Are there any public audits of the disk level encryption in Mac OS X Lion?
As a rule, one should never trust closed-source cryptography software, but encrypting external drives and Time Machine backups has become quite convenient in Mac OS X Lion. Is that specific code available anyplace? Or has anyone audited it seriously?
Solution 1:
According to a public talk by Rich Trouton, FileVault 2 is not FIPS 140-2 validated, but "Apple's new Common Crypto implementation is just starting to undergo FIPS evaluation".
The code itself for Common Crypto is available at http://www.opensource.apple.com/ and has been all the way back to 10.4 (where I got tired of checking revisions - it probably goes back even further, but what matters is the code shipped in Lion, which is available for all three Lion releases: 10.7, 10.7.1 and 10.7.2).
Solution 2:
It looks like the FIPS validation is proceeding, with iOS 5's CommonCrypto being validated first and then Lion's.
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
Entries 1672 - 1677 at the NIST link above are for CommonCrypto in iOS 5 for the various iDevices. It also appears that Apple is revalidating the now-deprecated Common Data Security Architecture (CDSA) cryptographic framework for Lion as of 11/17/2011 (entry 1872 in the link above).