2.9.3 Ensure the OS is not Activate When Resuming from Sleep - Intel DestroyFVKeyOnStandby

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In order to use a computer with Full Disk Encryption (FDE), macOS must keep encryption keys in memory to allow the use of the disk that has been FileVault protected. The storage volume has been unlocked and acts as if it were not encrypted. When the system is not in use, the volume is protected through encryption. When the system is sleeping and available to quickly resume, the encryption keys remain in memory.

If an unauthorized party has possession of the computer and the computer is only slept, there are known attack vectors that can be attempted against the RAM that has the encryption keys or the running operating system protected by a login screen. Network attacks if network interfaces are on, as well as USB or other open device ports, are possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all the other controls function as intended.

There is little impact on hibernating the system rather than sleeping after an appropriate time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk and requires FileVault to be unlocked prior to the OS being available. In the case of unauthorized personnel with access to the computer, encryption would have to be broken prior to attacking the operating system in order to recover data from the system.

https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/

Mac systems should be set to hibernate after sleeping for a risk-acceptable time period. The default value for 'standbydelay' is three hours (10800 seconds). This value is likely appropriate for most desktops. If Mac desktops are deployed in unmonitored, less physically secure areas with confidential data, this value might be adjusted. The desktop would have to retain power, however, so that the running OS or physical RAM could be attacked.

MacBooks should be set so that the standbydelay is 15 minutes (900 seconds) or less. This setting should allow laptop users in most cases to stay within physically secured areas while going to a conference room, auditorium, or other internal location without having to unlock the encryption. When the user goes home at night, the laptop will auto-hibernate after 15 minutes and require the FileVault password to unlock prior to logging back into system when it resumes.

MacBooks should also be set to a hibernate mode that removes power from the RAM. This will stop the possibility of cold boot attacks on the system.

Macs running Apple silicon chips, rather than Intel chips, do not require the same configuration as Intel-based Macs.

Rationale:

To mitigate the risk of data loss, the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.

Impact:

The laptop will take additional time to resume normal operation then if only sleeping rather than hibernating.

Setting hibernatemode to 25 will disable the 'always-on' feature of the Apple Silicon Macs.

Solution

Terminal Method:
Run the following command to set the hibernate delays and to ensure the FileVault keys are set to be destroyed on standby:
Intel Processor Instructions:

$ /usr/bin/sudo /usr/bin/pmset -a standbydelaylow <value<=900>
$ /usr/bin/sudo /usr/bin/pmset -a standbydelayhigh <value<=900>
$ /usr/bin/sudo /usr/bin/pmset -a highstandbythreshold <value>=90>
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

example:

$ /usr/bin/sudo /usr/bin/pmset -a standbydelaylow 500
$ /usr/bin/sudo /usr/bin/pmset -a standbydelayhigh 500
$ /usr/bin/sudo /usr/bin/pmset -a highstandbythreshold 100
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

Apple Silicon Processor Instructions:

$ /usr/bin/sudo /usr/bin/pmset -a standby <value<=900>
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1

'Setting destroyfvkeyonstandby to True. When system enters standby with this key set all maintenance wakes and powernap activities are disabled'

$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

Note: Setting hibernate mode and destroy filevault key will require the user to log into the machine after sleep and disable any wake options. hibernatemode must be set to 25 or it will not force the computer into a pre-boot state.
example:

$ /usr/bin/sudo /usr/bin/pmset -a standby 500
$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1

'Setting destroyfvkeyonstandby to True. When system enters standby with this key set all maintenance wakes and powernap activities are disabled'

$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

See Also

https://workbench.cisecurity.org/files/4159