Date: Tue, 8 Sep 2015 12:21:59 -0700 From: Brandon Vincent <Brandon.Vincent@asu.edu> To: Igor Mozolevsky <igor@hybrid-lab.co.uk> Cc: "Li, Xiao" <xaol@amazon.com>, Hackers freeBSD <freebsd-hackers@freebsd.org>, Analysiser <analysiser@gmail.com> Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <CAJm423922bM7dCQRnOErRXvZHmbtAabU15B6sNPAWNPqX-Nfiw@mail.gmail.com> In-Reply-To: <CADWvR2hHFYYKLGAW-YsAK_XQ7E5bdWjDxbTMgDfk4Ca8B05LcA@mail.gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com> <CADWvR2iVubsBQjnvQ8mDGGS7ujsR8wPQ2RAxn=kvFkmVGQkXiQ@mail.gmail.com> <D2147761.1A53%xaol@amazon.com> <CADWvR2hHFYYKLGAW-YsAK_XQ7E5bdWjDxbTMgDfk4Ca8B05LcA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Sep 8, 2015 at 11:51 AM, Igor Mozolevsky <igor@hybrid-lab.co.uk> wrote: > I think you're missing the point- I suspect Apple's login *is* the decrypt > process- OS X needs something from the user to give access to the data; > without the user typing in their password, the data on the disk (as I said) > is just a source of entropy. Analysiser, Backing up what Igor has stated, the underlying principles behind FileVault 2 is no different than those employed by commercially available FDE software and open source solutions such as LUKS on GNU/Linux. When FileVault 2 is enabled on OS X, the system loads additional EFI code from the unencrypted recovery partition during startup and then references a file (on the unencrypted recovery partition) which has the volume master key encrypted with a intermediary key (essentially each user's password). When you enable FileVault 2 for the first time, you have to enter the system password for each user who you want to have the ability to decrypt the hard drive on startup. After this point, if a user on the system decides to update their password, OS X seamlessly updates the intermediary key required to decrypt the key-encryption-key for the volume. Essentially, the engineers at Apple have elegantly streamlined the process to minimize user frustration and interruption. Most open source FDE is not quite polished similarly. Brandon Vincent
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJm423922bM7dCQRnOErRXvZHmbtAabU15B6sNPAWNPqX-Nfiw>