MacOS – Do linked files located on FileVault partition make the encrypted file readable

encryption, filevault, macos, permission

Question

Does a link, symlink, or macOS Finder alias to a file/directory located on a version 1 FileVault partition/container/volume to a partition not under the FileVault coverage allow unencrypted access?

 # Example
/Volumes/UnEncryptedVolume/Reference-To-Unlocked-FileVault-File     ->   ~/THE_FILEVAULT_FILE

Constraints

  • APFS formatted SSD
  • Permissions on the Database volume are not restrictive. All Users & Staff grouped Users can access it.
  • User is logged in, unlocking the FileVault volume
  • Link is either soft or hard, has standard permissions
  • Finder created alias has default permissions
  • Original file has, again, standard permissions, even if under $HOME (Change those UMASKS, newcomers! :))
  • Original file is on the FileVault container
  • Database is on the same Disk, but a different container.
  • Disk is APFS formatted (composed of containers, not volumes or partitions; APFS is friggin' confusing IMO)

File System Structure

My internal SSD partition structure (not an OEM SSD, for those curious)

+-- Container disk1 
|   ====================================================
|   APFS Container Reference:     disk1
|   Size (Capacity Ceiling):      999995129856 B (1000.0 GB)
|   Capacity In Use By Volumes:   314911416320 B (314.9 GB) (31.5% used)
|   Capacity Not Allocated:       685083713536 B (685.1 GB) (68.5% free)
|   |
|   +-< Physical Store disk0s2 
|   |   -----------------------------------------------------------
|   |   APFS Physical Store Disk:   disk0s2
|   |   Size:                       999995129856 B (1000.0 GB)
|   |
|   +-> Volume disk1s1 
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s1 (Data)
|   |   Name:                      MacOS - Data (Case-insensitive)
|   |   Mount Point:               /System/Volumes/Data
|   |   Capacity Consumed:         138089828352 B (138.1 GB)
|   |   FileVault:                 Yes (Unlocked)
|   |
|   +-> Volume disk1s2 
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s2 (Preboot)
|   |   Name:                      Preboot (Case-insensitive)
|   |   Mount Point:               Not Mounted
|   |   Capacity Consumed:         80568320 B (80.6 MB)
|   |   FileVault:                 No
|   |
|   +-> Volume disk1s3 
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s3 (Recovery)
|   |   Name:                      Recovery (Case-insensitive)
|   |   Mount Point:               /Volumes/Recovery
|   |   Capacity Consumed:         525770752 B (525.8 MB)
|   |   FileVault:                 No
|   |
|   +-> Volume disk1s4 
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s4 (VM)
|   |   Name:                      VM (Case-insensitive)
|   |   Mount Point:               /private/var/vm
|   |   Capacity Consumed:         3222294528 B (3.2 GB)
|   |   FileVault:                 No
|   |
|   +-> Volume disk1s5 
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s5 (System)
|   |   Name:                      MacOS (Case-insensitive)
|   |   Mount Point:               /
|   |   Capacity Consumed:         11236782080 B (11.2 GB)
|   |   FileVault:                 Yes (Unlocked)
|   |
|   +-> Volume disk1s6 
|       ---------------------------------------------------
|       APFS Volume Disk (Role):   disk1s6 (No specific role)
|       Name:                      Database (Case-insensitive)
|       Mount Point:               /Volumes/Database
|       Capacity Consumed:         161548357632 B (161.5 GB)
|       FileVault:                 No
|

Best Answer

The answer is no. Symlinks do not somehow "circumvent" FileVault encryption.

Symlinks are always "soft" by the way.
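
The point of the answer above can be checked directly. The following is an added example, not part of the original answer: it inspects a symlink and a hard link with Python's `os` module to show that a symlink stores only a path string and a hard link is a second name for the same inode, so in neither case is the file's data copied to where the link lives. The names `describe_link` and `demo` and the sample file are constructed for illustration; Finder aliases are not covered.

```python
import os
import tempfile


def describe_link(path):
    """Report what a link object stores and where the file's data lives."""
    link = os.lstat(path)   # metadata of the link object itself
    data = os.stat(path)    # metadata of the file reached through it
    is_symlink = os.path.islink(path)
    return {
        "is_symlink": is_symlink,
        # A symlink's entire payload is a path string, never file content.
        "stored_path": os.readlink(path) if is_symlink else None,
        "target_bytes": data.st_size,
        # st_dev identifies the mounted volume holding each object.
        "link_device": link.st_dev,
        "data_device": data.st_dev,
        # True only for a hard link: a second name for the same inode.
        "same_inode": (link.st_dev, link.st_ino) == (data.st_dev, data.st_ino),
    }


def demo():
    """Build a constructed sample file plus one symlink and one hard link."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "THE_FILEVAULT_FILE")
        with open(original, "wb") as fh:
            fh.write(b"x" * 4096)  # constructed sample content
        soft = os.path.join(tmp, "soft-ref")
        hard = os.path.join(tmp, "hard-ref")
        os.symlink(original, soft)
        # link() only works within one volume; across volumes it fails
        # with EXDEV, so a hard link cannot sit on a different volume.
        os.link(original, hard)
        return original, describe_link(soft), describe_link(hard)


if __name__ == "__main__":
    original, soft, hard = demo()
    print("symlink:", soft)
    print("hard link:", hard)
```

For a symlink placed on a different volume than its target, `link_device` and `data_device` differ, which shows that the content is still read from the target's volume.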