Sunday, December 2, 2007

Mac Users: Set Your File Vault Master Password

Since this blog is, at least in part, about bringing to your attention possible security threats, I'll make my first post here about a threat I recently thought up.  I mentioned this to a friend and, the more we discussed it, the scarier it seemed.  Luckily, there's a simple fix.

The threat in question is the threat of an unset Master Password on your macintosh's File Vault.  Now, many of you are like me, and have been so scared reading about File Vault that you don't currently intend to ever turn it on.  But, at the very least, you should set a Master Password in the File Vault preferences pane (System Preferences > Security > File Vault).  Doing so will NOT turn on File Vault.

Why, you ask?  Well, I suppose that depends, in part, on where you're using your computer.  Mine, a Powerbook G4 running Leopard, stays open on my desk all day.  I'm a graduate student at a university, and my desk is in an office I share with many others.  The office itself remains open during the day and so passers by theoretically have direct access to my machine.

I regularly leave it there, protected by a laptop lock, and go get coffee, teach lab, or take a walk.  In addition to this physical protection, I've recently disabled automatic login and turned on password requirements to wake the computer from sleep or screen saver (both in System Preferences > Security > General).  I've also made an encrypted disk image (using Disk Utility) that contains all of my sensitive data.  This encrypted disk image means that even if someone gains physical access to my machine with the login passwords down, my most sensitive data is safe from prying eyes.  But despite all of these measures, the File Vault Master Password is another security hole that is too easily plugged to risk ignoring it.

It's an unlikely scenario, but one in which you would be completely fucked if it were to occur.  Let's say I'm off getting coffee and my officemates are off doing whatever they are doing.  Now further assume that in a moment of forgetfulness, I left my computer open and didn't trigger the screen saver.  A person with malicious intent could walk in before the screen saver automatically starts and, unopposed, access the File Vault Preferences.  If the Master Password is unset, they could set it themselves and trigger File Vault to lock up my home directory.  I would come back from coffee to an unusable machine in which all of my precious personal data, including any encrypted disk images that I put sensitive stuff in, was encrypted with a key that I did not possess.

While it's true that the antagonist still shouldn't have access to my most personal data, because it's in the encrypted disk image that I never mount unless I'm actively using, it would deny ME access to my own data, which is almost as bad.

I admit, it's an improbable happening, but one that, nonetheless, remains well within the realm of possibility and for which the countermeasures are far too easy to justify ignoring.  If you set the Master Password, then you and your computer are safe from would-be practical jokers or evil office trolls who might encrypt your home directory without giving you the key.   Having the Master Password set doesn't require you to turn File Vault on, but it does allow you to turn it off if someone else turns it on.  And, if that's not enough of an incentive to make you take action, I don't know what is.


ultra toast said...

DoS at it's finest. People tend to think of Denial of Service as a problem preventing people from using the services of another group (think, flooding so people can't shop.)

It also defines situations like this one where someone can deny you from having access to your OWN data.

Scary thought of someone locking up your house and not giving you a key.

Of course, I use FileVault. I live on the edge baby!

ultra toast said...

btw, excellent first post. We need more traffic and posts like this will hopefully generate it! Thanks

The Bug said...

Um, they could much more easily just delete the contents of your home directory. Enabling FileVault would be an unnecessarily complicated and time-consuming attack for them to employ.

Sam said...

@the bug: yes they could, but a simple delete & Empty Trash wouldn't prevent you from using an undelete tool to recover. Overwriting your cleartext home directory with a Filevault-encrypted copy would.

Tony said...

It seems to me....

You should also be sure to set a *root* password for your system, even if you never use the root account.

And set a boot password so no unauthorized person can boot your computer from another drive or the CD.

Anonymous said...

Genial brief and this enter helped me alot in my college assignement. Say thank you you seeking your information.

Anonymous said...

Today is my lucky day :)
Apple is giving review copies of iPad to 100 lucky person. Go to and apply for it.