An Unencrypted Look at FileVault
Subject:   The paradoxes in the article
Date:   2005-04-26 19:23:21
From:   josh2059
You said under "The Competition" the following:
"The strength of FileVault lies in the fact that it is fully integrated into Mac OS X, at the lowest level: the operating system itself takes care of performing the tasks on the fly, without relying upon add-ons."

You go on to say under "Threats Against Which FileVault Cannot Protect You,"

"However, it is important to keep in mind that, as soon as you log in, Mac OS X decrypts the data so that you and your applications can access it. Therefore, once you are logged in, a hacker or a virus can steal information as easily as when it is not encrypted."

This is almost a direct contradiction. If the encryption/decryption is done on the fly, the data sits there in its encrypted form and when a user opens it, the data is decrypted. However, your second statement makes it seem like the entire image is decrypted and then mounted. This means when a user opens a file for editing, he's editing a plaintext file which will be decrypted and added to the image when he logs out (thus not being on the fly). So, which is it?
I have been looking extensively through the Mac OS X kernel and I have not found anything about FileVault in the kernel. I also looked on a Mac which wasn't using FileVault to see if any new modules had been loaded and none had. Also, I cannot find any mention of FileVault in the modules that are loaded.
I suspect FileVault exists entirely in user space. This means it decrypts the image, mounts it as you usually would, and then waits. When the user logs out, the image is subsequently unmounted and repackaged (re-encrypted). I'd appreciate any clarifications/contradictions you guys might have.



  • The paradoxes in the article
    2005-04-27 00:45:38  FJ de Kermadec | O'Reilly Blogger


    First of all, thank you very much for taking the time to write, I really do appreciate it! :^)

    The encryption does happen on-the-fly as the file is never stored outside of the FileVault itself, much like if you were to create your own encrypted image and save a document immediately inside of it as you are working on it. Should the computer crash or be force-rebooted in any way, there would be no trace of the file outside of the vault, even without a proper shutdown procedure — that is, provided that the application you are using does not store caches in strange, non-standard places.

    However, you are entirely right about FileVault existing in the user space: the FileVault image is mounted as a whole and, as you are logged in, any application running with your privileges or the system privileges can access your files as if they were unencrypted — which is necessary for the system to function normally.

    Both aspects of FileVault aren't in contradiction but it is true that it might seem surprising at first.

    I hope this answers your question and remain at your disposition to provide you with any additional information you may deem useful.

    Truly yours,
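
The two properties discussed in this thread, shown side by side in a toy model. This is an added example, not part of the thread and not FileVault's implementation: the class, the sector size, the SHA-256 keystream standing in for a real cipher, and the sample strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECTOR = 64  # bytes per sector in this toy model

def _xor_sector(key: bytes, sector_no: int, nonce: bytes, block: bytes) -> bytes:
    """XOR a sector with a SHA-256 counter keystream (toy stand-in for a real cipher)."""
    stream = b"".join(
        hashlib.sha256(key + nonce + sector_no.to_bytes(8, "big") + bytes([i])).digest()
        for i in range(SECTOR // 32))
    return bytes(a ^ b for a, b in zip(block, stream))

class EncryptedImage:
    """Backing store holds only ciphertext; the key exists only while mounted."""
    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self.backing = {}            # sector_no -> (nonce, ciphertext): what is "on disk"
        self._key = None
        self._check = hashlib.sha256(self._derive(passphrase)).digest()
    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)
    def mount(self, passphrase: str) -> None:      # corresponds to login
        key = self._derive(passphrase)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._check):
            raise PermissionError("wrong passphrase")
        self._key = key
    def unmount(self) -> None:                     # corresponds to logout
        self._key = None
    def write(self, sector_no: int, data: bytes) -> None:
        if self._key is None:
            raise PermissionError("image not mounted")
        nonce = os.urandom(16)                     # fresh per write, keystream never repeats
        block = data.ljust(SECTOR, b"\0")[:SECTOR]
        self.backing[sector_no] = (nonce, _xor_sector(self._key, sector_no, nonce, block))
    def read(self, sector_no: int) -> bytes:
        if self._key is None:
            raise PermissionError("image not mounted")
        nonce, ct = self.backing[sector_no]
        return _xor_sector(self._key, sector_no, nonce, ct).rstrip(b"\0")

def demo():
    secret = b"constructed sample document"
    img = EncryptedImage("constructed-passphrase")
    img.mount("constructed-passphrase")
    img.write(0, secret)                 # encrypted as it is written
    on_disk = img.backing[0][1]          # what a crash or disk theft would expose
    seen_while_mounted = img.read(0)     # what any code running as the user gets
    img.unmount()
    return secret in on_disk, seen_while_mounted == secret, img._key is None
```

`demo()` returns `(False, True, True)`: the stored sector never contains the plaintext, yet every reader of the mounted image receives it until the key is discarded at unmount.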