MacOS – Can macOS’s ramdisk be swapped to disk by the operating system

filesystemkernelmacosSecurity

I want to create a secret provisioning systems that on deployment decrypts secrets on the target machine and put them in RAM. They should be accessible as file so that services on the same machine can open them

On Linux there is a file-system called ramfs that will never be swapped out to disk. On macOS there seems to be only a ramdisk. Does this ramdisk get swapped to the disk by the operating system (which would put the secret data on disk)?

Best Answer

Since macOS High Sierra 10.13.x the virtual memory "swapfile(s)" have been encrypted even if FileVault2 disk encryption is off. Obviously, I would test that theory and review any CVE reports and validate it.

https://support.apple.com/guide/mac-help/what-is-secure-virtual-memory-on-mac-mh11852/mac

You might be scratching your left ear with your right hand roundabout the hard way. Consider creating an additional keychain and using that instead. It's far more secure and this is precisely what keychains are designed to accomplish. They secure secrets.

Developer API Docs: https://developer.apple.com/documentation/security

Command line (scripting): man security

Related Solutions

MacOS – How to mount a specific file system on a disk image in OSX

You should parse the output of hdiutil, and mount the filesystems you're interested in - because you can't do what you're trying to do with mount.

The first few lines of the man page show supported syntax:

 mount [-adfruvw] [-t lfs | external_type]
 mount [-dfruvw] special | node
 mount [-dfruvw] [-o options] [-t lfs | external_type] special node

Notice for -a, there are no options to specify a node path, which makes your command invalid syntax.

(Also, I'd suggest testing with a proper image file - one that is an actual CD image. Your image is a hard-disk type, with an Apple Partition Map, and no non-HFS partitions. In Disk Utility, choose New -> Blank Image and note all the selections carefully. You want "CD/DVD"; you can then edit the partition map after you've created it; say, to change to two partitions.)

MacOS – What user behavior is necessary to make Filevault 2 maximally secure

Your question contains the most important thing needed to secure a computer against a motivated attack to compromise a FileVault 2 protected Mac volume.

Don't connect FireWire to a device you don't or can't trust while you are logged in to an account that has file vault keys active.
Pick good single use passwords to reduce the chance of other compromises degrading the security of your FileVault password.
Update to 10.7.3 and verify sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 power management settings that force hibernate mode to secure your keys from compromise when the device would normally "sleep"

I do follow Rich Trouton to keep up to date on his blog for nice commentary on securing macs. The mix of up to date topics seasoned with experience as a real world system administrator make his writing very valuable to me.

The crux of the issue is your parsing What user behavior is necessary to have security. I always like to think of security as a mindset and ongoing attempt to plan, implement, measure and adapt. Security isn't something you buy or something you "set up" and training users to actually not divulge the passcode they have used to store their unlock phrase is the weakest part of FileVault's security layer. Not reusing that passcode - having a system where you get your users to understand why their keychain password needs to be unique and secure is far, far harder and takes far longer than just setting up a plan for implementing file vault initially. Best of luck in your quest for security!

Best Answer

Related Solutions

MacOS – How to mount a specific file system on a disk image in OSX

MacOS – What user behavior is necessary to make Filevault 2 maximally secure

Related Question