FileVault

FileVault is a OS X build-in method for on the fly encryption and decryption of your internal hard disk. OS X Lion and Mountain Lion are using FileVault 2, with version 2 it is possible to encrypt the entire disk and not only the users home folder. FileVault uses the XTS-AES 128 encryption and because of CPU optimizations there is almost no noticeable performance issue with the on the fly encryption and decryption process.

Booting from an encrypted system disk is not possible. So apple needed to think of something to authenticate the user and start decrypting the system disk before accessing it. Apple designed it to boot from the recovery partition and present the login window. When a user enters the right credentials the decryption key is accessed, with the decryption key the system volume is decrypted.

FileVault can be enabled by going to the Security and Privacy pane in the system preferences. When enabling FileVault on systems with multiple local users it is possible to allow every user to unlock the computer. During the setup you will get a recovery key, this key can be used if all the user passwords are lost. The recovery key should be stored somewhere safe!

Knipsel

You can also choose to store the recovery key with Apple. To do this you need to choose three questions and provide three answers. After storing the recovery key the systems needs to restart. When the system is restarted the encryption process begins. During the encryption process the mac can be used normally. With the following command the process can be watched in the terminal:

diskutil cs list

In the output you can see after “Size (Converted):” how many GB have been encrypted so far.

diskutiloutput

When the process is finished the result will be “-none-“. The process can also be monitored in the FileVault menu:

encryption

When booting your system and you have forgotten your password you can enter your recovery key after three bad passwords. With the recovery key the system disk is decrypted and after the boot it is possible to set a new password. When the recovery key is stored with Apple you need to call AppleCare. Here you give the macs serial number and answer the three security questions. When the recovery key is lost and it is not stored with Apple there is no way to recover the data on the disk.

Keychains

I want to tell you briefly about the keychain system in OS X. Keychains are used to store sensitive critical data. You can think of:

  • Resource passwords (only if allowed to save)
  • Wireless passwords
  • Kerberos items
  • Certificates
  • Keys
  • Website forms
  • Secure notes

Only the account password is not stored in the keychains.

The keychains are files encrypted with the Triple DES algorithm and located in different locations.

  • /Users/%username%/Library/Keychain/login.keychain

The login.keychain is automatically created for every user and is unlocked when the user successfully logs in. This keychain contains user specific items.

  • /Library/keychain/System.keychain

Non user specific items are stored in the System.keychain. Here you can find wireless passwords, network passwords and Kerberos items. Only administrators can make changes in this keychain.

  • /Library/Keychain/FileVaultMaster.Keychain

This keychain can only be opened with the File Vault master password. I will make a future blog post about File Vault where this is explained.

  • /System/Library/Keychains

This is also a keychain where only administrators can make changes. It is used to store root certificates.

With the Keychain Access application found in /Applications/Utilities you can open and edit the keychain. You can add, delete and modify entries. It is also possible to repair keychains. The keychain Access application opens with the user’s login.keychain as a default. Here you see different entries and you can resolve passwords. If you want to show a password you will be prompted for the user account password.

As mentioned earlier the login.keychain password is the same as the user account password. When a user changes his password the login.keychain password is also changed but if the password is reset by an administrator the login.keychain password is not changed. When the user logs in after a reset by an administrator there will be the following prompt:

Knipsel

The user can choose to update the keychain password but fore this the user needs to remember his forgotten password. So normally the user needs to create a new keychain. This new keychain is then created with the new user password. Because there is a new keychain the saved password etc. from the old locked keychain are not present anymore.

The old keychain is saved in the user’s  ~/Library/Keychains folder. It can still be unlocked with the Keychain Access application when the user remembers the old password. If OS X can’t open the keychain and it is corrupted you can repair it with the Keychain Access application. In the Keychain Access menu you can choose Keychain First Aid. Here you need to enter a username and password, select the repair option and click on the Start button.

Nice little extra: If you travel a lot and want to take notes etc. securely with you, you can safe them in a keychain file. With the Triple DES encryption the keychain file is securely encrypted and you can only open the keychain again with the password you used to create the keychain.