insensitive. Thus, we have 24 characters, each of which have 36 possibilities. As there are only approximately 2^124 possibilities for such a key, this "recovery key" loses a further 4 bits of key entropy, leaving FileVault 2 with effectively 124 bit keys. While a 124 bit key should also be theoretically secure, it remains to be seen what other flaws may exist that this slight weakness could be combined with to possibly lead to insecure encryption.
FileVault employs the user's login password as the encryption pass phrase. This discourages use of cryptographically strong pass phrases. The average user will not wish to type in a pass phrase with 128 bits of entropy every time they log in to the computer, open a secure system preference, allow privilege escalation of a running program, unlock the screen saver, and so on. If the user chooses to do this, they must type in a long pass phrase every time they do these things. If they choose a weak login password or passphrase, then FileVault 1 or 2 can be broken by brute force. FileVault 2 enables the administrator to designate a number of user accounts authorized to decrypt the system disk. This means that if any one of those users has a weak pass phrase, then the system is only as secure as the weakest pass phrase chosen by any of those users.
FileVault first gen's used the CBC mode of operation (see Disk encryption theory); FileVault 2 uses stronger XTS-AESW mode. Another issue is storage of keys in the Mac OS X "safe sleep" mode. A study published in 2008 found data remanence
in dynamic random access memory
(DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack
to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not in physical control by the owner.
Early versions of FileVault automatically stored the user's passphrase in the system keychain, requiring the user to notice and manually disable this security hole.
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
files on a Macintosh
Macintosh
The Macintosh , or Mac, is a series of several lines of personal computers designed, developed, and marketed by Apple Inc. The first Macintosh was introduced by Apple's then-chairman Steve Jobs on January 24, 1984; it was the first commercially successful personal computer to feature a mouse and a...
computer
Computer
A computer is a programmable machine designed to sequentially and automatically carry out a sequence of arithmetic or logical operations. The particular sequence of operations can be changed readily, allowing the computer to solve more than one kind of problem...
. It can be found in the Mac OS X v10.4
Mac OS X v10.4
Mac OS X v10.4 Tiger is the fifth major release of Mac OS X, Apple's desktop and server operating system for Macintosh computers. Tiger was released to the public on 29 April 2005 for US$129.95 as the successor to Mac OS X Panther , which had been released 18 months earlier...
"Tiger" operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
and later.
FileVault uses encrypted file systems which are encrypted and decrypted on the fly. A master password (and recovery key in 10.7+) is created as a precaution against a user losing their password. Although early versions were slow and caused a system to temporarily hang
Hang (computing)
In computing, a hang or freeze occurs when either a single computer program, or the whole system ceases to respond to inputs. In the most commonly encountered scenario, a workstation with a graphical user interface, all windows belonging to the frozen program become static, and though the mouse...
when used with disk-intensive applications, such as sound and video editing, the performance of FileVault has been improved in more recent versions of Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
.
In Mac OS X v10.4
Mac OS X v10.4
Mac OS X v10.4 Tiger is the fifth major release of Mac OS X, Apple's desktop and server operating system for Macintosh computers. Tiger was released to the public on 29 April 2005 for US$129.95 as the successor to Mac OS X Panther , which had been released 18 months earlier...
"Tiger" and below, FileVault stores the encrypted file system as a Sparse Disk Image, which is basically a single large file. In Mac OS X v10.5
Mac OS X v10.5
Mac OS X Leopard is the sixth major release of Mac OS X, Apple's desktop and server operating system for Macintosh computers. Leopard was released on 26 October 2007 as the successor of Tiger , and is available in two variants: a desktop version suitable for personal computers, and a...
"Leopard", FileVault stores the encrypted file system as a new image called a Sparse bundle. Sparse bundles break images into smaller 8MB files called bands, allowing them to be backed up using Leopard's Time Machine
Time Machine (Apple software)
Time Machine is a backup utility developed by Apple. It is included with Mac OS X and was introduced with the 10.5 "Leopard" release of Mac OS X. The software is designed to work with the Time Capsule as well as other internal or external drives.-Overview:...
feature (see below for limitations, however). If transferring FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format.
FileVault 2, introduced in Mac OS X v10.7 "Lion
Lion
The lion is one of the four big cats in the genus Panthera, and a member of the family Felidae. With some males exceeding 250 kg in weight, it is the second-largest living cat after the tiger...
", encrypts entire disks rather than users' home folders. This also solves the compatibility problems related to backup, as the encryption is transparent to backup software when the operating system is running.
Outdated versions of the OS
Migration of FileVault home directories is subject to two limitations:- there must be no prior migration to the target computer
- the target must have no existing user accounts.
If Migration Assistant has already been used, or if there are user accounts on the target:
- prior to migration, FileVault must be disabled at the source.
Disk Utility encryption of images of folders
If the user prefers to encrypt only part of their home directory — for example,~/Documents/private
— they may:
- disable FileVault
- use Disk UtilityDisk UtilityDisk Utility is the name of a utility created by Apple for performing disk-related tasks in Mac OS X. These tasks include:*the creation, conversion, compression and encryption of disk images from a wide range of formats read by Disk Utility to .dmg or—for CD/DVD images—.cdr, which is identical to...
to image and encrypt the folder (sparsebundle, with encryption, is suitable) - after encryption, trash the unencrypted original then use Finder to securely erase whatever is trashed.
If the OS or an application requires the unencrypted data to be found at its original path, then a symbolic link
Symbolic link
In computing, a symbolic link is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution. Symbolic links were already present by 1978 in mini-computer operating systems from DEC and Data...
can be made, and the image file added to login items, and the password for the image added to the login keychain, but some such things are not for the average user. Rather than give special attention to just parts of a home directory, it may be simpler to allow FileVault encryption of the whole.
Backups
- These limitations apply to versions of Mac OS X prior to v10.7 only.
Without Mac OS X Server: Time Machine
Time Machine (Apple software)
Time Machine is a backup utility developed by Apple. It is included with Mac OS X and was introduced with the 10.5 "Leopard" release of Mac OS X. The software is designed to work with the Time Capsule as well as other internal or external drives.-Overview:...
back up of a FileVault home directory, to a local volume, can occur only whilst the user is logging (or logged) out. From such volumes:
- Time Machine is limited to restoring the home directory in its entirety
- if anything less than that is to be restored, Finder can be used.
With Mac OS X Server as a Time Machine destination:
- backups of FileVault home directories occur whilst users are logged in.
As FileVault restricts the ways in which other users' processes can access the user's content, some third party backup solutions can back up the contents of a user's FileVault home directory only if other parts of the computer (including other users' home directories) are excluded.
Scope
FileVault is limited to encrypting home directories only in versions of Mac OS X prior to v10.7, and only those directories in their entirety. Starting with Mac OS X v10.7, FileVault only encrypts entire disks.Security
Filevault 2 on 10.7 lion uses 128-bit AESAdvanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
encryption in NIST-recommended XTS-AESW mode. It encrypts the entire hard drive, unlike FileVault 1 which only encrypted the user's directory.
The use of 128 bit AES rather than 256 bit AES would represent a vulnerability only if a flaw were found in the algorithm that made it easier to attack smaller keys. Currently, a 128 bit key is considered long enough to be immune from brute force attack. When encrypting a disk with FileVault 2, the user is given a 24-character alphanumeric "recovery key", which is stated to be case insensitive. Thus, we have 24 characters, each of which have 36 possibilities. As there are only approximately 2^124 possibilities for such a key, this "recovery key" loses a further 4 bits of key entropy, leaving FileVault 2 with effectively 124 bit keys. While a 124 bit key should also be theoretically secure, it remains to be seen what other flaws may exist that this slight weakness could be combined with to possibly lead to insecure encryption.
FileVault employs the user's login password as the encryption pass phrase. This discourages use of cryptographically strong pass phrases. The average user will not wish to type in a pass phrase with 128 bits of entropy every time they log in to the computer, open a secure system preference, allow privilege escalation of a running program, unlock the screen saver, and so on. If the user chooses to do this, they must type in a long pass phrase every time they do these things. If they choose a weak login password or passphrase, then FileVault 1 or 2 can be broken by brute force. FileVault 2 enables the administrator to designate a number of user accounts authorized to decrypt the system disk. This means that if any one of those users has a weak pass phrase, then the system is only as secure as the weakest pass phrase chosen by any of those users.
First generation issues
Several shortcomings were identified in the first generation of FileVault. Its security can be broken by cracking either 1024-bit RSA or 3DES-EDE, both of which are considered weaker than 128-bit AES. Since 3DES-EDE is used only for key wrapping in FileVault-1 (and the amount of plaintext involved is quite small) - it is unlikely that 3DES weaknesses extend beyond purely theoretical.FileVault first gen's used the CBC mode of operation (see Disk encryption theory); FileVault 2 uses stronger XTS-AESW mode. Another issue is storage of keys in the Mac OS X "safe sleep" mode. A study published in 2008 found data remanence
Data remanence
Data remanence is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written...
in dynamic random access memory
Dynamic random access memory
Dynamic random-access memory is a type of random-access memory that stores each bit of data in a separate capacitor within an integrated circuit. The capacitor can be either charged or discharged; these two states are taken to represent the two values of a bit, conventionally called 0 and 1...
(DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack
Cold boot attack
In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine from a completely "off" state...
to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not in physical control by the owner.
Early versions of FileVault automatically stored the user's passphrase in the system keychain, requiring the user to notice and manually disable this security hole.