oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

An Unencrypted Look at FileVault

by FJ de Kermadec

When Apple introduced Panther and its 150 new features, who would have thought that FileVault, an extra-strength security technology, would raise so many questions and lead to so many debates?

Indeed, many reviewers have written about it and many troubleshooting or technical pages have been published. However, there are still many unanswered questions about the technology that powers FileVault, about its effectiveness and safety.

Over the course of this article, I'm going to walk you through FileVault and try to explain how it works, and what it can (and cannot) do for you. In the end, I hope that it will help you answer one important question: "Should I use it?"

The Competition

Related Reading

Mac OS X: The Missing Manual, Panther Edition
By David Pogue

Before talking about the FileVault technology, let's say that there are indeed many ways to encrypt the data you store on a hard drive. Some laptops even provide you with an extra button that takes care of that.

But these features are often extra unneeded buttons that trigger proprietary software that triggers special commands -- in other words, they are not fully integrated into your workflow and can cause many issues.

The strength of FileVault lies in the fact that it is fully integrated into Mac OS X, at the lowest level: the operating system itself takes care of performing the tasks on the fly, without relying upon add-ons.

In fact, the "building blocks" that power the FileVault system have existed in one form or the other since the first release of Mac OS X and, therefore, have been tested by many users. Some of them, such as the disk-image mounting system, have undergone a face lift and have been improved with the Panther release, but one cannot say that Apple uses new and untested systems.

How Does FileVault Work?

When you use the Security preferences pane to turn on FileVault for your account, Mac OS X places the entire contents of your Home folder into a safely encrypted disk image. It then takes care of encrypting and decrypting data on the fly, making the process transparent to most applications, which won't even realize what's going on.

FileVault uses a special disk image format: USDP or SPARSE. These files have a .sparceimage extension. Their specificity is that the resulting volume expands as needed to accommodate more data without requiring you to manually create a new image and copy data back and forth -- or requiring the system to do so.

When you log into your account, Mac OS X mounts the encrypted disk image in place of the regular Home folder. To access it, applications use the same path and, therefore, do not change their behavior.

In fact, the "magic" of FileVault really lies in the way the filesystem mounts the image, making it look and act as if it were a folder, normally located in the hierarchy. A closer look at the vault reveals that it is in fact a volume mounted at the root level of your computer -- like other disk images, in fact.

Whenever you work on a file that is stored inside of this disk image, you will work in a protected encrypted environment where files are never written in an unencrypted form. Given the fact that most applications even store their user-related cache files or auto-saves in your Home folder, you do not have to worry about data leaks as much as you would with other systems that can give a false sense of security.

As soon as you log out, the disk image that was taking the place of your regular Home folder is unmounted, and all of your data is "swallowed" into a single file, the disk image file that contains the virtual volume.

At this point, your data cannot be retrieved. It is of course stored in this file, but secured by 128-bit encryption.

To other users, your home folder has become a single disk image file that is visible, just as your regular home folder would be. However, to access its contents, they would have to know your FileVault password.

Against Which Threats Does FileVault Protect You?

If your laptop is stolen, it's easy for a malicious user to peek inside of your hard drive. Even with extra firmware passwords, they can crack open the case, extract the hard drive, copy it to another computer on which they have administrative access, and scan its contents.

Once your hard drive has been copied to another computer, it's less able to defend itself. In more technical terms, the UNIX permissions scheme that was set up on your Mac does not apply anymore.

This is where FileVault enters the scene. Even though it doesn't prevent hackers from accessing the hard drive and reaching the Home folder, it does make the contents of Home a pile of nonsense, unless they can crack the encryption or guess your password -- more on that later.

Of course, the rest of your hard drive is not encrypted, and malicious users will be able to access it easily. However, no personal information should be stored outside of your Home folder unless 1) you use some strangely written applications that do not respect the Mac OS X architecture or 2) you chose to save sensitive data in a non-protected area manually.

In a nutshell, FileVault prevents others from accessing the data stored in your Home folder while you are not logged in.

Threats Against Which FileVault Cannot Protect You

Some users have turned on FileVault, thinking that it will protect them against hackers or viruses by encrypting their data.

However, it is important to keep in mind that, as soon as you log in, Mac OS X decrypts the data so that you and your applications can access it. Therefore, once you are logged in, a hacker or a virus can steal information as easily as when it is not encrypted.

To protect yourself against these threats, you should use an updated anti-virus application, a good firewall, and secure passwords.

Note that this is not a design flaw. There are other safeguards built into Mac OS X (such as the permissions system) and FileVault was not designed to protect you against hackers and viruses.

Also, FileVault in itself does not protect you against laptop theft. You should still take every possible measure to ensure that your computer is physically safe. When traveling, be alert -- especially at airports, when going through security checks or in waiting lounges. At home or in your office, always use a security cable or lock your computer in a safe.

How Secure Is FileVault?

FileVault is in fact a very secure system, designed for professional users who use their computers for a specific purpose -- and not for everyday general entertainment.

The encrypted disk image it relies on uses the Advanced Encryption Standard (or AES), widely considered to be fast, strong, and secure.

More cryptography information may be found in the excellent O'Reilly book Web Security, Privacy and Commerce, by Simson Garfinkel and Gene Spafford.

Of course, the weakest part of the encryption scheme is the password that you choose. Indeed, it should be a strong one, consisting of as many different characters as possible and as long as possible. The good news is that, in Panther, the Keychain utility includes a built-in "password checker" that can analyze the password that you suggest and criticize it.

Also, for maximum efficiency, you should turn FileVault on before you copy any data back to your computer after the installation. Indeed, this will not only make the process faster but also ensure that no data remains on the hard drive (even if it is not available through the catalog any longer) and could be retrieved in an unencrypted form by a "recycling" utility.

Of course, you should also turn auto-login off. Otherwise, your FileVault would open immediately as soon as the hacker turns the computer on! It sounds silly, but a few users don't always think about this when they get ready to travel. To turn this option off, you can use the Accounts and Security preferences panes, available through the System Preferences application.

Provided that you use a real 128 key, you can pick it from 3.4 x 10^38 different keys. According to Apple, when the system is used at its best, it could take as long as 149 trillion years to crack such a key on a computer able to recover a DES key in a second. Pretty impressive, huh?

Pages: 1, 2

Next Pagearrow