Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.
FileVault is a disk encryption program in Mac OS X 10.3 Panther (2003) and later. It performs on-the-fly encryption with volumes on Mac computers. FileVault was introduced with Mac OS X 10.3 Panther, and could only be applied to a user's home directory, not the startup volume. The operating system uses an encrypted sparse disk image (a large single file) to present a volume for
A round constant, and round-specific data derived from the cipher key called a round key. A key schedule is an algorithm that calculates all the round keys from the key. Knudsen and Mathiassen (2004) give some experimental evidence that indicates that the key schedule plays a part in providing strength against linear and differential cryptanalysis. For toy Feistel ciphers, it was observed that those with complex and well-designed key schedules can reach
A FileVault encrypted home directory, but is under the user's maintenance. Encrypting only a part of a user's home directory might be problematic when applications need access to the encrypted files, which will not be available until the user mounts the encrypted image. This can be mitigated to a certain extent by making symbolic links for these specific files. Without Mac OS X Server, Time Machine will back up
A FileVault home directory only while the user is logged out. In such cases, Time Machine is limited to backing up the home directory in its entirety. Using Mac OS X Server as a Time Machine destination, backups of FileVault home directories occur while users are logged in. Because FileVault restricts the ways in which other users' processes can access the user's content, some third party backup solutions can back up
A file intentionally. However, a partition or device hosted volume will look no different from a partition or device that has been wiped with a common disk wiping tool such as Darik's Boot and Nuke. One can plausibly claim that such a device or partition has been wiped to clear personal data. Portable or "traveller mode" means the encryption software can be run without installation to the system hard drive. In this mode,
A lost device cannot penetrate actual data, or even know what files might be present. The disk's data is protected using symmetric cryptography with the key randomly generated when a disk's encryption is first established. This key is itself encrypted in some way using a password or pass-phrase known (ideally) only to the user. Thereafter, in order to access the disk's data, the user must supply
A single file or group of files, and which requires the user to decide which specific files should be encrypted. Disk encryption usually includes all aspects of the disk, including directories, so that an adversary cannot determine content, name or size of any file. It is well suited to portable devices such as laptop computers and thumb drives which are particularly susceptible to being lost or stolen. If used properly, someone finding
A talk at the 23rd Chaos Communication Congress titled Unlocking FileVault: An Analysis of Apple's Encrypted Disk Storage System, Jacob Appelbaum & Ralf-Philipp Weinmann released VileFault which decrypts encrypted Mac OS X disk image files. A free space wipe using Disk Utility left a large portion of previously deleted file remnants intact. Similarly, FileVault compact operations only wiped small parts of previously deleted data. FileVault uses
A volume to be used for startup is erased and encrypted before clean installation of OS X 10.7.4 Lion or 10.8 Mountain Lion: Apple describes this type of approach as Disk Password—based DEK. Disk encryption software Compared to access controls commonly enforced by an operating system (OS), encryption passively protects data confidentiality even when the OS is not active, for example, if data
Is encoded with all letters and numbers 1 through 9, and read from /dev/random, and therefore relies on the security of the PRNG used in macOS. During a cryptanalysis in 2012, this mechanism was found safe. Changing the recovery key is not possible without re-encrypting the FileVault volume. Users who use FileVault 2 in OS X 10.9 and above can validate that their key works correctly by running sudo fdesetup validaterecovery in Terminal after encryption has finished. The key must be in the form xxxx-xxxx-xxxx-xxxx-xxxx-xxxx and will return true if correct. If
Is physically written to the disk. Conversely, it decrypts data immediately after being read but before it is presented to a program. Properly done, programs are unaware of these cryptographic operations. Some disk encryption software (e.g., TrueCrypt or BestCrypt) provides features that generally cannot be accomplished with disk hardware encryption: the ability to mount "container" files as encrypted logical disks with their own file system; and encrypted logical "inner" volumes which are secretly hidden within
Is read directly from the hardware or by a different OS. In addition, crypto-shredding suppresses the need to erase the data at the end of the disk's lifecycle. Disk encryption generally refers to wholesale encryption that operates on an entire volume mostly transparently to the user, the system, and applications. This is generally distinguished from file-level encryption that operates by user invocation on
Is storage of keys in the macOS "safe sleep" mode. A study published in 2008 found data remanence in dynamic random-access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in
The AES instruction set, such as the Intel Core i, and OS X 10.10.3 Yosemite. Performance deterioration will be larger for CPUs without this instruction set, such as older Core CPUs. When FileVault 2 is enabled while the system is running, the system creates and displays a recovery key for the computer, and optionally offers the user to store the key with Apple. The 120 bit recovery key
The cipher. This means that it is impossible to prove that any file or partition is an encrypted volume (rather than random data) without having the password to mount it. This characteristic also makes it impossible to determine if a volume contains another hidden volume. A file hosted volume (as opposed to partitions) may look out of place in some cases since it will be entirely random data placed in
The computer. If a user password is forgotten, the master password or recovery key may be used to decrypt the files instead. FileVault recovery key is different from a Mac recovery key, which is a 28-character code used to reset your password or regain access to your Apple ID. Migration of FileVault home directories is subject to two limitations: If Migration Assistant has already been used or if there are user accounts on
The container volume. The content of the hidden volume is encrypted and resides in the free space of the file system of the outer volume—space which would otherwise be filled with random values if the hidden volume did not exist. When the outer container is brought online through the disk encryption software, whether the inner or outer volume is mounted depends on the password provided. If the "normal" password/key of
The contents of a user's FileVault home directory only if other parts of the computer (including other users' home directories) are excluded. Several shortcomings were identified in legacy FileVault. Its security can be broken by cracking either 1024-bit RSA or 3DES-EDE. Legacy FileVault used the CBC mode of operation (see disk encryption theory); FileVault 2 uses stronger XTS-AES mode. Another issue
The discontinued TrueCrypt project), BestCrypt (proprietary trialware), offer levels of plausible deniability, which might be useful if a user is compelled to reveal the password of an encrypted volume. Hidden volumes are a steganographic feature that allows a second, "hidden", volume to reside within the apparent free space of a visible "container" volume (sometimes known as "outer" volume). The hidden volume has its own separate file system, password, and encryption key distinct from
The free areas of the "host" disk. Volumes, be they stored in a file or a device/partition, may intentionally not contain any discernible "signatures" or unencrypted headers. As cipher algorithms are designed to be indistinguishable from a pseudorandom permutation without knowing the key, the presence of data on the encrypted volume is also undetectable unless there are known weaknesses in
The free space of the more obvious "outer" volumes. Such strategies provide plausible deniability. Well-known examples of disk encryption software include BitLocker for Windows; FileVault for Apple OS/X; LUKS, a standard free software mainly for Linux; and TrueCrypt, a non-commercial freeware application, for Windows, OS/X and Linux. Some disk encryption systems, such as VeraCrypt, CipherShed (active open source forks of
The home directory, abandoning the disk image approach. For this approach to disk encryption, authorised users' information is loaded from a separate non-encrypted boot volume (partition/slice type Apple_Boot). The original version of FileVault was added in Mac OS X Panther to encrypt a user's home directory. When FileVault is enabled the system invites the user to create a master password for
The home directory. Mac OS X 10.5 Leopard and Mac OS X 10.6 Snow Leopard use more modern sparse bundle disk images which spread the data over 8 MB files (called bands) within a bundle. Apple refers to this original iteration of FileVault as "legacy FileVault". OS X 10.7 Lion and newer versions offer FileVault 2, which is a significant redesign. This encrypts the entire OS X startup volume and typically includes
The outer volume proves valid, the outer volume is mounted; if the password/key of the hidden volume proves valid, then (and only then) can the existence of the hidden volume even be detected, and it is mounted; otherwise if the password/key does not successfully decrypt either the inner or outer volume descriptors, then neither is mounted. Once a hidden volume has been created inside the visible container volume,
The password to make the key available to the software. This must be done sometime after each operating system start-up before the encrypted data can be used. Done in software, encryption typically operates at a level between all applications and most system programs and the low-level device drivers by "transparently" (from a user's point of view) encrypting data after it is produced by a program but before it
The software typically installs a temporary driver from the portable media. Since it is installing a driver (albeit temporarily), administrative privileges are still required. Some disk encryption software allows encrypted volumes to be resized. Not many systems implement this fully and resort to using "sparse files" to achieve this. Encrypted volumes contain "header" (or "CDB") data, which may be backed up. Overwriting these data will destroy
The target: If transferring FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format. Instead of using FileVault to encrypt a user's home directory, using Disk Utility a user can create an encrypted disk image themselves and store any subset of their home directory in there (for example, ~/Documents/private). This encrypted image behaves similarly to
The user will store important-looking information (but which the user does not actually mind revealing) on the outer volume, whereas more sensitive information is stored within the hidden volume. If the user is forced to reveal a password, the user can reveal the password to the outer volume, without disclosing the existence of the hidden volume. The hidden volume will not be compromised, if the user takes certain precautions in overwriting
The user's login password as the encryption pass phrase. It uses the XTS-AES mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by NIST. Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down. The I/O performance penalty for using FileVault 2 was found to be in the order of around 3% when using CPUs with
The volume, so the ability to back them up is useful. Restoring the backup copy of these data may reset the volume's password to what it was when the backup was taken. Key scheduling In cryptography, the so-called product ciphers are a certain kind of cipher, where the (de-)ciphering of data is typically done as an iteration of rounds. The setup for each round is generally the same, except for round-specific fixed values called
The way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not in physical control by the owner. Early versions of FileVault automatically stored the user's passphrase in the system keychain, requiring the user to notice and manually disable this security hole. In 2006, following