2.5.1.1 Ensure FileVault Is Enabled - dontAllowFDEDisable

Information

FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.

FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost.

FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References).

Rationale:

Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.

Impact:

Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it.

Solution

Graphical Method:
Perform the following steps to enable FileVault:

Open System Preferences

Select Security & Privacy

Select FileVault

Select Turn On FileVault

Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date.
Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.MCX

The key to include is dontAllowFDEDisable

The key must be set to <true/>

Note: This profile is required to pass the audit.

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: fe43beb9a5e28559284155e2f0815946731c38b7cb59df08c317c4bccde36045