Lion Drive Encryption

[basher]

For those of you working with the Lion DP and GM release(s), is it possible to change the password of an encrypted drive?

Anything tricky to watch out for with drive encryption? Hopefully the issue of having to log out like in FileVault has been changed.

Thanks!

 

[CyBeRino]

For those of you working with the Lion DP and GM release(s), is it possible to change the password of an encrypted drive?

I believe so.

From what I can gather, the drive is encrypted with a single key. This key is stored on the drive, protected in what amounts to (but probably isn't) a keychain. At boot, you'll get a 'login window' (not really, but it looks exactly like it) that takes your password, fetches the key and allows the drive's data to be decrypted. (One 'keychain' per user.) Booting continues normally (but the real login window is skipped.)

So far as I can tell, the same applies to encrypted non-boot disks. You can change the password on those from Disk Utility. Changing the key with which the drive was encrypted would require decrypting and re-encrypting the entire thing, so obviously something else is going on here and I believe it to be what I described above.

Anything tricky to watch out for with drive encryption? Hopefully the issue of having to log out like in FileVault has been changed.

Thanks!

Not really. It Just Works, now. Much, much better than FileVault 1.

 

[haravikk]

Anything tricky to watch out for with drive encryption? Hopefully the issue of having to log out like in FileVault has been changed.

The only caveat seems to be that live encryption only works on the startup volume, so any other volume(s) you want to encrypt will be wiped first, which seems pretty silly, especially when machines with SSDs are more and more commonly separating OS and files onto SSD and regular drives respectively.

Has anyone tested a machine with OS on an SSD and user folder(s) on regular hard-drives, what happens with the encryption, does the user folder volume need to be done separately?

 

[basher]

I believe so.

...
Changing the key with which the drive was encrypted would require decrypting and re-encrypting the entire thing, so obviously something else is going on here and I believe it to be what I described above.
...

At first this sounds like a big deal, but since what I've read about the encryption being performed on the fly in the end it's a non-issue.

Looking forward to FileVault2 to see how bad I can screw up my drives.

 

[haravikk]

At first this sounds like a big deal, but since what I've read about the encryption being performed on the fly in the end it's a non-issue.

Again, only on your startup volume, at the moment.

In theory you should never need to change the disk's encryption key as it should be entirely random, the only case under which you'd need to is if you believe that any of the passwords that provide access to that key (users able to decrypt the drive) are compromised.

The key encrypting the drive is basically shoved in at the start somewhere, with all other data encrypted using it. However the stored version of the key is itself encrypted with your user password, so you need to login before the disk can be decrypted.

Of all the features in Lion, this is one of the ones I'm most interested by, as while Truecrypt is fine for additional volumes, built in support like FileVault 2 will be much more suitable for the system and user folder volume(s).

 

[MikhailT]

It is likely that the encryption key is stored somewhere in the recovery partition, which is why the startup volume doesn't need to be wiped first. The other drives probably needs to be wiped in order to change the partition table to include a small recovery partition to include that key.

 

[CyBeRino]

It is likely that the encryption key is stored somewhere in the recovery partition, which is why the startup volume doesn't need to be wiped first. The other drives probably needs to be wiped in order to change the partition table to include a small recovery partition to include that key.

I doubt that. This would mean that someone deleting their recovery partition would also delete the key to their data. This is decidedly more problematic than them deleting the method for booting the drive, which they might otherwise do.

 

[FunkyMonkCP]

The only reason I want Lion is really for the full drive encryption. I am not a fan of PGP because it is so pricey and updates can break it. I am currently encrypting my HD, taken 8 hours so far. Hope everything works smoothly after it.

I am wondering how restoring time machine backups from an external drive that is encrypted works. Does the Lion installer have support for decrypting file vault protected volumes? What if I pop out this hard drive and put it in an external enclosure and want to browse it on another Mac that has Lion, will Lion prompt me for a password for the hard drive? I hope there is deep file vault integration. Guess I'll take my chances and find out.

 

[MikhailT]

I doubt that. This would mean that someone deleting their recovery partition would also delete the key to their data. This is decidedly more problematic than them deleting the method for booting the drive, which they might otherwise do.

We don’t know much until somebody does the work to research this throughly. I’d love to learn more about this.

I don’t see how this is a problematic, during the upgrade or install, nobody is going to be aware of the recovery partition and that’s how it should be.

Also, Apple will offer to store the encryption key for you on their servers, so if you delete it by accidentally, you can restore it from your AppleID.

There has to be a decrypted partition for the OS to boot from and to locate a key to decrypt the data on the fly. Otherwise, it wouldn’t be a full disk encryption.

The only other place I could think of is it is stored someplace in the EFI.

 

[CyBeRino]

We don’t know much until somebody does the work to research this throughly. I’d love to learn more about this.

I don’t see how this is a problematic, during the upgrade or install, nobody is going to be aware of the recovery partition and that’s how it should be.

Also, Apple will offer to store the encryption key for you on their servers, so if you delete it by accidentally, you can restore it from your AppleID.

There has to be a decrypted partition for the OS to boot from and to locate a key to decrypt the data on the fly. Otherwise, it wouldn’t be a full disk encryption.

The only other place I could think of is it is stored someplace in the EFI.

I am looking into it. All I've found so far is the elements for the login UI on the recovery partition. So it uses the recovery partition to present you with the fake login window (thus the reason you need it to even use filevault.) But I have not found where it stores the user info yet. On the recovery hd are only UI elements for guest and unknown users.

 

[AnneStuarto238]

Encrypting 320GB-USB-HDD with TM-backup is painfully slow(8-9h), but consume little CPU-usage.

 

[DandsM]

How do I turn on drive encryption?

 

[jmmo20]

so is this on the fly file encryption or does it use sparse bundles or images to store the files?

also what happens with time machine? does it create an encrypted bundle for each user?

Can I choose to encrypt a drive such a pendrive?

 

[CyBeRino]

so is this on the fly file encryption or does it use sparse bundles or images to store the files?

It encrypts the entire file system. Specifically, it encrypts the Core Storage volume the File System happens to be in.

also what happens with time machine? does it create an encrypted bundle for each user?

Time machine works in exactly the same way it does without FileVault. If storing sensitive data, tell TM to encrypt your back-ups.

Can I choose to encrypt a drive such a pendrive?

Yes, at the moment where you erase it as a fresh HFS volume, you can choose for it to be encrypted. So far there does not appear to be a way to encrypt other volumes than the root volume and your time machine volume on-the-fly.

 

[diamond.g]

It encrypts the entire file system. Specifically, it encrypts the Core Storage volume the File System happens to be in.



Time machine works in exactly the same way it does without FileVault. If storing sensitive data, tell TM to encrypt your back-ups.



Yes, at the moment where you erase it as a fresh HFS volume, you can choose for it to be encrypted. So far there does not appear to be a way to encrypt other volumes than the root volume and your time machine volume on-the-fly.

How do you tell Time Machine to encrypt the backup?

 

[CyBeRino]

How do you tell Time Machine to encrypt the backup?

In system preferences, where you select the drive, there's a check box to encrypt backups. If possible, it'll do it in-place, otherwise it'll tell you it can't (and why), and will prompt to reformat the drive.

 

[jmmo20]

In system preferences, where you select the drive, there's a check box to encrypt backups. If possible, it'll do it in-place, otherwise it'll tell you it can't (and why), and will prompt to reformat the drive.

ok but how does that work technically? does it create a sparsebundle or similar that spans the whole drive? or are the files each encrypted individually?

what happens when you attach the drive to a different computer? do you see the list of the files but are unable to open them, or see instead a huge encrypted file?

i'm concerned due to the fact that my TM drive is a drobo. The drobo reports a "fake" drive size to the OS (16 terabytes) when it facts I currently have 3 terabytes. it does this so that you can add more drives without needing to re-format. currently my drobo has a sparsebundle for each networked mac on my home network.. I guess OSX Lion could encrypt that bundle instead of the whole drobo volume.

 

[diamond.g]

In system preferences, where you select the drive, there's a check box to encrypt backups. If possible, it'll do it in-place, otherwise it'll tell you it can't (and why), and will prompt to reformat the drive.

Nice! Thanks!

 

[CyBeRino]

ok but how does that work technically? does it create a sparsebundle or similar that spans the whole drive? or are the files each encrypted individually?

what happens when you attach the drive to a different computer? do you see the list of the files but are unable to open them, or see instead a huge encrypted file?

What happens when you encrypt a drive is the affected partitions are converted to a Core Storage Logical Volume. I don't know exactly what the plan for Core Storage is, but it appears to amount to a Volume Manager as we all know them from large-scale enterprise storage.

This logical volume is what is encrypted. So to even get to the part where you're seeing an HFS+ volume, you have to decrypt the logical volume. To reiterate: so far as I can tell now, the encryption is actually a layer below your file system.

So what happens when you attach the drive to another computer? That depends. If it supports encrypted volumes (i.e., 10.7 and above), it'll ask for a password. If it doesn't, it won't recognise it.

i'm concerned due to the fact that my TM drive is a drobo. The drobo reports a "fake" drive size to the OS (16 terabytes) when it facts I currently have 3 terabytes. it does this so that you can add more drives without needing to re-format. currently my drobo has a sparsebundle for each networked mac on my home network.. I guess OSX Lion could encrypt that bundle instead of the whole drobo volume.

I don't know how this works with drobo because I don't have one which in turn is because I don't trust them for exactly that reason: they **** with your data in unknown ways, they cheat the system into thinking there's more storage than there is, etc., none of which is necessary.

 

[jmmo20]

What happens when you encrypt a drive is the affected partitions are converted to a Core Storage Logical Volume. I don't know exactly what the plan for Core Storage is, but it appears to amount to a Volume Manager as we all know them from large-scale enterprise storage.

This logical volume is what is encrypted. So to even get to the part where you're seeing an HFS+ volume, you have to decrypt the logical volume. To reiterate: so far as I can tell now, the encryption is actually a layer below your file system.

So what happens when you attach the drive to another computer? That depends. If it supports encrypted volumes (i.e., 10.7 and above), it'll ask for a password. If it doesn't, it won't recognise it.



I don't know how this works with drobo because I don't have one which in turn is because I don't trust them for exactly that reason: they **** with your data in unknown ways, they cheat the system into thinking there's more storage than there is, etc.

ok thanks that's a pretty cool implementation of encryption. I wonder if iOS does the same: when you reset your data apparently all it does is remove the encryption key from the keychain and force a new volume to be created over the old encrypted (and now unreadable) data.

I guess i'll find out about time machine encryption over AFP when I get Lion installed

 

[CyBeRino]

ok thanks that's a pretty cool implementation of encryption. I wonder if iOS does the same: when you reset your data apparently all it does is remove the encryption key from the keychain and force a new volume to be created over the old encrypted (and now unreadable) data.

iOS (as of the iPhone 3GS) takes it a step further: everything is encrypted and the device itself knows how to decrypt it. So indeed: wiping the 3GS (and up) is very fast because all that needs to be done is wipe the key. The original iPhone and iPhone 3G didn't do this, thus wiping those is a process that takes about an hour depending on flash size.

Macs aren't set up for this, so when you use FileVault 2, it needs something that isn't encrypted so as to be able to boot the computer. This is why you need the Recovery HD to use FileVault.