Re: [Fed-Talk] Two Questions about FileVault
Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>
- Date: Wed, 13 May 2015 14:37:31 +0000
- Thread-topic: [Fed-Talk] Two Questions about FileVault
Tim,
I had a co-worker set the key without my knowledge, attached the drive to a test system that had never had that disk connected, let alone a key saved to access, and while the prompt was displayed to enter the key for mounting read the data from the free space. There was no credentialed access guaranteed.
I should note that FV2 through every means still leaves a small amount of recoverable data. Like with boot volumes, there's the recovery partition that isn't encrypted and some small amount of slack space (I think about 35MB), but the DU method leaves behind the entirety of unused space for recovery which is dramatically worse.
Paul
On May 13, 2015, at 7:26 AM, Miller, Timothy J. <email@hidden> wrote:
>> When using DU to erase and encrypt a volume, check diskutil cs list and 30
>> seconds later the drive is listed as fully secure, conversion complete. Yet,
>> while LOCKED and UNMOUNTED, on a system that's never touched that
>> drive, the free space content is trivially recovered with Data Rescue 3 or 4.
>> Unlike the other methods, DU is not running a background process to
>> encrypt the entire drive.
>
> I was hoping that wasn't the case, but I wasn't able to tease that out from the thread.
>
> I'd feel better if you were able to reproduce on a system that has no HFS+ support or by using other techniques just so as to eliminate the possibility that Data Rescue and or CoreStrorage is smart enough to snag credentials from Keychain and unlock/decrypt the volume on its own. There are some projects working in this space (e.g., hfsexplorer), so it's entirely possible.
>
> If you can do so, that's a vulnerability--if Apple won't give it attention you could disclose via CERT or a similar body.
>
> The obvious workaround would be to secureErase prior to formatting with diskutil or after, using secureErase freespace.
>
> -- T
>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
References: | |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Henry B (Hank) Hotz, CISSP" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: William Cerniuk <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Trouton, Rich R" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Miller, Timothy J." <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Henry B (Hank) Hotz, CISSP" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Miller, Timothy J." <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS]" <email@hidden>) |
| >Re: [Fed-Talk] Two Questions about FileVault (From: "Miller, Timothy J." <email@hidden>) |