Question
Does a link, symlink, or macOS finder aliases to a file/directory located on a version 1 FileVault partition/container/volume to a partition not under the FileVault coverage allow unencrypted access?
# Example
/Volumes/UnEncryptedVolume/Reference-To-Unlocked-FileVault-File -> ~/THE_FILEVAULT_FILE
Constraints
- APFS formatted SSD
- Permissions are not restrictive permissions on Database volume. All Users & Staff grouped Users can access it.
- User is logged in, unlocking the FileVault volume
- Link is either soft or hard, has standard permissions
- Finder created alias has default permissions
- Original file is again, standard permissions even if under
$HOME
(Change those UMASKS newcomers! :)) - Original file is on the FileVault container
- Database is on the same Disk, but a different container.
- Disk is APFS formatted (composed of containers, not volumes or partitions, apfs is friggin' confusing IMO)
File System Structure
My Internal SSD partition structure (not a OEM SSD for those curious)
+-- Container disk1
| ====================================================
| APFS Container Reference: disk1
| Size (Capacity Ceiling): 999995129856 B (1000.0 GB)
| Capacity In Use By Volumes: 314911416320 B (314.9 GB) (31.5% used)
| Capacity Not Allocated: 685083713536 B (685.1 GB) (68.5% free)
| |
| +-< Physical Store disk0s2
| | -----------------------------------------------------------
| | APFS Physical Store Disk: disk0s2
| | Size: 999995129856 B (1000.0 GB)
| |
| +-> Volume disk1s1
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s1 (Data)
| | Name: MacOS - Data (Case-insensitive)
| | Mount Point: /System/Volumes/Data
| | Capacity Consumed: 138089828352 B (138.1 GB)
| | FileVault: Yes (Unlocked)
| |
| +-> Volume disk1s2
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s2 (Preboot)
| | Name: Preboot (Case-insensitive)
| | Mount Point: Not Mounted
| | Capacity Consumed: 80568320 B (80.6 MB)
| | FileVault: No
| |
| +-> Volume disk1s3
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s3 (Recovery)
| | Name: Recovery (Case-insensitive)
| | Mount Point: /Volumes/Recovery
| | Capacity Consumed: 525770752 B (525.8 MB)
| | FileVault: No
| |
| +-> Volume disk1s4
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s4 (VM)
| | Name: VM (Case-insensitive)
| | Mount Point: /private/var/vm
| | Capacity Consumed: 3222294528 B (3.2 GB)
| | FileVault: No
| |
| +-> Volume disk1s5
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s5 (System)
| | Name: MacOS (Case-insensitive)
| | Mount Point: /
| | Capacity Consumed: 11236782080 B (11.2 GB)
| | FileVault: Yes (Unlocked)
| |
| +-> Volume disk1s6
| ---------------------------------------------------
| APFS Volume Disk (Role): disk1s6 (No specific role)
| Name: Database (Case-insensitive)
| Mount Point: /Volumes/Database
| Capacity Consumed: 161548357632 B (161.5 GB)
| FileVault: No
|
Best Answer
The answer is no. Symlinks do not somehow "circumvent" FileVault encryption.
Symlinks are always "soft" by the way.