2.5.1.2 Ensure all user storage APFS volumes are encrypted

Information

Apple developed a new file system, APFS, that was first made available in macOS 10.12 and became the default in macOS 10.13. The file system is optimized for flash and solid-state storage and for encryption. https://en.wikipedia.org/wiki/Apple_File_System macOS computers generally have several volumes created as part of APFS formatting, including Preboot, Recovery and Virtual Memory (VM), as well as traditional user disks.

All APFS volumes that do not carry a specific role exempting them from encryption should be encrypted. 'Role' disks include Preboot, Recovery and VM. User disks are labelled '(No specific role)' by default.

Rationale:

In order to protect user data from loss or tampering, volumes carrying data should be encrypted.

Impact:

While FileVault protects the boot volume, data may be copied to other attached storage, which reduces the protection afforded by FileVault. Ensure all user volumes are encrypted to protect data.

Solution

Use Disk Utility to erase a user disk and format it as APFS (Encrypted).
Note: In the 'ap list' output (diskutil ap list), APFS Encrypted disks are described as 'FileVault' whether or not they are the boot volume.
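As an added example (not part of this audit item's text or of the CIS/Tenable audit logic), the following POSIX shell script performs the check the note above implies: it parses 'diskutil ap list' output, skips the role volumes (Preboot, Recovery, VM) and reports every '(No specific role)' volume whose FileVault line is not 'Yes'. The output layout is assumed from memory of macOS 10.13 and later, and the sample block is constructed (UUIDs and sizes are made up); on a Mac the script feeds the live command into the same function.

```shell
#!/bin/sh
# Added example, not part of the CIS/Tenable audit text.
# Parses 'diskutil ap list' output and lists APFS volumes that have no
# specific role (i.e. user volumes) but are not FileVault/APFS encrypted.
# Role volumes (Preboot, Recovery, VM) are skipped, as the benchmark exempts them.

# Constructed sample of 'diskutil ap list' output (layout assumed from
# macOS 10.13+; UUIDs and sizes are made up). disk1s5 is the one finding.
SAMPLE_AP_LIST='APFS Container Reference:     disk1
    Size (Capacity Ceiling):      500000000000 B (500.0 GB)
    +-> Volume disk1s1 11111111-1111-1111-1111-111111111111
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s2 22222222-2222-2222-2222-222222222222
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk1s3 33333333-3333-3333-3333-333333333333
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk1s4 44444444-4444-4444-4444-444444444444
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s4 (VM)
    |   Name:                      VM (Case-insensitive)
    |   Mount Point:               /private/var/vm
    |   FileVault:                 No
    |
    +-> Volume disk1s5 55555555-5555-5555-5555-555555555555
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s5 (No specific role)
        Name:                      Scratch (Case-insensitive)
        Mount Point:               /Volumes/Scratch
        FileVault:                 No
'

# Read 'diskutil ap list' text on stdin; print one device per line for every
# volume whose role is "No specific role" and whose FileVault line is not "Yes".
unencrypted_user_volumes() {
    awk '
        /APFS Volume Disk \(Role\):/ {
            # strip the label, leaving e.g. "disk1s5 (No specific role)"
            sub(/.*APFS Volume Disk \(Role\):[ \t]*/, "")
            dev = $1
            role = $0
            sub(/^[^(]*\(/, "", role)
            sub(/\).*$/, "", role)
        }
        /FileVault:/ {
            sub(/.*FileVault:[ \t]*/, "")
            # "Yes (Unlocked)" / "Yes (Locked)" mean encrypted; anything else is not
            if (role == "No specific role" && $1 != "Yes") print dev
            role = ""
        }
    '
}

# $1 is a string of 'diskutil ap list' output. Prints PASS/FAIL and returns
# 0 when every user volume is encrypted, 1 otherwise.
audit_apfs_encryption() {
    findings=$(printf '%s' "$1" | unencrypted_user_volumes)
    if [ -n "$findings" ]; then
        printf 'FAIL: unencrypted user volume(s): %s\n' "$(printf '%s' "$findings" | tr '\n' ' ')"
        return 1
    fi
    printf 'PASS: all user volumes are encrypted\n'
    return 0
}

# On a Mac, audit the live system; elsewhere (or for a demo) use the sample.
status=0
if command -v diskutil >/dev/null 2>&1; then
    audit_apfs_encryption "$(diskutil ap list)" || status=$?
else
    audit_apfs_encryption "$SAMPLE_AP_LIST" || status=$?
fi
printf 'audit exit status: %d\n' "$status"
```

The return status makes the function usable from a configuration-management or fleet-audit job: a non-zero exit means at least one user volume is stored in the clear, and the printed device list tells the operator which volume to erase and reformat as APFS (Encrypted) per the Solution above.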

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: 12b401701f982a00d46a03b8eb350dc3f5d9b6694b15afb31d1198a4fc674b14