Filevault Decryption: Does It Work While Your Mac Sleeps?

does filevault decryption work while computer sleeps

FileVault is an Apple disk encryption feature that allows users to encrypt their hard drives and protect their data. When a user enables FileVault, their files are always encrypted until they turn off the feature. However, there are concerns about the security of FileVault while the computer is in sleep mode. In sleep mode, the computer is vulnerable to attacks that can access the encryption keys from RAM, such as DMA and Cold Boot Attacks. To address this, Apple has introduced features like DestroyFVKeyOnStandby, which allows users to destroy the FileVault key during standby, and disabling DMA on FireWire and Thunderbolt ports when the computer is locked. While FileVault provides a level of security, it is important for users to take additional precautions, such as setting a firmware password and requiring login credentials upon wake-up, to ensure the protection of their data.

shunsleep

FileVault 2 is secure against DMA attacks if the screen is locked

FileVault 2 is a full-disk encryption program built into macOS that encrypts the user's files with their password. It is important to note that FileVault 2 is distinct from the user's password, which is used to unlock the encryption and allow the files to be read from RAM.

FileVault 2 is considered secure against DMA attacks if the screen is locked. DMA attacks refer to Direct Memory Access, which allows an attacker to access the computer's memory directly and extract sensitive information such as passwords or encryption keys. However, if the screen is locked, the OS enables additional protections that prevent this type of attack. Specifically, OS X Lion (10.7.2 and higher) disables DMA when the user is logged out or the screen is locked.

It is worth noting that FileVault 2 does not protect against all types of attacks. For example, it is vulnerable to Cold Boot Attacks because the encryption keys are kept in memory while the machine is powered on. Additionally, if an attacker has physical access to the machine, they may be able to exploit other vulnerabilities, such as Firewire DMA attacks.

To maximize the security of FileVault 2, it is recommended to update to the latest version of macOS, use strong and unique passwords, and enable a firmware (pre-boot) password. Additionally, users should avoid connecting FireWire to untrusted devices while logged into an account with active FileVault keys.

shunsleep

FileVault decryption can be stopped by enabling DestroyFVKeyOnStandby

FileVault is a whole-disk encryption program built into macOS. It offers security against unauthorized access to the data stored on your Mac. When you power up a Mac with FileVault enabled, the disk is decrypted after you enter your password.

However, when your Mac is awake and logged in, all your files are accessible and unencrypted. This is where the "DestroyFVKeyOnStandby" feature comes in.

"DestroyFVKeyOnStandby" is a power management feature of OS X. Enabling this feature allows for the destruction of the FileVault key during standby for all power modes, including UPS, battery, and charger (wall power). This means that even if someone has physical access to your Mac while it is in standby mode, they won't be able to access your encrypted files without the decryption key.

To enable this feature, you can use the command "pmset -a destroyfvkeyonstandby 1". This command applies the setting to all power profiles. It is important to note that this feature may lead to slower sleep/wake times for your computer, and it has been reported to sometimes cause a kernel panic on wake. Additionally, if you find this feature unnecessary or frustrating, you can easily reverse it by changing the 1 to a 0 in the command: "pmset -a destroyfvkeyonstandby 0".

shunsleep

FileVault keys are retained when the system goes to standby

FileVault is a disk encryption feature built into macOS to protect your hard drive from unauthorized access. When enabled, your startup volume is locked when the Mac is sleeping or shut down, and the data is encoded so it can’t be read unless the login password is used.

By default, FileVault keys are retained even when the system goes to standby. This is because standby mode is a power-saving feature that automatically hibernates a Mac after it has been in sleep mode for a while, and the FileVault key is stored in EFI (firmware) so that the Mac can quickly come out of standby mode when woken from deep sleep.

However, if you are concerned about maximum security and protecting your Mac from aggressive attacks, you can set OS X to automatically destroy the FileVault key when it enters standby mode. This will prevent the stored key from being a potential weak point or attack target. By enabling this setting, FileVault users must enter their FileVault password when a Mac is awoken from standby mode, as the FV key is no longer stored for quick awakening.

To enable the destruction of the FileVault key during standby, you can use the command "sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25". This will work for all power modes, including UPS, battery, and charger. However, it is important to note that this setting may lead to slower sleep/wake times and has been reported to sometimes cause a kernel panic on wake.

Additionally, it is crucial to remember your FileVault password and recovery key. If you lose both your Mac password and FileVault recovery key, you will not be able to log in to your device or access your data.

Sedation Dentistry: Where Can I Sleep?

You may want to see also

shunsleep

FileVault can be decrypted, but it takes a long time

FileVault is a highly recommended disk encryption feature for security-conscious Mac users. It is designed to protect your data by keeping your files always encrypted. However, there may be instances where you need to disable FileVault and decrypt your Mac's hard drive.

The decryption process can take a significant amount of time, depending on several factors, including the speed of your Mac, the speed of the disk drive (SSDs are faster than HDDs), the size of the drive, and the amount of data stored on it. During this process, you can continue using your Mac, but you may experience slower performance and sluggishness. Therefore, it is often advisable to initiate the decryption process when you do not need to use your Mac actively, such as leaving it overnight or during the weekend.

The time required for decryption can vary from a few hours to several days. Some users have reported decryption times ranging from 90 minutes to 30 hours, with others experiencing even longer waits. It is worth noting that older Macs with spinning hard drives and older versions of macOS may encounter noticeable slowdowns with FileVault enabled, prompting them to disable the feature.

While FileVault decryption may take a while, it is important to prioritize the security of your data. If you plan to disable FileVault, ensure you have a lock screen password and a screensaver that activates after a period of inactivity to maintain a basic level of security.

shunsleep

FileVault full-disk encryption does not impact macOS wake-up times from sleep

FileVault 2 is secure against a DMA Attack if the screen isn't unlocked. It is assumed that, on sleep, the keys are encrypted with the user's password, rather than just left in memory. This also means it is protected against a Cold Boot Attack. However, it is not protected against a cold boot unless steps are taken to clear the memory on sleep.

One way to do this is to enable a power management feature of OS X called "DestroyFVKeyOnStandby". This will, however, lead to slower sleep/wake times and will reportedly sometimes cause a kernel panic on wake. Another option is to use the "Destroy File Vault Key when going to standby mode" feature. By default, FileVault keys are retained even when the system goes to standby. If the keys are destroyed, the user will be prompted to enter their password while coming out of standby mode.

It is important to note that, while the computer is on but locked, the key is in memory in the clear. This means that if someone were to dump the contents of RAM, they would be able to pull out the key. To prevent this, Apple has disabled functions like DMA on FireWire and Thunderbolt ports while the computer is locked, as these provide direct access to RAM.

Additionally, once a hard drive is encrypted with FileVault, all files are always encrypted until FileVault is turned off. This means that as long as the computer is awake and logged in, all files are accessible and unencrypted.

Frequently asked questions

FileVault decryption does work while the computer sleeps, but it is not protected against a cold boot attack unless you take steps to clear the memory on sleep.

You can stop FileVault decryption by going to "Energy Saver" in System Preferences and changing the sleep setting.

If you have FileVault enabled, your hard drive is encrypted until you turn it off. You will be asked to enter your password when you power up your Mac.

To prevent someone from accessing your files while your Mac is sleeping, you can enable a power management feature called "DestroyFVKeyOnStandby". This will destroy the FileVault key during standby for all power modes.

Your drive is always encrypted, so if someone pulls out a drive from a running Mac with FV2 enabled, they won't be able to read the blocks. However, your key is in memory when the computer is locked, so it is vulnerable to attacks that provide direct access to RAM.

Written by
Reviewed by

Explore related products

Share this post
Print
Did this article help you?

Leave a comment