How does FileVault work compared to LUKS





I currently use LUKS to encrypt the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you will be prompted for your password before the boot.

On macOS I heard you need to use your user password to unlock the disk.

  • How does this work in detail?
  • The login screen needs to be unencrypted, is it a separate partition then?
  • How does the login screen get a list of the users while the disk is still encrypted?










edited Feb 9 at 19:55 by fsb
asked Feb 9 at 19:49 by Emil






















1 Answer




















You can find a setup guide for FileVault 2 here:

https://support.apple.com/en-gb/HT204837

When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.

When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.

Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.

In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an Apple ID to unlock the drive. This means that you can unlock the drive by logging in to your Apple ID, which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.

When you compare FileVault to LUKS, the systems are in principle very similar. However, on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave, which tries to hinder brute forcing the passphrase by adding delays, and protects against side-channel attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf






edited Feb 9 at 21:26 by IconDaemon
answered Feb 9 at 20:38 by jksoegaard
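The slot-based unlock design the answer describes, as a toy model added here (it is not cryptsetup's or Apple's code): one random volume key wrapped separately for a login password and for a recovery key, a plaintext header that lists only slot names, and a digest check that rejects a wrong secret. The slot names, secrets and the XOR-with-PRF wrap are constructed stand-ins.

```python
import os
import hmac
import hashlib

# Toy model of the unlock design in the answer (shared by LUKS key slots and
# FileVault's unlock methods): one random volume key, a separately wrapped
# copy per credential, a plaintext header with slot names but no password or
# password hash.  The XOR-with-PRF wrap is a constructed stand-in for AES-KW.

KDF_ITERATIONS = 50_000  # real systems tune this much higher or use Argon2/scrypt

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Slow KDF: password or recovery key -> 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)

def wrap_mask(kek: bytes, salt: bytes) -> bytes:
    return hmac.new(kek, b"volume-key-wrap" + salt, "sha256").digest()

def new_header(volume_key: bytes) -> dict:
    # Like the LUKS master-key digest: verifies a candidate key without storing it.
    digest_salt = os.urandom(16)
    return {"digest_salt": digest_salt,
            "digest": derive_kek(volume_key, digest_salt), "slots": {}}

def add_slot(header: dict, name: str, secret: bytes, volume_key: bytes) -> None:
    salt = os.urandom(16)
    mask = wrap_mask(derive_kek(secret, salt), salt)
    header["slots"][name] = {"salt": salt,
                             "wrapped": bytes(a ^ b for a, b in zip(volume_key, mask))}

def unlockers(header: dict) -> list:
    # All a pre-boot login screen needs to show: slot (user) names, nothing secret.
    return sorted(header["slots"])

def unlock(header: dict, secret: bytes):
    # Try every slot; a wrong secret unwraps to garbage that fails the digest check.
    for slot in header["slots"].values():
        mask = wrap_mask(derive_kek(secret, slot["salt"]), slot["salt"])
        candidate = bytes(a ^ b for a, b in zip(slot["wrapped"], mask))
        if hmac.compare_digest(derive_kek(candidate, header["digest_salt"]), header["digest"]):
            return candidate
    return None

def build_demo() -> tuple:
    # Constructed sample: one admin password slot plus one recovery-key slot.
    volume_key = os.urandom(32)
    header = new_header(volume_key)
    add_slot(header, "admin", b"correct horse battery staple", volume_key)
    add_slot(header, "recovery", b"EXAMPLE-RECOVERY-KEY-NOT-REAL", volume_key)
    return header, volume_key
```

Either credential recovers the same volume key, the header can be shown on an unencrypted pre-boot partition without leaking anything usable offline except for a slow KDF guess, and removing a slot revokes that credential without re-encrypting the disk.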














