FileVault 2

strawgate edited this page May 3, 2016 · 3 revisions

Overview

FileVault 2 is the encryption technology developed by Apple and embedded in every recent release of the Mac Operating System.

To implement FileVault 2 using C3-Protect, follow these steps:

  1. Push FileVault Probes
  2. Enable FileVault Analyses
  3. Push FileVault Encryption

Before continuing, we will cover some caveats of this particular implementation of FileVault 2.

Caveats

FileVault Caveats

  1. Whichever user FileVault is first enabled for is considered the super user for FileVault. After that first user is added, no other user can be added without either the first user's credentials or the recovery key.
  2. FileVault has to be activated by a user. Enabling FileVault will not occur until a user logs in or logs out, at which point they become the super user.

C3-Protect Implementation Caveats

  1. By default, the invoke-encryption Fixlet will make the next user to log in the super user for FileVault encryption.
  2. A personal recovery key will be used to enable encryption on the endpoint instead of an organizational key.
  3. The personal key will be stored on the encrypted disk. This is the default behavior of BitLocker on Windows. In full disclosure, this is not as secure as not storing the key on the endpoint at all, but given that the disk it is stored on is encrypted and the recovery key is only readable by root, it is a reasonable compromise to allow recovery by the administrator.
  4. Users of Mavericks or newer will be given 10 logins to enable FileVault before it is enforced for their endpoint.

Implementation

Push FileVault Probes

Action the following Fixlets as policy actions:

  • Invoke - FileVault 2 Configuration Probe - Mac
  • Invoke - FileVault 2 Encryption Status Probe - Mac

These should be actioned to reapply whenever relevant, with a reapply interval equal to whatever time span you consider an acceptable age for the FileVault data. The system impact of these Fixlets is minimal, so applying daily is fine.

You can also apply them more frequently to newly provisioned machines and less frequently to existing machines (a machine's encryption status is most likely to change within the first couple of days after it is provisioned).
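The two things a FileVault probe has to establish are the encryption state of the endpoint (this section) and, per caveat 3 above, that the recovery key kept on the disk is readable only by root. The script below is an added example written for this page, not the action script of the C3-Protect Fixlets. It assumes the output formats that `fdesetup status` prints on macOS (the sample strings are constructed from those formats) and uses a placeholder path for the recovery key file, since the page does not document where C3-Protect stores it. It parses the text rather than calling `fdesetup` directly so the state logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example for this wiki page, not code from the C3-Protect Fixlets.
# Two probe-style checks:
#   fv_state        - reduce the text of `fdesetup status` to one state token
#   key_file_secure - confirm a recovery key file is mode 0600 and root-owned
# Assumptions: the fdesetup output formats matched below are the ones macOS
# prints; the recovery key path at the bottom is a placeholder.

# fv_state <text of `fdesetup status`>
# Prints exactly one of: on, off, deferred, encrypting:<pct>, decrypting:<pct>, unknown.
# In-progress and deferred cases are matched first because fdesetup prints
# "FileVault is On." / "FileVault is Off." on the line above those details.
fv_state() {
  out="$1"
  # Percentage only appears on the "Percent completed = NN." line; empty otherwise.
  pct=$(printf '%s\n' "$out" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p' | head -n 1)
  case "$out" in
    *"Encryption in progress"*) printf 'encrypting:%s\n' "${pct:-0}" ;;
    *"Decryption in progress"*) printf 'decrypting:%s\n' "${pct:-0}" ;;
    *"Deferred enablement appears to be active"*) printf 'deferred\n' ;;
    *"FileVault is On"*) printf 'on\n' ;;
    *"FileVault is Off"*) printf 'off\n' ;;
    *) printf 'unknown\n' ;;
  esac
}

# key_file_secure <path> [owner]
# Returns 0 when <path> is a regular file owned by <owner> (default root) whose
# mode string is -rw------- (0600). A trailing "@" (macOS extended attributes)
# is tolerated; a trailing "+" (an ACL that may grant extra access) is rejected.
# Parses `ls -ld` because its format is the same on macOS and Linux.
key_file_secure() {
  path="$1"; owner="${2:-root}"
  [ -f "$path" ] || return 1
  set -- $(ls -ld "$path")
  mode="$1"; file_owner="$3"
  case "$mode" in
    -rw-------|-rw-------@) ;;
    *) return 1 ;;
  esac
  [ "$file_owner" = "$owner" ]
}

# Stand-alone use on a Mac: print the state the probe would record and check the
# recovery key file. Skipped silently where fdesetup is not installed.
if command -v fdesetup >/dev/null 2>&1; then
  fv_state "$(fdesetup status)"
  # Placeholder path: substitute the file your deployment writes the key to.
  key_file_secure /path/to/recovery-key.plist && echo "recovery key file is root-only"
fi
```

The ordering inside `fv_state` matters: a deferred or in-progress endpoint still prints the plain "FileVault is On/Off" line, so matching the more specific phrases first is what keeps a probe from reporting an endpoint as finished while it is still encrypting. A mode check that merely tests "not world-readable" would pass a file that is group-readable; the exact 0600 match is deliberate.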

Enable FileVault Analyses

The following analyses should be enabled for FileVault to work:

  • FileVault 2 - Audit - Mac
  • FileVault 2 - Recovery Password - Mac

The first provides general information from the encryption probe and the configuration probe. The second provides the recovery password for the endpoint, and will only start to return information once the first user to log in or log out enables FileVault.

Push FileVault Encryption

The final step to enabling FileVault encryption is to action the Fixlet: Invoke - FileVault 2 Encrypt System Volume - Mac

This will cause the next user to log in or log out to enable FileVault. They will become the super user for the endpoint, a recovery key will be generated, and the endpoint will begin the encryption process.

Warnings

A small number of warning Fixlets are available in the C3-Protect site for potential configuration issues. If any of these are relevant in your environment, please carefully consider the description of the Fixlet and take appropriate action.