The libfvde project’s open source library and tools allow users to access data on volumes that have been encrypted with Apple’s FileVault2 hard disk encryption program on Mac OS X 10.7 Lion. With libfvde and fvdetools, these volumes can be read using either a Mac OS X or a Linux system.
The tools use Filesystem in Userspace (FUSE) to, for example, mount an image of a Mac system disk encrypted with FileVault2. To this end, they extract the volume master key – although the user still needs to unlock it by entering the password. This means that if a user doesn’t know the volume’s password, libfvde can’t access the encrypted data. A wiki page explains the first steps involved in working with fvdemount and other programs.
However, a few quick tests conducted by The H’s associates at heise Security revealed a significant limitation: libfvde currently only works with system volumes, for which Mac OS X creates a special recovery partition that includes a file called EncryptedRoot.plist.wipekey with a copy of the required encrypted volume master key. Mac OS X Lion can also encrypt external hard drives and USB flash drives with FileVault2, but it doesn’t create a recovery partition for these. Project head Joachim Metz told heise Security that he and his team members are still looking for a way to extract the key needed for decrypting volumes without a recovery partition.
The libfvde library and tools are available to download from the project’s Google Code page and are licensed under the LGPLv3.