==FileVault 2==

===Security===
FileVault uses the user's login password as the encryption passphrase. It uses the [[Disk encryption theory|XTS-AES]] mode of [[Advanced Encryption Standard|AES]] with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by [[NIST]].<ref name="wpfv2" /><ref>{{cite journal | url=http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf | title=Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices | author=Dworkin, Morris | journal=NIST Special Publication |date=January 2010 | issue=800-38E| doi=10.6028/NIST.SP.800-38E }}</ref> Only unlock-enabled users can start or unlock the drive. Once the drive is unlocked, other users may also use the computer until it is shut down.<ref name=aboutfv2 />

===Performance===
The [[I/O]] performance penalty for using FileVault 2 was found to be around 3% when using CPUs with the [[AES instruction set]], such as the [[Broadwell (microarchitecture)|Intel Core i]], and [[OS X Yosemite|OS X 10.10.3 Yosemite]].<ref>{{cite web |url=https://archive.techarp.com/showarticle0037.html?artno=877&pgno=1 |website=Tech ARP |title=How Fast is the 512 GB PCIe X4 SSD in the 2015 MacBook Pro?}}</ref> Performance deterioration will be larger for CPUs without this instruction set, such as older [[Intel Core (microarchitecture)|Core]] CPUs.

===Master passwords and recovery keys===
When FileVault 2 is enabled while the system is running, the system creates and displays a recovery key for the computer, and offers the user the option of storing the key with Apple. The 120 bit recovery key is encoded with all letters and numbers 1 through 9, and is read from {{mono|/dev/random}}; it therefore relies on the security of the [[Pseudorandom number generator|PRNG]] used in macOS. A cryptanalysis in 2012 found this mechanism safe.<ref name=choudary2012>{{cite journal|last=Choudary|first=Omar|author2=Felix Grobert |author3=Joachim Metz |title=Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption|date=July 2012|url=http://eprint.iacr.org/2012/374|access-date=January 19, 2013}}</ref> Changing the recovery key is not possible without re-encrypting the FileVault volume.<ref name="aboutfv2" />

===Validation===
Users of FileVault 2 in OS X 10.9 and above can validate that their recovery key works by running {{mono|sudo fdesetup validaterecovery}} in Terminal after encryption has finished. The key must be in the form {{mono|xxxx-xxxx-xxxx-xxxx-xxxx-xxxx}}, and the command returns true if the key is correct.<ref>{{cite web | url=https://developer.apple.com/library/Mac/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.html | title=fdesetup(8) Mac OS X Manual Page | publisher=[[Apple Inc.|Apple]] | date=August 21, 2013 | access-date=August 9, 2014}}</ref>
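
A format pre-check for a transcribed or escrowed recovery key, as an added example that is not part of the article or of Apple's tooling. It follows the alphabet and the {{mono|xxxx-xxxx-xxxx-xxxx-xxxx-xxxx}} form as described above; the function names and the uppercase normalisation are assumptions, and it checks shape only, so {{mono|sudo fdesetup validaterecovery}} remains the authoritative test.

```python
import math
import string

# Alphabet as the article describes it: all letters plus digits 1-9 (no zero).
ALPHABET = set(string.ascii_uppercase + "123456789")
GROUPS, GROUP_LEN = 6, 4      # xxxx-xxxx-xxxx-xxxx-xxxx-xxxx
STATED_BITS = 120             # recovery key size given in the article


def check_recovery_key(raw):
    """Return (normalised_key, problems); an empty list means well-formed."""
    # Assumption: surrounding whitespace and lowercase are transcription noise.
    key = raw.strip().upper()
    problems = []
    groups = key.split("-")
    if len(groups) != GROUPS:
        problems.append(
            f"expected {GROUPS} hyphen-separated groups, got {len(groups)}")
    for i, group in enumerate(groups, 1):
        if len(group) != GROUP_LEN:
            problems.append(
                f"group {i} has {len(group)} characters, expected {GROUP_LEN}")
        bad = sorted(set(group) - ALPHABET)
        if bad:
            hint = " (0 is not in the alphabet; possibly the letter O)" \
                if "0" in bad else ""
            problems.append(f"group {i} has invalid characters {bad}{hint}")
    return key, problems


def format_capacity_bits():
    """Upper bound on what 24 characters over this alphabet can encode."""
    return GROUPS * GROUP_LEN * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample strings, not real recovery keys.
    for sample in ("ABCD-EFGH-JKLM-NPQR-STUV-WXY2",
                   "abcd-efgh-jklm-npqr-stuv-wxy0",
                   "ABCD-EFGH-JKLM-NPQR-STUV"):
        key, problems = check_recovery_key(sample)
        print(key, "->", problems or "well-formed")
    print(f"format capacity {format_capacity_bits():.1f} bits, "
          f"stated key size {STATED_BITS} bits")
```

The capacity figure shows that the 24-character form has room for the stated 120 bits; it says nothing about how the key bits are actually mapped to characters.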