FileVault or Vile Fault?

ByMike Moffit

Starting in OS X 10.7 Lion Apple introduced a new version of FileVault, referred to as FileVault 2.

FileVault 2 is Apple’s answer to a longstanding complaint that the Mac users lacked the option of operating securely from a workspace that includes full disk encryption. Previous versions of FileVault, going back to OS 10.4, worked by encrypting the User directory on a user by user basis, which was fine, but did not protect files stored outside of these directories…in the Application or System folders for example.

As a result, this left some potentially problematic security vulnerabilities for individuals and companies that needed the absolute highest level of data protection.

FileVault 2 addressed this issue by encrypting the entire system volume including all Users, Applications and System files. This, of course, also means that FileVault becomes an all-or-nothing proposition for users who share the same computer. If one elects to operate using FileVault 2, all must.

The problem alluded to in the above title for this Tech Tails article becomes evident when some not-so-uncommon issues crop up that are less difficult to deal with on unencrypted disks, but can result in catastrophic losses on FileVaulted volumes if you are not properly prepared.

The first is the the loss of an administrative password for a login account. For non-encrypted volumes without a firmware password in place, there are workarounds that allow you to reset a user’s password (although not their keychain!). This usually means they can get access to their files again, but may need to re-enter passwords for email and other accounts.

On a FileVault 2 protected volume this is not an option, and well it should not be. The whole point of a secure volume is that the security should not be easy to circumvent. In order to login and decrypt the volume, at least one of the user accounts must have a known password. No password? Bye-bye data. All of it. Or maybe not…

Apple realized that people DO forget passwords, so they did leave in one backdoor for exactly this situation; however you need to know about it to use it. The “backdoor” I refer to is called the Recovery Key. This key is generated at the time FileVault 2 is turned on for a volume. It looks something like this: GTE3-HWEZ-76FG-45WD-WKS4-PX13. Apple encourages you to document this key and store it in a safe place (hint: not in a file on your encrypted volume!)

In fact, this key is so important that they even offer to let you store it with them (Apple) for future use, assuming you can answer the three security questions you provide answers for. If you enter the wrong user login password for a FileVault 2 volume 3 times, you will be asked for the Recovery Key. To access this Recovery Key from Apple at a later date, you will need to call AppleCare, provide your computer’s serial number AND answer the three questions you provided answers for when first encrypting the FileVault 2 volume.

That’s not so bad…assuming you keep track of your Recovery Key. Right? Well there is another situation we run into pretty often in the Service Department, and that is the case where a drive is suffering from bad physical sectors or corruption to the partition structure. For unencrypted drives, we can sometimes work around these flaws and recover most of the data on a drive. However, depending on where this damage occurs on a FileVault 2 protected drive, it may prevent the volume from being mounted and decrypted at all. And because the data stored on the disk is all encrypted we cannot pick and choose just the good stuff.

This potential shortcoming should give folks pause, but it is not necessarily a reason not to use FileVault 2, if your situation demands it. What it does underscore is the need to have a good TimeMachine Backup. And TimeMachine Backups, as we all know, can be stored either encrypted or NOT encrypted…even if they are made from a FileVault 2 protected volume.

So the moral of the story is that FileVault 2 is a powerful tool. Think carefully about what its use means, and the implications for your data should something go wrong. Document your Recovery Key, and consider storing a copy with Apple.  And certainly, without exception, make sure you have a TimeMachine backup of your drive stored somewhere securely, just in case.

(Editor’s note: to reiterate one of Jeremy’s points, FileVault encryption is very secure. If you lose access to your data for one of the reasons he describes, the chances of recovery are basically zero. If you have only a few files you need to secure, you can create an encrypted sparse disk image in Disk Utility and keep sensitive files there. Be careful; there is no backdoor savior in this scenario!!)

Similar Posts

  • Hello all,

    The “snow event” is over, and now we dig out. Thanks to the glut of data available nowadays, I have seen some really crazy images from this storm. I really enjoy the immediacy it brings, but sometimes I don’t get it. People will stop running from an avalanche to post on Facebook, it seems…perhaps wasting time better spent doing something helpful.

    We didn’t get hit too badly up here, so we mostly enjoyed the foot of dry, crisp, light fluffy powder. I’m sure the skiing this weekend was fantastic.

    I had promised an article about securing your public Wi-Fi browsing life, and thought I had done enough research since I wanted to focus on doing it with Terminal. There are some new ways to do this using available software as well, and there are advantages and disadvantages to each method. I need to take more time to make sure I give you the straight dope, so look for it in an upcoming issue.

    Have a good week, and thanks for reading.

    Liam
    “*liam@smalldog.com*”:mailto:liam@smalldog.com

  • TT SPECIAL | Double the Storage, Double the Fun

    If you have ever tried to partition your USB flash drive before, then this product by Quirky is perfect for you.

    Essentially, what Quirky has done is squished two 4GB flash drives into one product. This lets you have both your personal and business content in one convenient location while keeping them separate and secure.

    For this week only, you can save $5 plus it ships for FREE!

  • Find My iStuff

    Built in to iOS 5+ and OS 10.7 and later is the ability to use iCloud. iCloud lets you back up and sync contacts, email, photos, and a host of other data. Not everyone __needs__ all of these features, but everyone is advised to take advantage of the security features, “Find my iPhone” and “Find my Mac.”

    You can easily track your iPhone, iPad, iPod touch, or Mac from another one of your devices or from “*icloud.com*”:http://www.icloud.com if the device or computer is lost or stolen. In addition to tracking, you can wipe its data remotely, lock it, or play a sound to help find it in case it has been kicked under the couch.

    To use these features, the device needs to be connected to the internet. iPhones are obviously connected via a cellular network, and any cellular-enabled iPad would be as well. However, Wi-Fi-only iPads and Macs would need a Wi-Fi signal or hard-wired connection to be able to reach the iCloud servers. Apple suggests that users enable a Guest account and disable autologin for greater security, since if your Mac is lost or stolen, there is a better chance that somebody can start using immediately since no password is needed (and thus, it will connect to the internet).

    iPod touches and iPads that do not have cellular service get more complicated. Neither of these have the ability to enable or access a guest account. If you have your device password-protected, then there is no way for the device to have the chance to connect to the internet. It’s a tough choice at present. Maybe a future refinement will allow people to use this great feature without compromising their security in the process.

    To enable Find my Mac:

    * Click the Apple logo in the top left hand corner
    * Select system Preferences
    * Select iCloud
    * Click the check box Find My Mac at the bottom

    To enable the Guest account:

    * Click the Apple logo on the top left hand corner
    * Click Users & Groups
    * Unlock preferences by click the padlock in the bottom right hand corner
    * Click the Guest account on the left hand side then click the check “Allow guests to log in this computer”

    To enable Find my iPhone in iOS:

    * Go to settings
    * Select iCloud form the list on the left hand side
    * Make sure Find My iPhone is selected and switched to on

  • VPN with SSH

    Last week our protagonist was in a coffee bar on public wi-fi surrounded by criminal hackers. They were closing in and things were…

  • TT SPECIAL | Wake Up To Your Own Music Library

    iHome is well known for their myriad of iOS-related docks and speaker systems. The iP90 is exactly what you’ve come to expect from iHome — the perfect accessory for your iOS device.

    Save $30 on either the black or silver models of the iP90!

  • TT SPECIAL | A Modernized MacBook For The Modern MacUser

    It was a sad day when Apple decided to stop production on their MacBook line. It was an iconic, durable, and fairly priced machine.

    Luckily for you, we have a limited stock of used white MacBooks for sale. To get with the times, we are including a 4GB RAM and 500GB hard drive upgrades. We have also included a FREE Brenthaven Trek sleeve to keep your MacBook protected while in transit.

    Keep in mind these are used computers, which means you are getting a great machine at an even better price, but they may show signs of gentle wear. Grab yours this week before they’re all gone!