Scenario

Consider the case of a MacBook Pro with FileVault active. The computer is on and I'm properly logged on.

I frequently need to access sensitive data located in text files on an encrypted volume. The encrypted volume is created when I mount a particular file that lives on the main hard disk. The encryption program that mounts the file and makes the data available as a volume is called VeraCrypt.

When I leave my computer for brief periods, I lock my screen (Ctrl-Cmd-Q) but the computer is still on.

Question

If someone were to break in and steal my computer and run off with it while it were in that state, would he be able to read the contents of my VeraCrypt volume?

Assumptions

Assume that none of the volume's files are open at the time of the theft. But the volume is mounted. Assume system file sharing is turned off and firewall is turned on. Assume no one else knows my system password.

Assume that the thief doesn't have NSA-level hacking expertise; he doesn't even know what he's looking for (e.g. the volume name or what it contains). He's just a run-of-the-mill criminal who saw a crime of opportunity to grab a laptop, but he's open to snagging any content of value on the computer itself if he can find any.

Analysis

One thing I could do is dismount the VeraCrypt virtual drive every time I leave the computer alone. It's protected with a strong password that no one could guess. But dismounting and remounting that drive forces me to shut down and subsequently restart and reinitialize a number of other processes that are specific to the work I do. It takes some time. My preference would be to leave that drive mounted during the brief time I'm away, but only if the lock screen provides sufficient security to protect the data.

I did read "Data security while MacBook is on lock screen", but this focuses more on FileVault, which, as I understand it, offers minimal protective value when the computer is powered on.

Instead, I'm more interested in preventing read-access of a VeraCrypt volume. I'm not concerned about the data being deleted, overwritten, or otherwise corrupted by a bad actor -- just read. I don't care about the hypothetical thief reading anything else on the system's main hard drive; my question is strictly about the readability of the encrypted volume when the OS is locked.

  • Your assumptions about it being an average thief break the entire point of your question. Obviously your average thief isn't going to be able to read the RAM and extract the key or exploit the login screen open, so none of your other details matter. If they try to boot into another OS, or move the drive to another system, the VC volume will not be mounted anymore and the data will be safe. – user Jun 03 '21 at 18:04
  • Just because someone is an average thief doesn't mean they're unable to use a pre-made exploit. Major websites have been compromised by teenagers with little to no technical knowledge using script kits and premade tools. By "average thief," I mean he has no access to the bleeding edge, unpublished exploits that are available to those in top-tier hacker communities or government agencies. I'm assuming in this example he has the skill and motivation to, for example, plug in a USB cable and attempt to run a common exploit against the lock screen, if such a thing is even possible. – Festus Martingale Jun 03 '21 at 20:00
  • @FestusMartingale From what I know about macOS, it protects against at least basic physical attacks (DMA attacks and the like), so plugging in a pre-made DMA-capable device shouldn't result in any compromise. However, a sophisticated attacker will be able to get through. – forest Jun 23 '21 at 00:56
