2.6.6 Ensure FileVault Is Enabled

Information

FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.

FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost.

FileVault can also be enabled from the command line with the fdesetup command (run as root, it prompts for the user's password and prints the personal recovery key, which must be escrowed). For details, consult the Der Flounder blog (see link below under References).

Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.

Solution

Graphical Method:

Perform the following steps to enable FileVault:

- Open System Settings
- Select Privacy & Security
- Under FileVault, select Turn On...

Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date.

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.MCX
- The key to include is dontAllowFDEDisable
- The key must be set to <true/>

Note: This profile is required to pass the audit.
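The following audit helper is an added example, not CIS or Tenable code. It checks both conditions this item needs on a Mac: that `fdesetup status` reports FileVault as On, and that an installed com.apple.MCX profile enforces dontAllowFDEDisable. It assumes that managed settings delivered by such a profile appear under /Library/Managed Preferences/com.apple.MCX.plist (readable with `defaults read`), and the profile it embeds is a constructed sample with placeholder identifiers and UUIDs. The parsing functions take text as arguments so they can be exercised off-box.

```shell
#!/bin/sh
# Audit helper for this item (added example, not CIS or Tenable code).
# Assumptions: on the target Mac, /usr/bin/fdesetup and /usr/bin/defaults exist,
# and an installed com.apple.MCX profile lands in
# /Library/Managed Preferences/com.apple.MCX.plist. The parsing functions take
# text as arguments so they can be exercised off-box with constructed output.

# Classify the text printed by `fdesetup status`. Only "on" satisfies the
# benchmark; a deferred enablement (wording as seen on recent releases, an
# assumption) still means the boot volume is unencrypted until the next login.
fv_state() {
    case "$1" in
        *"FileVault is On"*)      echo on ;;
        *"Deferred enablement"*)  echo deferred ;;
        *"FileVault is Off"*)     echo off ;;
        *)                        echo unknown ;;
    esac
}

# `defaults read` prints 1 for a managed boolean that is true and fails when
# the key is absent; treat anything else as "not enforced".
mcx_locked() {
    case "$1" in
        1|true|YES) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 when a .mobileconfig text carries a com.apple.MCX payload and sets
# dontAllowFDEDisable to <true/> (the line after the key), i.e. the profile this item asks for.
profile_locks_fde() {
    printf '%s\n' "$1" | awk '
        /<string>com\.apple\.MCX<\/string>/ { mcx = 1 }
        /<key>dontAllowFDEDisable<\/key>/   { want = 1; next }
        want && /<true\/>/                  { locked = 1 }
        want                                 { want = 0 }
        END { exit !(mcx && locked) }'
}

# Constructed sample profile (identifiers and UUIDs are placeholders).
SAMPLE_PROFILE='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>example.filevault.lock</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.MCX</string>
      <key>PayloadIdentifier</key>
      <string>example.filevault.lock.mcx</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>dontAllowFDEDisable</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>'

# Live checks on a Mac: prints PASS/FAIL per condition, returns 1 on any FAIL.
audit_filevault() {
    rc=0
    state=$(fv_state "$(/usr/bin/fdesetup status 2>/dev/null)")
    if [ "$state" = on ]; then
        echo "PASS: FileVault is On"
    else
        echo "FAIL: FileVault state is '$state' (remediate with: sudo fdesetup enable, then escrow the printed recovery key)"
        rc=1
    fi
    lock=$(/usr/bin/defaults read "/Library/Managed Preferences/com.apple.MCX" dontAllowFDEDisable 2>/dev/null || true)
    if mcx_locked "$lock"; then
        echo "PASS: dontAllowFDEDisable is enforced by a profile"
    else
        echo "FAIL: no installed profile sets dontAllowFDEDisable to true"
        rc=1
    fi
    return $rc
}

if [ "$(uname)" = Darwin ]; then
    audit_filevault
fi
```

Run it as root on the host under audit; a non-zero exit means at least one of the two conditions fails. Note that a profile with dontAllowFDEDisable only prevents users from turning FileVault off; it does not turn it on, so the fdesetup status check is the one that proves the volume is actually encrypted.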

Impact:

Mounting a FileVault-encrypted volume from an alternate boot source requires a valid password or recovery key to decrypt it. Apple has also implemented an escalating delay policy for failed password attempts; for details, see Apple's support article "Passcodes and passwords".

See Also

https://workbench.cisecurity.org/benchmarks/15550

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: 377e3544a640eaf001016301c713c86cb9767bd63261c6d845f02b903d08206c