How does FileVault work compared to LUKS
I currently use LUKS to encrypt the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you are prompted for your password before boot.
On macOS I heard you need to use your user password to unlock the disk.
- How does this work in detail?
- The login screen needs to be unencrypted, is it a separate partition then?
- How does the login screen get a list of the users while the disk is still encrypted?
encryption filevault
edited 7 hours ago by fsb
asked 7 hours ago by Emil
1 Answer
You can find a setup guide for FileVault 2 here:
https://support.apple.com/en-gb/HT204837
When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. That is, non-admin users will not be able to unlock and decrypt the drive.
When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.
Note that the unencrypted partition only holds the user names, not passwords, salted password hashes or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.
In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an Apple ID to unlock the drive. This means that you can unlock the drive by logging in to your Apple ID, which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use; others prefer not to enable it for security reasons.
When you compare FileVault to LUKS, the systems are in principle very similar. However, on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave, which tries to hinder brute-forcing the passphrase by adding delays, and protects against side-channel attacks on the main CPU, as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
edited 5 hours ago by IconDaemon
answered 6 hours ago by jksoegaard
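As an added illustration (not part of the question or the answer above), the following Python models the key hierarchy the answer describes and that LUKS and FileVault 2 share: the volume key that encrypts the disk is stored only wrapped under keys derived from each unlocker's secret, so the unencrypted boot record holds names, salts and wrapped keys rather than password hashes, a wrong password simply fails to unwrap the key, and a password slot and a recovery-key slot unwrap the same volume key. The PBKDF2 parameters, the HMAC-based wrap (a stand-in for the AES key wrap real implementations use) and the recovery-key alphabet are assumptions of this example, not Apple's or LUKS's actual on-disk formats.

```python
import hashlib, hmac, secrets

KEY_LEN = 32            # volume key and KEK length; equals SHA-256's digest size
PBKDF2_ITERS = 100_000  # slows offline guessing against a copied header (the T2 adds hardware delays)

def new_volume_key() -> bytes:  # the key that encrypts the disk; never stored unwrapped
    return secrets.token_bytes(KEY_LEN)

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Password or recovery key -> key-encrypting key; the salt is public and lives in the slot."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=KEY_LEN)

def wrap(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC wrap of the volume key (HMAC keystream as a stand-in for AES key wrap)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    """Return the volume key, or None: a wrong secret fails the tag check and yields nothing."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def make_recovery_key() -> str:
    """24 symbols from a 32-symbol alphabet = 120 bits, the size the answer cites (alphabet assumed)."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    chars = [secrets.choice(alphabet) for _ in range(24)]
    return "-".join("".join(chars[i:i + 4]) for i in range(0, 24, 4))

def create_header(volume_key: bytes, admins: dict, recovery_key: str) -> dict:
    """Unencrypted boot-partition record: names, salts and wrapped keys, no password hashes."""
    slots = []
    for name, secret in list(admins.items()) + [("recovery", recovery_key)]:
        salt = secrets.token_bytes(16)
        slots.append({"name": name, "salt": salt,
                      "wrapped": wrap(derive_kek(secret.encode(), salt), volume_key)})
    return {"slots": slots}

def login_names(header: dict) -> list:  # what the pre-boot screen can show without any key
    return [s["name"] for s in header["slots"] if s["name"] != "recovery"]

def unlock(header: dict, name: str, secret: str):
    """Pre-boot unlock: find the slot by name, derive the KEK, try to unwrap the volume key."""
    for slot in header["slots"]:
        if slot["name"] == name:
            return unwrap(derive_kek(secret.encode(), slot["salt"]), slot["wrapped"])
    return None
```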