Consider the case of a MacBook Pro with FileVault active. The computer is on and I’m properly logged on.
I frequently need to access sensitive data located in text files on an encrypted volume. The encrypted volume is created when I mount a particular file that lives on the main hard disk. The encryption program that mounts the file and makes the data available as a volume is called VeraCrypt.
When I leave my computer for brief periods, I lock my screen (Ctrl-Cmd-Q) but the computer is still on.
If someone were to break in and steal my computer and run off with it while it was in that state, would he be able to read the contents of my VeraCrypt volume?
Assume that none of the volume’s files are open at the time of the theft. But the volume is mounted. Assume system file sharing is turned off and firewall is turned on. Assume no one else knows my system password.
Assume that the thief doesn’t have NSA-level hacking expertise; he doesn’t even know what he’s looking for (e.g. the volume name or what it contains). He’s just a run-of-the-mill criminal who saw a crime of opportunity to grab a laptop, but he’s open to snagging any content of value on the computer itself if he can find any.
One thing I could do is dismount the VeraCrypt virtual drive every time I leave the computer alone. It’s protected with a strong password that no one could guess. But dismounting and remounting that drive forces me to shut down and subsequently restart and reinitialize a number of other processes that are specific to the work I do. It takes some time. My preference would be to leave that drive mounted during the brief time I’m away, but only if the lock screen provides sufficient security to protect the data.
I did read Data security while MacBook is on lock screen but this focuses more on FileVault, which as I understand it, offers minimal protective value when the computer is powered on.
Instead, I’m more interested in preventing read-access of a VeraCrypt volume. I’m not concerned about the data being deleted, overwritten, or otherwise corrupted by a bad actor — just read. I don’t care about the hypothetical thief reading anything else on the system’s main hard drive; my question is strictly about the readability of the encrypted volume when the OS is locked.