Information
In order to use a computer with Full Disk Encryption (FDE), macOS must keep encryption keys in memory to allow the use of the disk that has been FileVault protected. The storage volume has been unlocked and acts as if it were not encrypted. When the system is not in use, the volume is protected through encryption. When the system is sleeping and available to quickly resume, the encryption keys remain in memory.
If an unauthorized party has possession of the computer and the computer is only slept, there are known attack vectors that can be attempted against the RAM that has the encryption keys or the running operating system protected by a login screen. Network attacks if network interfaces are on, as well as USB or other open device ports, are possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all the other controls function as intended.
There is little impact on hibernating the system rather than sleeping after an appropriate time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk and requires FileVault to be unlocked prior to the OS being available. In the case of unauthorized personnel with access to the computer, encryption would have to be broken prior to attacking the operating system in order to recover data from the system.
https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/
Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.
MacBooks should be set so that the sleep is 15 minutes (900 seconds) or less. This setting should allow laptop users in most cases to stay within physically secured areas while going to a conference room, auditorium, or other internal location without having to unlock the encryption. When the user goes home at night, the laptop will auto-hibernate after 15 minutes and require the FileVault password to unlock prior to logging back into the system when it resumes.
MacBooks should also be set to a hibernate mode that removes power from the RAM. This will stop the possibility of cold boot attacks on the system.
Macs running Apple silicon chips, rather than Intel chips, do not require the same configuration as Intel-based Macs.
To mitigate the risk of data loss, the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.
Solution
Terminal Method:
Run the following command to set the sleep time and hibernate mode:
$ /usr/bin/sudo /usr/bin/pmset -a sleep <value<=10>
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep <value<=15 & >value of sleep>
example
:
$ /usr/bin/sudo /usr/bin/pmset -a sleep 10
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep 15
Impact:
The laptop will take additional time to resume normal operation if only sleeping rather than hibernating.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11
Control ID: 586536d229b2b2dfb66702954b174516b743eb1ad93b8127c1c1c1bc279199fd