FileVault Cracking: What You Need to Know

TL;DR

Cracking FileVault encryption is extremely difficult and time-consuming, even with powerful hardware. It’s generally not feasible for individuals without significant resources. This guide explains the methods used (and their limitations) if you need to understand the process or assess your security.

Understanding FileVault

FileVault is Apple’s full disk encryption system. It protects all data on a Mac’s startup disk. There are two main versions:

• FileVault 1: Older, less secure. Uses XTS-AES with a 128-bit key.
• FileVault 2: More secure. Uses XTS-AES with a 256-bit key and a recovery key derived from the user’s password and a unique hardware key.

Modern Macs use FileVault 2.

Methods for Attempting to Crack FileVault

1. Password Guessing/Dictionary Attack: The simplest approach, but highly unlikely to succeed with strong passwords.
   • Tools like Hashcat can be used to test a list of potential passwords against the FileVault hash.

   hashcat -m 3900 --attack-mode 0 /path/to/filevault_hash /path/to/password_list

   Note: `–attack-mode 0` is a basic dictionary attack. Other modes exist for brute-force, mask attacks etc.

2. Key Stretching Attack (for FileVault 2): This targets the PBKDF2 key derivation function used in FileVault 2.
   • Requires significant computational power to perform enough iterations quickly. GPUs are essential.
   • Tools like FileVaultUnlocker (and similar projects) attempt this, but success depends on password complexity and hardware capabilities.

   Warning: Key stretching attacks are very slow.

3. Hardware Attacks: The most effective, but also the most complex and expensive.
   • Involves physically accessing the Mac’s Secure Enclave Processor (SEP) to extract encryption keys directly.
   • Requires specialized equipment and expertise. Often involves chip-off forensics or side-channel attacks.

   This is beyond the scope of most users.

4. Exploiting Vulnerabilities: Rare, but possible.
   • Security researchers occasionally discover vulnerabilities in FileVault that could allow for decryption without a password. These are usually patched quickly by Apple.

   Keep your macOS updated to mitigate this risk.

Practical Considerations

• Time: Cracking FileVault can take days, weeks, months or even years depending on password strength and available resources.
• Hardware: Powerful GPUs are essential for key stretching attacks. Multiple GPUs significantly reduce the time required.
• Password Strength: A strong, unique password (12+ characters with a mix of upper/lowercase letters, numbers, and symbols) makes cracking exponentially more difficult.
• Recovery Key: If a recovery key was created during FileVault setup, it can be used to unlock the disk without the password. Protect this key securely!

Legal Implications

Attempting to crack encryption on a device you do not own or have explicit permission to access is illegal in many jurisdictions.

Preventative Measures (Strengthening FileVault)

• Strong Password: Use a long, complex password.
• Recovery Key Management: Store the recovery key securely and separately from the Mac. Consider not creating one at all if you can reliably remember your password.
• macOS Updates: Keep macOS updated to patch security vulnerabilities.
• Firmware Password (Optional): Add a firmware password for an extra layer of protection, preventing booting from external media.