How does FileVault work compared to LUKS












2















I currently use LUKS to encrypt my the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you will be prompted for your password before the boot.



On macOS I heard you need to use your user password to unlock the disk.




  • How does this work in detail?

  • The login screen needs to be unencrypted, is it a separate partition then?

  • How does the login screen gets a list of the users while the disk is still encrypted?










share|improve this question





























    2















    I currently use LUKS to encrypt my the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you will be prompted for your password before the boot.



    On macOS I heard you need to use your user password to unlock the disk.




    • How does this work in detail?

    • The login screen needs to be unencrypted, is it a separate partition then?

    • How does the login screen gets a list of the users while the disk is still encrypted?










    share|improve this question



























      2












      2








      2








      I currently use LUKS to encrypt my the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you will be prompted for your password before the boot.



      On macOS I heard you need to use your user password to unlock the disk.




      • How does this work in detail?

      • The login screen needs to be unencrypted, is it a separate partition then?

      • How does the login screen gets a list of the users while the disk is still encrypted?










      share|improve this question
















      I currently use LUKS to encrypt my the drive of my Linux computer. I am planning to buy a Mac and want to enable full-disk encryption. With LUKS you will be prompted for your password before the boot.



      On macOS I heard you need to use your user password to unlock the disk.




      • How does this work in detail?

      • The login screen needs to be unencrypted, is it a separate partition then?

      • How does the login screen gets a list of the users while the disk is still encrypted?







      encryption filevault






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 9 at 19:55









      fsb

      14.4k62954




      14.4k62954










      asked Feb 9 at 19:49









      EmilEmil

      564




      564






















          1 Answer
          1






          active

          oldest

          votes


















          4














          You can find a setup guide for FileVault 2 here:



          https://support.apple.com/en-gb/HT204837



          When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.



          When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.



          Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.



          In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.



          When you compare FileVault to LUKS, the systems are in principle very similar. However on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave which tries to hinder brute forcing the pass phrase by adding delays, and protects against side-channels attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:



          https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf






          share|improve this answer

























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "118"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f351006%2fhow-does-filevault-work-compared-to-luks%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            You can find a setup guide for FileVault 2 here:



            https://support.apple.com/en-gb/HT204837



            When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.



            When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.



            Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.



            In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.



            When you compare FileVault to LUKS, the systems are in principle very similar. However on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave which tries to hinder brute forcing the pass phrase by adding delays, and protects against side-channels attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:



            https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf






            share|improve this answer






























              4














              You can find a setup guide for FileVault 2 here:



              https://support.apple.com/en-gb/HT204837



              When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.



              When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.



              Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.



              In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.



              When you compare FileVault to LUKS, the systems are in principle very similar. However on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave which tries to hinder brute forcing the pass phrase by adding delays, and protects against side-channels attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:



              https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf






              share|improve this answer




























                4












                4








                4







                You can find a setup guide for FileVault 2 here:



                https://support.apple.com/en-gb/HT204837



                When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.



                When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.



                Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.



                In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.



                When you compare FileVault to LUKS, the systems are in principle very similar. However on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave which tries to hinder brute forcing the pass phrase by adding delays, and protects against side-channels attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:



                https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf






                share|improve this answer















                You can find a setup guide for FileVault 2 here:



                https://support.apple.com/en-gb/HT204837



                When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.



                When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.



                Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.



                In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use, others prefer not to enable it for security reasons.



                When you compare FileVault to LUKS, the systems are in principle very similar. However on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave which tries to hinder brute forcing the pass phrase by adding delays, and protects against side-channels attacks on the main CPU as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:



                https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 9 at 21:26









                IconDaemon

                12.2k62842




                12.2k62842










                answered Feb 9 at 20:38









                jksoegaardjksoegaard

                17.1k1744




                17.1k1744






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Different!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f351006%2fhow-does-filevault-work-compared-to-luks%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?

                    Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents