
richard13

Original poster
I have had FileVault enabled for the last few versions of OS X and I like it but I do have a couple concerns that may have been addressed since Apple released FileVault 2.

For instance, as I understand it, FV2 unlocks the entire disk once you have logged in. How protected am I if my Mac goes to sleep or the screensaver kicks in or I'm otherwise "logged out"?

Isn't the disk still mounted and unlocked under these circumstances? Is shutting down the only way the data is really protected?

What do you other FileVault users do? Shut down all the time? Or trust that sleep/log out is "good enough"?

Thanks!
 
FV is there to secure the drive(s) and data once shut down or removed from the MBP. You still need to secure your access, i.e. login password regime.
 
Sleep is good enough.

sudo pmset -a destroyfvkeyonstandby 1

Will make it more secure. You will need to enter your admin password.
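
An added example, not part of any post in this thread: a shell check of the settings that command touches. Per the pmset man page the key is destroyed on entry to standby, so the script also reads `hibernatemode` and `standby`; the sample input is constructed, and the name/value layout of `pmset -g` output is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit `pmset -g`-style text on stdin
# for the settings that decide when the FileVault key leaves memory.

# Print the value of one setting, matched case-insensitively, or "unset".
pmset_value() {
    awk -v key="$1" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Print one finding, then a last line with the verdict: OK, DELAYED or WEAK.
audit_fv_sleep() {
    settings=$(cat)
    destroy=$(printf '%s\n' "$settings" | pmset_value destroyfvkeyonstandby)
    hib=$(printf '%s\n' "$settings" | pmset_value hibernatemode)
    standby=$(printf '%s\n' "$settings" | pmset_value standby)

    if [ "$destroy" != 1 ]; then
        echo "destroyfvkeyonstandby=$destroy: key is kept across standby"
        echo WEAK
    elif [ "$hib" = 25 ]; then
        echo "hibernatemode=25: sleep writes RAM to disk and powers it off"
        echo OK
    elif [ "$hib" = 3 ] && [ "$standby" = 1 ]; then
        echo "hibernatemode=3: key stays in RAM until the standby delay elapses"
        echo DELAYED
    else
        echo "hibernatemode=$hib standby=$standby: RAM stays powered during sleep"
        echo WEAK
    fi
}

# Constructed sample input (assumed to follow the `pmset -g` name/value layout).
sample_default() {
    printf ' %s\n' 'standby              1' 'hibernatemode        3'
}
sample_hardened() {
    printf ' %s\n' 'standby              1' 'hibernatemode        25' \
        'DestroyFVKeyOnStandby        1'
}

# On a Mac, run:  pmset -g | audit_fv_sleep
sample_default | audit_fv_sleep
sample_hardened | audit_fv_sleep
```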
 
> FV is there to secure the drive(s) and data once shut down or removed from the MBP. You still need to secure your access, i.e. login password regime.

Yes, this is a good point. You still need a good login password. But this was kind of implied as FV2 turns off autologin and thus requires a password.

My questions are really more directed at how secure the data/system is in a non-shutdown state. And if others are concerned with this. Apple doesn't really spell this out very well and doesn't seem to offer a way to shut down your MBP (for example) on the close lid action. I think, in general, most people never think to shut down their computer and so they may be vulnerable.
 
When the MBP comes out of sleep it will unlock the drive based on the key it holds - the command quoted above destroys this key meaning you will need to reenter the key on coming out of sleep to unlock the drive. Even if in sleep, if the drive is removed it will still need the key entering on whatever machine you connect it to, keeping the data safe.

I have always had a login password so didn't see the change when I enabled FV2...
 
> Yes, this is a good point. You still need a good login password. But this was kind of implied as FV2 turns off autologin and thus requires a password.
>
> My questions are really more directed at how secure the data/system is in a non-shutdown state. And if others are concerned with this. Apple doesn't really spell this out very well and doesn't seem to offer a way to shut down your MBP (for example) on the close lid action. I think, in general, most people never think to shut down their computer and so they may be vulnerable.

Your concern is addressed in my post with the terminal command. Apple has a whole document outlining the specifications of FileVault 2.

https://support.apple.com/en-ca/HT204837

They also have a PDF with the more detailed aspects.


I believe the only attacks on FV2 are DMA in nature. Maybe the NSA can get past it with a server farm ;p
 
> When the MBP comes out of sleep it will unlock the drive based on the key it holds - the command quoted above destroys this key meaning you will need to reenter the key on coming out of sleep to unlock the drive. Even if in sleep, if the drive is removed it will still need the key entering on whatever machine you connect it to, keeping the data safe.
>
> I have always had a login password so didn't see the change when I enabled FV2...

Gotcha. I looked up MAN for pmset and came to the same conclusion. I read a post online that someone turned that on but had to enter passwords twice to unlock their system. That seems a little silly to me as I'm already giving the system the correct credentials to unlock FV2 already.

> Your concern is addressed in my post with the terminal command. Apple has a whole document outlining the specifications of FileVault 2.
>
> https://support.apple.com/en-ca/HT204837
>
> They also have a PDF with the more detailed aspects.
>
> I believe the only attacks on FV2 are DMA in nature. Maybe the NSA can get past it with a server farm ;p

That's the same conclusion I'm coming to. It looks like Apple patched some bugs related to DMA back in Lion days. Hopefully there aren't any current vectors to exploit.
 
> Gotcha. I looked up MAN for pmset and came to the same conclusion. I read a post online that someone turned that on but had to enter passwords twice to unlock their system. That seems a little silly to me as I'm already giving the system the correct credentials to unlock FV2 already.
>
> That's the same conclusion I'm coming to. It looks like Apple patched some bugs related to DMA back in Lion days. Hopefully there aren't any current vectors to exploit.


There have been some suggestions that Thunderbolt may give way for a similar attack.
 
> I believe the only attacks on FV2 are DMA in nature. Maybe the NSA can get past it with a server farm ;p

Correct... there are still some outdated web sites out there saying you can hack FV2, but they all rely on using direct memory access (DMA). That DMA access was blocked in Lion 10.7.2 and is no longer an issue.
 