In a previous article I wrote about preventing Direct Memory Access (DMA) through the FireWire port on OS X, which is one way to protect the contents of your memory, including FileVault's encryption key, from being extracted through the FireWire port.
Klaus, one of our developers, sent me a link to one of the WWDC 2012 sessions in which Deric Horn, Engineering Manager at Apple, presented a more convenient way to make it harder for an attacker to steal FileVault’s encryption key from memory. The session is only available to registered developers, so if you’re interested in what’s new in Mountain Lion’s filesystem (among other stuff), you have to register for a developer account (costs $99 per year).
Securing Lion and Mountain Lion
It only takes a few simple steps to significantly enhance (Mountain) Lion’s default configuration, assuming FileVault 2, Apple’s Full Disk Encryption implementation, has already been enabled. First you disable Fast User Switching, and then you use the pmset utility to alter some of the power settings of your Mac, resulting in a) the volume encryption key being wiped from memory and b) power being removed from memory when your Mac goes to sleep.
Disable Fast User Switching
To disable Fast User Switching, open the System Preferences, go to Users & Groups, click on Login Options and uncheck “Show fast user switching menu as”. If the checkboxes on the right hand side are all grayed out, click on the “lock” icon on the lower left, where it says “Click the lock to make changes”.
Change power settings using the pmset utility
To make changes via the pmset utility we’re going to use the command shell (Terminal), but before making any changes, let’s first determine the current settings of the system by issuing the following command:
sudo pmset -g
The output on my system looks like this (note the hibernatemode setting):
Active Profiles:
Battery Power -1*
AC Power -1
Currently in use:
standbydelay 4200
standby 0
halfdim 1
sms 1
hibernatefile /var/vm/sleepimage
gpuswitch 2
disksleep 10
sleep 0
hibernatemode 3
ttyskeepawake 1
displaysleep 2
acwake 0
lidwake 1
Next we’re going to change the following settings:
| Option | Value | Description |
| --- | --- | --- |
| destroyfvkeyonstandby | 1 | Destroy FileVault key when going to standby mode. By default FileVault keys are retained even when system goes to standby. If the keys are destroyed, user will be prompted to enter the password while coming out of standby mode. (value: 1 – Destroy, 0 – Retain) |
| hibernatemode | 25 | Forces the system to immediately write RAM to disk and remove power from memory upon sleep. This increases battery life and security, but also results in slower sleeps and wakes. |
To change those two settings go back to your command line and issue the following command:
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
The first flag determines whether the settings apply to battery (-b), charger (wall power) (-c), UPS (-u) or all (-a). In our case, we want the settings to apply to all (-a) power modes. For more information on the pmset utility and all its options, type man pmset on the command line.
To restore the default (less secure, but more convenient) behavior issue the following command:
sudo pmset -a destroyfvkeyonstandby 0 hibernatemode 3
Increasing security normally results in lower user convenience. The above technique is no exception: enabling destroyfvkeyonstandby and setting hibernatemode to 25 requires you to enter your password twice when resuming from sleep, and going to and resuming from sleep takes longer than usual.
Depending on whether I’m at home or traveling in a foreign country, my data protection requirements may differ. So when I close the lid on my MacBook before going from my home office to the living room, I don’t want to have to enter my password twice when resuming from sleep, simply because it’s inconvenient. However, if I’m on the road, where the risk of loss or theft is much greater, I can live with less convenience for the sake of increased security.
As a result, I’m going to write a little script that toggles those settings for me, when I leave or return to home. Using Apple’s geo fencing abilities, I may even try to write an application that toggles those settings automatically, based on my physical location.
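One way to write such a toggle, as an added example that is not the author's script. The profile names travel and home, and treating a missing destroyfvkeyonstandby line as 0, are assumptions of this example.

```shell
#!/bin/sh
# Added example: switch between the two pmset configurations from the article.
# The profile names "travel" and "home" are assumptions of this example.

# Constructed sample of `pmset -g` output, used only for offline checks.
SAMPLE_TRAVEL='System-wide power settings:
 DestroyFVKeyOnStandby  1
Currently in use:
 standby              0
 hibernatefile        /var/vm/sleepimage
 hibernatemode        25'

# Print the value of one key from `pmset -g` output on stdin. The match is
# case-insensitive: the key is reported as "DestroyFVKeyOnStandby" in the
# system-wide section but is set as "destroyfvkeyonstandby".
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) && !seen++ { print $2 }'
}

# Classify `pmset -g` output on stdin as travel, home or mixed.
# Assumption: a missing destroyfvkeyonstandby line means 0 (key retained).
classify_profile() {
    out=$(cat)
    fv=$(printf '%s\n' "$out" | pmset_value destroyfvkeyonstandby)
    hm=$(printf '%s\n' "$out" | pmset_value hibernatemode)
    case "${fv:-0}/${hm:-unknown}" in
        1/25) echo travel ;;
        0/3)  echo home ;;
        *)    echo mixed ;;
    esac
}

# Apply a profile with the exact commands from the article, then read the
# settings back and fail if pmset does not report the requested state.
set_profile() {
    case "$1" in
        travel) sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 ;;
        home)   sudo pmset -a destroyfvkeyonstandby 0 hibernatemode 3 ;;
        *)      echo "usage: $0 travel|home|status" >&2; return 2 ;;
    esac || return
    now=$(pmset -g | classify_profile)
    [ "$now" = "$1" ] || { echo "pmset reports $now, expected $1" >&2; return 1; }
    echo "$now"
}

# Run only when called with an argument, e.g. `sh fvtoggle.sh travel`.
if [ "${1:-}" = status ]; then pmset -g | classify_profile
elif [ $# -gt 0 ]; then set_profile "$1"; fi
```

A result of mixed means only one of the two settings is in the hardened state, which is worth checking before travelling.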
For more information about how secure Apple’s FileVault 2 is, check out the following article, which also offers a script to perform a DRAM attack on OS X and other operating systems.









I hope it’s not too late to comment here.
Why should one power down RAM when the key has already been destroyed from RAM? In other words why toggling destroyfvkey wouldn’t be sufficient?
Hi Mat!
It’s never too late
It’s simply a precaution to ensure that no other, potentially sensitive information remains in memory while the system is in standby. Makes sense?
Cheers
Michael
Michael, this doesn’t seem to be working on my laptop (2009 MacBook Pro running 10.8.3).
First two lines of pmset -g say:
System-wide power settings:
DestroyFVKeyOnStandby 1
So I have it enabled. But I don’t have to re-enter any passwords when waking from sleep… Any idea what gives?
David,
what does Preferences –> Security & Privacy –> General say? There is a dropdown box that specifies how soon you are asked for the password after resuming from standby.
Cheers
Mike
Mike, that was set to “Immediately” but wasn’t the problem.
I have figured out my issue at least, although I’m not sure why it matters.
My startup drive is an SSD that replaced the optical drive, and for some reason the hibernation settings and file vault key settings are not respected when running the system with the SSD in the optibay.
If I move it to the original hard drive bay everything works as expected.
Thanks!
David