FileVault security hole when used on SSDs

Tags: encryption, filevault, security, ssd

I just woke up to the fact that it looks like user data can be leaked when using FileVault and Migration Assistant on an SSD on a new Mac when following the default prompts.

When I set up a new Mac, it encourages me to "Transfer Information to This Mac" early in the process, before I'm allowed to enable FileVault. This is OK on an HDD because even though I'm copying my data to the new Mac in the clear, FileVault will eventually overwrite all of it with encryption.

On an SSD, however, it's impossible to overwrite data securely:

… the Mac's "Secure Erase Trash" function leaves 2/3rds of a file recoverable.

Mac fail: SSD security

… it is almost impossible to securely delete an individual file on an SSD, because the way that SSDs write and delete files is scattered, and a user has no control over what an SSD is doing where. If that's the kind of security you're looking for, your best bet is encryption …

Ask Ars: How can I securely erase the data from my SSD drive?

So by the time I'm allowed to enable FileVault, it's too late. Even worse, I can't securely wipe the drive before selling the computer later:

With OS X Lion and an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD. For more security, consider turning on FileVault 2 encryption when you start using the SSD drive.

Mac OS X: About Disk Utility's erase free space feature (support.apple.com/kb/HT3680)

So it looks like the solution is:

  1. Skip the Migration Assistant when prompted.
  2. Create a new user account.
  3. Run Software Update to completion to generate more entropy before enabling FileVault in order to mitigate this "worst-case scenario, in which the PRNG has only been seeded with the least amount of entropy" — Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (eprint.iacr.org/2012/374.pdf), page 9.
  4. Enable FileVault.
  5. Run the Migration Assistant.

I'm assuming that even though FileVault is still encrypting the disk before I run Migration Assistant (my computer tells me it has 36 minutes of encryption time remaining) that all new writes made by Migration Assistant will be encrypted and thus my data will never touch the NANDs in the clear.

Do you agree with the problem and my solution?

Best Answer

Your making a test user account with a short name different than the eventual user to be migrated is sound.

In practice, you will in time overwrite more and more of the data, but if you have the time to first establish a FileVault key and have the drive completely encrypted before copying any sensitive data, you have a more secure system and can know that the data can be sanitized cryptographically as opposed to being over-written or actually erased.

You'll want to look for these lines in the diskutil cs list output to know it's ready for the start of data migration:

|       Conversion Status:       Complete
|       High Level Queries:      Fully Secure
|       |                        Passphrase Required
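A small readiness check built around the lines the answer points to, as an added example rather than anything from the original post or from Apple's tooling: `fv_ready` reads `diskutil cs list` output and succeeds only when conversion is complete and the volume is reported Fully Secure with a passphrase required; `fv_progress` pulls out the conversion percentage while encryption is still running. The two sample outputs are constructed to resemble the real listing and are used only to exercise the functions offline.

```shell
#!/bin/sh
# Added example: decide from `diskutil cs list` output whether a FileVault
# (CoreStorage) volume is fully encrypted before starting Migration Assistant.

# fv_ready: read the listing on stdin; exit 0 only when all three markers
# named in the answer are present, otherwise exit 1.
fv_ready() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Conversion Status:[[:space:]]*Complete' || return 1
  printf '%s\n' "$out" | grep -q 'High Level Queries:[[:space:]]*Fully Secure' || return 1
  printf '%s\n' "$out" | grep -q 'Passphrase Required' || return 1
  return 0
}

# fv_progress: print the "Conversion Progress" value (e.g. "38%") from the
# listing on stdin; prints nothing once conversion has finished.
fv_progress() {
  sed -n 's/.*Conversion Progress:[[:space:]]*//p'
}

# Constructed sample: a volume that has finished encrypting (ready to migrate).
READY_SAMPLE='|       Conversion Status:       Complete
|       High Level Queries:      Fully Secure
|       |                        Passphrase Required'

# Constructed sample: a volume still encrypting (not yet safe to copy data to).
CONVERTING_SAMPLE='|       Conversion Status:       Converting (forward)
|       High Level Queries:      Not fully secure
|       |                        Passphrase Required
|       Conversion Progress:     38%'

# Run against the live system only when asked, so the file is safe to source.
if [ "${1:-}" = "--check" ] && command -v diskutil >/dev/null 2>&1; then
  if diskutil cs list | fv_ready; then
    echo "FileVault conversion complete: safe to run Migration Assistant"
  else
    echo "Not fully secure yet; progress: $(diskutil cs list | fv_progress)"
    exit 1
  fi
fi
```

Run it as `sh fv_check.sh --check` on the new Mac and wait for a zero exit status before launching Migration Assistant.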