How Secure is FileVault?

No, that utility is only for resetting an admin account password, not a FileVault master password.

It's so secure that if anything goes wrong, as it can, you'll never see your files again yourself.

Sort of like the time of the first forward pass in football. Coach said, "There are three things that can happen when you throw a pass, and two of them are bad."

indeed, thanks for the chuckle... needed that! 🙂

But, said the man at the 80th floor after jumping off the top of the 110 floor skyscraper, "so far, so good."

file vault = vile fault (heard elsewhere)

😀😁

The location of the Master Password info is not a secret - it is stored on a special keychain in the main HD Library:

HD>Library>Keychains>FileVaultMaster.keychain

You don't need root privileges to look into that file, but it is useless to do so - the Master Password information stored there is itself very securely encrypted, and a login password or root password will not decrypt it. You could Trash that keychain file, and the system would then let you set up a new Master Password and create a new FileVaultMaster.keychain file. BUT - that wouldn't help you either! Such a new Master Password does not work on pre-existing FileVault accounts, only on accounts that had FileVault turned on after the creation of the new Master Password.

I believe that File Vault is very secure, but there is one aspect no-one has yet mentioned - you should also make sure that "Use secure virtual memory" is checked in the Security pane of System Preferences. If you don't, and OS X starts using swap files while you're in FV (which is what happens if there isn't enough free RAM) then your data is scattered over your HD unencrypted. Checking that option means that any swap files are encrypted the same way as any other component of your Home folder.

Apparently FileVault can be easily decrypted with this, called VileFault:

http://code.google.com/p/vilefault/

I've googled that, and VileFault in general.

Apparently there is a hole in 10.7.3 that allows the password for older FV accounts (where the FV has been logged into since upgrade) to be read in plain text by other admin Users on a computer with startup privileges, who can access a certain system log file. It's NOT a general weakness in FV for people who haven't upgraded to OS 10.7.3

Also, VileFault claims to be able to decrypt OS X .dmg files. Considering that one of their two methods is a brute force "dictionary attack", and the other involves enabling .dmg files to be read by other platforms where the password is known, it doesn't sound like a general hole in security.

So I would question "easily".

@christoper, I don't see the option you refer to under System Preferences. Is it possible the feature was dropped in 10.8? Thanks.

'Secure virtual memory' is now the default - see this article:

http://support.apple.com/kb/PH11128?viewlocale=en_US&locale=en_US

FileVault doesn't seem to be secure at all if someone is willing to erase or reformat the volume and then run a recovery app.

Anyone serious about accessing your data would surely try this, once they were unable to provide the FV password.

I've been thinking of using FV on several external drives as well as my internal.

A few hours ago I took an external drive that had previously been wiped and erased it in Disk Utility.

I encrypted it in Finder and entered a password.

I ejected and unplugged the drive, then re-mounted it.

I entered my password to unlock it.

Then I copied a 280 GB video to it.

I ejected and re-mounted the volume, ignoring the password request.

In DU I erased the drive.

I ran two recovery apps for about 15 minutes each, both quickly found the video, and one was able to play it back perfectly while still scanning for deleted files. The other can't preview recovered files larger than 20 MB, so I stopped it. But the file size was correct, so I'm sure the entire video was recovered.

Maybe FileVault should be called FailVault.

OS X 10.11.3