FileVault and QuickLook leak some information from encrypted volumes
If you use FileVault and QuickLook you may want to know that the combination of the two may leak some sensitive information from encrypted volumes. Reader Jack R. sent in the following tip, explaining the situation further:
When FileVault and QuickLook are used concurrently, information about what files are stored on the encrypted volume becomes available and completely unencrypted on your hard drive. This is due to QuickLook’s thumbnail caching that is stored within the /var/ directory. Run the following command to see the size of the QuickLook cache to demonstrate the potential:
find /var/folders -name "*QuickLook*" -exec du -h {} \; 2>/dev/null
The worst case scenario is the potential for exposing file names and even QuickLook thumbnails of documents and images. There’s also a sqlite file called index.sqlite within the /var/folders QuickLook cache directories that has a list of file names on the encrypted volumes.
Whether or not this is a legitimate security hole that is patchable or if it’s something I’m aimlessly worried about, I don’t know, but I am willing to bet many people don’t know about this!
Editor note: This definitely seems like a security hole. I imagine the best way to avoid this problem is to just not use QuickLook on the sensitive encrypted data, although that’s more of a workaround than a fix.
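One way to check the claim about index.sqlite on your own machine, as an added example that is not part of the original tip or of Apple's tooling: it opens each QuickLook index.sqlite under /var/folders read-only and reports any stored text containing a search string. The search string is an assumption, for instance a distinctive file name that exists only on the encrypted volume, and because the page does not document the database layout, no table or column names are assumed.

```python
import os
import pathlib
import sqlite3

CACHE_ROOT = "/var/folders"  # cache location named in the post


def find_indexes(root=CACHE_ROOT):
    """Yield every index.sqlite that sits inside a QuickLook cache directory."""
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        if "quicklook" in dirpath.lower() and "index.sqlite" in files:
            yield os.path.join(dirpath, "index.sqlite")


def leaked_strings(db_path, needle):
    """Return the sorted text values, from any table, that contain needle."""
    hits = set()
    # mode=ro opens the database read-only, so the audit never alters the cache.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # Schema-agnostic: walk every column of every table.
        tables = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            for row in con.execute(f"SELECT * FROM {quoted}"):
                for value in row:
                    if isinstance(value, bytes):
                        value = value.decode("utf-8", "ignore")
                    if isinstance(value, str) and needle in value:
                        hits.add(value)
    finally:
        con.close()
    return sorted(hits)


def audit(needle, root=CACHE_ROOT):
    """Map each cache index under root to the matching strings it holds."""
    report = {}
    for db in find_indexes(root):
        try:
            found = leaked_strings(db, needle)
        except sqlite3.Error:
            continue  # locked or unreadable index: skip it
        if found:
            report[db] = found
    return report
```

Calling `audit("some-distinctive-name")` after previewing a file on the encrypted volume returns an empty dict when nothing about that file was cached.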

So how do you disable QuickLook?
Good question. You can stop the daemon from running by using
killall -9 quicklookd
but that is not a permanent solution.
It might be best to just not use QuickLook, thus not allowing the thumbnails to be generated. I have yet to find a way to disable Quick Look completely.
Thumbnail cache is disabled for encrypted volumes, including for FileVault users. You should be able to confirm with the following Terminal command:
qlmanage -m disks
If this is not the case, there is definitely a bug in Quick Look.
If J is correct, not a big deal, but if the stuff is actually cached, why not just add a script to your machine that periodically deletes the cache file during the day? At least it would lessen the damage on a breach.
Found it in cd ‘/private/var/folders/M4/M4C9EH+OHfCUCPjIRmQAUU+++TI-Caches-/com.Apple.QuickLook.thumbnailcache/’ What would be the consequence of simply deleting the whole com.Apple.QuickLook.thumbnailcache folder?
…and what application can open the files therein so I can read them?
As I mentioned in my previous comment, Quick Look does not store anything in its cache that comes from encrypted volumes.
If you really want to reset the cache, use “qlmanage -r cache” in a Terminal.
There is definitely an issue with Quick Look. I don’t know about FileVault, but it creates and caches previews for files in TrueCrypt encrypted volumes.
It’s certainly missing a level of transparency and manageability showing what it’s doing, what’s stored where, etc.
There is also the fact that, for those of us who don’t use QL, not being able to disable it makes it a complete waste of resources. On my machine, it allocates over 500MB of VM for a feature that I never use.
How do I tell QL to ignore some/all volumes?
Quick Look does not really “allocate” 500MB of memory. It’s purely virtual and generally accounts for a very small amount of real wired memory. This has no real impact on the global system performance.
Actually, it does have a real impact. Virtual memory must be allocated and swapped to disk. The reason I started looking into QL is because of the memory and CPU it was using at login. To quote Robert A. Heinlein, TANSTAAFL (there ain’t no such thing as a free lunch). Virtual memory does have an impact, even if it’s only temporary/transient.
The bottom line is that it uses resources on my system, and I never use it. So far, I’ve found no way to disable it and recover the resources it uses.
Not if that VM is just memory mapped to a file on disk (which is the case).
Missing the point with this conversation, which is why so shady a method? These thumbnails, or “pictures” it is taking, what is wrong with storing in ~/Library/Caches?