Passphraseless Disk Encryption Options?
Alan Amesbury
amesbury at oitsec.umn.edu
Tue Sep 8 20:32:40 UTC 2015
On Sep 8, 2015, at 15:02, Perry Hutchison <perryh at pluto.rain.com> wrote:
> I think this is fundamentally impossible* to do, with any real
> security. It is like stashing a key to your house somewhere in
> the barn: you think no one else knows where that key is, but
> anyone who figures out what you've done can get in.
>
> In Apple's scheme, at least the house key is in a lockbox -- the
> login password is the key to the lockbox -- but even there the
> hard drive encryption is ultimately only as strong as the login
> password.
[snip]
I think there's a difference between Apple's FileVault and FileVault 2. I recall the former booting completely to a login prompt, i.e., the OS was running and everything but home directories was accessible once the boot process was completed. Logging in caused home directories to become available, probably through using the user's password to decrypt a copy of the disk encryption key (as has already been described). I thought there was also a recovery partition. I could very well be wrong about this, though; it's been some time since I saw FileVault.
FileVault 2 appears to encrypt the entire drive, including the OS. Booting the system to its normal state is not possible without user interaction; you have to enter your password to allow the boot process to decrypt the key that's used to decrypt the rest of the filesystem containing the normal operating environment. It looks like there's no recovery partition, either, at least under Yosemite (v10.10.x), even though there appears to be one on disk; it doesn't show up as a boot option when the option key is pressed at boot. The only options given are to boot from the drive normally (which prompts for a password), or boot from the network.
I agree that it seems unlikely that a system could boot without user interaction unless the key is stored in plaintext somewhere that the boot process can retrieve it... which means it's likely accessible to other things, too.
--
Alan Amesbury
University Information Security
http://umn.edu/lookup/amesbury
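The key hierarchy Alan describes (a random volume key, a copy of it wrapped under a key derived from the login password, and the "plaintext key somewhere the boot process can read it" alternative from the last paragraph), as an added example that is not part of the original post and is not Apple's or FreeBSD's code. The key-slot layout, the PBKDF2 parameters, and the HMAC-SHA256 counter-mode construction standing in for a real AES key wrap are assumptions made here for illustration; the "volume" is just an in-memory header.

```python
# Added illustration of a password-wrapped volume key versus a passphraseless
# volume. Not code from the thread, from Apple, or from FreeBSD. HMAC-SHA256 in
# counter mode stands in for AES key wrap; slot layout and parameters are assumed.
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32                 # 256-bit volume key (assumed size)
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Turn a login password into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC(key, nonce || counter) as a PRF in counter mode; illustrative only,
    # a production system would use AES-KW or AES-GCM here.
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def wrap_key(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC the volume key under the KEK. Returns nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(volume_key, _keystream(kek, nonce, len(volume_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key. Raises ValueError when the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted key slot")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def create_volume(passwords: list) -> tuple:
    """Password-protected scheme: one random volume key, one wrapped copy per
    unlocking secret (login password, recovery key, ...). Only wrapped copies
    go into the on-disk header; the volume key itself lives only in RAM."""
    volume_key = secrets.token_bytes(KEY_LEN)
    slots = []
    for pw in passwords:
        salt = secrets.token_bytes(16)
        slots.append({"salt": salt, "wrapped": wrap_key(derive_kek(pw, salt), volume_key)})
    header = {"slots": slots}
    return header, volume_key


def unlock(header: dict, password: bytes) -> bytes:
    """What the boot process does after the user types a password: try every
    slot, succeed on the first one whose tag verifies."""
    for slot in header["slots"]:
        try:
            return unwrap_key(derive_kek(password, slot["salt"]), slot["wrapped"])
        except ValueError:
            continue
    raise ValueError("no key slot accepts this password")


def create_passphraseless_volume() -> tuple:
    """The 'key in the barn' scheme: the KEK is stored right next to the wrapped
    volume key so the boot process needs no user input."""
    volume_key = secrets.token_bytes(KEY_LEN)
    stored_kek = secrets.token_bytes(KEY_LEN)
    header = {"stored_kek": stored_kek, "wrapped": wrap_key(stored_kek, volume_key)}
    return header, volume_key


def unlock_passphraseless(header: dict) -> bytes:
    """No secret is needed: anyone who can read the header can do exactly what
    the bootloader does, which is the point made in the thread."""
    return unwrap_key(header["stored_kek"], header["wrapped"])


if __name__ == "__main__":
    header, vk = create_volume([b"correct horse battery", b"RECOVERY-KEY-EXAMPLE"])
    print("login password unlocks:", unlock(header, b"correct horse battery") == vk)
    print("recovery key unlocks:  ", unlock(header, b"RECOVERY-KEY-EXAMPLE") == vk)
    try:
        unlock(header, b"wrong")
    except ValueError as e:
        print("wrong password:        ", e)
    pl_header, pl_vk = create_passphraseless_volume()
    print("passphraseless, no secret supplied:", unlock_passphraseless(pl_header) == pl_vk)
```

Adding a user means adding a slot, not re-encrypting the disk, which is why the design wraps copies of the key rather than deriving the volume key from the password directly. In the passphraseless variant the only thing protecting the data is read access to the header; obscuring where the KEK is stored does not change that.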
More information about the freebsd-hackers mailing list