A fix for filevault2 security issue

Just made a fix for the FileVault 2 issue I described earlier.

Here is a 10.7.2 kernel (compiled from sources) and a source patch.

By default this kernel forbids booting into single-user mode for everyone when FileVault 2 protection is enabled.

But you can allow one user (e.g. admin, or yourself) to boot the system into single-user mode.

To do this, boot into OS X, typing the password for that account at the EFI login screen.

Then run this command:

ioreg -l -w0 -p IODeviceTree | grep efilogin-unlock-ident

You will get a result like:

| | "efilogin-unlock-ident" = <"4B012BC6-A948-2893-3454-B345307B8234">

Copy the value – 4B012BC6-A948-2893-3454-B345307B8234

and insert it into /Library/Preferences/SystemConfiguration/ under the name suallow, just like in the example below:

[example image: Kernel Flags]

So now only the user you chose can boot into single-user mode when FV2 is enabled, and nobody else.

Now your files can be almost fully secured.


  1. thinkingguy
    November 30th, 2011 | 5:21 am

    really? there isn’t a better way to keep files secured?

    I never trusted Apple or Microsoft encryption for reasons like you mentioned in your post.

  2. j4y
    November 30th, 2011 | 2:58 pm

    I can sleep a little better at night with this fix. Thank you like always netkas for the patch. 8)

  3. February 12th, 2012 | 4:53 am

    Thanks for this, and for the heads up about FV2. I’d read the spec on it, but it just went under the radar that once an authorised user unlocks the disk, there’s no encryption on the account folders (as with FV1).

  4. February 12th, 2012 | 9:47 am

    Did you actually try the dscl . -passwd command in single user mode? It doesn’t work in Lion with FV2 enabled.

    As far as I can tell, if FV2 is enabled, not only the admin password but also the user's own passwd can't be changed that way anymore, as they are themselves encrypted on the recovery disk, not in system/launchdaemons as in Snow (and presumably unencrypted Lion disks).
