Whole disk encryption. How can the kernel be encrypted?

A standard pitfall of disk encryption on Linux is needing /boot unencrypted, specifically the bootloader and initrd. Encrypting the entire disk means putting those somewhere else, e.g. on a USB stick.

edit: I have now learned that GRUB can decrypt a filesystem containing the kernel at boot, so it's only the bootloader that needs to be unencrypted under Linux.

I am under the impression that it's "known" that FileVault implements whole disk encryption. I certainly believed this was the case. This is slightly difficult to demonstrate without a bunch of links to external sites. A couple of internal ones:

brute-force-on-whole-disk-encryption and whole-disk-encryption-with-a-windows-only-bootcamp

And an existing question that answers essentially this question is-file-vault-2-whole-disk-encryption-or-whole-partition-encryption

It seems fairly clear that FileVault works at partition granularity and that Apple uses a separate boot partition. I can't find any evidence to suggest that FileVault can be used on the boot partition.

I don't understand how it can boot so far as to offer a login prompt if the whole disk is encrypted. What am I missing?

For reference, the system I'm interested in is using APFS rather than CS (Core Storage) and does not have a T2 chip.


Solution 1:

At the most basic level, Apple controls the firmware and stores the absolute minimum information needed to present the illusion that an OS is running at the pre-boot login screen when FileVault is enabled.

This is documented quite extensively by Apple:

  • https://support.apple.com/en-us/HT201159 - Product security certifications, validations, and guidance for macOS
  • https://support.apple.com/en-us/HT204837 - Use FileVault to encrypt the startup disk on your Mac
  • https://support.apple.com/en-us/HT208862 - Mac Computers that have the T2 chip

Prior to the T2 chip, which serves as a sort of trusted module to authenticate whether the OS being booted is properly signed/encrypted and/or not tampered with, this pre-boot information can be stored in NVRAM as well as on the EFI / Recovery HD partitions, which don't get encrypted with a key that needs a user password/passphrase to unlock the main storage.

When you change the background or the users that are allowed to unlock FileVault, this cached data is saved outside the encrypted portion of the disk, so we are presented with the icons and graphical login screen. When I see Apple say the startup disk is encrypted, I take that to mean the Macintosh HD logical volume only, which stores all user data and all of the OS but not the firmware and pre-boot data (except for T2-equipped hardware, which is a special case and not the norm yet).

You can confirm this with either command below, depending on whether your OS supports APFS and APFS containers (the new standard for volumes and encryption) or HFS+ and Core Storage containers:

diskutil cs list
diskutil apfs list

The other exciting change that's in progress relating to the T2 chip on the new MacBook Pro and the iMac Pro is that it can enforce encryption of the internal storage whether or not anyone takes the second step of enabling FileVault. Specifically, it will generate an encryption key and start encrypting all data before the user account is even created. An SSD from any of these will not be readable if taken to another computer, whether or not that computer has a T2 chip. The keys needed to decrypt the entire drive are stored solely in the Secure Enclave.

Solution 2:

The boot partition doesn't need to be on a stick, it can also be on the drive itself (Boot OS X):

pse@Mithos:~$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            121.0 GB   disk0s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk0s3

/dev/disk1 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:          Apple_CoreStorage Macintosh HD            999.3 GB   disk1s2
   3:                 Apple_Boot Recovery HD             650.1 MB   disk1s3

/dev/disk2 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +1.1 TB     disk2
                                 Logical Volume on disk0s2, disk1s2
                                 559BC36D-E609-490D-8DDA-7C6F344DBB9B
                                 Unlocked Encrypted Fusion Drive
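
The point both answers make is that what stays plaintext on a FileVault Mac is the EFI and Apple_Boot (Boot OS X / Recovery HD) partitions, while the encrypted data lives inside a Core Storage or APFS container. The following shell script is an added example, not code from either answer: it reads `diskutil list` output and labels each row as plaintext pre-boot storage, a container, or a (possibly encrypted) logical volume, using the listing from Solution 2 as embedded sample input so it runs offline. The type-to-class mapping, the joining of the two-word APFS types ("APFS Container Scheme", "APFS Volume"), and the function names are assumptions made for this example. Note that a `Apple_CoreStorage` or `Apple_APFS` row only tells you a container exists, not that it is encrypted; that is why it is labelled "container" and why Solution 1 points you at `diskutil cs list` / `diskutil apfs list` for the actual encryption state.

```sh
#!/bin/sh
# Added example (not from either answer): classify each row of `diskutil list`
# output as plaintext pre-boot storage, an encryption container, or a volume,
# and promote a volume to "encrypted-volume" when diskutil's continuation line
# for it says "Encrypted" (as the Fusion Drive row does in Solution 2).
#
# Sample input is the listing from Solution 2, embedded here so the script runs
# offline. On a real Mac:  diskutil list | classify_partitions

SAMPLE_LISTING='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            121.0 GB   disk0s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk0s3

/dev/disk1 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:          Apple_CoreStorage Macintosh HD            999.3 GB   disk1s2
   3:                 Apple_Boot Recovery HD             650.1 MB   disk1s3

/dev/disk2 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +1.1 TB     disk2
                                 Logical Volume on disk0s2, disk1s2
                                 559BC36D-E609-490D-8DDA-7C6F344DBB9B
                                 Unlocked Encrypted Fusion Drive'

# classify_partitions: reads `diskutil list` text on stdin and writes one line
# per partition/volume in the form "<identifier> <type> <class>".
classify_partitions() {
  awk '
    # Emit the row we are holding (if any) once its continuation lines are done.
    function flush() { if (id != "") print id, type, cls; id = "" }

    # A row starts with an index like "   1:"; TYPE is field 2, IDENTIFIER is last.
    /^ +[0-9]+:/ {
      flush()
      type = $2; id = $NF
      # Whole-disk rows (GUID_partition_scheme, "APFS Container Scheme") are not
      # partitions; skip them. Assumption: APFS rows use the two-word types
      # "APFS Container Scheme" / "APFS Volume", which we join with "_".
      if (type ~ /_partition_scheme$/ || (type == "APFS" && $3 == "Container")) { id = ""; next }
      if (type == "APFS") type = $2 "_" $3
      if (type == "EFI" || type == "Apple_Boot")                    cls = "plaintext"
      else if (type == "Apple_CoreStorage" || type == "Apple_APFS")  cls = "container"
      else                                                           cls = "volume"
      next
    }
    # Continuation lines belong to the row above; "Encrypted" (capital E, so
    # "Unencrypted" does not match) marks a logical volume as encrypted.
    /Encrypted/ { if (id != "" && cls == "volume") cls = "encrypted-volume" }
    END { flush() }
  '
}

# plaintext_partitions: only the identifiers readable without any passphrase,
# i.e. what the firmware and bootloader work from before FileVault unlocks.
plaintext_partitions() {
  classify_partitions | awk '$3 == "plaintext" { print $1 }'
}

printf '%s\n' "$SAMPLE_LISTING" | classify_partitions
echo "--- readable before unlock:"
printf '%s\n' "$SAMPLE_LISTING" | plaintext_partitions
```

On the sample above the script reports the two EFI and two Apple_Boot partitions as plaintext, the two Core Storage partitions as containers, and disk2 (the Fusion Drive logical volume) as an encrypted volume, which is exactly the split Solution 1 describes: pre-boot data outside the encrypted volume, everything else inside it.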