Saturday, August 3, 2013

Why DestroyFVKeyOnStandby and hibernatefile don't mix

Work has moved me off my beloved MacBook Air to a 2011 MacBook Pro. Switching back to the Pro feels like going from a light laptop to a brick. However, I am doing a LOT of new stuff, including learning the NetApp and DS3500 storage units. The 2011 MacBook Air maxes out at 4G, and I need 8G of memory and all 4 i7 cores in this Pro to run a lot more Java programs and VMware VMs.

To keep work files secure, I turn on FileVault 2 to encrypt the disk, and I run pmset -a destroyfvkeyonstandby 1 hibernatemode 25 to make the Mac sleep securely. However, my Mac still wasn't forgetting the FileVault key.

Then I realized that I'd taken a different action that was causing a problem. I have a Samsung 840 Pro SSD and a Toshiba 1T platter disk in the CD drive spot (thanks to the OWC DiskDoubler). To get writes off the SSD, I moved the sleepimage and the swap files out to a partition on the Toshiba. It turns out that when pmset says "keep the sleepimage on the root drive", they mean it. If the sleepimage is on an external disk, the computer really won't go to sleep.

If you have an SSD and FileVault 2 on, just get in the habit of shutting down instead of sleeping.
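A check for the combination described above, as an added example that is not part of the original post: it audits `pmset -g` output for destroyfvkeyonstandby, hibernatemode and a hibernatefile that has been moved off the root volume. The function names, the sample output (constructed, not captured from a real machine) and the assumed "key value" line layout of `pmset -g` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit pmset settings for secure sleep with FileVault 2.

# Constructed samples in the assumed `pmset -g` layout ("key   value" per line).
SAMPLE_GOOD='System-wide power settings:
 DestroyFVKeyOnStandby  1
Currently in use:
 hibernatemode        25
 hibernatefile        /var/vm/sleepimage'

SAMPLE_BAD='System-wide power settings:
 DestroyFVKeyOnStandby  1
Currently in use:
 hibernatemode        25
 hibernatefile        /Volumes/Toshiba/vm/sleepimage'

# pmset_value KEY: read pmset text on stdin, print KEY's value.
# Key match is case-insensitive; the value may contain spaces (paths).
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# audit_pmset TEXT: print one FAIL line per problem; return 0 only if clean.
audit_pmset() {
    text=$1
    rc=0
    destroy=$(printf '%s\n' "$text" | pmset_value destroyfvkeyonstandby)
    mode=$(printf '%s\n' "$text" | pmset_value hibernatemode)
    file=$(printf '%s\n' "$text" | pmset_value hibernatefile)
    [ "$destroy" = 1 ] || { echo "FAIL destroyfvkeyonstandby=${destroy:-unset}"; rc=1; }
    [ "$mode" = 25 ] || { echo "FAIL hibernatemode=${mode:-unset}, expected 25"; rc=1; }
    # Heuristic: non-boot volumes mount under /Volumes on macOS.
    # A symlinked sleepimage is not detected by this path check.
    case $file in
        ''|/Volumes/*)
            echo "FAIL hibernatefile=${file:-unset} is not on the root volume"
            rc=1 ;;
    esac
    return $rc
}

# Stand-alone run against the constructed sample that mirrors the post's setup.
audit_pmset "$SAMPLE_BAD" || echo "sample: this Mac would not hibernate securely"
```

On a Mac, run the same check against the live settings with `audit_pmset "$(pmset -g)"`.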