
Encryption of hibernation sleepimage

Hey,


Tried searching but could not find a definitive answer. Encryption of "Safe Sleep" file? is the closest I could get but it was last updated in 12/2011.


When a Mac goes into hibernation (or safe sleep) the Operating System (OS) pauses all activity, dumps the contents of memory (RAM) to disk in /var/vm/sleepimage file and then powers off the Mac. During wake up, /var/vm/sleepimage is read by the firmware and the Mac is restored to the saved state before power off.


Is the file /var/vm/sleepimage encrypted? Would it be possible for an attacker to remove the hard disk from a Mac which is hibernating, mount it on a different machine and read unencrypted contents of the sleepimage file? Since sleepimage holds the contents of RAM, it can potentially contain passwords, or other exploitable information. I did a "strings" search on the file and did get many lines of plain English text.


Any pointers?


Appreciate your response, Thank you!


Thanks,

Ameen.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Feb 24, 2015 2:03 AM

5 replies

Feb 24, 2015 6:20 AM in response to Al Ameen

There is a good chance the sleepimage is encrypted, as Mac OS X has been encrypting the swapfile(s) for years, and a sleep image is a related kind of file.


HOWEVER, if you have FileVault enabled, then by default the file is encrypted as it is just another file on the filesystem. If they can get to the sleepimage on a FileVault encrypted file system, then they have access to all your other files as well.

Feb 24, 2015 9:55 AM in response to Al Ameen

This seems an unlikely scenario. For information to be available in the sleepimage file it would need to be present in RAM when the last RAM dump was made, which means you'd have to have something that contained your password open and accessible when you put your computer to sleep. An attacker wouldn't need to pull your drive and put it in a new machine; s/he would just need to wake your machine up.


Regardless, if you're worried about this, turn off safe sleep. It doesn't have much use, unless you have a laptop and want to keep working right up to the last moment of battery life (it was useful years ago, when battery life was half what it is today and you could actually switch out your battery with a fresh one). You can turn it off using pmset in Terminal.
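
Added example (not part of the thread): a small audit script that combines the two points raised in the replies, whether hibernation writes a RAM image at all (`pmset -g`) and whether the volume holding it is FileVault-encrypted (`fdesetup status`). The function names, the result labels and the sample output are constructed for illustration; the parsers take command output as text so they can be checked off a Mac.

```shell
#!/bin/sh
# Added example: audit hibernation image exposure from pmset/fdesetup output.

# Extract the hibernatemode value from `pmset -g` output.
hibernate_mode() {
    printf '%s\n' "$1" | awk '$1 == "hibernatemode" { print $2; exit }'
}

# Succeeds if `fdesetup status` output reports FileVault as on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Classify the machine: $1 = pmset -g output, $2 = fdesetup status output.
assess() {
    mode=$(hibernate_mode "$1")
    case "$mode" in
        0)  echo "no-image: hibernatemode 0, RAM is not written to disk" ;;
        "") echo "unknown: hibernatemode not found in pmset output" ;;
        *)  if filevault_on "$2"; then
                echo "fde: hibernatemode $mode, image is on a FileVault volume"
            else
                echo "no-fde: hibernatemode $mode, image written and FileVault is off"
            fi ;;
    esac
}

# Constructed sample output, used when the macOS tools are not present.
SAMPLE_PMSET=' standby              1
 hibernatemode        3
 hibernatefile        /var/vm/sleepimage'
SAMPLE_FDE='FileVault is Off.'

if command -v pmset >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    assess "$(pmset -g)" "$(fdesetup status)"
else
    assess "$SAMPLE_PMSET" "$SAMPLE_FDE"
fi
```

To turn safe sleep off with pmset as the reply above suggests, the setting is `sudo pmset -a hibernatemode 0`; a sleepimage written earlier stays on disk until it is deleted.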
