Images: How to bypass FileVault, BitLocker security

Step 8: Success!
Wow! It worked. The AES encryption key is the same. FileVault has been bypassed.

As you can see in this photograph, the AES key that the "keyfind" utility extracted from the MacBook's RAM is dd6a242a3a90ee1f60a8c53db59a4133. That's the same secret 128-bit key that Apple's utility shows is associated with the FileVault volume. (When you type in your FileVault passphrase, OS X unlocks this AES key.)

I just tested FileVault, of course, but the test shows that people using Microsoft's BitLocker, TrueCrypt, and similar products should also be concerned. Screensavers and suspend-to-RAM can no longer be trusted to keep the contents of a mounted encrypted disk secure. Servers with encryption keys in RAM, perhaps for SSL sessions, are vulnerable. And nosy security functionaries at border crossings become a renewed threat.

There are still ways of protecting your privacy. One is to turn off the computer for at least one minute. That gives the memory enough time to decay.

Another is to keep sensitive data in a separate encrypted file system, such as a PGP disk, that is mounted only when necessary and immediately unmounted when not in use. That should, if the application is designed properly, scrub the keys from memory so they can't be captured with a memory scan.