14 Replies Latest reply: Nov 22, 2012 2:44 AM by christopher rigby1
Mac OS 9000 Level 2 Level 2 (270 points)

If I use FileVault, and someone gets my computer, can they get into my files by using the Reset Password utility on the Mac OS X installation DVD?


iMac6,1 (Late 2006 iMac Intel), 3 GB RAM, 2.33 GHz Processor, 2 TB internal HD, Mac OS X (10.5.8), Minor GUI mods, a lot of stuff connected with FireWire or USB
  • Kappy Level 10 Level 10 (259,980 points)

    No, that utility is only for resetting an admin account password, not a FileVault master password.

  • BDAqua Level 10 Level 10 (120,910 points)

    It's so secure that if anything goes wrong, as it can, you'll never see your files again yourself.

  • Kappy Level 10 Level 10 (259,980 points)

    Sort of like the time of the first forward pass in football. Coach said, "There are three things that can happen when you throw a pass, and two of them are bad."

  • BDAqua Level 10 Level 10 (120,910 points)

    indeed, thanks for the chuckle... needed that!

  • WZZZ Level 6 Level 6 (12,775 points)

    But, said the man at the 80th floor after jumping off the top of the 110 floor skyscraper, "so far, so good."

     

    file vault = vile fault (heard elsewhere)

  • BDAqua Level 10 Level 10 (120,910 points)

     

  • Mac OS 9000 Level 2 Level 2 (270 points)

    Yes, but once you have the root password, can't you get the FileVault master password from the keychain or from a file stored somewhere?

    Kappy wrote:

     

    No, that utility is only for resetting an admin account password, not a FileVault master password.

  • jsd2 Level 5 Level 5 (6,200 points)

    The location of the Master Password info is not a secret - it is stored on a special keychain in the main HD Library:

     

    HD>Library>Keychains>FileVaultMaster.keychain

     

    You don't need root privileges to look into that  file, but it is useless to do so - the Master Password information stored there is itself very securely encrypted, and a login password or root password will not decrypt it.  You could Trash that keychain file, and the system would then let you set up a new Master Password and create a new FileVaultMaster.keychain file. BUT - that wouldn't help you either!  Such a new Master Password does not work on pre-existing FileVault accounts, only on accounts that had FileVault turned on after the creation of the new Master Password.

  • Mac OS 9000 Level 2 Level 2 (270 points)

    This is interesting... but the OS must be accessing the master password file somehow. It just seems like it would be hackable if it's just being encrypted the same way every time. Or someone could modify the system to make it open the FileVault for them? Well, it already seems very tough to do any of that. I guess it can be considered very unlikely that it would be hacked unless some real professionals are after the data.

    jsd2 wrote:

     

    The location of the Master Password info is not a secret - it is stored on a special keychain in the main HD Library:

     

    HD>Library>Keychains>FileVaultMaster.keychain

     

    You don't need root privileges to look into that  file, but it is useless to do so - the Master Password information stored there is itself very securely encrypted, and a login password or root password will not decrypt it.  You could Trash that keychain file, and the system would then let you set up a new Master Password and create a new FileVaultMaster.keychain file. BUT - that wouldn't help you either!  Such a new Master Password does not work on pre-existing FileVault accounts, only on accounts that had FileVault turned on after the creation of the new Master Password.

  • christopher rigby1 Level 4 Level 4 (2,100 points)

    I believe that File Vault is very secure, but there is one aspect no-one has yet mentioned - you should also make sure that "Use secure virtual memory" is checked in the Security pane of System Preferences. If you don't, and OS X starts using swap files while you're in FV (which is what happens if there isn't enough free RAM) then your data is scattered over your HD unencrypted. Checking that option means that any swap files are encrypted the same way as any other component of your Home folder.

  • Rudolfensis Level 1 Level 1 (45 points)

    Apparently FileVault can be easily decrypted with this, called VileFault:

     

    http://code.google.com/p/vilefault/

  • christopher rigby1 Level 4 Level 4 (2,100 points)

    I've googled that, and VileFault in general.

     

    Apparently there is a hole in 10.7.3 that allows the password for older FV accounts (where the FV has been logged into since upgrade) to be read in plain text by other admin Users on a computer with startup privileges, who can access a certain system log file. It's NOT a general weakness in FV for people who haven't upgraded to OS 10.7.3

     

    Also, VileFault claims to be able to decrypt OS X .dmg files. Considering that one of their two methods is a brute force "dictionary attack", and the other involves enabling .dmg files to be read by other platforms where the password is known, it doesn't sound like a general hole in security.

     

    So I would question "easily".

  • bitmason Level 1 Level 1 (0 points)

    @christoper, I don't see the option you refer to under System Preferences.  Is it possible the feature was dropped in 10.8?  Thanks.

  • christopher rigby1 Level 4 Level 4 (2,100 points)

    'Secure virtual memory' is now the default - see this article:

     

    http://support.apple.com/kb/PH11128?viewlocale=en_US&locale=en_US