Impregnable security with FileVault 2 in Mavericks

What’s the deal with FileVault?  What do you know about it?

Maybe you’ve heard purblind geeks claim that FileVault is impervious to NSA spying.  Or maybe you heard about FileVault from your tech savant friend who seems to know about the latest trends days before it breaks to the major news outlets.

FileVault is a really good thing and can prevent sensitive data on your computer from being disclosed to unauthorized thieves. If your Macbook was locked when it was lost or stolen then you’re making it extremely difficult for anyone to get your data.  That’s because FileVault 2 uses Full Disk Encryption (FDE) to secure the entire drive (including the Startup Volume) It accomplishes this via XTS-AES 128bit encryption which is just flowery  for “kick ass protection”.

Think of it this way: it takes about the same amount of energy to break FileVault 2 as it does to boil all the water contained in every ocean on earth.

Furthermore, it’s always a propitious sign when the cerebral guys at the National Institute of Standards and Technology (NIST) have your back.  In Special Publication 800-38E, NIST explicitly endorsed XTS-AES.

And the best part of FileVault 2 is that it won’t burden your system; it shouldn’t slow it down by any noticeable amount.

According to a XBech test launched  by OSX Daily, FileVault 2’s performance is unprecedented.  It doesn’t matter if you’re using a Solid State Drive (SSD), traditional drive or a Core i3, i5 or i7 processor, the encryption is largely transparent to user experience.

Things to think about first

On the flip-side there are several considerations we need to address.

First, Full Disk Encryption is only as strong as your password.  The password is the thing that prevents you from unwittingly abetting a criminal in data theft.

A strong password is essential.  That’s why I suggest using something like Diceware to bolster password complexity.

Diceware is a way to assemble secure passphrases into words from a random list.  You roll dice to construct the password and compare results against a word list in your language.  The advantage is that the words are are easy to spell and therefore memorable but unique enough that it’s harder to breach via brute-force.

But sometimes password complexity isn’t enough and this brings me to my second consideration.

Mountain View, California based security firm Passware Inc. published a paper claiming it cracked FileVault in about 40 minutes using live-memory analysis via a FireWire connection.  This attack is particularly insidious because password complexity is irrelevant.

The lesson here is that even a full disk encrypted computer secured with FileVault, TrueCrypt or some other encryption tool, isn’t immune from attack because vestiges of the encryption key are still hanging out in memory.

With computer forensics experts can extract the key and use it to unlock your drive.

Therefore, I suggest you completely shut down your Mac when you’re not using it.

Whenever you’re working with confidential information don’t hibernate or sleep the computer.  Instead, totally turn the Mac off so that any information in RAM gets flushed and effectively obviates the threat.

Setting up FileVault 2 in Mavericks

Jere’s how to setup FileVault 2 in Mac OS X Mavericks:

Kick open your System Preferences and type Security & Privacy in the search bar.

Mac OS X Mavericks Security and Privacy

Click the FileVault tab and choose Turn on FileVault…

Mac OS X Mavericks Turn on Filevault 2

FileVault lists all the users accounts currently configured on your Mac.

Pick Enable User… next to each user you wish to grant access to your encrypted disk.

Mac OS X Mavericks Manage FileVault 2 accounts

You’ll see a 24 character “bail out” key which you should save offline in a safe place.  This key will be the only way you can get back into your computer if you forget your password.

Mac OS X Mavericks FileVault 2 Recovery Key

You can store the key with Apple if you want; however, if that makes you feel a little uneasy (like it does for me) choose Do not store the recovery key with Apple and click Continue.Mac OS X Mavericks FileVault 2 Store Recovery Key

Mavericks politely asks you to reboot the box.

After the computer starts up, you’ll login and the encryption should begin.

Mac OS X Mavericks FileVault 2 Restart

FileVault should automatically resume and start encrypting your stuff.

It took about 20 minutes to encrypt my new 128GB SSD drive.  If you’re is bigger or has more content it could take up to an hour so plan for that.

One thing to note is that you can put your computer to sleep or even turn off your computer while its encrypting. Mavericks is smart enough to put the encryption process in abeyance; the next time you login it’ll finish up where it left off.

Mac OS X Mavericks FileVault 2 Encrypting

That’s all there is to it!

Oh, one more thing…

File Vault automatically forces your computer to require a password after sleeping or launching the screen saver. However, if you want to be extra secure, you should enable Require an Administrator Password To Access System Preferences with Lock icons.  That way if you step away from your unlocked Mac and someone steps in behind you and tries to mess with your System Preferences they’ll be aghast when they discover they can’t do anything without the Admin pass.

You can enable this in the General tab under Security & Privacy.

About

Connect with Vonnie on Twitter

Posted in Mac OS X 10.9 Mavericks Tagged with: , , ,
  • WeTheSheeple101

    Disappointing that Passware published the vulnerability in sleep mode way back in 2012 and this still has not been corrected to date! Are you sure about this?

    • HerpDerp

      It was corrected back in 2011, and the RAM is soldered in to modern macbooks so DMA was the only potential attack vector.
      https://support.apple.com/kb/HT5002

      • use this command in terminal. This will destroy the key if system goes to sleep.
        sudo pmset -a destroyfvkeyonstandby 1