Passphraseless Disk Encryption Options?
Brandon Vincent
Brandon.Vincent at asu.edu
Tue Sep 8 19:22:06 UTC 2015
On Tue, Sep 8, 2015 at 11:51 AM, Igor Mozolevsky <igor at hybrid-lab.co.uk> wrote:
> I think you're missing the point- I suspect Apple's login *is* the decrypt
> process- OS X needs something from the user to give access to the data;
> without the user typing in their password, the data on the disk (as I said)
> is just a source of entropy.

Analysiser,

Backing up what Igor has stated, the underlying principles behind
FileVault 2 are no different than those employed by commercially
available FDE software and open source solutions such as LUKS on
GNU/Linux. When FileVault 2 is enabled on OS X, the system loads
additional EFI code from the unencrypted recovery partition during
startup and then references a file (on the unencrypted recovery
partition) which has the volume master key encrypted with an
intermediary key (essentially each user's password).

When you enable FileVault 2 for the first time, you have to enter the
system password for each user who you want to have the ability to
decrypt the hard drive on startup. After this point, if a user on the
system decides to update their password, OS X seamlessly updates the
intermediary key required to decrypt the key-encryption-key for the
volume.

Essentially, the engineers at Apple have elegantly streamlined the
process to minimize user frustration and interruption. Most open
source FDE is not quite polished similarly.

Brandon Vincent
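
The per-user key-slot arrangement described in the message above, as an added sketch that is not part of the original post and is not FileVault 2 or LUKS code: one volume master key is wrapped once per user under a password-derived intermediary key, and a password change rewrites only that user's slot. The function names, the PBKDF2 parameters and the slot layout are assumptions, and the XOR pad with an HMAC tag stands in for the AES key wrap or AEAD a real implementation would use.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def _keys(password: str, salt: bytes):
    """Password -> intermediary key -> (32-byte XOR pad, 32-byte MAC key)."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return pad, hmac.new(kek, b"mac", hashlib.sha256).digest()

def wrap(vmk: bytes, password: str) -> dict:
    """Create one key slot: the volume master key wrapped under a password."""
    if len(vmk) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    salt = os.urandom(16)  # fresh salt per slot, so a pad is never reused
    pad, mac_key = _keys(password, salt)
    blob = bytes(a ^ b for a, b in zip(vmk, pad))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}

def unwrap(slot: dict, password: str) -> bytes:
    """Recover the volume master key, or raise if the password is wrong."""
    pad, mac_key = _keys(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong password or corrupted slot")
    return bytes(a ^ b for a, b in zip(slot["blob"], pad))

def change_password(slots: dict, user: str, old: str, new: str) -> None:
    """Re-wrap only this user's slot; the volume master key never changes."""
    slots[user] = wrap(unwrap(slots[user], old), new)

def demo() -> dict:
    vmk = os.urandom(32)  # constructed volume master key
    slots = {"alice": wrap(vmk, "alice-pw"), "bob": wrap(vmk, "bob-pw")}
    bob_before = dict(slots["bob"])
    change_password(slots, "alice", "alice-pw", "alice-new")
    try:
        unwrap(slots["alice"], "alice-pw")
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {"alice_ok": unwrap(slots["alice"], "alice-new") == vmk,
            "bob_ok": unwrap(slots["bob"], "bob-pw") == vmk,
            "bob_untouched": slots["bob"] == bob_before,
            "old_rejected": old_rejected}
```

Because the slots sit on unencrypted storage, the password strength and the key-derivation work factor are what stand between a copied slot and the volume master key.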
More information about the freebsd-hackers
mailing list