Enabling FileVault


The Mac OS X FileVault system builds on the disk image mechanism by providing OS-level support for turning a user's entire home folder into an encrypted, password-protected disk image. FileVault is all-or-nothing for a user's home folder, so it is best to understand the issues involved before enabling it: a lost password can make the contents of the folder irretrievable.

Setting Master Password

Mac OS X includes an important security feature called the master password, which is set from the Security pane of System Preferences. Once set, it should not be shared with anyone: the master password can be used to reset the login password of any user on the system (and therefore, in effect, to gain access to any account), and, as described below, to recover any FileVault-protected home folder.

As a system administrator, it is very important that you set a Mac OS X master password before any of your users turn on FileVault for their home folders. The master password is the only emergency backdoor for unlocking a user's home folder if the user has forgotten his or her password (or has been deliberately locked out of the home folder because of job termination or a security breach). If another administrative user sets the master password before you, you may not know that password.

Turning On FileVault

FileVault is enabled on a per-user basis from the Security pane of System Preferences.

Besides the very real risk of accidentally losing access to all of the data in a user's home folder, FileVault has some other caveats. First, sharing information through the Public and Sites folders is no longer possible, because those folders are encrypted and password-protected along with the rest of the home folder. Second, backups will potentially be much larger, because it is harder to track incremental changes inside an encrypted image than to compare the files and folders themselves.

One key issue with a FileVault home folder is resetting the user's password. If a user forgets his or her password, the entire home folder would be irretrievably lost if not for the master password mechanism, which allows a system administrator who knows the master password to recover the user's home folder.

Note

The master password is not related to any administrator user's password, and in fact should not be the same as any user's password.


When you set a master password on a machine, the system creates a new keychain file at /Library/Keychains/FileVaultMaster.keychain, protected by the master password. The system then generates an X.509 certificate and private key: it stores the certificate in /Library/Keychains/FileVaultMaster.cer and the private key in the newly created keychain.

Note

For enterprise deployments, you can copy the two files FileVaultMaster.cer and FileVaultMaster.keychain to /Library/Keychains on another machine, and that machine will automatically use the same master password. Protect the copies accordingly: anyone who obtains the keychain file and knows the master password can recover every FileVault home folder created on any machine that uses that pair.


When a user's home folder is converted to a FileVault home folder, the system generates a random 128-bit encryption key (the image is AES-128 encrypted), which is used to encrypt the disk image. Two copies of this key are then encrypted and stored along with the disk image: the first is encrypted using the user's password, the second using the public key in the FileVaultMaster.cer certificate. When the user logs in normally, the password he or she enters decrypts the first copy of the image key so the user can mount and access the disk image.

If an administrator needs to reset the user's password, however, he or she can enter the machine's master password to unlock the FileVaultMaster.keychain file and retrieve the private key. That private key decrypts the second copy of the image key, letting the administrator recover the contents of the user's home folder. This does not reveal the user's original password: the recovery retrieves only the underlying image key, not the password that protects the first copy. Resetting the password therefore means re-encrypting the recovered image key under the new password, while the second copy stays as it was.
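The two-copy escrow described above, written out as a small Python model. This is an added example, not code from the book or from Apple: the record layout, the textbook-RSA key pair standing in for the FileVaultMaster.cer certificate and its keychain-held private key, and the PBKDF2/HMAC wrapping under the user's password are assumptions chosen to make the scheme runnable with the standard library, not Apple's on-disk format.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the two-copy FileVault key escrow. Formats are assumptions.
KEY_LEN = 16  # 128-bit image key, as FileVault generates


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (adequate for a demonstration key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_master_keypair(bits=1024):
    """Stand-in for the FileVaultMaster.cer certificate (public) and the private key
    kept in FileVaultMaster.keychain. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(key, pub):
    """Second copy: encrypt the image key under the master public key with random
    padding (random bytes || key, one byte shorter than the modulus so m < n)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    block = os.urandom(k - 1 - len(key)) + key
    return pow(int.from_bytes(block, "big"), e, n)


def rsa_unwrap(wrapped, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(wrapped, d, n).to_bytes(k - 1, "big")[-KEY_LEN:]


def _password_keys(password, salt):
    """Derive a 16-byte pad for the key and a 32-byte HMAC key from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=48)
    return km[:16], km[16:]


def wrap_with_password(image_key, password):
    """First copy: one-time pad over the 16-byte key plus a tag that fails closed
    on a wrong password instead of yielding a garbage key."""
    salt = os.urandom(16)
    pad, mac_key = _password_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(image_key, pad))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_with_password(entry, password):
    pad, mac_key = _password_keys(password, entry["salt"])
    expected = hmac.new(mac_key, entry["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        raise ValueError("wrong password: home folder stays locked")
    return bytes(a ^ b for a, b in zip(entry["wrapped"], pad))


def create_filevault_home(user_password, master_pub):
    """Convert a home folder: generate the image key and store it twice."""
    image_key = secrets.token_bytes(KEY_LEN)
    record = {"user_copy": wrap_with_password(image_key, user_password),
              "master_copy": rsa_wrap(image_key, master_pub)}
    return image_key, record


def user_login(record, password):
    """Normal login: the user's password unlocks the first copy."""
    return unwrap_with_password(record["user_copy"], password)


def admin_reset_password(record, master_priv, new_password):
    """Recovery: the master private key unlocks the second copy and the image key is
    re-wrapped under a new password. The old password is never learned."""
    image_key = rsa_unwrap(record["master_copy"], master_priv)
    return {"user_copy": wrap_with_password(image_key, new_password),
            "master_copy": record["master_copy"]}


if __name__ == "__main__":
    pub, priv = generate_master_keypair()
    key, rec = create_filevault_home("forgotten-by-user", pub)
    assert user_login(rec, "forgotten-by-user") == key
    rec = admin_reset_password(rec, priv, "new-password")
    assert user_login(rec, "new-password") == key
    print("image key recovered via master key and re-wrapped; old password not needed")
```

Three properties of the real scheme show up directly: a wrong user password raises rather than mounting garbage, the master private key alone recovers the image key from any record wrapped under that certificate (which is why the keychain file and master password need protecting), and a reset replaces only the user copy, so the original password is neither needed nor revealed.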




Source: Apple Training Series: Mac OS X System Administration Reference, Volume 1
Author: Schoun Regan
ISBN: 032136984X
Year: 2005
Pages: 258
