2.8.1.3 Ensure FileVault is Locked on Sleep

Information

Full Disk Encryption (FDE) is a Data-at-Rest (DAR) solution. It ensures that when the data on the drive is not in use, it is full encrypted, but it can be decrypted (unlocked) as needed. When a Mac sleeps, the encryption keys remain in memory so that the drive is encrypted but unlocked. There are attacks available to interact with the OS and data on the unlocked drive. FileVault volumes should be locked when not in use to resist attack.

Rationale:

The purpose of DAR is to ensure data is encrypted while at rest. If the volume is always unlocked, it is not sufficient.

Impact:

The laptop will require a user to login with their username and password, not TouchID, into the OS after the FileVault key is destroyed.

Solution

Terminal Method:
Run the following command to ensure FileVault keys are set to be destroyed on standby:

$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1

See Also

https://workbench.cisecurity.org/benchmarks/14563

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11

Plugin: Unix

Control ID: 1459416e07004895c2f0a5ea08aa31e80462dc17fb1d31f59916a59f737a32ae