Complete Mac Security, Part 3


Matt Willmore

FileVault is a new technology in Mac OS X. Matt Willmore teaches you about what FileVault is, how to use it, and if you should even be using it in this final installment of our Mac OS X security series.

This third article in the Complete Mac Security series expands upon the first and second installments. We've already covered physical security, Open Firmware, LoginWindow, Fast User Switching, and Screen Effects, and how they can be used to secure your Mac. This installment will focus on file security and encryption.

Theory

Even if you follow the suggestions of the first two articles to the letter, the security of your computer and files is not guaranteed. Most of the threats to your data come down to someone getting at the files themselves, either by sitting down at the Mac (or pulling out its hard drive) or over an open network connection. Encryption addresses the first case directly: a drive that ends up in someone else's hands gives up nothing without the key. Taking those steps now means not having to worry about it later.

File Encryption: Past to Present

Starting with Mac OS 9, Mac users have been able to encrypt files for free with Apple File Security, which used a 56-bit key to encrypt (and compress) individual files when you dragged a file onto it or chose "Encrypt" from the File menu. You entered a password, the file was encrypted and compressed, and you had the option of saving the password to the keychain. You couldn't encrypt folders, disks, volumes, or System Folder items. And since each file could have its own password, managing more than a few files became a pain without the keychain. A 56-bit key was also a weak choice even then: a key space that small can be searched exhaustively by a determined attacker with modest hardware.

What has changed in OS X? Plenty. There are now several tools you can use to keep your files secure in OS X:

FileVault

Panther introduced to the Mac community a tool called FileVault, which, when enabled, encrypts and decrypts your home directory on the fly. The idea is that your home directory can be completely protected at rest while you still read and change its contents at will. Under the hood, FileVault stores your home directory as a sparse disk image encrypted with 128-bit Advanced Encryption Standard (AES); the image is mounted when you log in and unmounted when you log out. Every file in your home directory is encrypted on the disk, and when you, OS X, or anyone else with permission reads or writes a file, the data is decrypted or encrypted in the disk image layer as it passes through, so applications never see the difference. On all but older machines it's fast enough that you shouldn't notice a speed drop.

One caveat follows directly from this design: FileVault protects data at rest, meaning while you are logged out or the Mac is off. While you are logged in, the image is mounted, and every process running under your account (including any malware you may have picked up) reads your files in the clear, exactly as it could without FileVault. It is a defense against a lost or stolen Mac, not against a compromised one.

FileVault Shortcomings

As cool as FileVault sounds, it isn't perfect. There are some shortcomings, which come from the file system, from UNIX, and from third-party applications rather than from the encryption itself. The first problem involves two HFS+ optimizations Apple added in 10.3: on-the-fly defragmentation and Adaptive Hot File Clustering (AHFC). On a journaled volume, when a fragmented file smaller than 20MB is opened, the file system rewrites it into a free area large enough to hold the whole file contiguously and points the catalog entry at the new location; AHFC separately relocates small, frequently read files into a "hot" zone of the disk. (Files larger than 20MB are not defragmented.) In both cases the old blocks are simply marked free; their contents are not overwritten. If you later use Secure Empty Trash on the file, the Finder overwrites the blocks the file occupies now and never goes back to the blocks of the earlier copy. Even though that space is declared free, nothing guarantees another file has been written over it, so an unreferenced copy of the data can sit on the hard drive indefinitely. (A stale copy that lives inside a FileVault image is at least still encrypted; the exposure is for files stored outside it, and for anyone relying on Secure Empty Trash alone.)

The other problem involves applications such as Microsoft Office v.X that create temporary files of what you are working on. A program may place those in a different location than the file itself. If you securely delete the file, the temp files it left behind are not touched, leaving a spare (possibly partial) copy of the sensitive information on your hard drive; unlike the case above, this copy IS still referenced by OS X, so it is trivial to find.

Another problem you may run into is with a program like iMovie or Final Cut Pro that demands very high bandwidth from the hard drive while your scratch location is inside your home directory. FileVault can't keep up with the throughput those applications require, and the application will throw up an error (dropped frames, slow access times). The solution is to store the media outside your home directory. If you need to keep it secure, you can create an encrypted disk image with Disk Utility (see below) and store the media in that, but the image is encrypted too, so test that your editing application's throughput is acceptable before relying on it.

Enabling FileVault

FileVault is a snap to enable, and once it's turned on, you're set. If you choose at a later date to disable FileVault, you have that option; just remember that you will need the user's password or the master password to do that. Lose both, and the data in the encrypted home directory is gone for good.

  1. In System Preferences, select the Security control panel. FileVault occupies the top half of the window. If you haven't set a master password, do that now. The master password can unlock any FileVault account on the machine in case a user's password is lost, which also means it is a secret worth guarding as carefully as any user password: anyone who learns it can open every encrypted home directory on the Mac. After the master password is set, click Turn On FileVault... to start the process. Be aware that creating the encrypted home directory requires free hard drive space equal to the size of your current home directory, because the encrypted copy is built alongside the original. If you don't have enough space, FileVault will tell you.
  2. The process requires you to log out so it can build the encrypted directory. Once it logs you out, you'll see a progress window while it creates the encrypted image, and then you're returned to the login window. Log back in, and you're ready to go. You'll notice that your home directory icon has changed to the FileVault icon. At this point the directory is protected, and you can forget about it.
  3. If the need arises, you can disable FileVault in much the same way you enabled it: click the Turn Off FileVault... button and go through the same process in reverse (again, it needs enough free space to hold an unencrypted copy of your home directory). Log back in, and you'll be exactly where you started.
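To make the at-rest versus in-use distinction concrete, here is a toy model of an encrypted home image. It is an example added for this edition, not Apple's code and not anything from the original article. Everything in it is assumed for the illustration: the 32-byte block size, the PBKDF2 round count, the key-check layout, and the names EncryptedImage, derive_key and demo. Python's standard library ships no AES, so an HMAC-SHA256 keystream in counter mode stands in for FileVault's AES-128; the properties demonstrated (ciphertext on disk, plaintext through the unlocked view, nothing for a wrong passphrase) do not depend on that substitution.

```python
import hashlib
import hmac
import os

BLOCK = 32             # tiny block size so the demo stays readable (assumed)
PBKDF2_ROUNDS = 20000  # assumed for the demo; Apple's real key derivation differs


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the user's passphrase into a 128-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, 16)


def keystream(key: bytes, block_no: int) -> bytes:
    """Keystream for one block: HMAC(key, block number). Stand-in for AES-128."""
    return hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


class EncryptedImage:
    """The image file as it sits on disk: a header (salt + key check) and ciphertext blocks."""

    def __init__(self, passphrase: str, blocks: int):
        self.salt = os.urandom(16)
        key = derive_key(passphrase, self.salt)
        # Key-check value: lets unlock() reject a wrong passphrase instead of
        # mounting garbage. A real format would also authenticate the blocks.
        self.check = hmac.new(key, b"key-check", hashlib.sha256).digest()
        self.data = bytearray(blocks * BLOCK)   # what a thief with the drive gets
        self._key = None                        # locked until unlock()

    def unlock(self, passphrase: str) -> bool:
        """Login: derive the key and verify it against the stored check value."""
        key = derive_key(passphrase, self.salt)
        probe = hmac.new(key, b"key-check", hashlib.sha256).digest()
        self._key = key if hmac.compare_digest(probe, self.check) else None
        return self._key is not None

    def lock(self) -> None:
        """Logout: forget the key; the image is ciphertext again."""
        self._key = None

    def _xor(self, block_no: int, buf: bytes) -> bytes:
        if self._key is None:
            raise PermissionError("image is locked: log in (unlock) first")
        return bytes(a ^ b for a, b in zip(buf, keystream(self._key, block_no)))

    def write_block(self, block_no: int, plaintext: bytes) -> None:
        """Encrypt on the way in. Rewriting the same block reuses the keystream
        (a plain-CTR weakness); real disk encryption uses tweakable modes such
        as XTS to avoid exactly that. Fine for showing at-rest vs in-use."""
        padded = plaintext.ljust(BLOCK, b"\0")[:BLOCK]
        start = block_no * BLOCK
        self.data[start:start + BLOCK] = self._xor(block_no, padded)

    def read_block(self, block_no: int) -> bytes:
        """Decrypt on the way out: what the Finder, or any process, sees."""
        start = block_no * BLOCK
        return self._xor(block_no, bytes(self.data[start:start + BLOCK])).rstrip(b"\0")


def demo() -> dict:
    """Exercise the three properties the FileVault section relies on."""
    img = EncryptedImage("correct horse battery staple", blocks=8)
    secret = b"payroll.xls: CEO 250000"          # constructed sample data
    img.unlock("correct horse battery staple")   # the user logs in
    img.write_block(3, secret)
    at_rest = bytes(img.data)                    # bytes on the platter
    mounted_read = img.read_block(3)             # bytes an application sees
    img.lock()                                   # the user logs out
    try:
        img.read_block(3)
        locked_read_blocked = False
    except PermissionError:
        locked_read_blocked = True
    return {
        "plaintext_in_image_file": secret in at_rest,
        "mounted_read_matches": mounted_read == secret,
        "locked_read_blocked": locked_read_blocked,
        "wrong_passphrase_unlocks": img.unlock("password1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the plaintext never appears in the image bytes, a read through the unlocked image returns it intact, a read after lock() is refused, and "password1" does not unlock. The mirror image of the first result is the caveat above: while unlock() has been called, any code that can reach read_block sees the same plaintext the owner does.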

Secure Disk Images with Disk Utility

This is a cool trick that was around even before Panther. With Disk Utility (which absorbed the old Disk Copy application with the release of Panther), you can create 128-bit AES-encrypted disk images, useful for moving sensitive files on CD, DVD, or over a download, or just for encrypted storage. Creating one is a snap.

After starting up Disk Utility, select Images > New > Blank Image... from the menu bar, and choose the location, size, and read/write capabilities of the image. For encryption, select AES-128 (recommended). Click OK, and the image will be created. During the creation process, Disk Utility will ask you for the image's password. This is similar to FileVault in that if you forget it, the data's as good as gone. The flip side is that the password is all that protects the image: the encryption key is derived from it, so a short or guessable password can be found by trying candidates offline no matter how strong AES is. Pick a long one. Check the box to save the password to the Keychain if you like (anyone who can unlock your login keychain can then open the image), and then click OK. Your image will be created and mounted on the desktop. It's also worth noting that the other two options under Images > New, Image from Folder and Image from (selected device), also offer encryption.

Secure Empty Trash

Securely empty the trash? How was the old method not secure? Anyone familiar with modern operating systems can tell you that when you delete a file in the GUI, the file's data is not erased. The OS merely removes its record of where the file lives on the hard drive. It then treats those blocks as free, and the old data is eventually overwritten by something else, but until that happens the contents sit there intact and can be read back with a disk editor or recovery tool. This has been a gold mine for people looking for sensitive information that we thought we had "deleted".

While shareware and freeware programs that do this very thing have been available for OS X for some time, Panther is the first OS from Apple to include an option in the Finder to securely delete files you want completely erased. It does this by writing random data over the file's blocks seven times, following the U.S. Department of Defense 5220.22-M specification, before removing the entry from the file system's catalog and declaring the space free. Once the blocks have been overwritten, the original contents cannot be recovered from them, with the caveats above: copies the file system or an application left elsewhere on the disk are untouched.

Note that this may not be the best method for large amounts of data. Since every block of the file has to be written seven times, the time needed for large files can be considerable. It is most suitable for small personal files that need to be securely erased. For everything else, wiping the free space of the whole volume is the only way to also catch the stray copies described above.
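The two leftovers described above (a file the file system relocated, and an application's temp file) are easy to watch happen on a toy block device. The following is an added example, not code from the article or from Apple. ToyDisk, its first-fit allocator, the 16-byte block size, the sample file names and the sample contents are all constructed for the demonstration, and the seven-pass overwrite is reduced to a single random pass because the point is which blocks get touched, not how many times.

```python
import os

BLOCK = 16          # tiny block so a three-block "file" stays readable (assumed)
DISK_BLOCKS = 24    # size of the toy platter (assumed)


def chunks(data: bytes) -> list:
    """Split data into BLOCK-sized pieces, padding the last with zeros."""
    return [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]


class ToyDisk:
    """Raw block storage plus a catalog mapping file names to block numbers."""

    def __init__(self):
        self.raw = bytearray(BLOCK * DISK_BLOCKS)   # the platter
        self.free = list(range(DISK_BLOCKS))         # unallocated block numbers
        self.dir = {}                                # name -> [block numbers]

    def _put(self, b: int, piece: bytes) -> None:
        self.raw[b * BLOCK:(b + 1) * BLOCK] = piece

    def _get(self, b: int) -> bytes:
        return bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])

    def write(self, name: str, data: bytes) -> None:
        """First-fit: take the lowest free blocks, adjacent or not."""
        blocks = []
        for piece in chunks(data):
            b = self.free.pop(0)
            self._put(b, piece)
            blocks.append(b)
        self.dir[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the catalog entry; the blocks keep their bytes."""
        self.free = sorted(self.free + self.dir.pop(name))

    def secure_delete(self, name: str) -> None:
        """Secure Empty Trash: overwrite the blocks the file occupies NOW, then free them."""
        for b in self.dir[name]:
            self._put(b, os.urandom(BLOCK))
        self.delete(name)

    def defragment(self, name: str) -> None:
        """Panther-style relocation: copy into a contiguous free run, free the old blocks unwiped."""
        n = len(self.dir[name])
        for i in range(len(self.free) - n + 1):
            run = self.free[i:i + n]
            if run == list(range(run[0], run[0] + n)):
                break
        else:
            raise RuntimeError("no contiguous free run large enough")
        old = self.dir[name]
        for src, dst in zip(old, run):
            self._put(dst, self._get(src))
        self.free = sorted((set(self.free) - set(run)) | set(old))
        self.dir[name] = run

    def wipe_free_space(self) -> None:
        """What a free-space eraser does: overwrite every unallocated block."""
        for b in self.free:
            self._put(b, os.urandom(BLOCK))

    def leaked_chunks(self, data: bytes) -> int:
        """Distinct pieces of `data` still present anywhere on the platter, referenced or not."""
        on_disk = {self._get(b) for b in range(DISK_BLOCKS)}
        return sum(1 for piece in chunks(data) if piece in on_disk)

    def files_holding(self, data: bytes) -> list:
        """Catalogued files (think application temp files) that still contain a piece of `data`."""
        pieces = set(chunks(data))
        return [name for name, blocks in self.dir.items()
                if any(self._get(b) in pieces for b in blocks)]


def demo() -> dict:
    disk = ToyDisk()
    secret = b"Q3 layoff list: Smith, Jones, Lee - CONFIDENTIAL"   # constructed, exactly 3 blocks
    for name in ("a", "b", "c", "d"):      # fragment the free space first
        disk.write(name, b"filler")
    disk.delete("a")
    disk.delete("c")
    disk.write("Documents/layoffs.doc", secret)                      # lands in blocks 0, 2, 4
    disk.write("Temporary Items/Word Work File", chunks(secret)[0])  # the app's scratch copy
    layout = list(disk.dir["Documents/layoffs.doc"])
    disk.defragment("Documents/layoffs.doc")     # file system moves it behind your back
    disk.secure_delete("Documents/layoffs.doc")  # you do Secure Empty Trash
    results = {"fragmented_layout": layout,
               "after_secure_delete": disk.leaked_chunks(secret),   # the stale copy survives
               "referenced_copies": disk.files_holding(secret)}
    disk.wipe_free_space()
    results["after_free_space_wipe"] = disk.leaked_chunks(secret)  # only the temp file is left
    disk.secure_delete("Temporary Items/Word Work File")
    results["after_temp_removed"] = disk.leaked_chunks(secret)
    return results
```

demo() reports that all three pieces of the document are still on the platter after Secure Empty Trash (the unwiped blocks 0, 2 and 4 of the original, fragmented copy), that the temp file is the one catalogued file still holding a piece of it, that wiping free space removes the stale copy but not the temp file, and that only securely deleting the temp file as well brings the count to zero. That is the order of operations a practitioner needs: find and remove referenced copies, then erase free space.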

In the coming weeks, MacZealots.com will publish additional articles in the Complete Mac Security series, covering every aspect of practical OS X security, including permissions, network ports, file/web sharing, and other topics.

Matt Willmore is a founding partner of MacZealots.com. Matt is also a Resident Assistant at Owen Hall and does Mac support at ECN, and is active in PUMUG. He can be reached at .

Reader Comments (14)


1 Kirk McElhearn remarks:
#1) On February 27, 2004 3:18 AM

Unfortunately, the Secure Empty Trash is not at all secure.

Under Panther, files under 20 MB are automatically re-written when read or opened; the purpose of this is to defragment them if needed. What this means is that your files are copied all over your hard disk, if they are less than 20 MB, and if they get fragmented.

Programs like Word, which write plenty of temporary files, also leave traces of your information. If you delete your top-secret Word file, you won't be able to delete the many (dozens, or even hundreds) temp files.

There is truly no way to securely delete files on a Mac, unless you use a utility to erase all the free space.

2 Ryan J. Bonnell remarks:
#2) On February 27, 2004 3:38 AM

To add on to what Kirk said:

Yes, when opening a file that has 8 or more fragments and is smaller than 20 MB in size, it's automatically defragmented, and that is only if you're using the default Panther file system (Mac OS Extended Journaled). This is just one of the optimizations to the HFS+ driver when using a journaled file system.

Another thing that negates the “Secure Empty Trash” is Panther’s Adaptive Hot File Clustering (Running Mac OS X Panther, Chapter 10, page 152):

Over a period of time, the system keeps track of small files that are read frequently, but never written to. As the system learns which files are used most and which are least likely to change size, it moves them to the fastest part of the drive, where they can quickly be accessed. Files that don’t meet the requirements for being in this “hot zone” are moved out to ensure that enough room exists for the files that should be there.

These optimizations weren't part of the official advertised feature set of Panther, but were discovered by some programmers while reading the source code for the filesystem drivers available for the Darwin project.

What these two behaviors mean, is that with the Operating System automatically moving files around behind the scenes, it would be difficult if not impossible to completely shred the contents of your history, even by doing a Secure Empty Trash.

This just reinforces the need for better physical system security among other things.

3 Jill remarks:
#3) On May 16, 2004 11:16 PM

I let a child use my computer and they downloaded a “sit” file which my computer cannot translate as I’m on a Powerbook G4, 667MHZ, 512 MB, OSX.2.8 Anyway, Can anyone suggest how to DUMP these files? One is a SIT and the other is a ZIP file. I can’t unzip the file to delete it nor delete the other.
THANKS!

4 jill's helping hand remarks:
#4) On May 17, 2004 6:35 AM

a) .sit & .zip files can be unpacked by the free StuffIt Expander (www.aladdinsys.com). Under 10.3 zip files can be expanded by the Finder.

b) Why would you need to unstuff or unzip the files if you only want to delete them? Just drop the zipped or stuffed file in the trash, no need to unpack them first!

Hope this answers your questions.

5 Tobias Rosenstock remarks:
#5) On June 3, 2005 5:01 PM

Since Tiger, there is an “Erase Free Space..” button on the Erase tab in Disk Utility.
The “Security Options..” button on the same tab gives you a choice of “Don’t Erase”, “Zero Out Data”, 7-Pass Erase and 35-Pass Erase (for your Top Secret Files ;) ) - “Erase”, in this case, means overwriting with random data as described in the DoD-Specs mentioned in the original article.

One thing I'm still waiting for is FileVault options in Disk Utility. Funky knobs like "Encrypt this Partition" or "Encrypt this Device".. dreaming

6 Andreades remarks:
#6) On June 4, 2005 1:57 AM

This is a neat web site. Some topics are touched upon here that I’ve never seen B4 all in the same place. Thanks, MacZealots!

In the past (beginning with Jaguar (10.2)), after turning on FileVault and (later) running a commercial freespace wiper, a peculiar anomaly occurred that so far no one, including the techs at AppleCare, has ever been able to explain. It still has me completely flummoxed.

Immediately following completion of the first wipe, freespace on the active partition began diminishing exponentially following every reboot, until at last there was not enough expansion room left on the drive to open files. When you're hamstrung there's no alternative but to format and reinstall OS X. I'd been using the same wiper tool for several months B4 turning on FV for the first time, and nothing weird ever came about in the course of several previous wipes. So FV was definitely a factor.

This outrageous quirk paid a visitation twice. After the first episode I’d assumed that one of the Java-related exploits “going around” at the time had been the actual cause; but when it happened a second time, that scared me. I emailed the people who make the shredder (which I’m still using) — but nothing ever got solved there; they indicated that no one in their Development dept. had ever heard of such a thing. I believed them.

Now, being twice-burned and four-times shy, I’m a little hesitant to initiate FileVault (in Panther), fearing the same results.

Anybody know what the odds are of this happening in 10.3.9, and/or how I can prevent it? Or if it’s a known risk?

A

7 Paul Carey remarks:
#7) On October 10, 2005 6:29 PM

I cannot turn off FileVault! I use Tiger 10.4.2 and am having some trouble seeing video clips in Final Cut Express HD's viewer window (many audio and video dropped frames). Troubleshooting investigations suggest turning off FileVault. When I try to do this, I get the following message:

“Turning off FileVault requires an additional 4071.1 GB of free disk space to create an unencrypted copy of the home folder. Try emptying the Trash or deleting files you don’t need.”

This is ridiculous, of course. Who has a 4 Terabyte hard disk?

Anybody else have this problem? If so, how did you get FileVault to turn off.

P.G. Carey

8 Carl remarks:
#8) On November 8, 2005 10:29 AM

I have the same problem, but I need 4.076TB of free disk space.

9 Jake remarks:
#9) On January 2, 2006 11:34 PM

Same problem…

10 Youssef Francis remarks:
#10) On January 14, 2006 2:31 PM

Replying to #7:

Paul, the disk space requirements seem to be a bug in FileVault that still exists to this date and the most recent build of Tiger (10.4.4). This problem also exists when some users attempt to turn ON FileVault, and is therefore not only limited to turning OFF the encryption.

This is quite baffling, but a possible reason might be the presence of thousands of fragmented small files that the system is having a hard time indexing/discerning between; although that is far-fetched, I don't see any other possible cause of this flaw than just plain old shoddy coding on Apple's part.

I suggest calling Apple, and also emailing them about it, if you really need to turn it off, then you will have to back up your data and restore your machine to factory settings, because I doubt you are willing to pay thousands of dollars on a 4+ Terabyte HD.

Good luck :)

11 Youssef Francis remarks:
#11) On January 14, 2006 2:33 PM

Another suggestion would be to move your Final Cut Pro working directory to a folder outside your home directory, until this issue is resolved. That way you are able to circumvent FileVault's speed throttles.

Good luck again :)

12 Youssef Francis remarks:
#12) On January 14, 2006 2:55 PM

OK, after digging around I found a possible solution for this. Find an external HD, copy your Home directory contents (ALL OF THEM) to that external location, then delete your home dir sparse image. This will cause FileVault to shrink your dir to a negligible size. You must then repair permissions; after that you may turn off FileVault with no problems. Copy the contents of your home dir back from the external HD into Home and you're golden!

This bug apparently involves an incorrect “calculation”. All it does is (4000 + HD_size_in_GB) and reports a value around 4074.6GB as the required space. I don’t understand what Apple software engineers were thinking, possibly they were confused with external 4TB RAID arrays and they just made 4074.6 the maximum possible space you could require. Again, this is just supposition, take it with a grain of salt.

Anyways, follow the instructions in the first paragraph and you should be good. I don’t pretend to have cooked these instructions up, I got them from dear old Google. For more information I suggest (http://episteme.arstechnica.com/groupee/forums/a/tpc/f/8300945231/m/485000104731/r/817006204731). That is the page I got this information from.

Youssef Francis

13 Bobb remarks:
#13) On January 31, 2006 10:35 PM

I’d like to make an encrypted container that uses a certificate separate from whatever is used for things like FileVault.

I want to be able to remove the private key file from the system to secure the files that have been encrypted. Does the keychain manager facilitate this?

14 brian remarks:
#14) On February 4, 2006 1:07 PM

My disk is S.M.A.R.T. status failing.. in this case the drive will soon be headed to Apple.. yet the option to secure delete and zero empty space are now greyed out..
can anyone tell me of another utility to use to “scrub” the free space as much as possible..?