6

As an alternative to using encrypted disk images, I created a FileVault 2 encrypted partition in Lion for some important data on the SSD in my MacBook Air. The password is not stored in a keychain. Once it is unlocked, I can unmount and mount it again without authenticating, even after logging out and back in again. Nothing short of restarting seems to lock this partition again.

Re-locking an internal encrypted partition while logged in is possible in other implementations of whole-disk encryption, and for FileVault 2, according to the man page for diskutil, specifically, for the command diskutil coreStorage unlockVolume,

"This verb unlocks an LVF by providing that authentication; as the LVs are thus appear
as dev nodes, any file systems upon them are automatically mounted. To "re-lock" the
volume, make it offline again by ejecting it, e.g. with diskutil eject"

While this does work as it should with encrypted external drives, it does not seem to work on my encrypted internal partition. I can eject the logical volume, which is /dev/disk1, but it does not get locked. Trying to eject its containing Logical Volume Family, Physical Volume, or Logical Volume Group, results in errors, even using administrator privileges. I tried variations, using unmount, unmountDisk, referring to the device UUIDs, with no luck. What am I doing wrong here?

lmn
  • 61
  • 2
  • Ouch... You can't eject the whole internal drive while the system is booted from a "partner volume" on the same internal drive. I don't want to suggest you use a second encryption (like a disk image) inside the corestorage volume, but fail to see another workaround at the moment other than the obvious one of moving that data to it's own drive. – bmike Sep 12 '11 at 20:22

3 Answers3

2

Due to the limitations, you might want to use an encrypted disk image rather than whole disk encryption.

Come to think of it - why not use both?

You could always turn off FileVault if you felt it too much a hassle, but to get around the limitation you caught (thank goodness you did catch it), consider using Disk Utility to make secure the parts of your data you need to force into a locked state when that disk image is unmounted. This will let you sleep your mac and not compromise that data by allowing it to be re-mounted without the appropriate passcode being supplied.

bmike
  • 235,889
1

This is the response from Apple I got to my bug report:

We are aware of this issue. It is being addressed, and we would like to thank you for taking the time to pass it along to us.

lid
  • 1,835
0

The only problem I can think of with disk images which "re-lockable" internal partitions wouldn't have concerns Time Machine backups. Since FileVault 2 makes it possible to have an encrypted TM drive, it now makes sense to have secure data backed up and easily accessed from within Time Machine. For a disk image, this means backing up its contents rather than the image file itself. This requires various hacks and may not be possible in Lion. Personally, these issues aren't deal-breakers, but those working in more secure environments may want to be aware of them…

As for the original issue, a quick search seems to indicate that re-locking without rebooting is possible for partitions on a boot drive in Linux and Bitlocker for Windows, so perhaps this isn't an inherent limitation of FileVault 2, and some future iteration will implement it.

Community
  • 1
lmn
  • 1