This is an alert to our Knox customers and everyone interested about the security of encrypted files on their Macs.
All new Macs come with a feature called Safe Sleep, also known as “hibernate”, that stores the contents of the Mac’s memory to disk when sleeping. This allows you to wake back to the same session even if the Mac’s battery is removed or runs out during sleep.
Everything in your Mac’s memory is stored on disk, in unencrypted form, whenever your Mac goes to sleep.
If you care about security, you need to turn this feature off right away. The commands you need to run in Terminal are:
sudo pmset -a hibernatemode 0
sudo rm /var/vm/sleepimageAfter that, you may want to zero the free space on the volume with Disk Utility, and never visit the Energy Saver preference panel again so that the setting doesn’t reset back. Although it still might — through a power manager reset, for example. Just stay vigilant and observe the time your Mac takes to sleep.
As of Mac OS X 10.4.8, there is no way around this, apparently even if you have turned secure virtual memory on from the Security system preference pane (and you have, right — without it, none of this matters).
You should visit this security discussion at MacInTouch for the full lowdown. Scroll down to Travis Beals’s comments posted on November 2nd to see the gory details.
P.S. There is a physical safety issue to Safe Sleep as well. On my MacBook Pro, it takes so much time (writing the contents of 3GB of memory to a slow 4200rpm disk) that I’ve ended up shoving the MacBook into my backpack with its disk still spinning — a great way to ruin the hard drive.
Thanks for the news, Marko! We should probably all send feedback to Apple asking for an option on this.
Is there any chance you guys could build it in to the next version of Knox?
When you say "All new Macs", how far back are you talking about? Just the new Intel breed? I have a 1.67GHz PPC model...
Jim, if your PowerBook is of the last generation (with dual-layer SuperDrive, released October 2005) then it has Safe Sleep - it was a new feature at that time. A quick way to determine if your computer has Safe Sleep is to actually put it to sleep. If the power/sleep LED begins "breathing" immediately, then you don't have it. If the light stays solid for 5-20 seconds, then that's the time in which your computer is writing RAM to disk.
Below is a snippet of my system.log from going to sleep:
Dec 30 23:38:30 Kimono kernel[0]: System SafeSleep
Dec 30 23:38:30 Kimono kernel[0]: mapping_hibernate_flush start
Dec 30 23:38:30 Kimono kernel[0]: mapping_hibernate_flush time: 307 ms
Dec 30 23:38:30 Kimono kernel[0]: hibernate_page_list_setall start
Dec 30 23:38:30 Kimono kernel[0]: removed hash, pca: 2176 pages
Dec 30 23:38:30 Kimono kernel[0]: hibernate_page_list_setall time: 223 ms
Dec 30 23:38:30 Kimono kernel[0]: pages 323332, wire 38868, act 169800, inact 36871, zf 4781, could discard act 29463 inact 43549
Dec 30 23:38:30 Kimono kernel[0]: hibernate_page_list_setall found pageCount 323332
Dec 30 23:38:30 Kimono kernel[0]: IOHibernatePollerOpen, ml_get_interrupts_enabled 0
Dec 30 23:38:30 Kimono kernel[0]: IOHibernatePollerOpen(0)
Dec 30 23:38:30 Kimono kernel[0]: writing 323256 pages
Dec 30 23:38:30 Kimono kernel[0]: image1Size 62692864
Dec 30 23:38:30 Kimono kernel[0]: all time: 13612 ms, comp time: 5390 ms, deco time: 0 ms,
Dec 30 23:38:30 Kimono kernel[0]: image 536006656, uncompressed 1016086528 (248068), compressed 534103756 (52%), sum1 59807d4c, sum2 a4c826c6
Dec 30 23:38:30 Kimono kernel[0]: hibernate_write_image done(0)
Dec 30 23:38:30 Kimono kernel[0]: sleep