Guide To Encrypting & Securing Mac OS X With FileVault 2

September 26, 2017

Introduction

This comprehensive guide seeks to teach macOS users how to encrypt and secure their computers using FileVault 2. It also explains the common ways attackers attempt to defeat and bypass FileVault 2 encryption, and where those attempts succeed and fail. We will go through the advantages of deploying FileVault 2 and what the encryption can’t protect you from.

Enabling FileVault 2 is relatively simple, but there are important guidelines that the OS X user must follow to get the full benefit of FileVault 2 encryption. Turning on FileVault 2 alone isn’t sufficient. There are various hardening tips, OS setting modifications, and habits that must be embraced and applied to make the attacker’s job extremely difficult. This guide will cover all of this.

Benefits Of This Encryption/Security Guide

I can guarantee you that if you follow everything in this guide, your Mac computer will experience a significant improvement in both security and privacy.

Whoever your adversary may be will become increasingly frustrated if he ever manages to gain physical access to your machine. There will be a bucket of tears shed by the attacker for the time and money spent trying to overcome the on-the-fly encryption (OTFE) that FileVault 2 applies to volumes on OS X systems.

FYI, FileVault 2 encrypts the disk with AES in XTS mode, using 128-bit blocks and a 256-bit key, as recommended by the National Institute of Standards and Technology (NIST).

The adversary whoever he may be will not be able to break the encryption provided that you adhere to all the advice I have supplied in this tutorial.

Table Of Contents

This article is separated into several key sections:

  • Four Common Ways An Attacker Can Try To Unlock And Bypass FileVault 2 Encryption
  • How The Attacker Will Attempt, Succeed, And Fail To Unlock/Bypass FileVault 2 Encryption
  • Enabling FileVault 2 Full Disk Encryption (With Hardening Modifications)
  • How FileVault 2 Protects Against Attackers With Physical Access To Your Mac Computer
  • Using DestroyFVKeyOnStandBy to demolish the encryption key when proceeding into standby mode.
  • What OS X And FileVault 2 Can’t Protect The Mac User From
  • Using A Firmware Password On OS X For Security
  • Implications & Conclusion

Four Common Ways An Attacker Can Try To Unlock And Bypass FileVault 2 Encryption

There are four common ways an attacker can try to unlock and bypass FileVault 2 encryption:

  • 256-bit XTS-AES Key
  • User Password From Account With Admin Privileges
  • Recovery Key
  • Institutional Recovery Key

How The Attacker Will Attempt, Succeed, And Fail To Unlock/Bypass FileVault 2 Encryption On Target’s Computer

Attacker Obtaining The 256-bit XTS-AES Key

To recover the 256-bit XTS-AES key, an attacker has to dump the contents of the OS X system’s RAM to a file. This is rarely feasible: it requires that the user is logged in, which also means the decrypted disk is accessible, and that is not always the case.

Attacker Obtaining Recovery Key

In terms of the recovery key: the attacker could acquire a warrant and search for it at the user’s premises (if he/she is dumb enough to store a physical copy in the first place). The warrant is futile if the user did not store the recovery key in his/her iCloud account. (Who honestly would store it in their iCloud account?)

In reality, the adversary has no chance of recovering a recovery key even with tremendous resources like a supercomputer.

Attacker Obtaining User Password

To retrieve the user password, a well-funded attacker would run a brute-force tool of the kind sold commercially by digital forensics companies.

With the brute-force tool, the adversary first extracts the relevant information about the encrypted volume and saves it to a file, then runs the brute-force utility against that file with a carefully chosen dictionary wordlist. If the brute-force attack succeeds, the attacker obtains the password that unlocks the OS X system containing the encrypted volume.

Clearly, the adversary cannot always win. This is especially true when the Mac user has a long, complex password made of randomly selected mixed-case letters, numbers and symbols. The attacker is essentially defeated, since he does not have 10 centuries to spare and probably lacks a quantum computer. An adversary with a single NVIDIA GTX 1080 GPU will brute-force approximately 10,000 passwords per second, which is mediocre. With 4 GTX 1080 GPUs in a single computer, the rate will be about 40,000 passwords per second. Without a GPU accelerator, a CPU manages only 18 to 50 passwords per second.

We know that brute force will always win in the end given enough time, but even one century is a long time to wait.

Weaken Attackers’ Ability To Unlock Encrypted Volume By Limiting The Number Of OS User Accounts On Computer

Do not enable additional user accounts, since each one can be used and exploited to unlock the encrypted FileVault 2 volume. Do not create more than one user account on the OS X computer. An adversary with tremendous forensic capabilities has a better chance of recovering one of several passwords of interest than a single one. Hence, avoid deploying more than one FileVault 2 password.

Enabling FileVault 2 Full Disk Encryption (With Hardening Modifications)

Turning on FileVault 2 is simple.

  1. Click the Apple menu > System Preferences > Security & Privacy.
  2. Click on the FileVault tab.
  3. Click on the Lock button and enter your admin username and password.
  4. Click on the Turn On FileVault button.

Create a Recovery Key

Create a local recovery key.

Never store a FileVault 2 recovery key with Apple.

Also, never allow your iCloud account to unlock your disk and reset your password.

If you make a stupid mistake and store the key with Apple or grant your iCloud account privileges, your adversary will ultimately win.

Retain a copy of the letters and number of the key and store it somewhere safe. Do not store the copy on your premises. If you store the physical copy on your premises, an adversary can forcibly enter and locate the copy.

When the FileVault 2 setup is done, your OS X computer will restart and ask you to log in with your account password.

The password unlocks your system’s disk. No account is allowed to log in automatically.

Do check that automatic login is off as this is absolutely essential.

To do this:

  • Click the Apple menu > System Preferences > Users & Groups.

While you’re checking, also set the login window to display “Name and password”, and untick the following:

  • “Show Input menu in login window”
  • “Show password hints”
  • “Show fast user switching menu”
  • “Use VoiceOver in the login window”

Do not share the password with anyone else. Anyone that knows your password can turn against you whether willingly or unwillingly.

Everyone is an adversary. No one can be trusted.

Human error is the greatest vulnerability that is typically exploited by adversaries.

After the restart, the initial encryption of the OS X startup disk happens in the background while you use the Mac.

All new files that you decide to create are automatically encrypted.

Changing FileVault 2 Recovery Key

If you want to change the FileVault 2 recovery key because you suspect it has been compromised by an attacker, you may turn off FileVault 2 in the Security & Privacy preferences. Turn it back on again to produce a new key and deactivate all older keys.

Make Sure That Your Macintosh HD Disk Is Selected As The Startup Disk When Your Computer Starts

It’s important to ensure that your Mac boots up the Macintosh HD drive when it is turned on and not any other drive.

Also, make sure to click the lock icon to prevent further changes after selecting “Macintosh HD” as the drive to start up your computer.

Limit The Amount Of Startup Disks On Your Mac

It’s a good idea to not have another startup disk other than your “Macintosh HD.”

If there are additional startup disks on your computer, the attacker could attempt to boot into one of them. Hence, another start disk could be another attack vector.

You have to limit the attacker’s ability to penetrate your FileVault 2 whole disk encryption.

Change The Login Keychain Password To Be Different From Your User Account Password

The keychain on OS X is exceptionally important. It is a locked and encrypted container that stores sensitive information like account names and passwords for websites.

Any kind of malware and adversary will absolutely enjoy stealing all of that information in the container.

By default, the keychain on macOS is automatically unlocked when the user logs in. By changing the keychain password to be different from your user account password, the keychain will not automatically be unlocked during login.

Many attacks launched by adversaries require that the keychain is initially unlocked. Hence, it is imperative to change the keychain password to be different from your user account password.

The Keychain Access application can be found by going to:

  • Macintosh HD > Applications > Utilities > Keychain Access.

Or, if you’re lazy, open Spotlight (the search icon next to the clock in the upper right corner) and type “Keychain”.

Right click on the login keychain and select: Change Password for Keychain “login”…

Make sure to enter a strong password consisting of mixed case/numbers/symbols that are randomly selected.

Make sure the new password is entirely different from your user account login password. Don’t write the password down. Memorize it.

Always Remember To Lock Your Login Keychain Especially When You Are Going To Put The System To Sleep

When you are not using the keychain, always lock it.

Don’t just remember to lock your login keychain, but actually do it.

When you are in the Keychain Access application, click on the lock icon to lock the login keychain.

How FileVault 2 Protects Against Attackers With Physical Access To Your Mac Computer

Firewire/DMA Attacks

FileVault 2 is secure against FireWire/DMA attacks on locked and sleeping Mac OS X computers since version 10.7.2. Versions 10.7.2 and higher disable FireWire DMA while the system is locked: as soon as the OS X screen lock is activated, the operating system enables additional protections that prevent FireWire/Thunderbolt DMA attacks from gaining access to memory.

You can say goodbye to commonly used and accessible tools like Inception!

Also, a memory analysis tool like winlockpwn is easily overwhelmed. If you don’t know what winlockpwn does, it exploits FireWire’s direct memory access on Windows. Basically, the OS permits FireWire devices to read and write memory directly without going through the processor.

Keep in mind that a DMA attack is still achievable when the user is logged in and the system is unlocked. If the DMA attack is successful, FileVault 2’s encryption is easily defeated and the password is at grave risk.

Another possible attack exists when user switching is enabled. However, the user switching method only works on OS X versions prior to 10.7.2. Therefore, skilled adversaries know that RAM capturing tools have to be run on a running OS X computer with the FileVault 2 container unlocked and a user presently logged in.

Secondary Precautionary Measure: Prevent Attacker With Physical Access To FileVault 2 Encrypted OS X Computer From Taking Your Encryption Key In StandBy Mode

If you are still concerned that an attacker can grab your encryption key from RAM during standby, you may make use of a power management feature in OS X named “DestroyFVKeyOnStandby”.

“DestroyFVKeyOnStandby” essentially destroys the FileVault encryption key when the machine enters standby mode.

Altering Sleep Options Using The “pmset” Command

There are two sleep options available for adjusting:

  • destroyfvkeyonstandby (value 1): Eliminates the full volume encryption key from memory when the computer is put to sleep; its effect depends on the value of hibernatemode.
  • hibernatemode (value 25): Compels the computer to write memory to disk immediately and also removes power from memory upon entering sleep mode.

The command to type into Terminal (sudo runs it as the root user) is: sudo pmset -a destroyfvkeyonstandby 1

The above command enables destruction of the FileVault key in standby mode for all power sources (-a), i.e. charger (-c), battery (-b) and UPS (-u).

You may also choose to set both options at once: sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
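The pmset settings above, the single-account advice and the automatic-login check earlier in this guide can all be verified from a shell. The following audit script is an added example written for this article, not the article’s own tooling; it assumes the output formats of pmset -g, fdesetup list and defaults read described in its comments, and ships with constructed sample outputs so the checks run anywhere.

```shell
#!/bin/sh
# Audit of the hardening settings this guide recommends (added example; not
# the article's own script). Each check takes the text output of a macOS
# command as its argument, so it runs against constructed samples on any
# POSIX shell; on a Mac, feed it live output (see the note after the block).

# `pmset -g` must show destroyfvkeyonstandby 1 and hibernatemode 25.
# Assumption: one " name value" pair per line; the key is matched
# case-insensitively because pmset prints it as DestroyFVKeyOnStandby.
check_pmset() {
    dfv=$(printf '%s\n' "$1" | awk 'tolower($1) == "destroyfvkeyonstandby" { print $2 }')
    hib=$(printf '%s\n' "$1" | awk 'tolower($1) == "hibernatemode" { print $2 }')
    [ "${dfv:-0}" = "1" ] && [ "${hib:-0}" = "25" ]
}

# Accounts able to unlock the volume, from `sudo fdesetup list`, which prints
# one "username,UUID" line per enabled user. The guide wants exactly one.
fv_user_count() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { n++ } END { print n + 0 }'
}

# `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
# prints the account name when automatic login is on; when it is off the
# command fails with a "... does not exist" message instead.
autologin_enabled() {
    case "$1" in
        ""|*"does not exist"*) return 1 ;;
        *) return 0 ;;
    esac
}

audit() {
    if check_pmset "$1"; then echo "OK    FileVault key is destroyed on standby"
    else echo "WARN  run: sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25"; fi
    n=$(fv_user_count "$2")
    if [ "$n" -eq 1 ]; then echo "OK    a single FileVault-enabled user"
    else echo "WARN  $n FileVault-enabled users; keep only one account"; fi
    if autologin_enabled "$3"; then echo "WARN  automatic login is on for: $3"
    else echo "OK    automatic login is off"; fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_PMSET_DEFAULT='System-wide power settings:
Currently in use:
 hibernatemode        3
 standby              1'
SAMPLE_PMSET_HARDENED='System-wide power settings:
Currently in use:
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 standby              1'
SAMPLE_FV_USERS='alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000'
SAMPLE_AUTOLOGIN='The domain/default pair of (com.apple.loginwindow, autoLoginUser) does not exist'
audit "$SAMPLE_PMSET_DEFAULT" "$SAMPLE_FV_USERS" "$SAMPLE_AUTOLOGIN"
```

On a Mac, replace the last line with: audit "$(pmset -g)" "$(sudo fdesetup list)" "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1)".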

What OS X And FileVault 2 Can’t Protect The Mac User From

Cold Boot Attacks

OS X and FileVault 2 cannot defend against cold boot attacks, because the encryption keys are held in memory while the machine is powered on, for instance from the moment you enter your password at boot. This issue isn’t limited to FileVault 2 full-disk encryption but applies to all other software full-disk encryption tools, and there is no publicly known software defense against cold boot attacks.

For security and privacy purposes, power off the computer entirely when you don’t plan on using it.

Guidelines For Encrypting And Securing Mac OS X System

Using A Firmware Password On OS X For Security

Purpose In Enabling A Firmware Password On OS X

Systems running OS X can set a password that locks the firmware settings and prevents unintended changes to the firmware of that particular system.

A firmware password is recommended for preventing motivated adversaries from booting from a different system volume, or from any internal or external storage device other than the startup disk you have chosen.

Notably, a firmware password prevents the use of startup key combinations to alter the boot sequence. Hence, it stops anyone who doesn’t possess the password from booting from any disk other than your chosen startup disk, and it also blocks the bulk of startup key combinations.

Furthermore, the firmware password also impedes Direct Memory Access (DMA) through interfaces like FireWire. Remember that Target Disk Mode relies on DMA, so a firmware password additionally blocks its use on the system. If an adversary tries to mount the volume from another computer using Target Disk Mode, the firmware password has to be entered before the target’s volume can be mounted.

How To Set A Firmware Password On An OS X System

  1. Boot into the macOS built-in recovery system by holding down Command (⌘)-R immediately after turning on your Mac via the power button.
  2. The macOS Recovery utilities window will appear. From the menu bar, click on Utilities > Firmware Password Utility.
  3. Click “Turn On Firmware Password.”
  4. Enter a firmware password that is strong and complex. Use a combination of words, symbols, and letters. Click “Set Password.” Memorize this password.
  5. You may now exit the Firmware Password Utility. Restart your Mac by clicking on the Apple menu > Restart.

How To Know If Firmware Password Is Working As Intended On OS X

The OS X system will prompt for the firmware password when the user tries to start up from a storage device other than the one chosen in Startup Disk preferences, or when booting into macOS Recovery.

You’ll see the firmware password prompt: a lock icon with a password field.

Implications & Conclusion

Properly Encrypted Data Can Defeat Any Adversary

When the data on the disk is properly encrypted, such data cannot be accessed by any adversary. However, that alone isn’t enough.

We also need to establish the following:

  • The encryption is strong
  • Password is strong
  • The password is not stored anywhere the adversary can access

When the above are embraced and implemented, all adversaries, regardless of how well-funded and skilled they are, can be defeated.

Of course, some additional modifications to OS settings are required:

  • Disabling automatic login
  • Creating a different password for the login keychain on Mac
  • Remembering to lock the login keychain
  • Never store the recovery key in your iCloud account with Apple

All of these implementations and modifications will easily frustrate anyone that is interested in gaining access to the data on your Mac.

The only way attackers can “bypass the full-disk encryption” is to subvert your computer by installing malware which is uncommon.
