Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: "Henry B (Hank) Hotz, CISSP" <email@hidden>
- Date: Tue, 12 May 2015 13:16:57 -0700
On May 12, 2015, at 12:54 PM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
> Tim,
>
> Taking any old HFS+ disk, I select it in Disk Utility choose Format as Mac OS Extended (Journaled, Encrypted) and click erase.
So you did not press the “Erase Free Space...” button before (or after for that matter) the “erase” button? I note that the “Security Options...” dialog specifically warns you that files may be recovered afterward.
> Through that process, only bytes written to that drive in the future are encrypted, not free space on the drive. This is different from the behavior of FV2 through other means, like Finder Control-Click > Encrypt, System Preferences, or Time Machine encrypt disk. Seems inconsistent to me.
>
> Paul
> --
> Paul Campbell | Senior Macintosh Systems Administrator
> ASRC Federal Research and Technology Solutions
> NASA Ames Research Center
> Moffett Field, CA 94035
> email@hidden
> W: 650.604.4014 | F: 650.604.3323
>
> ASRC Federal | Customer-Focused. Operationally Excellent.
>
>> On May 12, 2015, at 11:22 AM, Miller, Timothy J. <email@hidden> wrote:
>>
>> So you start with an HFS+ FS with blocks allocated, erase the disk, recreate the volume, set it to encrypt, and find you can raw-read the erased FS's allocated blocks out of the new volume's *un*allocated space?
>>
>> Are you sure you actually used free space erasure?
>>
>> If you didn't use FSE then I'd say that's WAD (Working as Designed). FV2 encrypts unused space, so the system likely just reads the block and writes it back encrypted regardless of whether it's currently allocated or not. Previously-allocated unerased blocks just come along for the ride.
>>
>> If you can show that you used FSE, then that's a bug.
>>
>> OTOH, it would be a reasonable feature request for FV2 to simply encrypt a zero block when encrypting an unallocated block--i.e., employ FSE when encrypting free space.
>>
>> -- T
>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Trouton, Rich R
>>> Sent: Tuesday, May 12, 2015 9:53 AM
>>> To: Wm. Cerniuk
>>> Cc: email@hidden Talk
>>> Subject: Re: [Fed-Talk] Two Questions about FileVault
>>>
>>> I talked with Paul offlist about this and the issue appears to be this:
>>>
>>> 1. You can wipe a previously non-encrypted drive with a single-pass erase
>>> and set it to be encrypted using Disk Utility
>>> 2. You can recover previously-written data from the drive following
>>> encryption.
>>>
>>> Anything that gets written to the drive after the erase-and-encrypt is
>>> encrypted. It's the before-erasure data which is recoverable.
>>>
>>> One way to address it may be to run a single zero-pass erase with the
>>> encrypt option. That should make sure that the disk is completely
>>> overwritten with encrypted zeroed data and also make the previously stored
>>> data inaccessible. That said, consult your agency's guidelines for media
>>> sanitization for guidance.
>>>
>>> Thanks,
>>> Rich
>>>
>>> On May 12, 2015, at 8:18 AM, William Cerniuk <email@hidden> wrote:
>>>
>>>> So confused as to the Disk Utility difference. It produces a disk
>>>> image that is encrypted. This is for many purposes the same as what
>>>> occurs in full disk drive encryption. (One OS's partition is another
>>>> OS's file)
>>>>
>>>> Is the "bytes on a drive" that you noted different?
>>>>
>>>> --
>>>> R/Wm.
>>>>
>>>> 703.594.7616
>>>>
>>>>
>>>>
>>>>
>>>>> On May 11, 2015, at 15:23, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
>>>>>
>>>>> Hey Hank,
>>>>>
>>>>> FV1 didn’t operate like that. FV1 created an encrypted sparse bundle to hold the user’s home directory. It didn’t encrypt anything outside that and it wasn’t at the volume level. FV2 is volume encryption, specifically described as full disk encryption, though I now know their engineers don’t like to call it that because it’s inaccurate. They prefer full drive encryption because only a logical volume is encrypted, not the full disk.
>>>>> Paul
>>>>> --
>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
>>>>> Research and Technology Solutions NASA Ames Research Center Moffett
>>>>> Field, CA 94035 email@hidden
>>>>> W: 650.604.4014 | F: 650.604.3323
>>>>>
>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>>>
>>>>>> On May 11, 2015, at 11:53 AM, Henry B (Hank) Hotz, CISSP <email@hidden> wrote:
>>>>>>
>>>>>>
>>>>>>> On May 11, 2015, at 10:09 AM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
>>>>>>>
>>>>>>> Just to follow up in general thread:
>>>>>>>
>>>>>>> For question one, the kernel is performing the encryption below the level of Activity Monitor being able to attribute it to a specific process. So you can see the disk activity, but no process accumulates the read/writes. fs_usage can attribute the activity.
>>>>>>
>>>>>> Not quite sure what the question is. You want Activity Monitor to
>>>>>> show something that fs_usage does show? (If so, sounds like a
>>>>>> feature request?)
>>>>>>
>>>>>>> For question two, Disk Utility does not perform full drive encryption like System Preferences > Security & Privacy > FileVault, Time Machine disk encryption, or Finder Control Click > Encrypt. It only encrypts bytes-on-drive as they are written. I reported it to Apple as a bug, but they say it’s functioning as expected and closed my ticket.
>>>>>>
>>>>>> That’s the difference between FileVault 1 and FileVault 2, so I’d say that really is as expected.
>>>>>>
>>>>>>> Paul
>>>>>>> --
>>>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
>>>>>>> Research and Technology Solutions NASA Ames Research Center Moffett
>>>>>>> Field, CA 94035 email@hidden
>>>>>>> W: 650.604.4014 | F: 650.604.3323
>>>>>>>
>>>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From: <Campbell>, Paul Campbell <email@hidden>
>>>>>>> Date: Thursday, April 16, 2015 at 9:24 AM
>>>>>>> To: "email@hidden" <email@hidden>
>>>>>>> Subject: [Fed-Talk] Two Questions about FileVault
>>>>>>>
>>>>>>> Hello All,
>>>>>>>
>>>>>>> I’ve read the FileVault white paper, and I’ve searched the web, but can’t find the answer to these two questions:
>>>>>>>
>>>>>>> When you encrypt a disk from the Finder, Activity Monitor shows the
>>>>>>> disk activity as the drive is encrypted, but no process shows as
>>>>>>> being responsible for that read/write activity. Why? (My research
>>>>>>> indicates that corestoraged is doing the actual encryption, and
>>>>>>> that process is running, so why doesn’t it show the accumulated
>>>>>>> read/writes?)
>>>>>>>
>>>>>>> Second, and more important question: When using Disk Utility to erase a drive as HFS+ journaled and encrypted, it appears to take just 1 minute to encrypt a 2TB drive with less than 1GB in writes. As soon as that’s complete, diskutil cs list shows the encryption complete:
>>>>>>>
>>>>>>> +-- Logical Volume Group 23F9B929-6BFF-45A1-BCEB-DADBDE74852C
>>>>>>> =========================================================
>>>>>>> Name: DiskUtilityEncrypted
>>>>>>> Status: Online
>>>>>>> Size: 2000021315584 B (2.0 TB)
>>>>>>> Free Space: 9392128 B (9.4 MB)
>>>>>>> |
>>>>>>> +-< Physical Volume 03CB8A7D-323F-4FE4-8694-AF91B190B89D
>>>>>>> | ----------------------------------------------------
>>>>>>> | Index: 0
>>>>>>> | Disk: disk2s2
>>>>>>> | Status: Online
>>>>>>> | Size: 2000021315584 B (2.0 TB)
>>>>>>> |
>>>>>>> +-> Logical Volume Family EFCAA44A-00D3-457C-B038-00785AB060F7
>>>>>>> ----------------------------------------------------------
>>>>>>> Encryption Status: Unlocked
>>>>>>> Encryption Type: AES-XTS
>>>>>>> Conversion Status: Complete
>>>>>>> Conversion Direction: -none-
>>>>>>> Has Encrypted Extents: Yes
>>>>>>> Fully Secure: Yes
>>>>>>> Passphrase Required: Yes
>>>>>>> |
>>>>>>> +-> Logical Volume 991B75BA-9475-4B82-B966-50A9CE39D54B
>>>>>>> ---------------------------------------------------
>>>>>>> Disk: disk6
>>>>>>> Status: Online
>>>>>>> Size (Total): 1999659597824 B (2.0 TB)
>>>>>>> Conversion Progress: -none-
>>>>>>> Revertible: No
>>>>>>> LV Name: DiskUtilityEncrypted
>>>>>>> Volume Name: DiskUtilityEncrypted
>>>>>>> Content Hint: Apple_HFS
>>>>>>>
>>>>>>>
>>>>>>> Compared to a Finder Encrypting Drive 1 minute later:
>>>>>>>
>>>>>>> +-- Logical Volume Group 506D664C-946D-4A23-8A78-C862CA5DE723
>>>>>>> =========================================================
>>>>>>> Name: FinderEncrypted
>>>>>>> Status: Online
>>>>>>> Size: 2000021315584 B (2.0 TB)
>>>>>>> Free Space: 18964480 B (19.0 MB)
>>>>>>> |
>>>>>>> +-< Physical Volume EE9BDFE9-D79D-4E53-888A-A169763408D2
>>>>>>> | ----------------------------------------------------
>>>>>>> | Index: 0
>>>>>>> | Disk: disk7s2
>>>>>>> | Status: Online
>>>>>>> | Size: 2000021315584 B (2.0 TB)
>>>>>>> |
>>>>>>> +-> Logical Volume Family EB6B467F-9971-4E81-94D3-B0DC6C2DDB07
>>>>>>> ----------------------------------------------------------
>>>>>>> Encryption Status: Unlocked
>>>>>>> Encryption Type: AES-XTS
>>>>>>> Conversion Status: Converting
>>>>>>> Conversion Direction: forward
>>>>>>> Has Encrypted Extents: Yes
>>>>>>> Fully Secure: No
>>>>>>> Passphrase Required: Yes
>>>>>>> |
>>>>>>> +-> Logical Volume 62363DAE-A2D9-40A2-9E0F-50E6D38FB807
>>>>>>> ---------------------------------------------------
>>>>>>> Disk: disk8
>>>>>>> Status: Online
>>>>>>> Size (Total): 1999650029568 B (2.0 TB)
>>>>>>> Conversion Progress: 0%
>>>>>>> Revertible: Yes (unlock and decryption required)
>>>>>>> LV Name: FinderEncrypted
>>>>>>> Volume Name: FinderEncrypted
>>>>>>> Content Hint: Apple_HFS
>>>>>>>
>>>>>>>
>>>>>>> I have dozens of drives to encrypt and want to do it as efficiently
>>>>>>> as possible, but also correctly. Who can answer how FDE is
>>>>>>> accomplished in 1 minute with a reformat? Or is this a display bug
>>>>>>> where the disk writes will occur at idle? (I have seen some
>>>>>>> behavior to suggest that.)
>>>>>>>
>>>>>>> Thanks for the input.
>>>>>>> Paul
>>>>>>> --
>>>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
>>>>>>> Research and Technology Solutions NASA Ames Research Center Moffett
>>>>>>> Field, CA 94035 email@hidden
>>>>>>> W: 650.604.4014 | F: 650.604.3323
>>>>>>>
>>>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>>> Fed-talk mailing list (email@hidden)
>>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>>
>>>>>>> This email sent to email@hidden
>>>>>>
>>>>>> Personal email. email@hidden
>>>>>
>>>>>
>>>>
>>>
>>> ---
>>> Rich Trouton
>>> email@hidden
>>>
>>> JRC Help Desk
>>> phone: x4030
>>> email: email@hidden
>>>
>>> The best way to get in touch with me is through email.
>>>
>>>
>>
>
>
Personal email. email@hidden
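
A defender-side check for the condition discussed in this thread (old plaintext still readable from the raw partition after an erase-and-encrypt), added here as an example and not code from any poster or from Apple: it reads a raw device or image in blocks and flags blocks whose byte entropy is too low to be AES-XTS ciphertext. The 4096-byte block size, the 7.5 bits/byte threshold and the sample image are assumptions constructed for illustration.

```python
import io
import math
import os
from collections import Counter

BLOCK_SIZE = 4096          # assumed sampling unit, not a CoreStorage constant
CIPHERTEXT_MIN_BITS = 7.5  # assumed threshold, in bits of entropy per byte


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 at most."""
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())


def classify(block: bytes) -> str:
    if not any(block):
        return "zero"             # never written, or zeroed in the clear
    if shannon_entropy(block) >= CIPHERTEXT_MIN_BITS:
        return "ciphertext-like"  # what an encrypted block should look like
    return "plaintext-like"       # structured data: possible pre-erase remnant


def scan(stream, block_size: int = BLOCK_SIZE):
    """Return (counts per class, byte offsets of plaintext-like blocks)."""
    counts, suspects, offset = Counter(), [], 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        kind = classify(block)
        counts[kind] += 1
        if kind == "plaintext-like":
            suspects.append(offset)
        offset += len(block)
    return counts, suspects


def constructed_image() -> bytes:
    """Constructed sample: six random blocks standing in for AES-XTS output,
    one leftover block of old file content, one zero block."""
    leftover = (b"Quarterly travel report, draft 3. " * 200)[:BLOCK_SIZE]
    return (os.urandom(3 * BLOCK_SIZE) + leftover
            + os.urandom(3 * BLOCK_SIZE) + bytes(BLOCK_SIZE))


if __name__ == "__main__":
    counts, suspects = scan(io.BytesIO(constructed_image()))
    print(dict(counts), [hex(o) for o in suspects])
```

On a real drive the stream would be the raw physical volume opened read-only (disk2s2 in the listing above). Compressed or already-encrypted leftovers also score as ciphertext-like, so a clean result does not prove sanitization.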