Home

Joachim Metz edited this page Sep 5, 2016 · 6 revisions

libfvde is a library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.

The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.

Project information:

  • Status: experimental
  • Licence: LGPLv3+

Supported FileVault2 implementations:

  • Mac OS X Lion (10.7)
  • Mac OS X Mountain Lion (10.8)
  • Mac OS X Mavericks (10.9)
  • Mac OS X Yosemite (10.10)
  • Mac OS X El Capitan (10.11)

Supported encryption volume types:

  • removable media volume - with encrypted context (initial support as of 20121113 version)
  • system volume

Supported protection methods:

  • password
  • recovery password
  • VMK key data (as of 20121114 version)

If you find this project useful please cite the following paper in your publications:

Omar Choudary, Felix Grobert and Joachim Metz. "Security Analysis and Decryption of Filevault 2", in Advances in Digital Forensics IX, IFIP Advances in Information and Communication Technology 410, 2013, pp 349-363.

Work in progress:

  • DEFLATE compressed XML plist
  • removable media volume - without encrypted context
  • removable media volume - decrypted
  • extend CoreStorage volume support
  • partially encrypted volumes

Planned:

  • Dokan support
