All replies
-
Jan 25, 2016 6:32 AM in response to riobaby Boyd Porter,
If someone has physical control of a computer, then all bets are off regarding security. However, if you have a strong login password, it becomes more difficult to log in by guessing.
Have a nice day.
-
Jan 25, 2016 6:34 AM in response to riobaby Király,
Password recovery is not possible. Password reset is possible if certain steps were taken by the user in advance to make password reset possible. But no, physical access itself does not make FileVault password recovery possible. More info here: Use FileVault to encrypt the startup disk on your Mac - Apple Support
-
Jan 25, 2016 8:40 AM in response to riobaby Cmoore01,
Having "fought" some FileVault issues in the past, and done some extensive research, I do not know of any way to "recover" a FileVault password without knowing an admin password. (OS X Mavericks: If you forget your login password and FileVault is on).
There may be some confusion regarding FileVault passwords at startup, and the ability to "reset" at login, which does require physical possession (https://derflounder.wordpress.com/2015/05/27/stopping-your-mac-from-booting-to-the-filevault-2-reset-password-wizard/ and https://derflounder.wordpress.com/2015/01/17/yosemites-filevault-2-pre-boot-recovery-options/). (Basically, read through Der Flounder's blogs on FileVault, a very good resource.)
Another article is this: http://www.howtogeek.com/209672/anyone-with-access-to-your-mac-can-bypass-your-password-unless-you-do-this/
Modern versions of FileVault encryption provides whole-disk encryption of your Mac. This means it’s not possible for an attacker to use the resetpassword utility from recovery mode. If you try using this tool after enabling FileVault, you’ll discover you can’t. The utility won’t function, as it just can’t see the Mac system drive or any users on it. Your files are encrypted until you type your password, so there’s no resetting it.
So basically, physical possession allows someone the ability to attempt, but usually, without some way of getting past the login screen with an admin password, this is as secure as you can get.
We use FileVault here at work, with a commercial product for mobile Windows devices. The commercial product can "manage" Macs, but we choose not to, using an institutional key instead, and the native FileVault. Been rock solid.
-
Jan 25, 2016 12:15 PM in response to riobaby BobHarris,
Is it possible the person who wrote the memo is thinking of FileVault 1 (a container file approach), which basically sucked as an implementation?
With FileVault 1, ONLY the user's home folder was encrypted in an encrypted disk image file, and the rest of the file system was wide open.
FileVault 2 is a whole disk encryption except for just enough boot code to ask for your password.
I would ask the IT person to "Prove It".
Or is the IT person confusing TrueCrypt with OS X FileVault? TrueCrypt, since being abandoned by the developers, has shown some weaknesses. Since TrueCrypt was cross-platform, it is possible some IT person who does not really use Macs might be confused. Again, I would ask for proof.
Otherwise it is difficult for anyone to prove a negative. If the IT person has proof positive, then have them provide it.