/brain/dump

Random thoughts, bright ideas and interesting experiments. In short the ramblings of a fulltime nerd.

OSX Full Disk Encryption separated from your User Account

Jakob Westhoff

Using Apple's FileVault as the full disk encryption solution for my notebook, I quickly realized that Apple ties the encryption key to your user account for convenience. It does this by storing the HDD encryption key in your keychain, which in turn is encrypted with your account password.

This design allows a lot of convenience that could not easily be provided if the HDD encryption password were separated from your account password. Apple, for example, allows multiple users on the same machine to have the right to decrypt the HDD. Furthermore, a Recovery Key can be generated and stored with Apple, which allows the HDD to be decrypted should you forget your account password. Other features include institutional keys, which allow business laptops to be decrypted using either a user account or a key known to the company.

Regardless of the obvious security implications, which are not the subject of this article, I don't need any of those features. I am the sole user of my notebook. I don't want or need a recovery key stored at Apple. What I would love is separate keys for HDD encryption and for my user account. I am not really concerned about a cold boot attack, or about someone with evil intentions having physical access to my laptop in a running or standby state. I would therefore like a complex HDD encryption key, ideally supported by my YubiKey. My user account password, on the other hand, may be a lot less complex, allowing me to enter it easily to unlock my system while still providing reasonable security.

Full Disk Encryption without FileVault

After some research I found a way to use full disk encryption without the full FileVault stack. As FileVault is essentially nothing more than 128-bit AES encryption in XTS mode, with all the mentioned convenience features on top, it is neither more nor less secure than a manually created encrypted CoreStorage volume.

Some time ago I noticed that I was able to boot from an encrypted external drive that holds a mirror of my system. When booting from this device I am asked for the encryption passphrase of the disk. Once I have provided it, OSX boots to the usual login screen, where I enter my user credentials.

I figured that if this works with external drives, it will most likely work with my internal drive as well.

Converting your HDD to an encrypted CoreStorage device

To use plain full disk encryption without FileVault on top, the first thing needed is an unencrypted hard drive. Therefore, if FileVault is active on your system, you first need to disable it.

After FileVault has been disabled, reboot your system to get back to a fully decrypted, clean state.

Once your system is ready for use again, open Applications -> Utilities -> Terminal. With a command console at your fingertips, the first piece of information required is the device name of your boot volume. The following command outputs everything needed:

$ diskutil list

Look for a device with the size of your main drive and the filesystem TYPE Apple_HFS. Disconnecting external devices before issuing the command helps reduce the noise in the output. Once you have found your main device, note down its IDENTIFIER. In my case this is disk0s2.

Next up is moving the device over to CoreStorage while enabling encryption again. Please make sure you have a backup of all your relevant data before continuing, in case anything goes wrong.

The following command will mark the hard disk for encryption again:

$ diskutil cs convert /dev/disk0s2 -stdinpassphrase

You will be prompted for the passphrase to be used for encryption. There is no retype check; you will be prompted only once, so be careful while entering the passphrase to ensure it is correct. Once you are back at the command prompt, reboot your system again to start the encryption process. During reboot you will be asked for your Disk Password. Once entered, the system boots up to your usual login screen.

Congratulations, you have now encrypted your disk with a different key than the one used for your user account. Note that the encryption is still running in the background at this point. The current progress can be checked using the diskutil cs list command; look for the Conversion Progress property in its output.
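As an added example (not part of the original post), the following POSIX shell helpers take the guesswork out of the two manual steps above: they pick the Apple_HFS boot volume out of diskutil list output and refuse to name a target when more than one such volume is attached, and they read the Conversion Progress value out of diskutil cs list output. The sample outputs are constructed and modelled on the Mavericks format, so the script runs without a Mac; on a real system pipe the actual diskutil commands into the functions.

```shell
# Added example (not from the original post): parse `diskutil list` for the
# Apple_HFS boot volume and `diskutil cs list` for the encryption progress.
# The samples below are constructed, modelled on the Mavericks output.

# Constructed sample of `diskutil list` for a single internal drive.
SAMPLE_LIST='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Constructed sample of the Logical Volume section of `diskutil cs list`
# while the background encryption is still running.
SAMPLE_CS='    +-> Logical Volume
        ---------------------------------------------------
        Disk:                  disk1
        Status:                Online
        Conversion Progress:   17%
        Encryption Type:       AES-XTS
        Volume Name:           Macintosh HD'

# Print the IDENTIFIER of every Apple_HFS partition in `diskutil list`
# output read from stdin. A volume that is already FileVault/CoreStorage
# encrypted no longer shows up as Apple_HFS, so it is skipped here.
hfs_identifiers() {
    awk '$2 == "Apple_HFS" { print $NF }'
}

# Print the device path of the single Apple_HFS volume, or fail when there
# is none or more than one (e.g. an external drive still attached), so the
# convert command is never pointed at an ambiguous target.
pick_boot_volume() {
    ids=$(hfs_identifiers)
    [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
    printf '/dev/%s\n' "$ids"
}

# Print the percentage from the "Conversion Progress" line of
# `diskutil cs list` output on stdin, or "none" if no such line is present.
conversion_progress() {
    awk -F': *' '/Conversion Progress/ { gsub(/ /, "", $2); print $2; found = 1 }
                 END { if (!found) print "none" }'
}

# Demo on the constructed samples; on a Mac: diskutil list | pick_boot_volume
printf '%s\n' "$SAMPLE_LIST" | pick_boot_volume      # /dev/disk0s2
printf '%s\n' "$SAMPLE_CS" | conversion_progress     # 17%
```

Because diskutil cs convert with -stdinpassphrase performs no retype check, a wrapper around it should read the passphrase twice and compare before passing it on.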

Conclusion

I hope this solution works for you as well as it has for me. Currently I have only tested this on OSX Mavericks. However, I don't see any reason why the same approach shouldn't work with OSX Yosemite as well.