Comments on: Analysis of FileVault 2 (Apple’s full disk encryption) http://www.lightbluetouchpaper.org/2012/08/06/analysis-of-filevault-2-apples-full-disk-encryption/ Security Research, Computer Laboratory, University of Cambridge Wed, 19 Jun 2013 22:09:39 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: muondude http://www.lightbluetouchpaper.org/2012/08/06/analysis-of-filevault-2-apples-full-disk-encryption/comment-page-1/#comment-353681 muondude Thu, 18 Oct 2012 05:36:13 +0000 http://www.lightbluetouchpaper.org/?p=4305#comment-353681 Have you performed a similar analysis on the McAfee Endpoint Encryption for Mac? Have you performed a similar analysis on the McAfee Endpoint Encryption for Mac?

]]> By: Nick P http://www.lightbluetouchpaper.org/2012/08/06/analysis-of-filevault-2-apples-full-disk-encryption/comment-page-1/#comment-331354 Nick P Thu, 23 Aug 2012 18:29:29 +0000 http://www.lightbluetouchpaper.org/?p=4305#comment-331354 "assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key" Not a safe assumption. Besides, the best way to erase an encrypted volume is to forget the key. That trick let's you erase TB of data in under a second. ;) “assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key”

Not a safe assumption. Besides, the best way to erase an encrypted volume is to forget the key. That trick let’s you erase TB of data in under a second. ;)

]]> By: Owen http://www.lightbluetouchpaper.org/2012/08/06/analysis-of-filevault-2-apples-full-disk-encryption/comment-page-1/#comment-329233 Owen Fri, 17 Aug 2012 07:35:24 +0000 http://www.lightbluetouchpaper.org/?p=4305#comment-329233 From the paper: > We are not sure of the real advantage introduced by encrypting the > EncryptedRoot.plist file. This file contains the keys in an encrypted > blob (therefore security measures have already been taken), but the > key to decrypt the file is available as plain text in the header of the > CoreStorage volume (so any attacker can do that; for a dictionary > attack, as detailed earlier, an attacker only needs to decrypt this > file once). The purpose of encrypting this file is obvious given that its name is EncryptedRoot.plist.wipekey -- clearly it is encrypted with the "wipekey" from the header such that overwriting the sector(s) containing that wipekey will cryptographically wipe the volume (assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key). From the paper:

> We are not sure of the real advantage introduced by encrypting the
> EncryptedRoot.plist file. This file contains the keys in an encrypted
> blob (therefore security measures have already been taken), but the
> key to decrypt the file is available as plain text in the header of the
> CoreStorage volume (so any attacker can do that; for a dictionary
> attack, as detailed earlier, an attacker only needs to decrypt this
> file once).

The purpose of encrypting this file is obvious given that its name is EncryptedRoot.plist.wipekey — clearly it is encrypted with the “wipekey” from the header such that overwriting the sector(s) containing that wipekey will cryptographically wipe the volume (assuming true overwrites are possible on the media, and that attackers have not previously had access to the media to copy the key).

]]> By: finid http://www.lightbluetouchpaper.org/2012/08/06/analysis-of-filevault-2-apples-full-disk-encryption/comment-page-1/#comment-329078 finid Thu, 16 Aug 2012 17:30:06 +0000 http://www.lightbluetouchpaper.org/?p=4305#comment-329078 Have you tried something similar for reading a volume encrypted in Linux? Have you tried something similar for reading a volume encrypted in Linux?

]]>