Mac OS X 10.7 system drive full disk encryption with FileVault2

Mac OS X 10.7 system drive full disk encryption
with FileVault2

Full disk encryption using FileVault2 under Mac OS X 10.7 is cumbersome.
Use case scenario is uncertainty of file deletion on a SSD system drive.
// FileVault2 cannot be taken seriously as a data privacy protection since
// it's closed-source. Even in this scenario, protection is effective only
// against non-motivated opponent.

If you create encrypted partition during install (using DiskUtility in
install environment, erasing drive, choosing "encrypted" option), every user
you add after installation has the ability to unlock the drive. That means
the key is protected by weakest user password. We want single and quite
long disk password.

10.8 has the ability to remove users entitled to attach the disk by using
fdesetup CLI tool. This tool is not present in 10.7, and I was not able to
find any way how to remove user. eek.

----

1) install macosx on a regular unencrypted drive.

2) add all users you will need

3) install all updates

4) install recovery hd partition necessary to enter the system disk password
upon boot time as described for example here:
https://apple.stackexchange.com/questions/19145/how-can-i-create-or-recreate-a-lion-recovery-partition

5) enter recovery system by rebooting and holding cmd+R

6) run Terminal from Utilities menu

7) diskutil list
and find disk name to be encrypted (system disk)

8) diskutil cs convert /dev/disknametobeencrypted -stdinpassphrase

9) you can reboot and watch the progress of encryption with
diskutil cs list
(will last for several hours, depending on drive size)

----

Key for the drive is stored on Recovery HD partition in file:
com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
and is encrypted by disk password (and backdoor key by apple?).

Decryption with known password or bruteforce is possible with libfvde
(https://github.com/libyal/libfvde) as described in
http://eprint.iacr.org/2012/374.pdf (paper)
http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf (slides)

Encrypted key file is updated upon adding any user to the system, adding
default ability to unlock the drive, which create possible weakness.

EOF

Comments requested

~~~~~~~~~
Binary Sxizophreny - index of comp related stuff
Kangaroo's Homepage (czech)