Detections
Analytics
Catalina - FileVault Supplemental
Information
The supplemental guidance found in this section is applicable for the following rules:* sysprefs_filevault_enforce
In macOS 10.15 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault.
NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2) utilize the hardware security features of the architecture.
FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[].
FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local OpenDirectory account with a valid SecureToken password.
[discrete]
==== Using the fdesetup Command
When enabling FileVault via the command line in the Terminal application, you can run the following command.
[source,bash]
----
/usr/bin/fdesetup enable
----
Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for `fdesetup`.
NOTE: Apple has deprecated `fdesetup` command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS.
[discrete]
==== Using a Configuration Profile
When managing FileVault with a configuration profile, you must deploy a profile with the payload type `com.apple.MCX.FileVault2`. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following:
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>Defer</key>
<true />
----
[source,xml]
----
<key>Enable</key>
<string>On</string>
<key>UserEntersMissingInfo</key>
<true/>
----
If using the Defer key it will prompt for the user name and password at logout.
The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately.
When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple's Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[].
It's recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device.
NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
NoneSee Also
Item Details
Audit Name: NIST macOS Catalina v1.5.0 - All Profiles
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b.
Plugin: Unix
Control ID: 07b038d4e90994a154224b161ae2f62ec71c7dfbf45128a31dfb01d40f525cb5