10 Replies Latest reply: Dec 5, 2013 12:07 PM by Topher Kessler
jayv. Level 4 (1,230 points)

Hi All,

I am trying to figure out if there is a difference between FileVault 2 whole disk encryption and formatting a drive through Disk Utility using "Mac OS Extended (Journaled, Encrypted)". Documentation shows that FileVault 2 uses XTS-AES 128 bit encryption but I cannot find any such documentation for Disk Utility.

Also, is FileVault still vulnerable to this attack: http://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/ ?

And the final question, is storing an encrypted disk image inside another encrypted disk image twice as secure? Would someone have to crack open the first and then spend the same amount of time and effort on the second image or is the second image vulnerable as soon as the first image is broken?

Thank you,

Jay

Mac Pro, OS X Mountain Lion (10.8.3), 12-Core 3.06, 64GB RAM, SSD & 12TB
  • 1. Re: Disk Utility VS FileVault + a few encryption questions
    Linc Davis Level 10 (118,485 points)

    I am trying to figure out if there is a difference between FileVault 2 whole disk encryption and formatting a drive through Disk Utility using "Mac OS Extended (Journaled, Encrypted)".

    A FileVault is a bootable encrypted volume. The encryption method is the same.

    Also, is FileVault still vulnerable to this attack

    Protecting yourself against Firewire DMA attacks

  • 2. Re: Disk Utility VS FileVault + a few encryption questions
    jayv. Level 4 (1,230 points)

    Thanks Linc,

    Do you have a link to a site or documentation on that?

    That article is from over a year ago, has Apple not addressed the vulnerability in later updates or Mountain Lion?

  • 3. Re: Disk Utility VS FileVault + a few encryption questions
    Linc Davis Level 10 (118,485 points)

    I haven't done a recent web search on DMA attacks, but I haven't heard of any recent developments.

  • 4. Re: Disk Utility VS FileVault + a few encryption questions
    Topher Kessler Level 6 (9,340 points)

    Both encryption approaches use the same CoreStorage volume management technology and XTS-AES 128-bit encryption. The difference is that setting up FileVault provides the system with a login window that will unlock the disk with your login password, and then pass these credentials on to the operating system's login window, as opposed to simply setting up the password and requiring you to supply it through Apple's disk management interface tools once the OS is loaded.

    The FireWire DMA attacks were enabled in part because of a flaw in OS X that allowed DMA access when the screen was locked (i.e., when a password was required to log back into the system), but Apple updated this (I believe with OS X 10.7.4, but am not sure).

    Beyond this, the system should only be vulnerable to DMA attacks when logged in.

    However, you can further protect yourself by enabling a firmware password on your system, by rebooting with Command-R held to get to the OS X tools, and then using the firmware password utility in the Utilities menu to set the password. This will lock down the hardware on your system, and in addition to preventing booting to external drives and to special boot modes (Safe Mode, Single User mode, etc.), will block DMA access.
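    As an added check that is not part of the thread: since both FileVault 2 and a Disk Utility "Journaled, Encrypted" volume are CoreStorage volumes, `diskutil cs list` reports the same fields for either, and the script below summarises them. The sample output is constructed to mirror diskutil's layout (UUIDs are placeholders); on a real Mac you would pipe the live command into the function instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise the encryption state of
# each CoreStorage logical volume family from `diskutil cs list` output.
# Both FileVault 2 and Disk Utility's "Journaled, Encrypted" format should
# show Encryption Type AES-XTS; "Fully Secure: No" means the conversion is
# still running and plaintext extents remain on disk.
# Real use on a Mac:  diskutil cs list | cs_encryption_summary

# Prints one line per family; exits 0 only if every family is AES-XTS and
# fully secure, so it can gate a compliance check.
cs_encryption_summary() {
    awk '
        function flush() {
            if (fam != "") {
                printf "family=%s type=%s status=%s fully_secure=%s\n", fam, type, status, secure
                if (type != "AES-XTS" || secure != "Yes") bad++
            }
        }
        /Logical Volume Family/ { flush(); fam = $NF; type = "None"; status = "-"; secure = "No" }
        /Encryption Type:/      { type = $NF }
        /Encryption Status:/    { status = $NF }
        /Fully Secure:/         { secure = $NF }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed samples modelled on diskutil's layout (UUIDs are placeholders).
SAMPLE_ENCRYPTED='+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    Name:         Secure Data
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes'

SAMPLE_CONVERTING='+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    Name:         Scratch
    |
    +-> Logical Volume Family 77777777-8888-9999-0000-111111111111
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Has Encrypted Extents:   Yes
        Fully Secure:            No'

printf '%s\n' "$SAMPLE_ENCRYPTED" | cs_encryption_summary
printf '%s\n' "$SAMPLE_CONVERTING" | cs_encryption_summary || echo "WARNING: volume not fully encrypted yet"
```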

  • 5. Re: Disk Utility VS FileVault + a few encryption questions
    jayv. Level 4 (1,230 points)

    Thank you for the replies guys, much appreciated.

    In researching disk encryption in OS X I found a few things that concern me and raised more questions that I hope you may have answers to. I'll start a new post for this.

  • 6. Re: Disk Utility VS FileVault + a few encryption questions
    Linc Davis Level 10 (118,485 points)

    Just so you're aware, the information in the article I linked to is current, and it includes the step you have to take to protect against a DMA attack on FileVault.

  • 7. Re: Disk Utility VS FileVault + a few encryption questions
    jayv. Level 4 (1,230 points)

    I read the link to Apple's 10.7.2 update again and found this:

    Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access may be able to access the user's password

    Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

    CVE-ID

    CVE-2011-3215 : Passware, Inc.

    I missed that before, probably read the document too fast. So that attack is not a concern anymore; good to know for sure.

  • 8. Re: Disk Utility VS FileVault + a few encryption questions
    Topher Kessler Level 6 (9,340 points)

    It technically could be done if another similar bug surfaces, but hopefully one doesn't in the future. However, if you are concerned then a firmware password should also apply a lock to DMA access and add another layer of protection against this type of attack.

  • 9. Re: Disk Utility VS FileVault + a few encryption questions
    GlennMelton Level 1 (0 points)

    Is there any way, while formatting a volume with Disk Utility as Journaled, Encrypted, to display the FileVault code that is normally displayed when starting the encryption process from the FileVault menu?

  • 10. Re: Disk Utility VS FileVault + a few encryption questions
    Topher Kessler Level 6 (9,340 points)

    The system will only generate a recovery key for FileVault volumes (boot volumes). If you format a secondary partition as an encrypted volume, then it will not include a recovery key. The password you set for the volume will be your only method of unlocking it. The keys are technically there and associated with the password you use, but just are not revealed to you as is done with FileVault.