Re: [Fed-Talk] Two Questions about FileVault
Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 13 May 2015 13:10:27 +0000
- Thread-topic: [Fed-Talk] Two Questions about FileVault
DU erasure doesn't overwrite squat unless you specifically tell it to, so recovering old data from a disk erased via the default is expected (and in fact, it warns you). TM uses an FS image sparsebundle, so there *is* no free space.
All the other methods are equivalent. Prefs, Finder, and DU are just a different GUIs over diskutil and hdiutil, depending on usage (OK, to be pedantic, they're calling the same system services in the same way). Encrypted image files shouldn't be a problem--they either have no free space (sparesbundle images) or are initially allocated with zero'd blocks (other images). Reusing a pre-existing image would be similar to physical devices.
Assuming a physical device, are you recovering from an unmounted device volume (e.g., dd off a byte copy) or from a mounted drive?
If the recovery device was mounted, recovery of old data is expected because physical volume free space is encrypted.
If the recovery device was unmounted, did you query the volume to ensure that encryption was complete before you attempted data recovery (diskutil coreStorage list)? CS allows a volume to be active while it's being encrypted, and will invisibly stop/start the process as the device is removed or the system rebooted.
-- T
> -----Original Message-----
> From: Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY
> SOLUTIONS] [mailto:email@hidden]
> Sent: Tuesday, May 12, 2015 3:54 PM
> To: Henry B (Hank) Hotz, CISSP
> Cc: Miller, Timothy J.; email@hidden Talk
> Subject: Re: [Fed-Talk] Two Questions about FileVault
>
> Hank,
>
> The topic was never about the Erase Free Space button. The topic is: Disk
> Utility Erase and Encrypt does not provide FDE equivalent to System
> Preferences, Time Machine encrypt disk, and Finder Control-Click > Encrypt
> Disk. The latter three methods encrypt free space, the first does not.
> Paul
> --
> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
> Research and Technology Solutions NASA Ames Research Center Moffett
> Field, CA 94035 email@hidden
> W: 650.604.4014 | F: 650.604.3323
>
> ASRC Federal | Customer-Focused. Operationally Excellent.
>
> > On May 12, 2015, at 1:16 PM, Henry B (Hank) Hotz, CISSP
> <email@hidden> wrote:
> >
> >
> > On May 12, 2015, at 12:54 PM, Campbell, Paul Madison (ARC-TH)[ASRC
> RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
> >
> >> Tim,
> >>
> >> Taking any old HFS+ disk, I select it in Disk Utility choose Format as Mac OS
> Extended (Journaled, Encrypted) and click erase.
> >
> > So you did not press the "Erase Free Space..." button before (or after for
> that matter) the "erase" button? I note that the "Security Options..." dialog
> specifically warns you that files may be recovered afterward.
> >
> >> Through that process, only bytes written to that drive in the future are
> encrypted, not free space on the drive. This is different from the behavior of
> FV2 through other means, like Finder Control-Click > Encrypt, System
> Preferences, or Time Machine encrypt disk. Seems inconsistent to me.
> >>
> >> Paul
> >> --
> >> Paul Campbell | Senior Macintosh Systems Administrator ASRC Federal
> >> Research and Technology Solutions NASA Ames Research Center Moffett
> >> Field, CA 94035 email@hidden
> >> W: 650.604.4014 | F: 650.604.3323
> >>
> >> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>
> >>> On May 12, 2015, at 11:22 AM, Miller, Timothy J. <email@hidden>
> wrote:
> >>>
> >>> So you start with an HFS+ FS with blocks allocated, erase the disk,
> recreate the volume, set it to encrypt, and find you can raw-read the erased
> FS's allocated blocks out of the new volume's *un*allocated space?
> >>>
> >>> Are you sure you actually used free space erasure?
> >>>
> >>> If you didn't use FSE then I'd say that's WAD (Working as Designed). FV2
> encrypts unused space, so the system likely just reads the block and writes it
> back encrypted regardless of whether it's currently allocated or not.
> Previously-allocated unerased blocks just come along for the ride.
> >>>
> >>> If you can show that you used FSE, then that's a bug.
> >>>
> >>> OTOH, it would be a reasonable feature request for FV2 to simply
> encrypt a zero block when encrypting an unallocated block--i.e., employ FSE
> when encrypting free space.
> >>>
> >>> -- T
> >>>
> >>>> -----Original Message-----
> >>>> From: fed-talk-bounces+tmiller=email@hidden
> >>>> [mailto:fed-talk-
> >>>> bounces+tmiller=email@hidden] On Behalf Of Trouton,
> >>>> bounces+Rich R
> >>>> Sent: Tuesday, May 12, 2015 9:53 AM
> >>>> To: Wm. Cerniuk
> >>>> Cc: email@hidden Talk
> >>>> Subject: Re: [Fed-Talk] Two Questions about FileVault
> >>>>
> >>>> I talked with Paul offlist about this and the issue appears to be this:
> >>>>
> >>>> 1. You can wipe a previously non-encrypted drive with a single-pass
> >>>> erase and set it to be encrypted using Disk Utility 2. You can
> >>>> recover previously- written data from the drive following encryption.
> >>>>
> >>>> Anything that gets written to the drive after the erase-and-encrypt
> >>>> is encrypted. It's the before-erasure data which is recoverable.
> >>>>
> >>>> One way to address it may be to run a single zero-pass erase with
> >>>> the encrypt option. That should make sure that the disk is
> >>>> completely overwritten with encrypted zeroed data and also make the
> >>>> previously stored data inaccessible. That said, consult your
> >>>> agency's guidelines for media sanitization for guidance.
> >>>>
> >>>> Thanks,
> >>>> Rich
> >>>>
> >>>> On May 12, 2015, at 8:18 AM, William Cerniuk <email@hidden>
> wrote:
> >>>>
> >>>>> So confused as to the Disk Utility difference. It produces a disk
> >>>>> image that is encrypted. This is for may purposes the same as what
> >>>>> occurs in full disk drive encryption. (One OS's partition is
> >>>>> another OS's file)
> >>>>>
> >>>>> Is the "bytes on a drive" that you noted different?
> >>>>>
> >>>>> --
> >>>>> R/Wm.
> >>>>>
> >>>>> 703.594.7616
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On May 11, 2015, at 15:23, Campbell, Paul Madison (ARC-TH)[ASRC
> >>>> RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden>
> wrote:
> >>>>>>
> >>>>>> Hey Hank,
> >>>>>>
> >>>>>> FV1 didn't operate like that. FV1 created an encrypted sparse
> >>>>>> bundle to
> >>>> hold the user's home directory. It didn't encrypt anything outside
> >>>> that and it wasn't at the volume level. FV2 is volume encryption,
> >>>> specifically described as full disk encryption, though I now know
> >>>> their engineers don't like to call it that because its inaccurate.
> >>>> They prefer full drive encryption because only a logical volume is
> encrypted, not the full disk.
> >>>>>> Paul
> >>>>>> --
> >>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC
> >>>>>> Federal Research and Technology Solutions NASA Ames Research
> >>>>>> Center Moffett Field, CA 94035 email@hidden
> >>>>>> W: 650.604.4014 | F: 650.604.3323
> >>>>>>
> >>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>>>
> >>>>>>> On May 11, 2015, at 11:53 AM, Henry B (Hank) Hotz, CISSP
> >>>> <email@hidden> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> On May 11, 2015, at 10:09 AM, Campbell, Paul Madison
> >>>>>>>> (ARC-TH)[ASRC
> >>>> RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden>
> wrote:
> >>>>>>>>
> >>>>>>>> Just to follow up in general thread:
> >>>>>>>>
> >>>>>>>> For question one, the kernel is performing the encryption below
> >>>>>>>> the
> >>>> level of Activity Monitor being able to attribute it to a specific
> >>>> process. So you can see the disk activity, but no process accumulates
> the read/writes.
> >>>> fs_usage can attribute the activity.
> >>>>>>>
> >>>>>>> Not quite sure what the question is. You want Activity Monitor
> >>>>>>> to show something that fs_usage does show? (If so, sounds like a
> >>>>>>> feature request?)
> >>>>>>>
> >>>>>>>> For question two, Disk Utility does not perform full drive
> >>>>>>>> encryption like
> >>>> System Preferences > Security & Privacy > FileVault, Time Machine
> >>>> disk encryption, or Finder Control Click > Encrypt. It only
> >>>> encrypts bytes-on-drive as they are written. I reported it to Apple
> >>>> as a bug, but they say its functioning as expected and closed my ticket.
> >>>>>>>
> >>>>>>> That's the difference between FileVault 1 and FileVault 2, so
> >>>>>>> I'd say that
> >>>> really is as expected.
> >>>>>>>
> >>>>>>>> Paul
> >>>>>>>> --
> >>>>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC
> >>>>>>>> Federal Research and Technology Solutions NASA Ames Research
> >>>>>>>> Center
> >>>> Moffett
> >>>>>>>> Field, CA 94035 email@hidden
> >>>>>>>> W: 650.604.4014 | F: 650.604.3323
> >>>>>>>>
> >>>>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> From: <Campbell>, Paul Campbell <email@hidden>
> >>>>>>>> Date: Thursday, April 16, 2015 at 9:24 AM
> >>>>>>>> To: "email@hidden" <email@hidden>
> >>>>>>>> Subject: [Fed-Talk] Two Questions about FileVault
> >>>>>>>>
> >>>>>>>> Hello All,
> >>>>>>>>
> >>>>>>>> I've read the FileVault white paper, and I've searched the web,
> >>>>>>>> but
> >>>> can't find the answer to these two questions:
> >>>>>>>>
> >>>>>>>> When you encrypt a disk from the Finder, Activity Monitor shows
> >>>>>>>> the disk activity as the drive is encrypted, but no process
> >>>>>>>> shows as being responsible for that read/write activity. Why?
> >>>>>>>> (My research indicates that corestoraged is doing the actual
> >>>>>>>> encryption, and that process is running, so why doesn't it show
> >>>>>>>> the accumulated
> >>>>>>>> read/writes?)
> >>>>>>>>
> >>>>>>>> Second, and more important question: When using Disk Utility to
> >>>>>>>> erase
> >>>> a drive as HFS+ journaled and encrypted, it appears to take just 1
> >>>> minute to encrypt a 2TB drive with less than 1GB in writes. As soon
> >>>> as that's complete, disktuil cs list shows the encryption complete:
> >>>>>>>>
> >>>>>>>> +-- Logical Volume Group 23F9B929-6BFF-45A1-BCEB-
> DADBDE74852C
> >>>>>>>>
> >>>>
> =========================================================
> >>>>>>>> Name: DiskUtilityEncrypted
> >>>>>>>> Status: Online
> >>>>>>>> Size: 2000021315584 B (2.0 TB)
> >>>>>>>> Free Space: 9392128 B (9.4 MB)
> >>>>>>>> |
> >>>>>>>> +-< Physical Volume 03CB8A7D-323F-4FE4-8694-AF91B190B89D
> >>>>>>>> | ----------------------------------------------------
> >>>>>>>> | Index: 0
> >>>>>>>> | Disk: disk2s2
> >>>>>>>> | Status: Online
> >>>>>>>> | Size: 2000021315584 B (2.0 TB)
> >>>>>>>> |
> >>>>>>>> +-> Logical Volume Family EFCAA44A-00D3-457C-B038-
> 00785AB060F7
> >>>>>>>> ----------------------------------------------------------
> >>>>>>>> Encryption Status: Unlocked
> >>>>>>>> Encryption Type: AES-XTS
> >>>>>>>> Conversion Status: Complete
> >>>>>>>> Conversion Direction: -none-
> >>>>>>>> Has Encrypted Extents: Yes
> >>>>>>>> Fully Secure: Yes
> >>>>>>>> Passphrase Required: Yes
> >>>>>>>> |
> >>>>>>>> +-> Logical Volume 991B75BA-9475-4B82-B966-50A9CE39D54B
> >>>>>>>> ---------------------------------------------------
> >>>>>>>> Disk: disk6
> >>>>>>>> Status: Online
> >>>>>>>> Size (Total): 1999659597824 B (2.0 TB)
> >>>>>>>> Conversion Progress: -none-
> >>>>>>>> Revertible: No
> >>>>>>>> LV Name: DiskUtilityEncrypted
> >>>>>>>> Volume Name: DiskUtilityEncrypted
> >>>>>>>> Content Hint: Apple_HFS
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Compared to a Finder Encrypting Drive 1 minute later:
> >>>>>>>>
> >>>>>>>> +-- Logical Volume Group 506D664C-946D-4A23-8A78-
> C862CA5DE723
> >>>>>>>>
> >>>>
> =========================================================
> >>>>>>>> Name: FinderEncrypted
> >>>>>>>> Status: Online
> >>>>>>>> Size: 2000021315584 B (2.0 TB)
> >>>>>>>> Free Space: 18964480 B (19.0 MB)
> >>>>>>>> |
> >>>>>>>> +-< Physical Volume EE9BDFE9-D79D-4E53-888A-A169763408D2
> >>>>>>>> | ----------------------------------------------------
> >>>>>>>> | Index: 0
> >>>>>>>> | Disk: disk7s2
> >>>>>>>> | Status: Online
> >>>>>>>> | Size: 2000021315584 B (2.0 TB)
> >>>>>>>> |
> >>>>>>>> +-> Logical Volume Family EB6B467F-9971-4E81-94D3-
> B0DC6C2DDB07
> >>>>>>>> ----------------------------------------------------------
> >>>>>>>> Encryption Status: Unlocked
> >>>>>>>> Encryption Type: AES-XTS
> >>>>>>>> Conversion Status: Converting
> >>>>>>>> Conversion Direction: forward
> >>>>>>>> Has Encrypted Extents: Yes
> >>>>>>>> Fully Secure: No
> >>>>>>>> Passphrase Required: Yes
> >>>>>>>> |
> >>>>>>>> +-> Logical Volume 62363DAE-A2D9-40A2-9E0F-50E6D38FB807
> >>>>>>>> ---------------------------------------------------
> >>>>>>>> Disk: disk8
> >>>>>>>> Status: Online
> >>>>>>>> Size (Total): 1999650029568 B (2.0 TB)
> >>>>>>>> Conversion Progress: 0%
> >>>>>>>> Revertible: Yes (unlock and decryption required)
> >>>>>>>> LV Name: FinderEncrypted
> >>>>>>>> Volume Name: FinderEncrypted
> >>>>>>>> Content Hint: Apple_HFS
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I have dozens of drives to encrypt and want to do it as
> >>>>>>>> efficiently as possible, but also correctly. Who can answer how
> >>>>>>>> FDE is accomplished in 1 minute with a reformat? Or is this a
> >>>>>>>> display bug where the disk writes will occur at idle? (I have
> >>>>>>>> seen some behavior to suggest that.)
> >>>>>>>>
> >>>>>>>> Thanks for the input.
> >>>>>>>> Paul
> >>>>>>>> --
> >>>>>>>> Paul Campbell | Senior Macintosh Systems Administrator ASRC
> >>>>>>>> Federal Research and Technology Solutions NASA Ames Research
> >>>>>>>> Center
> >>>> Moffett
> >>>>>>>> Field, CA 94035 email@hidden
> >>>>>>>> W: 650.604.4014 | F: 650.604.3323
> >>>>>>>>
> >>>>>>>> ASRC Federal | Customer-Focused. Operationally Excellent.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Do not post admin requests to the list. They will be ignored.
> >>>>>>>> Fed-talk mailing list (email@hidden)
> >>>>>>>> Help/Unsubscribe/Update your Subscription:
> talk/hbhotz@oxy.e
> >>>>>>>> du
> >>>>>>>>
> >>>>>>>> This email sent to email@hidden
> >>>>>>>
> >>>>>>> Personal email. email@hidden
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Do not post admin requests to the list. They will be ignored.
> >>>>>> Fed-talk mailing list (email@hidden)
> >>>>>> Help/Unsubscribe/Update your Subscription:
> >>>>>> om
> >>>>>>
> >>>>>> This email sent to email@hidden
> >>>>>
> >>>>> _______________________________________________
> >>>>> Do not post admin requests to the list. They will be ignored.
> >>>>> Fed-talk mailing list (email@hidden)
> >>>>> Help/Unsubscribe/Update your Subscription:
> >>>>> a.hh
> >>>>> mi.org
> >>>>>
> >>>>> This email sent to email@hidden
> >>>>
> >>>> ---
> >>>> Rich Trouton
> >>>> email@hidden
> >>>>
> >>>> JRC Help Desk
> >>>> phone: x4030
> >>>> email: email@hidden
> >>>>
> >>>> The best way to get in touch with me is through email.
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Do not post admin requests to the list. They will be ignored.
> >>>> Fed-talk mailing list (email@hidden)
> >>>> Help/Unsubscribe/Update your Subscription:
> >>>> g
> >>>>
> >>>> This email sent to email@hidden
> >>>
> >>> _______________________________________________
> >>> Do not post admin requests to the list. They will be ignored.
> >>> Fed-talk mailing list (email@hidden)
> >>> Help/Unsubscribe/Update your Subscription:
> >>> a.gov
> >>>
> >>> This email sent to email@hidden
> >>
> >>
> >> _______________________________________________
> >> Do not post admin requests to the list. They will be ignored.
> >> Fed-talk mailing list (email@hidden)
> >> Help/Unsubscribe/Update your Subscription:
> >>
> >> This email sent to email@hidden
> >
> > Personal email. email@hidden
> >
> >
> >
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden