Mac OS X 10.7 system drive full disk encryption with FileVault2

Full disk encryption using FileVault2 under Mac OS X 10.7 is cumbersome. Use case scenario is uncertainty of file deletion on a SSD system drive. // FileVault2 cannot be taken seriously as a data privacy protection since // it's closed-source. Even in this scenario, protection is effective only // against non-motivated opponent. If you create encrypted partition during install (using DiskUtility in install environment, erasing drive, choosing "encrypted" option), every user you add after installation has the ability to unlock the drive. That means the key is protected by weakest user password. We want single and quite long disk password. 10.8 has the ability to remove users entitled to attach the disk by using fdesetup CLI tool. This tool is not present in 10.7, and I was not able to find any way how to remove user. eek. ---- 1) install macosx on a regular unencrypted drive. 2) add all users you will need 3) install all updates 4) install recovery hd partition necessary to enter the system disk password upon boot time as described for example here: https://apple.stackexchange.com/questions/19145/how-can-i-create-or-recreate-a-lion-recovery-partition 5) enter recovery system by rebooting and holding cmd+R 6) run Terminal from Utilities menu 7) diskutil list and find disk name to be encrypted (system disk) 8) diskutil cs convert /dev/disknametobeencrypted -stdinpassphrase 9) you can reboot and watch the progress of encryption with diskutil cs list (will last for several hours, depending on drive size) ---- Key for the drive is stored on Recovery HD partition in file: com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey and is encrypted by disk password (and backdoor key by apple?). Decryption with known password or bruteforce is possible with libfvde (https://github.com/libyal/libfvde) as described in http://eprint.iacr.org/2012/374.pdf (paper) http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf (slides) Encrypted key file is updated upon adding any user to the system, adding default ability to unlock the drive, which create possible weakness. EOF Comments requested ~~~~~~~~~ Binary Sxizophreny - index of comp related stuff Kangaroo's Homepage (czech)