Published on MacDevCenter (http://www.macdevcenter.com/)


An Unencrypted Look at FileVault

by FJ de Kermadec
12/19/2003

When Apple introduced Panther and its 150 new features, who would have thought that FileVault, an extra-strength security technology, would raise so many questions and lead to so many debates?

Indeed, many reviewers have written about it and many troubleshooting or technical pages have been published. However, there are still many unanswered questions about the technology that powers FileVault, about its effectiveness and safety.

Over the course of this article, I'm going to walk you through FileVault and try to explain how it works, and what it can (and cannot) do for you. In the end, I hope that it will help you answer one important question: "Should I use it?"

The Competition


Before talking about the FileVault technology, let's say that there are indeed many ways to encrypt the data you store on a hard drive. Some laptops even provide you with an extra button that takes care of that.

But these features are often extra, unneeded buttons that launch proprietary software, which in turn issues special commands -- in other words, they are not fully integrated into your workflow and can cause many issues.

The strength of FileVault lies in the fact that it is fully integrated into Mac OS X, at the lowest level: the operating system itself takes care of performing the tasks on the fly, without relying upon add-ons.

In fact, the "building blocks" that power the FileVault system have existed in one form or the other since the first release of Mac OS X and, therefore, have been tested by many users. Some of them, such as the disk-image mounting system, have undergone a face lift and have been improved with the Panther release, but one cannot say that Apple uses new and untested systems.

How Does FileVault Work?

When you use the Security preferences pane to turn on FileVault for your account, Mac OS X places the entire contents of your Home folder into a safely encrypted disk image. It then takes care of encrypting and decrypting data on the fly, making the process transparent to most applications, which won't even realize what's going on.

FileVault uses a special disk image format: UDSP or SPARSE. These files have a .sparseimage extension. What sets them apart is that the resulting volume expands as needed to accommodate more data without requiring you to manually create a new image and copy data back and forth -- or requiring the system to do so.

When you log into your account, Mac OS X mounts the encrypted disk image in place of the regular Home folder. To access it, applications use the same path and, therefore, do not change their behavior.

In fact, the "magic" of FileVault really lies in the way the filesystem mounts the image, making it look and act as if it were a folder, normally located in the hierarchy. A closer look at the vault reveals that it is in fact a volume mounted at the root level of your computer -- like other disk images, in fact.

Whenever you work on a file that is stored inside of this disk image, you will work in a protected encrypted environment where files are never written in an unencrypted form. Given the fact that most applications even store their user-related cache files or auto-saves in your Home folder, you do not have to worry about data leaks as much as you would with other systems that can give a false sense of security.

As soon as you log out, the disk image that was taking the place of your regular Home folder is unmounted, and all of your data is "swallowed" into a single file, the disk image file that contains the virtual volume.

At this point, your data cannot be retrieved. It is, of course, still stored in this file, but it is secured by 128-bit encryption.

To other users, your home folder has become a single disk image file that is visible, just as your regular home folder would be. However, to access its contents, they would have to know your FileVault password.

Against Which Threats Does FileVault Protect You?

If your laptop is stolen, it's easy for a malicious user to peek inside of your hard drive. Even with extra firmware passwords, they can crack open the case, extract the hard drive, copy it to another computer on which they have administrative access, and scan its contents.

Once your hard drive has been copied to another computer, it's less able to defend itself. In more technical terms, the UNIX permissions scheme that was set up on your Mac does not apply anymore.

This is where FileVault enters the scene. Even though it doesn't prevent hackers from accessing the hard drive and reaching the Home folder, it does make the contents of Home a pile of nonsense, unless they can crack the encryption or guess your password -- more on that later.

Of course, the rest of your hard drive is not encrypted, and malicious users will be able to access it easily. However, no personal information should be stored outside of your Home folder unless 1) you use some strangely written applications that do not respect the Mac OS X architecture or 2) you chose to save sensitive data in a non-protected area manually.

In a nutshell, FileVault prevents others from accessing the data stored in your Home folder while you are not logged in.

Threats Against Which FileVault Cannot Protect You

Some users have turned on FileVault, thinking that it will protect them against hackers or viruses by encrypting their data.

However, it is important to keep in mind that, as soon as you log in, Mac OS X decrypts the data so that you and your applications can access it. Therefore, once you are logged in, a hacker or a virus can steal information as easily as when it is not encrypted.

To protect yourself against these threats, you should use an updated anti-virus application, a good firewall, and secure passwords.

Note that this is not a design flaw. There are other safeguards built into Mac OS X (such as the permissions system) and FileVault was not designed to protect you against hackers and viruses.

Also, FileVault in itself does not protect you against laptop theft. You should still take every possible measure to ensure that your computer is physically safe. When traveling, be alert -- especially at airports, when going through security checks or in waiting lounges. At home or in your office, always use a security cable or lock your computer in a safe.

How Secure Is FileVault?

FileVault is in fact a very secure system, designed for professional users who use their computers for a specific purpose -- and not for everyday general entertainment.

The encrypted disk image it relies on uses the Advanced Encryption Standard (or AES), widely considered to be fast, strong, and secure.

More cryptography information may be found in the excellent O'Reilly book Web Security, Privacy and Commerce, by Simson Garfinkel and Gene Spafford.

Of course, the weakest part of the encryption scheme is the password that you choose. Indeed, it should be a strong one, consisting of as many different characters as possible and as long as possible. The good news is that, in Panther, the Keychain utility includes a built-in "password checker" that can analyze the password that you suggest and criticize it.

Also, for maximum efficiency, you should turn FileVault on before you copy any data back to your computer after the installation. Indeed, this will not only make the process faster but also ensure that no data remains on the hard drive (even if it is no longer reachable through the catalog) where it could be retrieved in an unencrypted form by a "recycling" utility.

Of course, you should also turn auto-login off. Otherwise, your FileVault would open immediately as soon as the hacker turns the computer on! It sounds silly, but a few users don't always think about this when they get ready to travel. To turn this option off, you can use the Accounts and Security preferences panes, available through the System Preferences application.

Provided that you use a real 128-bit key, you can pick it from 3.4 x 10^38 different keys. According to Apple, when the system is used at its best, it could take as long as 149 trillion years to crack such a key on a computer able to recover a DES key in a second. Pretty impressive, huh?
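The arithmetic behind Apple's figure, as an added example that is not part of the original article: the script reproduces the 3.4 x 10^38 keys and the 149 trillion years, then applies the same search rate to the kind of passwords people actually choose, which is the weak point described above. It assumes that "a computer able to recover a DES key in a second" means one that tries all 2^56 DES keys every second.

```python
import math

# Figures from the article: AES-128 has 2^128 (about 3.4 x 10^38) keys. Apple's
# benchmark machine "recovers a DES key in a second"; this example assumes that
# means it can try the whole 56-bit DES keyspace, 2^56 keys, every second.
AES128_KEYSPACE = 2 ** 128
DES_KEYSPACE = 2 ** 56
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def years_to_exhaust(keyspace: int, keys_per_second: float = DES_KEYSPACE) -> float:
    """Years needed to try every key in `keyspace` at `keys_per_second`."""
    return keyspace / keys_per_second / SECONDS_PER_YEAR


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` characters drawn uniformly
    from an alphabet of `charset_size` symbols (charset_size ** length guesses)."""
    return length * math.log2(charset_size)


def length_for_bits(charset_size: int, target_bits: int = 128) -> int:
    """Shortest uniformly random password over `charset_size` symbols whose
    guess space is at least 2 ** target_bits, i.e. no weaker than the AES key."""
    return math.ceil(target_bits / math.log2(charset_size))


def password_years(charset_size: int, length: int) -> float:
    """Years to try every password of this shape at the DES-per-second rate."""
    return years_to_exhaust(charset_size ** length)


if __name__ == "__main__":
    print(f"AES-128 keyspace: {AES128_KEYSPACE:.1e} keys")
    print(f"Exhaustive search at 2^56 keys/s: "
          f"{years_to_exhaust(AES128_KEYSPACE) / 1e12:.0f} trillion years")
    # Two common password shapes: 8 lower-case letters, 8 printable ASCII characters.
    for name, size, length in [("8 lower-case letters", 26, 8),
                               ("8 printable ASCII chars", 95, 8)]:
        print(f"{name}: {password_bits(size, length):.1f} bits, "
              f"exhausted in {password_years(size, length):.2e} years")
    print(f"Printable-ASCII length needed to match 128 bits: "
          f"{length_for_bits(95)} characters")
```

The key itself is out of reach, but an 8-character password is exhausted in a fraction of a second at the same rate, which is why the following paragraphs insist on password strength.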

Does FileVault Pose any Threat to my Data?

Right after the release of Mac OS X v10.3, a few users noticed that their preferences files were reverted to the default settings after having used the "reclaim space" function. This soon led to horror stories that were published over the Internet by well-intentioned users who, most of the time, never had a chance to use FileVault themselves. Therefore, I feel that I should focus for a moment on how safe FileVault is, or isn't.

I have personally used FileVault on 10.3.0 without experiencing the slightest issue. Of course, this only reflects my own experiences, but chances are that I am not alone!

The above preferences "oops" has been corrected in the 10.3.1 release. Simply make sure that you install (at least) this update before turning FileVault on, and everything should be fine.

When you use FileVault, you should keep in mind that your data needs to be processed on login and on logout for the image-mounting and -unmounting processes to take place normally. Also, the data you are working on is constantly being encrypted and decrypted.


Therefore, FileVault makes your computer a lot more sensitive to force restarts and crashes. If Mac OS X is unable to gracefully finish the data processing it has to do and unmount the image, some of the data may be damaged -- or the image may not mount the next time you log in.

That's why FileVault has been primarily designed for laptop users. In the event of a power failure, the built-in battery automatically kicks in and takes care of powering the computer. Should the battery run low, the computer will enter a low-power mode to protect the data until it is plugged into an outlet.

Therefore, although nothing technically prevents iMac, eMac, or PowerMac users from using FileVault, they should purchase a reliable UPS (uninterruptible power supply) before turning FileVault on.

The Macintosh Products Guide should provide you with some useful information.

You should also be careful about the applications that you use. Avoid haxies or incompatible disk utilities that could cause filesystem damage -- they are more common than one would think.

Of course, you should also back up your data very frequently. I like CD-Rs and DVD-Rs for two reasons -- once they are burned, they are burned and stable -- you cannot really alter them to add or remove files. Also, they are small in size and can be locked in a safe easily. Needless to say, your backup will be in an unencrypted form -- unless you back up the vault itself and not the data it contains, something that I wouldn't really recommend. Therefore, the physical security of your backup is extremely important. The disc might not be secure, but the safe is!

Speaking of backing up your data, you should be aware that FileVault may confuse a few backup utilities by preventing them from accessing specific files when the vault is closed. Also, some applications could think that your home is constantly changing and therefore back it up endlessly. You may want to speak with your system administrator or the authors of the backup application to make sure that everything is going well.

The FileVault Q&A

Now that we have seen some of the most important aspects of FileVault, it is time to do a little Q&A to answer the questions I have most frequently seen on support forums.

I have lost my password. Could you unlock it for me?

Sorry but no! Indeed, there are no "backdoors" that would allow someone to access your data by force-opening the vault. Your only chance, if you have an administrator, is that he or she has set up a system-wide "master password" that will open it, along with your own, forgotten, password.

Does FileVault affect performance?

Mac OS X v. 10.3 is an extremely fast and powerful operating system and is more than able to encrypt and decrypt data on the fly -- provided that it is run on supported hardware, of course.

I've conducted tests on a 12" PowerBook G4 and did not notice the slightest performance decrease while typing articles (such as this one), using Keynote, surfing the Web, and sending emails.

Keep in mind that FileVault has been designed for business users who handle sensitive data. In this environment, it is therefore perfectly at home and does not impact the user's workflow in any way.

However, users of audio or video applications such as iMovie or FinalCut Pro may want to either not use FileVault or set up these applications to work outside of the protected area.

Indeed, such software usually handles very large files and performs processor-intensive tasks, the intensity of which is increased by the encryption process.

But don't worry, changing the settings of most of these applications is very easy to do! Here is the information that you will need for iMovie and the FinalCut family.

Some users have also suggested that you put your iTunes library outside of the vault if it is very important.

Once again, this is not a design flaw. FileVault has been designed to secure sensitive information. To secure it, it must use military-strength encryption. And nowadays, on any platform, with any OS, such encryption is resource-intensive.

Can I use FileVault to encrypt specific files or folders that are located outside of my Home folder, or to encrypt only parts of my Home folder?

No. FileVault encrypts your whole Home folder, and I definitely don't recommend that you try to tamper with it. However, rest assured that Apple didn't forget you. The good old encrypted disk images are still here and can provide you with the same level of security as FileVault.

Actually, I like the idea of encrypting the whole Home folder, since it makes the "interesting" data even harder to find for the hacker. Plus, the encrypted file is much bigger and requires the hacker to run very powerful computers if he even considers conducting a brute-force attack.

Can I/should I use FileVault in conjunction with the "Secure empty trash" feature?

FileVault does not interfere with the "Secure empty trash" feature, and you should be able to use it normally. Using it will provide you with an extra layer of protection by making sure that the data does not remain on the disk after its deletion.

If you use FileVault, it makes sense to always use the "Secure empty trash" feature for any file located outside of the vault. Secure-emptying the trash takes a bit more time, but it is the only way to make sure that a file has physically disappeared from the hard drive.

Do I need a special Mac model to use FileVault?

We saw above that FileVault has been primarily designed for laptop users but, with a few additional precautions, desktop users can unleash its power, too.

Of course, the faster your Mac is, the less you will notice that FileVault is turned on. I performed some "real world" tests on an old G3 iBook (one of the first white ones) with 128 MB of RAM and did not notice any intense slowdown. Therefore, it is safe to say that FileVault can be used on any computer officially supported by Mac OS X.

Who should turn on FileVault?

FileVault is a military-strength security feature that has been designed with businesses and special users in mind. Although it is remarkably sleek, easy to use, and transparent, turning on this feature implies that you slightly change the way you use your computer. Of course, should you handle sensitive data, chances are that these precautions are already part of your daily routine. For such users, FileVault is (dare we say it) the perfect feature, combining safety, effectiveness, and ease of use.

However, although most home users will be able to turn it on and use it, they should keep in mind that they may not need it.

Don't get me wrong: I think that computer security is of the utmost importance and would certainly not tell Mac users not to protect themselves. However, the vast majority of home users should focus on consolidating their other security systems -- anti-virus, firewall, and passwords.

One could argue that it would have been possible to create a less restrictive encryption scheme that would have been easier to use, but I would have to respectfully disagree. Indeed, in order to be fully effective, cryptography has to be strong and fully encrypt data.

Casual users may rely on the Keychain to store encrypted notes; this small application has hidden wonders that are luckily well explained in the Mac Help and in the AppleCare Knowledge Base.

How Should I Turn FileVault on?

Turning on FileVault can be as easy as using the Security preferences pane, available through the System Preferences application. However, to fully unleash its power and to avoid any issues, I recommend that you follow these steps:

Conclusion

FileVault is an extremely powerful, yet sleek and easy to use, feature that will make the lives of all users who handle sensitive data a lot easier. The underlying technologies it uses and Apple's attention to detail make it a stable and secure system. FileVault is a great feature, since so many companies now use Mac OS X.

However, like any such feature, it has not been designed to play with and requires that you pay attention to what you do. Therefore, while it is perfect for the business user or the frequent traveler, it is not something you want to use on your kid's gaming account or on grandma's tangerine iBook to protect her healthy cooking tips database -- unless she also beta tests Mac OS X v.11 for Apple. But that's another story.

FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.



Copyright © 2009 O'Reilly Media, Inc.