Loner T

Q: Lion Filevault and Target Disk Mode

I have looked at https://discussions.apple.com/message/20777995#20777995 which is close, but leaves a gap in explaining my observations and use-case.

MBP 2010 on ML 10.7.5 with a bad graphics card (let us call this the "B"ad machine) and FV encryption turned on.

Second MBP 2010 running 10.9.2 and functional.

1. Put the "B" machine in Target Disk Mode.
2. Plug in FireWire cable between B and G machines.
3. Click on the G machine's FW volume.
4. Prompt by Authopen for local Administrator credentials. Enter admin credentials on the G machine for the G machine administrator.
5. Go to Disk Utility on G machine, and create a DMG of the encrypted volume.
6. Open the DMG on G machine, and voila, I can see contents of the encrypted disk locally and I can see files that I should not be able to see.

Did the DU imaging just break FV encryption or is there a bug somewhere? I would expect the opening of DMG to prompt me for a password to allow the contents of the encrypted disk to be visible.

Posted on Apr 11, 2014 11:29 AM


  • by Trane Francks, Apr 12, 2014 6:02 PM in response to Loner T (Helpful)

    The obvious question is: Are the user ID and password the same for accounts on both systems? If so, that might explain the behaviour; otherwise, what you describe should not be possible. It's my understanding that FV-encrypted drives should not at all be accessible in Target Mode.

  • by Loner T, Apr 13, 2014 6:47 PM in response to Trane Francks

    The UserID and passwords are unrelated to each other. My suspicion initially was that somehow UIDs matched, but that is not the case, but I will check again and verify.

    From http://support.apple.com/kb/HT1661

    • If you will be transferring FileVault-protected home directories (Mac OS X v10.3 or later only), log in as the FileVault-protected user and temporarily turn off FileVault. After transferring home directory contents to the target computer, enable FileVault protection again if you like.

    In my use case, FV was never turned off on the B computer, but the G computer was able to gain access.

    If I can lay my hands on the B computer, I will repeat these steps again.

    The FV and Turn off links are archived but are

    http://support.apple.com/kb/PH7024

    http://support.apple.com/kb/PH7033

    Perhaps this is an issue with FV version on Lion.

  • by Trane Francks, Apr 13, 2014 7:50 PM in response to Loner T

    I'll note that the Apple reference of transferring FV-protected directories only applies to FileVault on Snow Leopard and earlier. It's possible to keep using legacy FileVault on Lion, which means that only individual user folders may be encrypted. This could give you a false positive on reading the "encrypted" volume (it might not actually be encrypted). When FV1 is used on Lion, non-encrypted user folders can be read as normal. Only when FV2 is used is the entire disk encrypted.
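
A check for the distinction drawn in the reply above (legacy FileVault versus FileVault 2), as an added example that is not part of the original thread: a FileVault 2 volume sits inside a CoreStorage logical volume family, which `diskutil cs list` reports. The function name `fv2_state`, the sample text and its UUID are constructed, and the field names are assumed from typical output of that command.

```shell
#!/bin/sh
# Added example: classify volumes from `diskutil cs list` text read on stdin.
# On a Mac:  diskutil cs list | fv2_state
# Prints "<family-uuid> <state>" per logical volume family, where state is:
#   not-encrypted          CoreStorage in use, but no encryption type set
#   conversion-incomplete  encryption (or decryption) has not finished
#   encrypted-locked       FV2 volume, passphrase not yet supplied
#   encrypted-unlocked     FV2 volume, host currently reads decrypted contents
# Prints "- no-corestorage" when no family is listed (legacy FileVault or a
# plain volume), which is the false-positive case described in the reply.
fv2_state() {
    awk '
        # Return the text after "Field:" with surrounding whitespace removed.
        function val(line) {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
            return line
        }
        # Emit the verdict for the family collected so far, if any.
        function flush() {
            if (!seen) return
            if (type == "" || type == "None") s = "not-encrypted"
            else if (conv != "Complete")      s = "conversion-incomplete"
            else if (status == "Locked")      s = "encrypted-locked"
            else                              s = "encrypted-unlocked"
            print uuid, s
        }
        /Logical Volume Family/ { flush(); seen = 1; uuid = $NF
                                  type = status = conv = "" }
        /Encryption Type:/      { type = val($0) }
        /Encryption Status:/    { status = val($0) }
        /Conversion Status:/    { conv = val($0) }
        END { flush(); if (!seen) print "- no-corestorage" }
    '
}

# Constructed samples resembling diskutil output (UUID invented, layout assumed).
SAMPLE_LOCKED='CoreStorage logical volume groups (1 found)
+-> Logical Volume Family 11111111-2222-3333-4444-555555555555
    Encryption Status:       Locked
    Encryption Type:         AES-XTS
    Conversion Status:       Complete
    Passphrase Required:     Yes'
SAMPLE_NONE='No CoreStorage logical volume groups found'

printf '%s\n' "$SAMPLE_LOCKED" | fv2_state
printf '%s\n' "$SAMPLE_NONE" | fv2_state
```
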

  • by Loner T, Apr 14, 2014 5:42 AM in response to Trane Francks

    Originally, I had tried removing the disk from the B MBP and put it in G MBP to avoid such issues, but the G MBP after the replacement came up with a message that the disk was encrypted.

  • by Loner T, Apr 14, 2014 8:36 AM in response to Loner T

    I now have access to the B machine. Here is what the internal HD of the B machine looks like.

    [Image: Encrypted-MacintoshHD.png]

    [Image: Encrypted-MacintoshHD-inDU.png]

  • by Trane Francks, Apr 14, 2014 1:56 PM in response to Loner T (Helpful)

    Based on all you've written thus far, this would seem to be a rather serious bug. If you can reproduce it, you should report it to Apple (they don't read these forums).

  • by Loner T, Apr 14, 2014 3:15 PM in response to Trane Francks

    Thanks Trane. I can now reproduce it at will. I can delete the DMG and recreate it without any issues.

    I will report it to Apple. Thanks once again for the discussion.

  • by Trane Francks, Apr 14, 2014 3:23 PM in response to Loner T

    Cheers!

  • by Loner T, Apr 14, 2014 3:41 PM in response to Loner T

    Bug Report 16613813 has been filed with Apple.

    I can also connect the B machine to a Late 2013 10.9.2 Retina 15 MBP and repeat the procedure.