Does FileVault 2 encrypt keys in sleep mode?
I have an early 2015 13" MacBook Pro running OS X 10.11.2 and I'm considering enabling FileVault 2. I realize that the disk is always encrypted, even when the machine is in use and only parts of it are decrypted, but the decryption keys are stored in RAM (I believe) when the machine is on. When I close the lid and the machine goes to some sort of sleep state, is it possible for an attacker with physical access to the device to obtain the decryption key granted that they don't know my user login password? User login password is set to be required immediately after waking from sleep. I got the idea that in newer versions of OS X FileVault keys are encrypted with user login keys, but I couldn't get any confirmation on this. I want to avoid enabling destroyfvkeyonstandby if possible as fast and reliable wake-from-sleep is important to me.
I don't believe any extra encryption is specified for the keys and also want to disagree with the statement "only parts of it are decrypted" as the entire volume is either unlocked or locked. For the filesystem to be mounted - all of it is unlocked.
So, you could enable destroyfvkeyonstandby, being sure to also disable power nap since that causes restarts if the machine wakes up too many times to find that the filesystem is encrypted while it tries to run.
- https://derflounder.wordpress.com/2014/02/12/power-nap-power-management-settings-and-filevault-2
For me, the risk that somehow the RAM will be captured from a sleeping Mac isn't worth the delay every wake of having to unlock the volume. My suspicions are that Apple has implemented the unlock in a way to make it highly secure whether the Mac is sleeping or not so that even if the contents of the drive are captured, you still need the proper password to unlock the volume the next time it is locked.
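The settings the answer above describes, as an added example that is not part of the original answers: a small POSIX shell script that prints (or, with APPLY=1 on a Mac, runs) the pmset commands that discard the FileVault key on standby and turn Power Nap off, and an audit function that checks a `pmset -g` dump for those values. The pmset keys (destroyfvkeyonstandby, hibernatemode, powernap) are documented in pmset(1); the function names and the sample `pmset -g` output are my own constructions, so they run anywhere, not only on the Mac being configured. Note that hibernatemode 25 writes RAM to disk before powering it off, which is exactly the slower wake the question wants to avoid; that is the trade-off this answer is weighing.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Keys and values follow pmset(1); everything else here is an assumption.

# Hypothetical helper: the settings recommended for "destroy the FileVault
# key on standby", one "key value" pair per line.
fv_standby_settings() {
    # destroyfvkeyonstandby 1 : drop the FV key from RAM when entering standby
    # hibernatemode 25        : write RAM to disk and power memory off, so the
    #                           key is not sitting in RAM while asleep
    # powernap 0              : Power Nap wakes a machine whose volume is
    #                           locked, which is the restart loop the answer warns about
    printf '%s\n' \
        'destroyfvkeyonstandby 1' \
        'hibernatemode 25' \
        'powernap 0'
}

# Print the sudo pmset commands; only run them when APPLY=1 and pmset exists.
fv_standby_apply() {
    fv_standby_settings | while read -r key value; do
        if [ "${APPLY:-0}" = 1 ] && command -v pmset >/dev/null 2>&1; then
            sudo pmset -a "$key" "$value"
        else
            echo "sudo pmset -a $key $value"
        fi
    done
}

# Audit: read `pmset -g` output on stdin, print one MISMATCH line per key
# that is missing or wrong, and return 0 only if every key is as recommended.
fv_standby_audit() {
    dump=$(cat)
    rc=0
    for pair in 'destroyfvkeyonstandby=1' 'hibernatemode=25' 'powernap=0'; do
        key=${pair%=*}
        want=${pair#*=}
        # pmset -g prints " key<spaces>value"; awk ignores the leading blank.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got ${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `pmset -g` from a laptop still on the defaults
# (not a real capture): the audit reports all three keys.
SAMPLE_PMSET_G='Currently in use:
 standby              1
 Sleep On Power Button 1
 hibernatemode        3
 powernap             1
 destroyfvkeyonstandby 0
 ttyskeepawake        1
 standbydelay         10800'

# Constructed sample after applying the settings: the audit passes.
SAMPLE_PMSET_G_FIXED='Currently in use:
 standby              1
 hibernatemode        25
 powernap             0
 destroyfvkeyonstandby 1
 standbydelay         10800'

if [ "${1:-}" = "demo" ]; then
    fv_standby_apply
    printf '%s\n' "$SAMPLE_PMSET_G" | fv_standby_audit || echo "defaults: not hardened"
    printf '%s\n' "$SAMPLE_PMSET_G_FIXED" | fv_standby_audit && echo "fixed: hardened"
fi
```

On a real machine, `pmset -g | fv_standby_audit` after `APPLY=1 ./script.sh demo` is the check; a non-zero exit means one of the three keys did not stick. Keep standby itself enabled (`standby 1`), since destroyfvkeyonstandby only takes effect when the machine actually enters standby rather than plain sleep.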
The only way to keep your Mac safe while you are away is to power it down. Period. Even then, leaving your Mac unattended may not be a good idea, but at least your data is safe, just in case the Mac got stolen.
FV2 does a great job protecting your data, but unless your Mac is powered down, there are potential ways for an attacker to compromise it and get hold of your data. Since you never know how sophisticated an attacker may be, the only way to get peace of mind is to turn it off.
I travel a lot with a MacBook Air and always power it down when I'm not using it.