Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 8 Sep 2015 12:21:59 -0700
From:      Brandon Vincent <Brandon.Vincent@asu.edu>
To:        Igor Mozolevsky <igor@hybrid-lab.co.uk>
Cc:        "Li, Xiao" <xaol@amazon.com>, Hackers freeBSD <freebsd-hackers@freebsd.org>, Analysiser <analysiser@gmail.com>
Subject:   Re: Passphraseless Disk Encryption Options?
Message-ID:  <CAJm423922bM7dCQRnOErRXvZHmbtAabU15B6sNPAWNPqX-Nfiw@mail.gmail.com>
In-Reply-To: <CADWvR2hHFYYKLGAW-YsAK_XQ7E5bdWjDxbTMgDfk4Ca8B05LcA@mail.gmail.com>
References:  <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com> <CADWvR2iVubsBQjnvQ8mDGGS7ujsR8wPQ2RAxn=kvFkmVGQkXiQ@mail.gmail.com> <D2147761.1A53%xaol@amazon.com> <CADWvR2hHFYYKLGAW-YsAK_XQ7E5bdWjDxbTMgDfk4Ca8B05LcA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, Sep 8, 2015 at 11:51 AM, Igor Mozolevsky <igor@hybrid-lab.co.uk> wrote:
> I think you're missing the point- I suspect Apple's login *is* the decrypt
> process- OS X needs something from the user to give access to the data;
> without the user typing in their password, the data on the disk (as I said)
> is just a source of entropy.

Analysiser,

Backing up what Igor has stated, the underlying principles behind
FileVault 2 is no different than those employed by commercially
available FDE software and open source solutions such as LUKS on
GNU/Linux. When FileVault 2 is enabled on OS X, the system loads
additional EFI code from the unencrypted recovery partition during
startup and then references a file (on the unencrypted recovery
partition) which has the volume master key encrypted with a
intermediary key (essentially each user's password).

When you enable FileVault 2 for the first time, you have to enter the
system password for each user who you want to have the ability to
decrypt the hard drive on startup. After this point, if a user on the
system decides to update their password, OS X seamlessly updates the
intermediary key required to decrypt the key-encryption-key for the
volume.

Essentially, the engineers at Apple have elegantly streamlined the
process to minimize user frustration and interruption. Most open
source FDE is not quite polished similarly.

Brandon Vincent

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJm423922bM7dCQRnOErRXvZHmbtAabU15B6sNPAWNPqX-Nfiw>