Apple's FileVault 2 whole-disk encryption can be unencrypted within an hour, according to encryption and password-recovery company Passware.
One of the welcome features in OS X Lion was the replacement of Apple's first-generation FileVault file encryption technology, which only encrypted the home folder, with a new whole-disk encryption approach.
Unlike the first FileVault, which required a number of workarounds and still had compatibility problems with various programs and utilities, the new technology is transparent to the operating system and enhances security since it not only encrypts user data but also all other data on the drive, including system caches, application files, and system configuration files that might contain some personal information.
FileVault 2 requires the hard drive to be partitioned with a recovery partition that in part acts to store the password and encryption keys used to decrypt the drive. When you start up the FileVault-encrypted system, you will be prompted for your log-in credentials, which are used to unlock the keys and decrypt the drive before loading the OS and subsequently logging you in to your user account.
This security feature, along with similar programs like BitLocker and TrueCrypt, has been increasingly popular among individuals, especially laptop owners who might be concerned that a thief could extract personal information from a portable system. However, recent developments suggest that it's actually quite easy to tackle these encryption technologies.
In a statement (PDF) issued this morning, password recovery company Passware has claimed that it can fully decrypt a FileVault-encrypted Mac disk within an hour. Using a live-memory analysis approach via the system's FireWire connection, Passware says its utilities can sample system memory and extract the encryption key for FileVault disks. The process apparently takes no more than 40 minutes, regardless of the length or complexity of the password used.
Passware has been actively tackling various encryption technologies such as BitLocker, TrueCrypt, and FileVault, and says its latest Passware Kit Forensic 11.3 software can extract encryption keys for all of these technologies. In addition to extracting FileVault keys, Passware can also extract passwords from encrypted keychain files and recover log-in passwords for user accounts.
One goal of the company's efforts is to help law enforcement agencies in digital investigations, and its recent findings serve as a warning to Mac users that relying solely on one approach to encrypting files does not necessarily secure their data. Passware President Dmitry Sumin claims that the company's live-memory analysis approach "opens up great possibilities [for] password recovery and decryption." In addition Sumin states, "Every user should be aware that even full-disk encryption is insecure while the data rests in computer memory."
This news is cause for concern, especially since tools like the Passware Kit Forensic 11.3 are available for purchase by anyone willing to part with $995 for a license.
While it is unlikely that a common thief will use such tools to extract data from your personal hard drive, others may be concerned about data privacy for corporate or legal reasons, as we saw with recent court decisions on encryption technology.
Given this news, it is likely that Apple will investigate ways to better secure the FileVault keys and protect user data, though we will have to wait and see how these developments pan out. For now, FileVault is still a very highly recommended technology for anyone wishing to secure personal data, but in addition you might consider using options like encrypted disk images to further secure any files you wish to keep private.
Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.