About FDE and YoNTMA
Full Disk Encryption (FileVault) with a strong passphrase really only protects a computer that's shut down or truly hibernated. If it's running, there are a few ways to attack it: you can do a DMA attack, you can pull the RAM out and read it, or you can try going after it a few other ways.
As mentioned here, Apple does some tricks to prevent DMA attacks while the computer is in screensaver/locked. So that's good: one attack somewhat thwarted.
But at the same time, Apple's sleep mechanism is not a true hibernation. A few settings have to be changed to turn it back into a true hibernation:
- standbydelay - Needs to be 0. "the delay, in seconds, before writing the hibernation image to disk and powering off memory for Standby."
- destroyfvkeyonstandby - Needs to be 1.
- hibernatemode - Needs to be 25. "The system will store a copy of memory to persistent storage (the disk), and will remove power to memory. The system will restore from disk image. If you want 'hibernation' - slower sleeps, slower wakes, and better battery life, you should use this setting."
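The three settings above, as an added shell example (not YoNTMA project code): it audits `pmset -g`-style output against those values and prints the single `pmset -a` command that would apply them. The sample output is constructed, and the exact `pmset -g` line layout and key casing are assumptions.

```shell
#!/bin/sh
# Added example (not YoNTMA code): audit pmset output for the three
# hibernation settings from this page. Assumes `pmset -g` prints one
# " key   value" line per setting; key casing varies, so compare lowercased.

# Constructed sample resembling a laptop's defaults before hardening.
SAMPLE_DEFAULT=' standbydelay         10800
 hibernatemode        3
 sleep                1'

# Constructed sample after applying the settings listed on this page.
SAMPLE_HARDENED=' standbydelay         0
 DestroyFVKeyOnStandby 1
 hibernatemode        25
 sleep                1'

WANTED="standbydelay=0 destroyfvkeyonstandby=1 hibernatemode=25"

# Reads pmset-style text on stdin; prints "key actual wanted" per mismatch.
# A missing key counts as a mismatch (destroyfvkeyonstandby is absent
# from the output until it has been set). Returns 0 only if all three match.
check_hibernation_settings() {
    input=$(cat)
    bad=0
    for pair in $WANTED; do
        key=${pair%%=*}
        want=${pair#*=}
        actual=$(printf '%s\n' "$input" |
            awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ "${actual:-missing}" != "$want" ]; then
            printf '%s %s %s\n' "$key" "${actual:-missing}" "$want"
            bad=1
        fi
    done
    return $bad
}

# Prints the pmset command that applies all three settings (run it with sudo).
fix_command() {
    printf 'pmset -a'
    for pair in $WANTED; do
        printf ' %s %s' "${pair%%=*}" "${pair#*=}"
    done
    printf '\n'
}

# Stand-alone run: audit the live machine when pmset exists, else the sample.
if command -v pmset >/dev/null 2>&1; then
    pmset -g | check_hibernation_settings || fix_command
else
    printf '%s\n' "$SAMPLE_DEFAULT" | check_hibernation_settings || fix_command
fi
```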
Where YoNTMA really comes in is a pretty specific threat scenario. Your laptop is somewhere, plugged in, running, and locked (with FileVault enabled and the power settings above applied). Someone wants to take it somewhere to perform a cold boot attack (or just flat out steal it). When the laptop is unplugged, YoNTMA hibernates it to get the keys out of RAM, to try to prevent a cold boot attack, or an attempt to still do a DMA attack.
There are a lot of things it doesn't protect you from. It doesn't protect you if they try to perform those attacks without unplugging it. It doesn't protect you if they can get it to a cold boot station quickly (some estimates I've heard of are that keys are still accessible up to 15 minutes later). It doesn't protect you if you have a weak passphrase, or from malware.