Information
Full Disk Encryption (FDE) is a Data-at-Rest (DAR) solution. It ensures that when the data on the drive is not in use, it is fully encrypted, but it can be decrypted (unlocked) as needed. When a Mac sleeps, the encryption keys remain in memory, so the drive is encrypted but unlocked. There are attacks available to interact with the OS and data on the unlocked drive. FileVault volumes should be locked when not in use to resist attack.
Rationale:
The purpose of DAR is to ensure data is encrypted while at rest. If the volume is always unlocked, it is not sufficient.
Impact:
The laptop will require a user to log in to the OS with their username and password, not Touch ID, after the FileVault key is destroyed.
Solution
Terminal Method:
Run the following command to ensure FileVault keys are set to be destroyed on standby:
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
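The following shell script is an added example, not part of this audit item. It checks the setting this item remediates by parsing the `DestroyFVKeyOnStandby` line that `pmset -g` prints, so it can serve as a local pre-check before or after running the command above. The sample `pmset -g` output embedded in it is constructed for illustration rather than captured from a real Mac, and the function and variable names are the example's own.

```shell
# Added example (not from the audit item): verify that FileVault keys are
# set to be destroyed on standby by parsing pmset-style output.
# check_destroyfvkey reads `pmset -g` output on stdin and returns 0 when
# DestroyFVKeyOnStandby is 1, and 1 when it is 0 or absent.
check_destroyfvkey() {
  awk 'BEGIN { found = 0 }
       $1 == "DestroyFVKeyOnStandby" { found = 1; val = $2 }
       END { exit (found && val == 1) ? 0 : 1 }'
}

# Constructed sample of `pmset -g` output (not captured from a real Mac).
SAMPLE_COMPLIANT='System-wide power settings:
Currently in use:
 standbydelaylow      10800
 standby              1
 DestroyFVKeyOnStandby 1
 hibernatemode        3
 sleep                1'

SAMPLE_NONCOMPLIANT='System-wide power settings:
Currently in use:
 standby              1
 DestroyFVKeyOnStandby 0
 hibernatemode        3'

# audit_sample prints PASS or FAIL for a block of pmset output passed as $1.
audit_sample() {
  if printf '%s\n' "$1" | check_destroyfvkey; then
    echo "PASS"
  else
    echo "FAIL"
  fi
}

audit_sample "$SAMPLE_COMPLIANT"      # PASS
audit_sample "$SAMPLE_NONCOMPLIANT"   # FAIL

# Live check on a Mac (commented out so the script runs on any system):
# pmset -g | check_destroyfvkey && echo "PASS" || echo "FAIL"
```

One caveat when interpreting a PASS: the key is discarded only when the Mac actually enters standby (hibernation), not on ordinary sleep, so the power settings must allow the machine to reach standby for the control to have its intended effect.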
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11
Control ID: 1459416e07004895c2f0a5ea08aa31e80462dc17fb1d31f59916a59f737a32ae