How secure is Apples disk encryption FileVault 2 when someone has physical or network access while the computer in sleep mode or is running a screen saver? Are there ways to circumvent FileVault 2 when the computer is not turned off?
5 Answers
Just a quick addition to the previous answers; if you are still worried someone would get the hold of your encryption key from RAM during standby, one could enable a power management feature of OS X called "DestroyFVKeyOnStandby", as mentioned here (same link as Richard Belisle), page 37.
From man pmset
:
destroyfvkeyonstandby - Destroy File Vault Key when going to standby mode.
By default File vault keys are retained even when system goes to standby.
If the keys are destroyed, user will be prompted to enter the password while
coming out of standby mode.(value: 1 - Destroy, 0 - Retain)
The full command would be sudo pmset -a destroyfvkeyonstandby 1
.
This would enable destruction of the FileVault key during standby for all -a
power modes. That is UPS -u
, battery -b
and charger -c
(wall power).
- 171
- 1
- 2
-
1Note that according to http://support.apple.com/kb/ht4392, standby mode is different than sleep and only occurs under certain limited conditions. You may need to use `sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25` to get the full benefit of this setting. This will, however, lead to slower sleep/wake times. Also it will reportedly sometimes cause a kernel panic on wake. See also http://apple.stackexchange.com/questions/39294/what-user-behavior-is-necessary-to-make-filevault-2-maximally-secure – augurar Jan 02 '14 at 23:37
-
Actually, `hibernatemode 3` (the default for laptops) should work fine. There is a delay before standby (default 3 hours) which can also be changed using `pmset` (see [the man page](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/pmset.1.html)). – augurar Jan 03 '14 at 00:14
Yes, OS X is still vulnerable to the Cold Boot Attack, because the encryption keys are kept in memory while the machine is powered on (i.e., from you enter your password on boot until your machine is completely powered off). This is a problem for all software full-disk encryption tools, and not specifically related to FileVault 2.
Depending on the version of OS X that you are running, your machine may or may not be vulnerable to DMA attacks with tools like inception. Versions >= 10.7.2 disables FireWire DMA when the machine is locked.
- 131
- 6
-
So basically you simply need to get to the lock screen to ensure that your computer is safe from attacks? – Pacerier Dec 24 '17 at 16:25
-
@Pacerier: According to augurar's comments on other answers, you will have to take steps to clear the memory upon lock screen in order to protect against a "cold boot" attack. Lock screen should be sufficient against "DMA" attacks from OS X 10.7.2+ though. – nishanthshanmugham Sep 22 '21 at 12:14
Apparently FileVault 2 is secure against a DMA Attack if the screen isn't unlocked, since 10.7.2 (so make sure you're running Lion). My guess is that on sleep the keys are encrypted with your password, rather than just left in memory.
I'm assuming that it also means it is protected against a Cold Boot Attack too.
The only sources I could find on it is this blog post.
- 391
- 1
- 3
-
3It is not protected against a cold boot unless you take steps to clear the memory on sleep. – augurar Jan 03 '14 at 00:46
In older versions of Mac OS X, an attacker with physical access to the machine could plug in via Firewire (or Thunderbolt) and use DMA attacks to gain access to memory. This would let the attacker slurp out your password and thus defeat FileVault 2's protection. However, this vulnerability was fixed in Mac OS X 10.7.2.
Later versions of Mac OS X have largely eliminated this vulnerability. The attack is still possible if a user is logged in and the machine is unlocked. However, when the screen lock kicks in, the OS enables extra protections that prevent this attack.
References:
- "OS X Lion disables DMA when the user is logged out/screen is locked. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched." http://www.breaknenter.org/projects/inception/
Also, setting a firmware (pre-boot) password may help.
- 98,420
- 30
- 267
- 572
I found an article with the general security analysis of FileVault: http://eprint.iacr.org/2012/374.pdf
It references other security research that answers my question.
- 643
- 1
- 6
- 12