macOS Security Basics Series: The One Where Your Data Wasn’t Encrypted with FileVault

Encryption can mean many things to many people. Depending on your experience level, encryption may be as simple as marking a file or folder hidden within a directory to password-protect a ZIP file with a sixty-four-character password filled with variable key spaces to keep password-cracking software at bay for millennia. This is to say that the term “encryption” itself can expand to include a great many possibilities and variables that can affect them further, like salting a hash value or writing your own cipher — both of which are advanced cryptographic topics that are well beyond the scope of this blog.

In this blog, we’ll discuss:

• The basic features of macOS encryption
• How FileVault works (and doesn’t work)
• The benefits of enabling FileVault on your Mac

What is FileVault volume encryption?

Before we delve into the points above, let’s take a little trip on our way back machine to 2003. Apple released OS X “Panther” (version 10.3), which introduced FileVault (FV), the technology that provides data encryption on Mac. When enabled, FileVault would encrypt the contents of a user’s home volume only by utilizing the user’s credentials as the method to lock and unlock the volume when the user is logged off or successfully authenticated.

It enabled encryption by using Apple’s sparse disk image — similar to a DMG file but much more secure — to contain the contents of the user’s volume, including their Desktop and Documents directories, among others.

In 2007 however, with the release of OS X “Lion” (10.7), the encryption technology developed by Apple was redesigned with additional features and named FileVault 2 (FV2). FV2 is the standard encryption technology available through all iterations of OS X and macOS since then. We’ll dive more into FV2’s features and how it works a little later.

“Wax on, wax off”

As a martial arts master, Mr. Miyagi taught Daniel-san Karate through lessons that simplified the basics of defense; Apple has taken a similar approach with regard to enabling/disabling the security protection we’re discussing here today.

Note: Since the original incarnation of FV (referred to as legacy FileVault) has been superseded by FV2, all discussions moving forward will pertain to FileVault 2 exclusively.

How to enable FileVault on Mac

Enabling FV2 is a straightforward process. In enterprise settings, it is a best practice for IT to enable it automaticallythrough a script or MDM configuration. If enabled manually by the user, the process requires:

1. Authenticating to a Mac with an admin-level credential.
2. Launch System Settings.
3. Click on the Privacy & Security preference pane.
4. Select the FileVault tab.
5. Click Turn On.

That’s it! FV2 is now enabled and will begin the process of encrypting your data. Once this is finished, you will be prompted to reboot the computer, completing the process.

How to disable FileVault on Mac

Now that your Mac’s secure, why would you want to do that?! There may be a few reasons to disable FV2, even if temporarily. To disable this security function:

1. Follow steps 1-4 above.
2. Click Turn Off.

Once again, the Mac will require some time to decrypt all your data in the background as you use your Mac. It should be noted that both enabling and disabling FV2 require your Mac to be both awake and plugged into the AC charger to finalize the encryption and decryption processes, respectively.

ProTip: For enterprise Macs managed by MDM, users will need to contact IT to discuss their options for disabling FV2 since the configuration is enforced to ensure compliance by default.

How to find FileVault Recovery Keys

When FV2 is enabled manually, users are prompted to create and safely store a recovery key. This is a backdoor that one can use to decrypt and access their data should the user change their account password, if the account becomes compromised or if they simply forget their credential.

The importance of this key cannot be understated, hence the recommendation to keep it stored in a safe, secure place away from anyone that you would not normally wish to access the secured data on the device.

Users with iCloud accounts who wish to leverage the cloud-based technology may opt to store a copy of their unique recovery key there. Doing so is protected and secured — as not even Apple can read the key — but it allows users to safely retrieve it from anywhere, anytime, from any device with access to iCloud for additional peace of mind.

Benefits of using FileVault in enterprise and shared environments

Why use FileVault?

The biggest, arguably greatest feature of FileVault is encryption. After all, this is the primary reason to enable security control in the first place, isn’t it? It is the encryption algorithm, based on the XTS-AES-128 cipher with a 256-bit key that helps “prevent unauthorized access to the information on your startup disk”, according to Apple.

Yep, you read that correctly. The entire volume is encrypted — not just the user’s home folder. That’s no typo, but a key difference between FileVault 2 and legacy FileVault. You’ll remember that the latter only protects the home folder of the user that enables legacy FileVault. This requires each user to enable FV to protect their own home folder. Leaving other users’ home volumes along with the operating system itself vulnerable, and open to security threats and targeted attacks.

FileVault 2 rectifies this, however, by providing volume encryption (i.e., safeguarding the entire HDD/SSD) once enabled. By applying it to the volume, all data stored on the entire disk is effectively encrypted. This requires users authorized by FV2 to first log in to the Mac, thereby unlocking the volume and permitting other users to then log in.

The result? An encrypted system that encompasses the entire storage volume, protecting all data contained therein holistically — not just those that have opted-in to keep their data safe.

Protecting business, personal and privacy data while minimizing risk

Just like the Karate Kid series of movies introduced audiences to the memorable (and often imitated) techniques of the Miyagi-Do Karate art: the Drum Technique, Kata and unforgettable Crane Kick are just a few of the signature moves Daniel-san learned to defend himself in tournaments.

Similarly, FileVault 2’s encryption implementation provides users with several benefits that extend beyond keeping data secure through encryption.

• Deploying volume, or startup disk encryption means securing the empty, unused space on the system drive as well. This shrinks the attack surface preventing bad actors from using it to plant malware. Additionally, encryption is often considered the “last ditch effort” by security professionals to maintain the integrity of your personal, corporate and/or privacy data if your MacBook is stolen, the storage drive is physically removed from your Mac computer or other disk-based attacks are employed to try to read and compromise your data.
• FV2-enabled devices require each user account that will utilize that device to be FV-enabled, as well. Any users that do not have the secure token or bootstrap tokens associated with their account will be effectively unable to log on to the Mac until a user that is FV-enabled authenticates first and successfully unlocks the disk. This and many other features can be configured to prevent unauthorized users from gaining access to the drive’s contents – whether locally from the Mac or if the drive is removed and connected to another Mac, a popular type of data theft attack.
• Both versions of FileVault adhere to the security triad’s confidentiality principle. This means data is not just secured against unauthorized threats, but FV also adheres to the National Institute of Standards and Technology (NIST) guidelines. NIST is a U.S. government agency that, among other standards-based programs, provides guidance for organizations to manage and reduce cybersecurity risk. Their work on the SP 800-179, Revision 1 provides enterprise-level guidance based on best practices to mitigate risk while strengthening the security posture of your Apple endpoints.
• Managing user access to FV-enabled devices with Jamf Pro is a trivial matter, but for those that wish to go the manual route, admins can easily leverage the Terminal to enable/disable secure token access of per-user accounts and/or to reset passwords, as necessary. Below is the output of the sysadminctl command that is used in managing per-user account access to devices encrypted with FileVault 2:

Jamf + FileVault encryption

Automating and enforcing encryption

While the above certainly applies to Macs used personally and professionally, the scenario presented in this sectionlargely applies only to organizations that are managing their Mac fleet through Mobile Device Management software.

MDM solutions permit IT to not only centrally manage devices but also provide configuration settings to automate the enablement of FV2. Also, it permits streamlining the management of individual recovery keys unique to each device and stores them safely within the record of each device for easy management and even easier retrieval by IT when necessary.

For detailed guidance on using Jamf to set up and manage FileVault 2 and recovery keys for your organization, our administration guide provides detailed information for IT organizations interested in increasing the security posture of their devices while managing their fleet based on industry best practices and adhering to Apple’s security and privacy frameworks.

Ensuring devices are compliant and remain that way

There is no one-size-fits-all when it comes to compliance, but there are best practices and solutions that can and do help minimize exposure to risk from various threat factors. When viewed as part of a comprehensive security strategy, integrating native Apple solutions, like FileVault with Jamf device management, helps organizations to enable and enforce volume encryption to keep data safe.

But a defense-in-depth strategy does one solution not make

IT and Security teams need other questions answered to best ensure data is protected -- and stays that way.

Considerations, such as:

• Which Macs don’t have FileVault encryption enabled?
  • If it was enabled at one time, why was it not enforced?
  • If it was never enabled, why was it not configured?
• Have changes occurred that prevent encryption from operating as required?
• Are user changes impacting FileVault’s efficacy?
  • If so, which behaviors are affecting its operation?
• What other issues impact the enforcement of volume encryption?

Jamf's endpoint security solution actively monitors devices, assessing endpoint health, such as if FV2 is and remains enabled. By gathering rich telemetry data and sharing it securely with Jamf Pro, administrators can configure policies that trigger the automated enforcement of volume encryption workflows in Jamf Pro after FV's health status is identified by Jamf Protect. Both communicate securely with Apple frameworks to extend native solutions while adding greater capabilities for management teams, like:

• Actively monitoring endpoint health criteria
• Logging and notification of identified compliance issues
• Policy-based compliance enforcement
• Automated remediation workflows
• Continued monitoring for threats and risky user behaviors

Key Takeaways

How does FileVault work?

• Uses Advanced Encryption Standard (AES-XTS) for encryption.
• Encrypts the entire volume, making the device unusable without unlocking.
• Utilizes a unique decryption key for the volume that is stored separately from the device.

What are the benefits of using FileVault?

• Enhances data security with industry-standard encryption technologies.
• Protects against unauthorized access, even with physical possession of the device.
• Helps organizations address compliance requirements related to data security with regulations like HIPAA and GDPR.

How is FileVault enabled?

• Enable it through System Settings > Privacy & Security > FileVault.
• Encrypts all existing and new data on the Mac automatically once enabled.
• Through configuration profiles deployed from MDM solutions.

What is the FileVault recovery key, and why is it important?

• Serves as a "backdoor" to decrypt data if credentials are forgotten or compromised.
• Essential to store the recovery key securely due to its critical importance.
• Securely store recovery keys within iCloud or device records in MDM to avoid data loss.

Does enabling FileVault impact Mac performance?

• Modern devices minimize performance impacts with powerful processors and specialized hardware, i.e., Secure Enclave.
• Legacy encryption methods were known to slow devices and reduce battery life.
• Decryption/encryption of volumes occurs during the locking/authentication process when devices aren't in use.

Are there any benefits to managing FileVault to scale for businesses?

• Jamf Pro offers endpoint management for monitoring and securing devices and managing recovery keys.
• Policies ensure compliance by keeping FV2 enabled and configured on managed devices.
• Integrations between solutions using secure API unlock additional automated workflows.