MacOS – Where does OS X keep the FileVault password during reboots in an upgrade

Tags: filevault, macos, password, security

Out of security concerns, I wonder how it would be possible for an OS X upgrade (e.g. from Mavericks to El Capitan) to reboot my Mac multiple times without asking me for my FileVault 2 password?

I mean, the whole drive is encrypted and even an OS X installer would not know the password after a reboot. In spite of that, it reboots one or more times without asking me for my password.

Therefore I suspect that Apple stores my password somewhere, either on disk, in NVRAM, or online, at least during the upgrade process. If so, wouldn't this be a serious security concern?

Can anyone shed a bit of light on this? How does it work?

Best Answer

There's an OS X feature called authenticated restart that stores the FileVault key in the SMC for the duration of the reboot. Apple acknowledges in the manpage that it does reduce FileVault security for the duration of the restart:

On supported hardware, fdesetup allows restart of a FileVault-enabled system without requiring unlock during the subsequent boot using the authrestart command.

WARNING: FileVault protections are reduced during authenticated restarts.

In particular, fdesetup deliberately stores at least one additional copy of a permanent FDE (full disk encryption) unlock key in both system memory and (on supported systems) the System Management Controller (SMC). fdesetup must be run as root and itself prompts for a password to unlock the FileVault root volume. Use pmset destroyfvkeyonstandby to prevent saving the key across standby modes. Once authrestart is authenticated, it launches reboot(8) and, upon successful unlock, the unlock key will be removed.
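As an added example (not part of the original answer or of Apple's tooling), the POSIX shell script below audits the two settings the answer mentions on the machine it runs on: whether the hardware supports authenticated restart (`fdesetup supportsauthrestart`, which prints true or false) and whether `pmset destroyfvkeyonstandby` is set so the FDE key does not survive standby. The parser assumes `pmset -g` lists the setting as `DestroyFVKeyOnStandby` followed by 0 or 1; the sample `pmset -g` output embedded in the script is constructed so the parser can be exercised on any host, and on a non-macOS host the live audit reports the tools as missing instead of failing.

```shell
#!/bin/sh
# Added example, not from the original post: audit FileVault authenticated-restart
# exposure. Checks fdesetup authrestart support and the pmset destroyfvkeyonstandby
# setting, then suggests the hardening command when the key is kept across standby.

# Extract DestroyFVKeyOnStandby from `pmset -g`-style text on stdin.
# Prints "1" (key wiped on standby), "0" (key kept), or "unset" if the line is absent.
# Assumed output format: "DestroyFVKeyOnStandby <0|1>" under "Currently in use:".
fv_key_on_standby() {
  awk 'tolower($1) == "destroyfvkeyonstandby" { print $2; found = 1 }
       END { if (!found) print "unset" }'
}

# Policy decision kept separate from parsing: returns 0 (true) only when the
# key is destroyed on standby, 1 for "0", "unset" or anything else.
standby_hardened() {
  [ "$1" = "1" ]
}

# Live audit of this host. Both tools exist only on macOS; elsewhere the
# function reports them as missing rather than aborting.
audit_authrestart() {
  if command -v fdesetup >/dev/null 2>&1; then
    echo "authrestart supported: $(fdesetup supportsauthrestart 2>/dev/null)"
  else
    echo "authrestart supported: unknown (fdesetup not found)"
  fi
  if command -v pmset >/dev/null 2>&1; then
    val=$(pmset -g 2>/dev/null | fv_key_on_standby)
  else
    val="unknown (pmset not found)"
  fi
  echo "DestroyFVKeyOnStandby: $val"
  if standby_hardened "$val"; then
    echo "FDE key is destroyed on standby"
  else
    echo "FDE key may survive standby; harden with: sudo pmset -a destroyfvkeyonstandby 1"
  fi
}

# Constructed samples of `pmset -g` output (not captured from a real machine),
# covering the setting being absent, explicitly 0, and explicitly 1.
SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 sleep                1'
SAMPLE_KEPT='Currently in use:
 DestroyFVKeyOnStandby 0
 sleep                1'
SAMPLE_HARDENED='Currently in use:
 DestroyFVKeyOnStandby 1
 sleep                1'

# Run the live audit when executed directly.
audit_authrestart
```

Run it as a normal user to read the state; only the suggested `pmset -a` change needs root. The parser is deliberately tolerant of case so it matches whichever spelling `pmset -g` prints, and the "unset" result is treated as not hardened because an absent line gives no evidence that the key is wiped.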