Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 13 May 2015 12:34:01 +0000
- Thread-topic: [Fed-Talk] Two Questions about FileVault
Free space erase is optional. "Erase" just nukes volume structure (header, allocation, catalog, extents, & attributes) and creates a new one.
Since you didn't actually overwrite any used data blocks you're able to raw-read blocks and see the old content. This is the essence of file recovery. It's orthogonal to FV2 because FV2 operates at a lower level and encrypts free space. If you were to yank the HD and use a low-level program to have the disk controller read those same blocks, you'd get noise (a.k.a. encrypted data).
IOW, WAD. HTH, HAND. ;)
-- T
> -----Original Message-----
> From: Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY
> SOLUTIONS] [mailto:email@hidden]
> Sent: Tuesday, May 12, 2015 2:55 PM
> To: Miller, Timothy J.
> Cc: Trouton, Rich R; Wm. Cerniuk; email@hidden Talk
> Subject: Re: [Fed-Talk] Two Questions about FileVault
>
> Tim,
>
> Taking any old HFS+ disk, I select it in Disk Utility choose Format as Mac OS
> Extended (Journaled, Encrypted) and click erase. Through that process, only
> bytes written to that drive in the future are encrypted, not free space on the
> drive. This is different from the behavior of FV2 through other means, like
> Finder Control-Click > Encrypt, System Preferences, or Time Machine encrypt
> disk. Seems inconsistent to me.
>
> Paul
> --
> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
> Research and Technology Solutions NASA Ames Research Center Moffett
> Field, CA 94035 email@hidden
> W: 650.604.4014 | F: 650.604.3323
>
> ASRC Federal | Customer-Focused. Operationally Excellent.
>
> > On May 12, 2015, at 11:22 AM, Miller, Timothy J. <email@hidden> wrote:
> >
> > So you start with an HFS+ FS with blocks allocated, erase the disk, recreate
> > the volume, set it to encrypt, and find you can raw-read the erased FS's
> > allocated blocks out of the new volume's *un*allocated space?
> >
> > Are you sure you actually used free space erasure?
> >
> > If you didn't use FSE then I'd say that's WAD (Working as Designed). FV2
> > encrypts unused space, so the system likely just reads the block and writes it
> > back encrypted regardless of whether it's currently allocated or not.
> > Previously-allocated unerased blocks just come along for the ride.
> >
> > If you can show that you used FSE, then that's a bug.
> >
> > OTOH, it would be a reasonable feature request for FV2 to simply encrypt a
> > zero block when encrypting an unallocated block--i.e., employ FSE when
> > encrypting free space.
> >
> > -- T
> >
> >> -----Original Message-----
> >> From: fed-talk-bounces+tmiller=email@hidden
> >> [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Trouton, Rich R
> >> Sent: Tuesday, May 12, 2015 9:53 AM
> >> To: Wm. Cerniuk
> >> Cc: email@hidden Talk
> >> Subject: Re: [Fed-Talk] Two Questions about FileVault
> >>
> >> I talked with Paul offlist about this and the issue appears to be this:
> >>
> >> 1. You can wipe a previously non-encrypted drive with a single-pass
> >>    erase and set it to be encrypted using Disk Utility
> >> 2. You can recover previously-written data from the drive following
> >>    encryption.
> >>
> >> Anything that gets written to the drive after the erase-and-encrypt
> >> is encrypted. It's the before-erasure data which is recoverable.
> >>
> >> One way to address it may be to run a single zero-pass erase with the
> >> encrypt option. That should make sure that the disk is completely
> >> overwritten with encrypted zeroed data and also make the previously
> >> stored data inaccessible. That said, consult your agency's
> >> guidelines for media sanitization for guidance.
> >>
> >> Thanks,
> >> Rich
> >>
> >> On May 12, 2015, at 8:18 AM, William Cerniuk <email@hidden> wrote:
> >>
> >>> So confused as to the Disk Utility difference. It produces a disk
> >>> image that is encrypted. This is for many purposes the same as what
> >>> occurs in full disk drive encryption. (One OS's partition is another
> >>> OS's file)
> >>>
> >>> Is the "bytes on a drive" that you noted different?
> >>>
> >>> --
> >>> R/Wm.
> >>>
> >>> 703.594.7616
> >>>
> >>>
> >>>
> >>>
> >>>> On May 11, 2015, at 15:23, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
> >>>>
> >>>> Hey Hank,
> >>>>
> >>>> FV1 didn’t operate like that. FV1 created an encrypted sparse bundle to
> >>>> hold the user’s home directory. It didn’t encrypt anything outside that
> >>>> and it wasn’t at the volume level. FV2 is volume encryption, specifically
> >>>> described as full disk encryption, though I now know their engineers
> >>>> don’t like to call it that because it’s inaccurate. They prefer full
> >>>> drive encryption because only a logical volume is encrypted, not the
> >>>> full disk.
> >>>> Paul
> >>>> --
> >>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
> >>>> Research and Technology Solutions NASA Ames Research Center Moffett
> >>>> Field, CA 94035 email@hidden
> >>>> W: 650.604.4014 | F: 650.604.3323
> >>>>
> >>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>
> >>>>> On May 11, 2015, at 11:53 AM, Henry B (Hank) Hotz, CISSP <email@hidden> wrote:
> >>>>>
> >>>>>
> >>>>>> On May 11, 2015, at 10:09 AM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
> >>>>>>
> >>>>>> Just to follow up in general thread:
> >>>>>>
> >>>>>> For question one, the kernel is performing the encryption below the
> >>>>>> level of Activity Monitor being able to attribute it to a specific
> >>>>>> process. So you can see the disk activity, but no process accumulates
> >>>>>> the read/writes. fs_usage can attribute the activity.
> >>>>>
> >>>>> Not quite sure what the question is. You want Activity Monitor to
> >>>>> show something that fs_usage does show? (If so, sounds like a
> >>>>> feature request?)
> >>>>>
> >>>>>> For question two, Disk Utility does not perform full drive encryption
> >>>>>> like System Preferences > Security & Privacy > FileVault, Time Machine
> >>>>>> disk encryption, or Finder Control Click > Encrypt. It only encrypts
> >>>>>> bytes-on-drive as they are written. I reported it to Apple as a bug,
> >>>>>> but they say it’s functioning as expected and closed my ticket.
> >>>>>
> >>>>> That’s the difference between FileVault 1 and FileVault 2, so I’d say
> >>>>> that really is as expected.
> >>>>>
> >>>>>> Paul
> >>>>>> --
> >>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC
> >>>>>> Federal Research and Technology Solutions NASA Ames Research
> >>>>>> Center Moffett Field, CA 94035 email@hidden
> >>>>>> W: 650.604.4014 | F: 650.604.3323
> >>>>>>
> >>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> From: <Campbell>, Paul Campbell <email@hidden>
> >>>>>> Date: Thursday, April 16, 2015 at 9:24 AM
> >>>>>> To: "email@hidden" <email@hidden>
> >>>>>> Subject: [Fed-Talk] Two Questions about FileVault
> >>>>>>
> >>>>>> Hello All,
> >>>>>>
> >>>>>> I’ve read the FileVault white paper, and I’ve searched the web, but
> >>>>>> can’t find the answer to these two questions:
> >>>>>>
> >>>>>> When you encrypt a disk from the Finder, Activity Monitor shows
> >>>>>> the disk activity as the drive is encrypted, but no process shows
> >>>>>> as being responsible for that read/write activity. Why? (My
> >>>>>> research indicates that corestoraged is doing the actual
> >>>>>> encryption, and that process is running, so why doesn’t it show
> >>>>>> the accumulated
> >>>>>> read/writes?)
> >>>>>>
> >>>>>> Second, and more important question: When using Disk Utility to erase
> >>>>>> a drive as HFS+ journaled and encrypted, it appears to take just 1
> >>>>>> minute to encrypt a 2TB drive with less than 1GB in writes. As soon
> >>>>>> as that’s complete, diskutil cs list shows the encryption complete:
> >>>>>>
> >>>>>> +-- Logical Volume Group 23F9B929-6BFF-45A1-BCEB-DADBDE74852C
> >>>>>> =========================================================
> >>>>>> Name: DiskUtilityEncrypted
> >>>>>> Status: Online
> >>>>>> Size: 2000021315584 B (2.0 TB)
> >>>>>> Free Space: 9392128 B (9.4 MB)
> >>>>>> |
> >>>>>> +-< Physical Volume 03CB8A7D-323F-4FE4-8694-AF91B190B89D
> >>>>>> | ----------------------------------------------------
> >>>>>> | Index: 0
> >>>>>> | Disk: disk2s2
> >>>>>> | Status: Online
> >>>>>> | Size: 2000021315584 B (2.0 TB)
> >>>>>> |
> >>>>>> +-> Logical Volume Family EFCAA44A-00D3-457C-B038-00785AB060F7
> >>>>>> ----------------------------------------------------------
> >>>>>> Encryption Status: Unlocked
> >>>>>> Encryption Type: AES-XTS
> >>>>>> Conversion Status: Complete
> >>>>>> Conversion Direction: -none-
> >>>>>> Has Encrypted Extents: Yes
> >>>>>> Fully Secure: Yes
> >>>>>> Passphrase Required: Yes
> >>>>>> |
> >>>>>> +-> Logical Volume 991B75BA-9475-4B82-B966-50A9CE39D54B
> >>>>>> ---------------------------------------------------
> >>>>>> Disk: disk6
> >>>>>> Status: Online
> >>>>>> Size (Total): 1999659597824 B (2.0 TB)
> >>>>>> Conversion Progress: -none-
> >>>>>> Revertible: No
> >>>>>> LV Name: DiskUtilityEncrypted
> >>>>>> Volume Name: DiskUtilityEncrypted
> >>>>>> Content Hint: Apple_HFS
> >>>>>>
> >>>>>>
> >>>>>> Compared to a Finder Encrypting Drive 1 minute later:
> >>>>>>
> >>>>>> +-- Logical Volume Group 506D664C-946D-4A23-8A78-C862CA5DE723
> >>>>>> =========================================================
> >>>>>> Name: FinderEncrypted
> >>>>>> Status: Online
> >>>>>> Size: 2000021315584 B (2.0 TB)
> >>>>>> Free Space: 18964480 B (19.0 MB)
> >>>>>> |
> >>>>>> +-< Physical Volume EE9BDFE9-D79D-4E53-888A-A169763408D2
> >>>>>> | ----------------------------------------------------
> >>>>>> | Index: 0
> >>>>>> | Disk: disk7s2
> >>>>>> | Status: Online
> >>>>>> | Size: 2000021315584 B (2.0 TB)
> >>>>>> |
> >>>>>> +-> Logical Volume Family EB6B467F-9971-4E81-94D3-B0DC6C2DDB07
> >>>>>> ----------------------------------------------------------
> >>>>>> Encryption Status: Unlocked
> >>>>>> Encryption Type: AES-XTS
> >>>>>> Conversion Status: Converting
> >>>>>> Conversion Direction: forward
> >>>>>> Has Encrypted Extents: Yes
> >>>>>> Fully Secure: No
> >>>>>> Passphrase Required: Yes
> >>>>>> |
> >>>>>> +-> Logical Volume 62363DAE-A2D9-40A2-9E0F-50E6D38FB807
> >>>>>> ---------------------------------------------------
> >>>>>> Disk: disk8
> >>>>>> Status: Online
> >>>>>> Size (Total): 1999650029568 B (2.0 TB)
> >>>>>> Conversion Progress: 0%
> >>>>>> Revertible: Yes (unlock and decryption required)
> >>>>>> LV Name: FinderEncrypted
> >>>>>> Volume Name: FinderEncrypted
> >>>>>> Content Hint: Apple_HFS
> >>>>>>
> >>>>>>
> >>>>>> I have dozens of drives to encrypt and want to do it as
> >>>>>> efficiently as possible, but also correctly. Who can answer how
> >>>>>> FDE is accomplished in 1 minute with a reformat? Or is this a
> >>>>>> display bug where the disk writes will occur at idle? (I have
> >>>>>> seen some behavior to suggest that.)
> >>>>>>
> >>>>>> Thanks for the input.
> >>>>>> Paul
> >>>>>> --
> >>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC
> >>>>>> Federal Research and Technology Solutions NASA Ames Research
> >>>>>> Center Moffett Field, CA 94035 email@hidden
> >>>>>> W: 650.604.4014 | F: 650.604.3323
> >>>>>>
> >>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Do not post admin requests to the list. They will be ignored.
> >>>>>> Fed-talk mailing list (email@hidden)
> >>>>>> Help/Unsubscribe/Update your Subscription:
> talk/email@hidden
> >>>>>>
> >>>>>> This email sent to email@hidden
> >>>>>
> >>>>> Personal email. email@hidden
> >>>>
> >>>>
> >>>
> >>
> >> ---
> >> Rich Trouton
> >> email@hidden
> >>
> >> JRC Help Desk
> >> phone: x4030
> >> email: email@hidden
> >>
> >> The best way to get in touch with me is through email.
> >>
> >>
> >
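The two `diskutil cs list` listings quoted in the thread differ in the Logical Volume Family fields `Conversion Status` and `Fully Secure`. As an added example (not part of the thread), the shell/awk helper below extracts those fields per volume so that many drives can be checked at once; the function names are hypothetical and the sample input is constructed in the listing format shown above, with placeholder UUIDs.

```shell
#!/bin/sh
# Added example: summarise `diskutil cs list` text read from stdin.
# Prints one tab-separated line per Logical Volume Family:
#   <LV Name> <Conversion Status> <Fully Secure>
cs_status() {
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    function emit() { if (infam) printf "%s\t%s\t%s\n", name, conv, secure; infam = 0 }
    { sub(/^[ \t|]+/, "") }                 # strip the tree-drawing prefix
    /Logical Volume Group/  { emit(); next }
    /Logical Volume Family/ { emit(); infam = 1; name = conv = secure = "?"; next }
    infam && /^Conversion Status:/ { conv = val($0) }
    infam && /^Fully Secure:/      { secure = val($0) }
    infam && /^LV Name:/           { name = val($0) }
    END { emit() }
  '
}

# Names of volumes still converting or not reported as fully secure.
cs_pending() {
  cs_status | awk -F '\t' '$2 != "Complete" || $3 != "Yes" { print $1 }'
}

# Constructed sample in the format of the listings above (placeholder UUIDs).
sample_cs_list() {
  cat <<'EOF'
+-- Logical Volume Group 00000000-0000-0000-0000-00000000000A
    Name:         DiskUtilityEncrypted
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-00000000000B
        Conversion Status:       Complete
        Fully Secure:            Yes
        |
        +-> Logical Volume 00000000-0000-0000-0000-00000000000C
            LV Name:                 DiskUtilityEncrypted
+-- Logical Volume Group 00000000-0000-0000-0000-00000000000D
    Name:         FinderEncrypted
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-00000000000E
        Conversion Status:       Converting
        Fully Secure:            No
        |
        +-> Logical Volume 00000000-0000-0000-0000-00000000000F
            LV Name:                 FinderEncrypted
EOF
}

sample_cs_list | cs_status
```

On a Mac, `diskutil cs list | cs_pending` lists the volumes that still report a conversion in progress. These fields report CoreStorage conversion state only; they do not show whether blocks written before an erase were overwritten, which is the point debated in the thread.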