Analysis of FileVault 2 (Apple’s full disk encryption)

August 6th, 2012 at 14:45 UTC by Omar Choudary

With the launch of Mac OS X 10.7 (Lion), Apple has introduced a volume encryption mechanism known as FileVault 2.

During the past year Joachim Metz, Felix Grobert and I have been analysing this encryption mechanism. We have identified most of the components in FileVault 2’s architecture and we have also built an open source tool that can read volumes encrypted with FileVault 2. This tool can be useful to forensic investigators (who know the encryption password or recovery token) who need to recover some files from an encrypted volume but cannot trust or load the Mac OS installation that was used to encrypt the data. We have also analysed the security of FileVault 2.

A few weeks ago we made public this paper on ePrint describing our work. The tool to recover data from encrypted volumes is available here.

Entry filed under: Academic papers, Authentication, Cryptology, Useful software

4 comments

  • 1. finid  |  August 16th, 2012 at 17:30 UTC

    Have you tried something similar for reading a volume encrypted in Linux?

  • 2. Owen  |  August 17th, 2012 at 07:35 UTC

    From the paper:

    > We are not sure of the real advantage introduced by encrypting the
    > EncryptedRoot.plist file. This file contains the keys in an encrypted
    > blob (therefore security measures have already been taken), but the
    > key to decrypt the file is available as plain text in the header of the
    > CoreStorage volume (so any attacker can do that; for a dictionary
    > attack, as detailed earlier, an attacker only needs to decrypt this
    > file once).

    The purpose of encrypting this file is obvious given that its name is EncryptedRoot.plist.wipekey — clearly it is encrypted with the “wipekey” from the header such that overwriting the sector(s) containing that wipekey will cryptographically wipe the volume (assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key).
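
As an added illustration of the layering Owen describes (example code written for this page, not from the paper or the recovery tool): a Go model in which the wipekey sits in plaintext in the header, EncryptedRoot.plist is encrypted under it, and the plist holds the volume key. AES-GCM is a stand-in for FileVault's actual key wrapping and XTS modes, and the plist is reduced to the bare volume key; overwriting the header's wipekey leaves the plist, and so the data, unrecoverable unless the wipekey was copied beforehand, which is exactly the caveat in the comment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Volume is a constructed model of the key layering: the wipekey is plaintext
// in the CoreStorage header, EncryptedRoot.plist is encrypted under it, and the
// plist (reduced here to the bare volume key) unlocks the user data.
type Volume struct {
	HeaderWipeKey []byte // plaintext wipekey in the header sector
	EncryptedRoot []byte // nonce||ciphertext of the plist under the wipekey
	Data          []byte // nonce||ciphertext of user data under the volume key
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are fixed at 32 bytes (AES-256)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) { // blob is always nonce||ct here
	g := aead(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
func NewVolume(data []byte) *Volume {
	wipeKey, volKey := make([]byte, 32), make([]byte, 32)
	rand.Read(wipeKey)
	rand.Read(volKey)
	return &Volume{wipeKey, seal(wipeKey, volKey), seal(volKey, data)}
}

// Recover walks header -> plist -> volume key -> data with the wipekey given.
func (v *Volume) Recover(wipeKey []byte) ([]byte, error) {
	volKey, err := open(wipeKey, v.EncryptedRoot)
	if err != nil { return nil, err }
	return open(volKey, v.Data)
}

// CryptoWipe overwrites only the header sector holding the wipekey.
func (v *Volume) CryptoWipe() { copy(v.HeaderWipeKey, make([]byte, 32)) }
```

Recovering with the live header fails after CryptoWipe, but a wipekey copied before the overwrite still unlocks every byte, so the wipe only holds against an adversary who never saw the header.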

  • 3. Nick P  |  August 23rd, 2012 at 18:29 UTC

    “assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key”

    Not a safe assumption. Besides, the best way to erase an encrypted volume is to forget the key. That trick lets you erase TB of data in under a second. ;)

  • 4. muondude  |  October 18th, 2012 at 05:36 UTC

    Have you performed a similar analysis on the McAfee Endpoint Encryption for Mac?
