Can FileVault be bypassed with OS X password reset routines?
Given Apple-supplied password reset tools, you may have concerns about the possibility of these being used to override a FileVault-protected volume.
FileVault is OS X's built-in data encryption technology, and when enabled, as with an unencrypted OS X volume you simply enter your account credentials to get into your system. However, given Apple supplies password resetting utilities that can change an administrative password even without being logged in, you might be concerned this will allow a bad guy to simply reset your password, bypass FileVault, and get to your encrypted files.
MacFixIt reader Fred recently wrote in with such a concern:
If I have FileVault enabled on my Mac, what prevents someone from restarting with Command-R held down, and then use the "resetpassword" command to change the password and log into the system?
Without FileVault enabled this is definitely the case, but if you have FileVault enabled these password reset routines will not work.
The password reset features Apple provides are for the account password in the operating system, and not for the FileVault password or encryption keys. The way OS X sets up these passwords to appear the same may seem a bit convoluted, but these passwords are in fact different and are treated differently by the system.
When you enable FileVault, the system will initially mirror your account password to the FileVault volume's EFI login prompt. This prompt, which is stored on a separate hidden partition, looks like the standard OS X login window (with some nuance differences), but is a different process altogether. You can see this primarily in the timing of when the system boots--without FileVault the system will load a few background processes and take a second or two to display the login window, but with FileVault enabled the system will almost immediately show the login window.
This is because the FileVault login window is the EFI login process, and not the standard OS X login window. When the EFI login window appears, you are looking at a system that does not have OS X running in any way -- the system software and all contents of the disk are still locked away and encrypted.
At this point, the EFI login password is accepted to unlock the volume, and then OS X is allowed to boot and load system processes and user accounts, etc.
The seamless aspect that Apple has built here is to mirror the OS X login window's look and feel, and then copy your account password to use for unlocking the disk. When you provide your login credentials at the EFI login prompt, these credentials first unlock the volume, and then are passed to OS X when it loads, allowing the system to immediately log into your account.
If you change your account password in the Users & Groups system preferences in OS X, then the FileVault EFI login password will be updated accordingly; however, if you use alternative approaches like booting to the OS X Recovery partition to reset passwords, then there will be several blocks.
First and foremost, you will be required to unlock an encrypted boot volume for these password resetting routines to work, which in itself requires knowledge of the encrypted drive's password. Without this, these routines will not be able to access the OS X directory to change an account password.
Second, even if the encrypted drive is unlocked, the use of non-standard password changing routines in OS X (such as the "passwd" command in the Terminal, and the "resetpassword" tool in the Recovery volume) will not properly update the EFI login password, meaning that even though your account password has changed, the system will still require the old password to first unlock the volume at boot.
If your account password is changed in this manner to be separate from the EFI login, then you will see the system first request the EFI password, then display the login window again (this time the true OS X login window) so you can supply the changed account password. This split happens because the old password required at the EFI login prompt will not be valid when the system passes it to the OS X login window, so automatic login will fail and you will be required to enter your new login password to get into your account.
It may help to consider various scenarios of what might happen if you try to use password resetting tools and routines on a FileVault-protected volume:
- Scenario 1: FileVault is enabled, and you boot to the OS X Recovery HD partition and try to use the "resetpassword" utility.
In this case you will not see your boot drive listed as valid source for a system account in which to change the password. You will first have to open Disk Utility and unlock the volume, and even then the resetpassword utility will only change the OS X account password, and not the FileVault password. - Scenario 2: You start up your Mac in Target Disk mode and try using another Mac to access the drive and change the password.
In this case, as with scenario 1, you will first need to provide the FileVault password before any data on the disk can be accessed by password reset routines. - Scenario 3. You try booting to Single User mode to bypass the login prompt, and then use terminal-based commands to change passwords.
In this case, the attempt will fail since FileVault's locked volume disables the ability to boot to alternative modes such as Single User mode. The volume must first be unlocked before any boot process can take place, be it normal mode, single user mode, safe mode, or any other. Additionally, since these modes require passage of hardware variables (ie, a key combination) to the OS X kernel, this can only be done at a specific point in the boot process (at the boot chimes) and FileVault's unlock requirement breaks this ability.
Overall, the password reset routines Apple provides with OS X are for account passwords only, and not for FileVault. For simplicity, Apple mirrors your account password with FileVault, and sets up an EFI login routine that looks like, but is separate than, the OS X login prompt. If you try to use secondary password reset routines, you will still first have to unlock the FileVault volume so its contents can be accessed. Without this, these password reset routines will be useless. The only way to change a FileVault password when you change your account password is by using the Users & Groups system preferences, and even though there are methods for managing the FileVault password separately, in all cases, in order for the FileVault password to be changed, the disk must first be unlocked.
Questions? Comments? Have a fix? Post them below or
e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.