FileVault

FileVault is a system that protects files on a Macintosh computer. It can be found in the Mac OS X v10.3 ("Panther") operating system and later.

FileVault uses encrypted file systems that are mounted and unmounted when the user logs into or out of the system. The user's home directory is encrypted using the Advanced Encryption Standard (AES) algorithm with a key derived from the user's login password. A master password should be set as a precaution against a user losing his or her password. Content is automatically encrypted and decrypted on the fly. Although early versions were slow and caused system to temporarily hang when used with disk-intensive applications, such as sound and video editing, the performance of FileVault has been improved in more recent versions of Mac OS X.

In Mac OS X v10.4 (Tiger), FileVault stores the encrypted file system as a Sparse Disk Images, which is basically a single large file. In Mac OS X v10.5 (Leopard), FileVault stores the encrypted file system as a new image called a Sparse bundle. [http://macosx.com/article/live-filevaultsparse-bundle-backups-in-leopard.html 1] . Sparse bundles break images into smaller 8MB files called bands, allowing them to be backed up using Leopard's Time Machine feature (see below for limitations, however). If transferring your FileVault data from a previous Mac that uses 10.4 using the built-in utility to move data to a new machine, the data uses the old sparse image format, and you must turn FileVault off and then on again to re-encrypt in the new sparse bundle format.

Criticism

When using FileVault, it is not possible to select which parts of the disk to encrypt. Only entire home directories can be encrypted. For example, using FileVault, the user cannot encrypt the whole disk as can be done with 3rd-party Mac disk encryption software such as PGP Whole Disk Encryption. Similarly, specific files or folders cannot be encrypted using FileVault, although its underlying encrypted disk image technology can be used for this purpose via Apple's Disk Utility Application, included in the standard installation of OS X.

Several shortcomings have been identified in FileVault's use of cryptography, such as the use of the CBC mode of operation which can lead to watermarking attacks, reliance on 1024-bit RSA and 3DES-EDE which have an effective key size below that of 128-bit AES, and unsafe storage of keys in the Mac OS X "safe sleep" mode.cite paper |author=Jacob Appelbaum, Ralf-Philipp Weinmann |date=2006-12-29 |title=Unlocking FileVault: An Analysis of Apple's disk encryption |url=http://crypto.nsa.org/vilefault/23C3-VileFault.pdf |format=PDF |accessdate=2007-03-31 ]

FileVault-protected accounts can be migrated from an older Mac to a newer one with some limitations and only as long the new machine has no existing user accounts -- otherwise, FileVault needs to be turned off during the migration, or the OS first needs to be reinstalled on the newer Mac. [ [http://docs.info.apple.com/article.html?artnum=25773#faq7 Mac OS X 10.3, 10.4: Transferring data with Setup Assistant / Migration Assistant FAQ ] ]

A study published in 2008 found data remanence in dynamic random access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not in physical control by the owner. [cite paper|title=Lest We Remember: Cold Boot Attacks on Encryption Keys|author=J. Alex Halderman, et al.|date=February 2008|url=http://citp.princeton.edu.nyud.net/pub/coldboot.pdf]

Not all features of the Time Machine backup facility work when it is used in conjunction with FileVault in Mac OS 10.5. For example, a single file cannot be restored from the archive using the Time Machine interface; only restoring the entire FileVault is possible. Single files can however be restored manually using the Finder.

On 31 July, 2008, Brian Krebs posts on his Washington Post blog, that Charles Edge, an American researcher from Georgia, found a security hole in FileVault and had to withdraw from a speech about it at the Black Hat Security conference. [ [http://voices.washingtonpost.com/securityfix/2008/07/black_hat_talk_on_apple_encryp_1.html] ]

ee also

*Apple Keychain

References

External links