
Disk Utility VS FileVault + a few encryption questions

Hi All,


I am trying to figure out if there is a difference between FileVault 2 whole disk encryption and formatting a drive through Disk Utility using "Mac OS Extended (Journaled, Encrypted)". Documentation shows that FileVault 2 uses XTS-AES 128-bit encryption but I cannot find any such documentation for Disk Utility.


Also, is FileVault still vulnerable to this attack: http://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/ ?


And the final question, is storing an encrypted disk image inside another encrypted disk image twice as secure? Would someone have to crack open the first and then spend the same amount of time and effort on the second image or is the second image vulnerable as soon as the first image is broken?


Thank you,


Jay

Mac Pro, OS X Mountain Lion (10.8.3), 12-Core 3.06, 64GB RAM, SSD & 12TB

Posted on Jun 22, 2013 10:53 PM

Question marked as Best reply

Posted on Jun 22, 2013 11:32 PM

I am trying to figure out if there is a difference between FileVault 2 whole disk encryption and formatting a drive through Disk Utility using "Mac OS Extended (Journaled, Encrypted)".


A FileVault is a bootable encrypted volume. The encryption method is the same.


Also, is FileVault still vulnerable to this attack


Protecting yourself against Firewire DMA attacks


Jun 23, 2013 7:13 AM in response to jayv.

Both encryption approaches use the same CoreStorage volume management technology and XTS-AES 128-bit encryption. The difference is setting up FileVault provides the system with a login window that will unlock the disk with your login password, and then pass these credentials on to the operating system's login window, as opposed to simply setting up the password and requiring you to supply it through Apple's disk management interface tools once the OS is loaded.


The FireWire DMA attacks were enabled in part because of a flaw in OS X that allowed DMA access when the screen was locked (i.e., when a password was required to log back into the system), but Apple updated this (I believe with OS X 10.7.4, but am not sure).


Beyond this, the system should only be vulnerable to DMA attacks when logged in.


However, you can further protect yourself by enabling a firmware password on your system, by rebooting with Command-R held to get to the OS X tools, and then using the firmware password utility in the Utilities menu to set the password. This will lock down the hardware on your system, and in addition to preventing booting to external drives and to special boot modes (Safe Mode, Single User mode, etc.), will block DMA access.
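One way to check on your own disks the point made in the reply above, that both kinds of volume are CoreStorage volumes with AES-XTS encryption (an added example, not part of the original thread): it parses `diskutil cs list` output and lists volumes that are not yet fully encrypted. The sample input is constructed and abridged, and the field labels are assumed to match Mountain Lion-era output; they may differ on other OS X versions.

```shell
# Constructed, abridged sample shaped like `diskutil cs list` output
# (field labels assumed from Mountain Lion-era output; UUIDs are placeholders).
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (2 found)
+-- Logical Volume Group 00000000-0000-0000-0000-00000000000A
|   +-> Logical Volume Family 00000000-0000-0000-0000-00000000000B
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Fully Secure:            Yes
|       +-> Logical Volume 00000000-0000-0000-0000-00000000000C
|           LV Name:                 Macintosh HD
+-- Logical Volume Group 00000000-0000-0000-0000-00000000000D
    +-> Logical Volume Family 00000000-0000-0000-0000-00000000000E
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        +-> Logical Volume 00000000-0000-0000-0000-00000000000F
            LV Name:                 Backup
EOF
}

# Print one tab-separated line per Logical Volume Family read on stdin:
# encryption type, conversion status, fully-secure flag, LV name.
cs_encryption_summary() {
  awk '
    function emit() { if (seen) print type "\t" conv "\t" secure "\t" name
                      seen = 0; type = conv = secure = name = "unknown" }
    BEGIN { emit() }
    {
      line = $0; sub(/^[ |+<>-]*/, "", line)   # drop tree-drawing prefix
      if (line ~ /^Logical Volume Family /) { emit(); seen = 1; next }
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1); val = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "Encryption Type")   type = val
      if (key == "Conversion Status") conv = val
      if (key == "Fully Secure")      secure = val
      if (key == "LV Name")           name = val
    }
    END { emit() }
  '
}

# Names of volumes that are not (yet) fully AES-XTS encrypted.
cs_not_fully_encrypted() {
  cs_encryption_summary | awk -F '\t' '$1 != "AES-XTS" || $3 != "Yes" { print $4 }'
}
sample_cs_list | cs_encryption_summary
```

On a Mac, pipe the real output in instead of the sample: `diskutil cs list | cs_not_fully_encrypted`.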

Jun 23, 2013 7:41 PM in response to Linc Davis

I read the link to Apple's 10.7.2 update again and found this:

Kernel

Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

Impact: A person with physical access may be able to access the user's password

Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

CVE-ID

CVE-2011-3215 : Passware, Inc.

I missed that before, probably read the document too fast. So that attack is not a concern anymore. Good to know for sure 🙂

Dec 5, 2013 12:07 PM in response to GlennMelton

The system will only generate a recovery key for FileVault volumes (boot volumes). If you format a secondary partition as an encrypted volume, then it will not include a recovery key. The password you set for the volume will be your only method of unlocking it. The keys are technically there and associated with the password you use, but just are not revealed to you as is done with FileVault.
