Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: William Cerniuk <email@hidden>
- Date: Tue, 12 May 2015 11:30:52 -0400
The interesting thing about Mac OS X in the beginning is that the volume it created was on a normal HFS+ volume as a disk image. Back then, you could connect a Mac OS X boot disk to a Mac OS 9 machine and the disk image could be copied… it was a file or a ‘soft partition’ that was booted into by Mac OS X.
While I have not written many disk drivers lately (long time since Syquest days), I wonder if some of the technique is intact and in this case the disk image that is created (or similar) is a sparse disk image that expands over the physical disk encryption as space is needed.
Probably much has changed but it sounds like the same approach as before based upon the symptoms.
That is a bit of a nasty surprise when turning a disk from non-encrypted to encrypted and thinking that you are now “safe” when in fact, maybe not.
--
R/Wm.
Ph: 703.594.7616
AppleID: email@hidden
> On 12-May-2015, at 10:52, Trouton, Rich R <email@hidden> wrote:
>
> I talked with Paul offlist about this and the issue appears to be this:
>
> 1. You can wipe a previously non-encrypted drive with a single-pass erase and set it to be encrypted using Disk Utility
> 2. You can recover previously-written data from the drive following encryption.
>
> Anything that gets written to the drive after the erase-and-encrypt is encrypted. It's the before-erasure data which is recoverable.
>
> One way to address it may be to run a single zero-pass erase with the encrypt option. That should make sure that the disk is completely overwritten with encrypted zeroed data and also make the previously stored data inaccessible. That said, consult your agency's guidelines for media sanitization for guidance.
>
> Thanks,
> Rich
>
> On May 12, 2015, at 8:18 AM, William Cerniuk <email@hidden> wrote:
>
>> So confused as to the Disk Utility difference. It produces a disk image that is encrypted. This is for my purposes the same as what occurs in full disk drive encryption. (One OS's partition is another OS's file)
>>
>> Is the "bytes on a drive" that you noted different?
>>
>> --
>> R/Wm.
>>
>> 703.594.7616
>>
>>
>>
>>
>>> On May 11, 2015, at 15:23, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
>>>
>>> Hey Hank,
>>>
>>> FV1 didn’t operate like that. FV1 created an encrypted sparse bundle to hold the user’s home directory. It didn’t encrypt anything outside that and it wasn’t at the volume level. FV2 is volume encryption, specifically described as full disk encryption, though I now know their engineers don’t like to call it that because it’s inaccurate. They prefer full drive encryption because only a logical volume is encrypted, not the full disk.
>>> Paul
>>> --
>>> Paul Campbell | Senior Macintosh Systems Administrator
>>> ASRC Federal Research and Technology Solutions
>>> NASA Ames Research Center
>>> Moffett Field, CA 94035
>>> email@hidden
>>> W: 650.604.4014 | F: 650.604.3323
>>>
>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>
>>>> On May 11, 2015, at 11:53 AM, Henry B (Hank) Hotz, CISSP <email@hidden> wrote:
>>>>
>>>>
>>>>> On May 11, 2015, at 10:09 AM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
>>>>>
>>>>> Just to follow up in general thread:
>>>>>
>>>>> For question one, the kernel is performing the encryption below the level of Activity Monitor being able to attribute it to a specific process. So you can see the disk activity, but no process accumulates the read/writes. fs_usage can attribute the activity.
>>>>
>>>> Not quite sure what the question is. You want Activity Monitor to show something that fs_usage does show? (If so, sounds like a feature request?)
>>>>
>>>>> For question two, Disk Utility does not perform full drive encryption like System Preferences > Security & Privacy > FileVault, Time Machine disk encryption, or Finder Control Click > Encrypt. It only encrypts bytes-on-drive as they are written. I reported it to Apple as a bug, but they say it’s functioning as expected and closed my ticket.
>>>>
>>>> That’s the difference between FileVault 1 and FileVault 2, so I’d say that really is as expected.
>>>>
>>>>> Paul
>>>>> --
>>>>> Paul Campbell | Senior Macintosh Systems Administrator
>>>>> ASRC Federal Research and Technology Solutions
>>>>> NASA Ames Research Center
>>>>> Moffett Field, CA 94035
>>>>> email@hidden
>>>>> W: 650.604.4014 | F: 650.604.3323
>>>>>
>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>>>
>>>>>
>>>>>
>>>>> From: <Campbell>, Paul Campbell <email@hidden>
>>>>> Date: Thursday, April 16, 2015 at 9:24 AM
>>>>> To: "email@hidden" <email@hidden>
>>>>> Subject: [Fed-Talk] Two Questions about FileVault
>>>>>
>>>>> Hello All,
>>>>>
>>>>> I’ve read the FileVault white paper, and I’ve searched the web, but can’t find the answer to these two questions:
>>>>>
>>>>> When you encrypt a disk from the Finder, Activity Monitor shows the disk activity as the drive is encrypted, but no process shows as being responsible for that read/write activity. Why? (My research indicates that corestoraged is doing the actual encryption, and that process is running, so why doesn’t it show the accumulated read/writes?)
>>>>>
>>>>> Second, and more important question: When using Disk Utility to erase a drive as HFS+ journaled and encrypted, it appears to take just 1 minute to encrypt a 2TB drive with less than 1GB in writes. As soon as that’s complete, diskutil cs list shows the encryption complete:
>>>>>
>>>>> +-- Logical Volume Group 23F9B929-6BFF-45A1-BCEB-DADBDE74852C
>>>>> =========================================================
>>>>> Name: DiskUtilityEncrypted
>>>>> Status: Online
>>>>> Size: 2000021315584 B (2.0 TB)
>>>>> Free Space: 9392128 B (9.4 MB)
>>>>> |
>>>>> +-< Physical Volume 03CB8A7D-323F-4FE4-8694-AF91B190B89D
>>>>> | ----------------------------------------------------
>>>>> | Index: 0
>>>>> | Disk: disk2s2
>>>>> | Status: Online
>>>>> | Size: 2000021315584 B (2.0 TB)
>>>>> |
>>>>> +-> Logical Volume Family EFCAA44A-00D3-457C-B038-00785AB060F7
>>>>> ----------------------------------------------------------
>>>>> Encryption Status: Unlocked
>>>>> Encryption Type: AES-XTS
>>>>> Conversion Status: Complete
>>>>> Conversion Direction: -none-
>>>>> Has Encrypted Extents: Yes
>>>>> Fully Secure: Yes
>>>>> Passphrase Required: Yes
>>>>> |
>>>>> +-> Logical Volume 991B75BA-9475-4B82-B966-50A9CE39D54B
>>>>> ---------------------------------------------------
>>>>> Disk: disk6
>>>>> Status: Online
>>>>> Size (Total): 1999659597824 B (2.0 TB)
>>>>> Conversion Progress: -none-
>>>>> Revertible: No
>>>>> LV Name: DiskUtilityEncrypted
>>>>> Volume Name: DiskUtilityEncrypted
>>>>> Content Hint: Apple_HFS
>>>>>
>>>>>
>>>>> Compared to a Finder Encrypting Drive 1 minute later:
>>>>>
>>>>> +-- Logical Volume Group 506D664C-946D-4A23-8A78-C862CA5DE723
>>>>> =========================================================
>>>>> Name: FinderEncrypted
>>>>> Status: Online
>>>>> Size: 2000021315584 B (2.0 TB)
>>>>> Free Space: 18964480 B (19.0 MB)
>>>>> |
>>>>> +-< Physical Volume EE9BDFE9-D79D-4E53-888A-A169763408D2
>>>>> | ----------------------------------------------------
>>>>> | Index: 0
>>>>> | Disk: disk7s2
>>>>> | Status: Online
>>>>> | Size: 2000021315584 B (2.0 TB)
>>>>> |
>>>>> +-> Logical Volume Family EB6B467F-9971-4E81-94D3-B0DC6C2DDB07
>>>>> ----------------------------------------------------------
>>>>> Encryption Status: Unlocked
>>>>> Encryption Type: AES-XTS
>>>>> Conversion Status: Converting
>>>>> Conversion Direction: forward
>>>>> Has Encrypted Extents: Yes
>>>>> Fully Secure: No
>>>>> Passphrase Required: Yes
>>>>> |
>>>>> +-> Logical Volume 62363DAE-A2D9-40A2-9E0F-50E6D38FB807
>>>>> ---------------------------------------------------
>>>>> Disk: disk8
>>>>> Status: Online
>>>>> Size (Total): 1999650029568 B (2.0 TB)
>>>>> Conversion Progress: 0%
>>>>> Revertible: Yes (unlock and decryption required)
>>>>> LV Name: FinderEncrypted
>>>>> Volume Name: FinderEncrypted
>>>>> Content Hint: Apple_HFS
>>>>>
>>>>>
>>>>> I have dozens of drives to encrypt and want to do it as efficiently as possible, but also correctly. Who can answer how FDE is accomplished in 1 minute with a reformat? Or is this a display bug where the disk writes will occur at idle? (I have seen some behavior to suggest that.)
>>>>>
>>>>> Thanks for the input.
>>>>> Paul
>>>>> --
>>>>> Paul Campbell | Senior Macintosh Systems Administrator
>>>>> ASRC Federal Research and Technology Solutions
>>>>> NASA Ames Research Center
>>>>> Moffett Field, CA 94035
>>>>> email@hidden
>>>>> W: 650.604.4014 | F: 650.604.3323
>>>>>
>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Do not post admin requests to the list. They will be ignored.
>>>>> Fed-talk mailing list (email@hidden)
>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>
>>>>> This email sent to email@hidden
>>>>
>>>> Personal email. email@hidden
>>>
>>>
>>
>
> ---
> Rich Trouton
> email@hidden
>
> JRC Help Desk
> phone: x4030
> email: email@hidden
>
> The best way to get in touch with me is through email.
>
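A status check over `diskutil cs list` output, added here as an example and not from any message in the thread: it reports each CoreStorage Logical Volume Family's Conversion Status and Fully Secure fields and fails when any family is still converting, so a drive encrypted via the Finder (the "Converting / Fully Secure: No" output quoted above) is not handed out before conversion finishes. The sample input is constructed from Paul's quoted output; per Rich's note, the Disk Utility erase-and-encrypt path reports Complete immediately while pre-erase data may remain, so for that path this check is necessary but not sufficient.

```shell
#!/bin/sh
# Added example, not from any message in the thread. Summarises the encryption
# state of each CoreStorage Logical Volume Family in `diskutil cs list` output
# so that a drive still reporting "Converting" / "Fully Secure: No" is not
# handed out as finished. Real use on a Mac:  diskutil cs list | cs_all_secure

# Print one line per Logical Volume Family read from stdin:
#   <family UUID> <Conversion Status> <Fully Secure>
cs_family_state() {
    awk '
        /Logical Volume Family/ { fam = $NF; conv = "?"; secure = "?" }
        /Conversion Status:/    { conv = $NF }
        /Fully Secure:/         { secure = $NF; print fam, conv, secure }
    '
}

# Exit 0 only when at least one family was found and every family reports
# Conversion Status: Complete and Fully Secure: Yes.
cs_all_secure() {
    cs_family_state | awk '
        { n++; if ($2 != "Complete" || $3 != "Yes") bad = 1 }
        END { exit ((n == 0 || bad) ? 1 : 0) }
    '
}

# Constructed sample: the Logical Volume Family section Paul quoted for the
# Finder-encrypted drive one minute into conversion.
SAMPLE_CONVERTING='+-> Logical Volume Family EB6B467F-9971-4E81-94D3-B0DC6C2DDB07
    ----------------------------------------------------------
    Encryption Status:       Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Conversion Direction:    forward
    Has Encrypted Extents:   Yes
    Fully Secure:            No
    Passphrase Required:     Yes'

# Demonstration on the constructed sample: family state line, then the verdict.
printf '%s\n' "$SAMPLE_CONVERTING" | cs_family_state
if printf '%s\n' "$SAMPLE_CONVERTING" | cs_all_secure; then
    echo "all logical volume families fully converted"
else
    echo "WARNING: conversion not complete on at least one family; do not deploy yet"
fi
```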