FileVault - Security and Encryption in OS X
"Stolen laptop contained Social Security numbers" "Laptop thieves compromise personal information" "Health Center Laptop Stolen; 6000 Affected"
The scenarios above are all real headlines. The risks associated with a stolen laptop often far outweigh the value of the hardware itself: loss of privacy, regulatory problems, and embarrassment are all real consequences which could have been easily avoided with software included with the operating system.
With the release of Panther, Apple introduced a new encryption feature called FileVault. While the potential for this feature is high, there are some downsides that cannot be ignored if you wish to use it. In this paper, MSIS hopes to address both sides of the issue and ultimately answer the question "Is FileVault something that I should use?"
Overview of FileVault
FileVault uses 128-bit AES encryption to secure a user's home directory with no user interaction required. It stores the user's home directory as an encrypted disk image. When the user successfully logs in, FileVault mounts the disk image in place of the usual home directory. All disk activity in this protected directory is encrypted and decrypted on the fly as needed. At logout, FileVault unmounts the image and the entire directory becomes one disk image file again. Thieves and hackers cannot open the encrypted disk image without knowing the password.
Because FileVault integrates so closely with the operating system and does its work "in place", users do not need to do anything different or special to encrypt their files. Applications do not need to be aware of the encryption because it is all handled by the operating system.
Risks that FileVault can mitigate
FileVault was designed with laptop security in mind. It provides extraordinary protection against offline attacks. Thieves will be able to boot the machine but will not be able to read any of the data in a FileVault-protected home directory without also knowing the user's password. Even if they removed the drive and copied the data to another machine, they would still need to know the FileVault password to open the encrypted disk image. 128-bit AES encryption is quite strong, and it is highly unlikely that a thief will break the encryption itself.
FileVault also provides some protection against online attacks. While online, encrypted home directories will not be vulnerable to viruses or hacking as long as the user is not logged in. This may not be a common scenario but may provide some measure of protection for machines that act as servers as well as workstations.
128-bit AES encryption is strong, but it is susceptible to brute-force attacks on the password that unlocks it. Because of this, a good strong password (or, better, a passphrase) is recommended. An easy-to-guess password, or a password left casually on a sticky note, would provide an easy way in for thieves. On the flip side, if a password is lost there is absolutely no way to recover the data (unless you have set a master password and have not lost that one as well; more on that later). Users must choose passwords that are easy to remember but difficult to guess.
The way FileVault works also leaves it susceptible to attacks while the user is still logged in. It is secure only when the user is not logged in and the disk image is unmounted. This requires a few extra measures to ensure that a password is required for access. For example, a screen saver and sleep password should be required to prevent access during the short periods of time the user is away from the computer. Automatic login should not be turned on.
Although FileVault prevents unauthorized access to protected data, there are areas of the hard drive that are not protected. Users will need to remain vigilant and use caution when saving or accessing files outside of their home directory. By default Parallels, the Windows virtualization tool, stores its Windows images outside of home directories so that they may be accessed by all users, thus leaving the data within the virtual machine unencrypted and vulnerable.
The potential for data loss is also a consideration. FileVault is constantly encrypting and decrypting files, and it rolls everything up into a disk image on logout. What happens, then, if your computer crashes before you are able to log out, or if the power goes out? The possibility exists that the disk image becomes corrupt and can no longer be opened. Regular backups are essential to prevent data loss, but it is safest if machines are put on a UPS or are laptops (which can run on battery power) so they are not susceptible to corruption due to power loss.
How to use FileVault
It is ideal to start using FileVault on a newly-imaged machine in order to make sure that all information is encrypted. To start using FileVault:
- Turn on the computer and log in as the user whom you want to protect using FileVault.
- Go to the Apple Menu and choose System Preferences.
- Click on Security.
- Click on Set Master Password. This will set a master password that will allow you to unlock any FileVault protected account on the machine. It is HIGHLY recommended that you set this with a password you will not forget. In fact, if you are a system administrator, it is highly recommended that you set this master password for your users. Type in a master password, confirm it, and provide a hint that will help you remember the password.
- Click OK.
- Click on Turn on FileVault... Depending on how big your home directory is, it may take several minutes to complete. Also, you need to have enough hard drive space to make a complete copy of your home directory.
- Check the box next to Require password to wake this computer from sleep or screen saver.
- Check the box next to Disable automatic login.
- Check the box next to Log out after 60 minutes of inactivity. (You may want to change the default time before logout to something shorter).
- Check the box next to Use secure virtual memory.
- Click on Show All at the top of the window to return to the System Preferences pane.
- Click on Energy Saver and make sure that the computer is set to go to sleep.
- Click on Desktop and Screen Saver and make sure that the Screen Saver is activated.
- Close out of the system preferences and reboot the machine.
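Two points from this paper fit together: the warning in the risks section that the 128-bit key is strong but the password guarding it can be brute-forced, and the master password step above that lets an administrator unlock any protected account. The sketch below, added here as an illustration and not Apple's own FileVault code, assumes a structure in which one random 128-bit data key encrypts the image and is wrapped once under the user's password and once under the master password, so that either password recovers the same key while a wrong password recovers nothing. The slot layout, the PBKDF2 iteration count and the XOR-plus-HMAC wrap are constructed for the example (a real system would use an authenticated cipher or a key-wrap mode), and the entropy estimate is a rough upper bound that shows why the password, not the key, is the weak point.

```python
import hashlib
import hmac
import math
import os

# Constructed parameter: PBKDF2 iteration count. Every password guess must pay
# this cost, which is what makes a brute-force search against the password slow.
KDF_ITERATIONS = 100_000
DATA_KEY_BYTES = 16  # 128-bit key, the size this paper says FileVault uses


def derive_wrapping_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into 32 bytes: 16 to mask the data key, 16 for an HMAC tag."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def make_slot(password: str, data_key: bytes) -> tuple:
    """Wrap the data key under a password-derived key (toy XOR wrap plus HMAC tag)."""
    salt = os.urandom(16)
    wkey = derive_wrapping_key(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, wkey[:16]))
    tag = hmac.new(wkey[16:], wrapped, "sha256").digest()
    return salt, wrapped, tag


def open_slot(password: str, slot: tuple):
    """Return the data key if the password fits this slot, otherwise None."""
    salt, wrapped, tag = slot
    wkey = derive_wrapping_key(password, salt)
    expected = hmac.new(wkey[16:], wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: the tag fails, nothing about the key is revealed
    return bytes(a ^ b for a, b in zip(wrapped, wkey[:16]))


def create_protected_home(user_password: str, master_password: str = None):
    """Generate a random 128-bit data key and wrap it once per password.
    The key is returned only so the demo can check recovery; in a real system it
    exists only in memory while the image is mounted."""
    data_key = os.urandom(DATA_KEY_BYTES)
    slots = {"user": make_slot(user_password, data_key)}
    if master_password is not None:
        slots["master"] = make_slot(master_password, data_key)
    return data_key, slots


def unlock(slots: dict, password: str):
    """Try the password against every slot; report which slot opened and the key."""
    for name, slot in slots.items():
        key = open_slot(password, slot)
        if key is not None:
            return name, key
    return None


def password_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used).
    Assumes uniformly random choice from those classes, so this is an upper bound
    for human-chosen passwords."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    charset = sum(size for present, size in classes if present)
    return len(password) * math.log2(charset) if charset else 0.0


def effective_security_bits(password: str, key_bits: int = 128) -> float:
    """The image is only as strong as the cheaper search: the 128-bit key or the password."""
    return min(key_bits, password_bits(password))


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    key, slots = create_protected_home("correct horse battery", "admin-master-1")
    print(unlock(slots, "correct horse battery")[0])   # user
    print(unlock(slots, "admin-master-1")[0])           # master
    print(unlock(slots, "password"))                    # None
    for pw in ("pass1234", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, round(effective_security_bits(pw), 1))
```

The structure makes the paper's two warnings concrete: an eight-character password caps the whole image at roughly 40 bits of work regardless of the 128-bit key, and a home created without a master slot has no second path to the key, so losing the user password loses the data.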
Summary and Recommendations
FileVault clearly has some advantages in protecting data from thieves. While there are some potential downsides, with a bit of caution they are manageable. It is clearly geared toward the laptop user, and MSIS recommends that all laptop users use it with the extra security settings outlined above.
Data theft isn't as great an issue for desktop machines, as they are stolen much less frequently, and the UPS recommendation makes it an expensive option. In most circumstances, FileVault on desktop machines is probably overkill.