What user behavior is necessary to make Filevault 2 maximally secure?

macos security filevault encryption

Situation: Filevault 2 passwords can be stolen

Passware has released the Passware Kit Forensic 11.3 which is able to steal the FileVault 2 password from the RAM by performing a DMA Attack via the FireWire port.

They state that their software:

  • recovers Mac User Login passwords and FileVault keys from computer memory and
  • decrypts TrueCrypt and FileVault volumes in minutes.

Various suggestions have been made trying to describe how to protect a Mac with Filevault 2 from such an attack:

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

This will remove the full volume encryption key from RAM when the system is put into sleep mode and forces the system to immediately write RAM to disk and remove power from memory upon sleep.

Question:

What user behavior is necessary and what steps does one have to take for maximum protection with FileVault 2 on the Mac?


Your question contains the most important thing needed to secure a computer against a motivated attack to compromise a FileVault 2 protected Mac volume.

  1. Don't connect FireWire to a device you don't or can't trust while you are logged in to an account that has file vault keys active.
  2. Pick good single use passwords to reduce the chance of other compromises degrading the security of your FileVault password.
  3. Update to 10.7.3 and verify sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 power management settings that force hibernate mode to secure your keys from compromise when the device would normally "sleep"

I do follow Rich Trouton to keep up to date on his blog for nice commentary on securing macs. The mix of up to date topics seasoned with experience as a real world system administrator make his writing very valuable to me.

The crux of the issue is your parsing What user behavior is necessary to have security. I always like to think of security as a mindset and ongoing attempt to plan, implement, measure and adapt. Security isn't something you buy or something you "set up" and training users to actually not divulge the passcode they have used to store their unlock phrase is the weakest part of FileVault's security layer. Not reusing that passcode - having a system where you get your users to understand why their keychain password needs to be unique and secure is far, far harder and takes far longer than just setting up a plan for implementing file vault initially. Best of luck in your quest for security!


Could someone steal your machine? Besides preventing electronic access, you'd need to keep it under lock & key.

Seriously, at each step, you get the most improvement by covering the then weakest point; once your software defenses are better than the physical ones, better software defenses add no (or barely any) improvement.

Related

Mount Shared Drive via AFP in Terminal
Trying to set boot-args with nvram gets "general error" on Sierra
How to mount disk by UUID or LABEL in OS X El Capitan?
Updating modifier key mappings through defaults command tool
Are the rationals a closed or open set in $\mathbb{R}$?
Why doesn't L'Hôpital's rule work in this case?
Why should we care about groups at all?
undergraduate math vs graduate math
Why do differentiation rules work? What's the intuition behind them? (Not asking for proofs)
Why does topology rarely come up outside of topology?
What are some theorems that currently only have computer-assisted proofs?
Why are algebraic structures preserved under intersection but not union?