Maximizing FileVault Security in Mac OS X / by Matt Washchuk

For anyone using FileVault on Mac OS X, the security benefits are obvious: FileVault encrypts the entire boot volume, which prevents an unauthorized user from reading any of the data. Historically, if you were to pull the hard drive out of your Mac and hook it up to another machine with an external enclosure, you could read all the data from the drive. A careful thief could copy the entire contents of your hard drive without you ever knowing—and without ever having to know your administrator password. FileVault prevents this.  

The problem with FileVault, however, is that the computer needs to constantly use a decryption key to turn the encrypted data into readable data. It would be unrealistic to ask the user to constantly enter her password for the system to decrypt data, so this decryption key is held in RAM while the system is running. The decryption key will even remain in memory while the machine is asleep so that a user can simply bring the machine out of sleep without a password. 

Unfortunately, it is possible for a hacker with sophisticated software to access the contents of your RAM (and therefore get the decryption key) if the hacker has physical access to your machine and your machine has a FireWire or Thunderbolt port.  Thus, even though you have FileVault turned on, it is possible for a dedicated hacker to try to access your data. Luckily, there are some steps you can take to mitigate this security hole, though doing so requires trading away some conveniences.

  1. I assume you've already enabled FileVault, but if you haven't, you can do so in the Security & Privacy section of System Preferences. You'll need to reboot your Mac after enabling FileVault so that the system can begin encrypting the boot drive (whether it's a spinning hard drive or an SSD). 
  2. Then (still in the Security & Privacy section), go to the "General" tab and choose to require a password after sleep or the screen saver begins. For maximum security, set it to "immediately". Otherwise, set it to a delay you consider reasonable. This ensures that when you put your machine to sleep, no one can immediately wake it up and begin using it.
  3. The next thing you need to decide, and this is a critical decision, is how you want to handle hibernation mode. While your Mac is asleep, the decryption key is still in memory, and with the right software and hardware, a hacker could access this data. You need to tell your Mac to delete the decryption key while in hibernation mode so that it becomes inaccessible to the hacker. The question is whether you want to do this immediately upon entering sleep or after a period of time. Once the decryption key is destroyed, you will have to enter your password twice before you can use your Mac again. (The first time you enter the password, it allows the Mac to decrypt the RAM contents, and the second time is to access your account.)
  4. To tell your Mac to destroy the FileVault decryption key when in hibernation mode, open up Terminal and enter this command:
    sudo pmset -a destroyfvkeyonstandby 1
  5. To tell your Mac to enter hibernation mode immediately upon going to sleep, enter this command:
    sudo pmset -a hibernatemode 25
  6. Alternatively, if you want to have your Mac stay in sleep mode (where you can simply wake your Mac up without having to put in the FileVault password to decrypt memory) for a period of time, enter these two commands:
    sudo pmset -a hibernatemode 3
    sudo pmset -a standbydelay XXX
    (where XXX is the number of seconds you want to delay the process; the default is 3 hours, which would be 10800 seconds)
  7. Finally, you must set a firmware password. Follow this Apple support document to learn how to add a firmware password to your Mac.
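
As an added example (not part of the original post), the following POSIX shell script audits the three pmset settings changed in steps 4 through 6 and prints the command to run for any that is still at its default. It assumes the keys appear in `pmset -g` output exactly as they are typed in the commands above, falls back to a constructed sample so it can run on a non-Mac, and the one-hour standbydelay threshold is my own assumption rather than anything from the post.

```shell
#!/bin/sh
# Audit the pmset values this post changes: destroyfvkeyonstandby,
# hibernatemode and standbydelay. Parses `pmset -g` output, or the
# constructed sample below when pmset is unavailable (non-macOS).

# Constructed sample in the shape of `pmset -g` for a laptop still on
# the defaults the post describes (not captured from a real machine).
SAMPLE_PMSET='Active Profiles:
AC Power            -1*
Currently in use:
 standbydelay         10800
 hibernatemode        3
 destroyfvkeyonstandby 0
 sleep                10'

# pm_value KEY OUTPUT -> prints the value of KEY, or nothing if absent.
pm_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_fv_settings OUTPUT -> one line per check; returns 0 only when
# the FileVault key is wiped on standby and hibernation is not deferred
# longer than MAX_DELAY seconds (assumed threshold, not from the post).
MAX_DELAY=3600
audit_fv_settings() {
    out="$1"; ok=1
    destroy=$(pm_value destroyfvkeyonstandby "$out")
    mode=$(pm_value hibernatemode "$out")
    delay=$(pm_value standbydelay "$out")
    if [ "$destroy" = "1" ]; then
        echo "PASS destroyfvkeyonstandby=1"
    else
        echo "FAIL destroyfvkeyonstandby=${destroy:-unset} -> sudo pmset -a destroyfvkeyonstandby 1"; ok=0
    fi
    case "$mode" in
        25) echo "PASS hibernatemode=25 (hibernate immediately on sleep)" ;;
        3)  echo "INFO hibernatemode=3 (key stays in RAM for standbydelay=${delay:-unset}s)"
            if [ "${delay:-0}" -gt "$MAX_DELAY" ]; then
                echo "FAIL standbydelay=${delay} > ${MAX_DELAY} -> sudo pmset -a standbydelay $MAX_DELAY"; ok=0
            fi ;;
        *)  echo "FAIL hibernatemode=${mode:-unset} -> sudo pmset -a hibernatemode 25"; ok=0 ;;
    esac
    [ "$ok" = 1 ]
}

# Prefer live settings on macOS; fall back to the constructed sample.
if command -v pmset >/dev/null 2>&1; then live="$(pmset -g)"; else live="$SAMPLE_PMSET"; fi
if audit_fv_settings "$live"; then echo "RESULT hardened"; else echo "RESULT not hardened"; fi
```

Run it with sudo on the Mac after applying steps 4 through 6 and every line should read PASS (or INFO for hibernatemode 3 with a short delay).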

There are a few caveats worth discussing here. First, while all modern Macs can go into hibernation mode, they don't enter the mode under all circumstances. Apple has a support article explaining the process your Mac naturally takes to enter hibernation mode. For example, unless you make the changes listed above, a Mac laptop will enter hibernation mode only after being asleep for three hours AND the laptop doesn't have its power cord plugged in AND there is nothing plugged into its ports. So, you can't make your MacBook, MacBook Air, or MacBook Pro enter hibernation mode if you've got a USB device plugged in, a Thunderbolt device plugged in, or external power. Those are Apple's rules. Even if you change the hibernation mode to occur after a one-second delay, you will need to disconnect everything to make your laptop enter hibernation mode. Desktop Macs are a little less strict: as long as you don't have external media (hard drives, DVDs, flash storage, etc.) mounted, these Macs can enter hibernation mode.

There are also many anecdotal reports that entering hibernation mode immediately (hibernatemode 25) causes kernel panics. I have not had that experience, but I will say that if I use hibernatemode 25 on my MacBook Air, I have a pretty limited period of time (less than an hour) where I can wake up my Mac without the machine completely turning off (and therefore shutting down in a less than graceful manner). So, if your security requirements allow it, consider using hibernatemode 3 with a reasonable delay until hibernation begins. 

One other thing to consider is simply the time it takes to enter and wake from hibernation. As already mentioned, you'll have to enter your FileVault password twice to wake up from hibernation mode, compared to a single time to wake from sleep (or zero times if you're not requiring it at all, which is a serious security risk). When you enter or wake from hibernation, your Mac has to write the contents of your RAM to disk (and then read it again when waking). It will take much longer to do this if you have 16 GB RAM vs. 2 GB, and writing the data to a spinning hard drive is much slower than to an SSD. So, it may annoy you that it takes an extra 2-10 seconds to complete this process. 

One advantage of using the firmware password is that if the SSD and the RAM are soldered (meaning, they cannot be physically removed from the machine), a firmware password prevents someone from booting your Mac from an external drive and creating an image of your encrypted disk. A hacker could take that encrypted disk image back with them and try to brute-force decrypt the data using GPU-accelerated software. If they can't boot from an external source or put the Mac into target disk mode to read the data, you have better protection. Unfortunately, if you have a Mac that has removable RAM, the firmware password can be disabled. Further, if your Mac has a removable hard drive or SSD inside it, a hacker could simply remove the drive to image it before replacing it in your machine.

Note: There is conflicting evidence on whether enabling the firmware password disables DMA mode on the FireWire or Thunderbolt port. From what I can gather, enabling the firmware password will prevent someone from putting the Mac in target disk mode but will not prevent the Mac from passing the contents of RAM, so you must still destroy the FileVault key on hibernate to fully protect yourself.

Paranoid advice: If you want the absolute best protection for your Mac at this point, here's the advice: only buy a Mac with a soldered SSD drive and soldered RAM, enable FileVault with a strong password, enable the firmware password with a strong password, and immediately shut down your computer whenever you are done using it.