MacOS – Does FileVault 2 encrypt keys in sleep mode?

Tags: encryption, filevault, macos, security

I have an early 2015 13" MacBook Pro running OS X 10.11.2 and I'm considering enabling FileVault 2. I realize that the disk is always encrypted, even when the machine is in use, and only parts of it are decrypted, but the decryption keys are stored in RAM (I believe) when the machine is on.

When I close the lid and the machine goes to some sort of sleep state, is it possible for an attacker with physical access to the device to obtain the decryption key, given that they don't know my user login password? The user login password is set to be required immediately after waking from sleep.

I got the idea that in newer versions of OS X the FileVault keys are encrypted with user login keys, but I couldn't get any confirmation on this. I want to avoid enabling destroyfvkeyonstandby if possible, as fast and reliable wake-from-sleep is important to me.

Best Answer

I don't believe any extra encryption is specified for the keys, and I also want to disagree with the statement "only parts of it are decrypted", as the entire volume is either unlocked or locked. For the filesystem to be mounted, all of it is unlocked.

So, you could enable destroyfvkeyonstandby, making sure to also disable Power Nap, since that causes restarts if the machine wakes up too many times and finds the filesystem encrypted while it tries to run.

For me, the risk that somehow the RAM will be captured from a sleeping Mac isn't worth the delay, on every wake, of having to unlock the volume. My suspicion is that Apple has implemented the unlock in a way that makes it highly secure whether the Mac is sleeping or not, so that even if the contents of the drive are captured, you still need the proper password to unlock the volume the next time it is locked.
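The trade-off the answer describes (key evicted from RAM versus fast wake) is decided by three `pmset` settings, and it is easy to end up in a half-hardened state where `destroyfvkeyonstandby` is on but the key still sits in RAM through ordinary sleep, because it is only discarded when the machine drops into standby after `standbydelay` elapses. The script below is an added example, not code from the question or answer: it audits `pmset -g` output for `destroyfvkeyonstandby`, `hibernatemode` and `powernap` and returns a three-way status. It assumes the setting names as `pmset` prints them (including the mixed-case `DestroyFVKeyOnStandby`) and the documented meaning of `hibernatemode 25` (RAM powered off on sleep, contents written to the sleep image). The sample outputs embedded in it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original question or answer: audit the pmset
# settings that decide whether the FileVault volume key survives sleep.
# Assumptions (labelled): the key names are the ones "pmset -g" prints
# (hibernatemode, DestroyFVKeyOnStandby, powernap), and hibernatemode 25 means
# RAM is powered off on sleep so the key is evicted as soon as the lid closes.
# The SAMPLE_* strings below are constructed, not captured from a real Mac.

# Print the value of one "pmset -g" setting read from stdin. The key match is
# case-insensitive because pmset prints DestroyFVKeyOnStandby in mixed case.
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Read "pmset -g" output from stdin and report each check.
# Exit status: 0 = key evicted as soon as the machine sleeps, no Power Nap
#              2 = key evicted only once the machine drops into standby
#              1 = key stays in RAM while asleep, or Power Nap can wake it
audit_sleep_key_policy() {
    pm_input=$(cat)
    pm_destroy=$(printf '%s\n' "$pm_input" | pmset_value destroyfvkeyonstandby)
    pm_hib=$(printf '%s\n' "$pm_input" | pmset_value hibernatemode)
    pm_nap=$(printf '%s\n' "$pm_input" | pmset_value powernap)
    pm_status=0

    if [ "${pm_destroy:-0}" = "1" ]; then
        echo "PASS destroyfvkeyonstandby=1 (key discarded when entering standby)"
    else
        echo "FAIL destroyfvkeyonstandby=${pm_destroy:-unset} (key retained in RAM while asleep)"
        pm_status=1
    fi

    if [ "${pm_nap:-0}" = "0" ]; then
        echo "PASS powernap=0"
    else
        echo "FAIL powernap=${pm_nap} (machine can wake itself while the volume is locked)"
        pm_status=1
    fi

    if [ "$pm_hib" = "25" ]; then
        echo "PASS hibernatemode=25 (RAM powered off on sleep, so the key goes with it)"
    else
        echo "WARN hibernatemode=${pm_hib:-unset} (RAM stays powered until standbydelay elapses; key resident until then)"
        if [ "$pm_status" -eq 0 ]; then pm_status=2; fi
    fi
    return $pm_status
}

# Constructed samples in the shape of "pmset -g" output (not real captures).
SAMPLE_DEFAULT=' hibernatemode        3
 powernap             1
 standby              1
 standbydelay         10800'

SAMPLE_PARTIAL=' hibernatemode        3
 powernap             0
 DestroyFVKeyOnStandby 1
 standbydelay         10800'

SAMPLE_HARDENED=' hibernatemode        25
 powernap             0
 DestroyFVKeyOnStandby 1
 standbydelay         0'

# Stand-alone use: audit the live settings when pmset exists (macOS);
# elsewhere, show the report for the constructed default profile.
if command -v pmset >/dev/null 2>&1; then
    pmset -g | audit_sleep_key_policy
else
    printf '%s\n' "$SAMPLE_DEFAULT" | audit_sleep_key_policy
fi
```

Status 2 is the state worth noticing: `sudo pmset -a destroyfvkeyonstandby 1 powernap 0` on its own still leaves the key in RAM through a normal lid-close sleep, and only `hibernatemode 25` (or a very short `standbydelay`) gets you to status 0, at the cost of exactly the slow wake the asker wants to avoid.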