2

I am concerned about cold-boot attacks on my full-disk-encrypted (FileVault 2) laptop.

Therefore I am wondering if the memory image dump to /var/vm/sleepimage is encrypted before it is saved to disk?

I notice that the suspended drive asks me for my password before unlocking so it appears this is the case, but could anyone confirm this?

1 Answer

4

Everything written to the volume under FileVault 2 is encrypted live and in-stream by the kernel / device drivers.

As long as there isn't a bug where data leaks to outside the core storage wrapper, you don't need to worry about someone analyzing the contents of your RAM by snooping the locked drive.

bmike
  • So the only issue I need to worry about is a FireWire attack on the computer while turned on then.

    Thanks for your answer!

    – Christopher Jun 06 '13 at 15:17
  • Yes - worrying about a lost key that will decrypt the Core Storage volume (or compromised passcode) from the running system (or observation) or a backup location is a much higher risk than unraveling the encrypted bits on FileVault IMO. – bmike Jun 06 '13 at 16:07