Jamf Blog
June 16, 2022 by Jesus Vigo

macOS Security Basics Series: The One Where Everyone Read Your Data Because It Wasn’t Encrypted

Encrypting your data may seem like a foreign concept to some users. It may be the stuff of thriller-type novels and spy yarns. But the reality is that encrypting data is a fundamental security control built into every version of macOS (and iOS, for that matter) that serves a singular purpose: keeping unauthorized users from reading your personal, corporate and private data while it is at rest, that is, whenever the Mac is shut down or its disk is out of your hands. As a matter of fact, the benefits combined with a dead-simple setup make it a “no-brainer” for business and personal users alike, leaving users to wonder why they didn’t enable it sooner.

Encryption can mean many things to many people. Depending on your experience level, “encryption” may conjure anything from marking a file or folder hidden within a directory (which is not encryption at all, merely obscurity) to password-protecting a ZIP file with a long, random passphrase that would keep password-cracking software busy for millennia. This is to say that the term “encryption” covers a great many possibilities, and variables that affect them further, like salting a hash value or designing your own cipher (something practitioners never do for production use), both of which are advanced cryptographic topics well beyond the scope of this blog.

Here, we’ll discuss:

  • The basic features of macOS encryption
  • How FileVault works (and doesn’t work)
  • And the benefits of enabling FV on your Mac

Way back machine

Before we delve into the points above, let’s take a little trip to 2003. Apple released OS X “Panther”, or version 10.3, which introduced FileVault (FV), the technology that provides data encryption on the Mac. When enabled, FileVault encrypted the contents of a user’s home folder only, using the user’s login password as the key that locked the home folder at logout and unlocked it on successful authentication.

It did this with an encrypted sparse disk image (similar to a DMG file, but encrypted) that held the contents of the user’s home folder, including the Desktop and Documents directories, among others.

In 2011, with the release of OS X “Lion” (10.7), Apple redesigned the technology with additional features and named it FileVault 2 (FV2). FV2 is the standard encryption technology available through all iterations of OS X and macOS since then. We’ll dive more into FV2’s features and how it works a little later.

“Wax on, wax off”

As the martial arts master himself, Mr. Miyagi taught Daniel-san Karate through lessons that simplified the basics of defense, Apple has taken a similar approach with regards to enabling/disabling the security protection we’re discussing here today.

Note: Since the original incarnation of FV (referred to as legacy FileVault) has been superseded by FV2, all discussions moving forward will pertain to FileVault 2 exclusively.

Turning encryption on

Enabling FV2 is a straight-forward process. Whether it’s enabled manually (by a user) or automated (by IT through MDM), the process requires:

  1. Authenticate to a Mac with an admin-level credential.
  2. Launch System Preferences.
  3. Click on the Security & Privacy preference pane.
  4. Select the FileVault tab.
  5. Click Turn On FileVault.

That’s it! You’ll be asked where to keep the recovery key (covered below) and then prompted to restart the Mac. After the restart, FV2 encrypts the disk in the background while you keep working.

Turning encryption off

Now that your Mac’s secure, why would you want to do that?! There may be a few reasons to disable FV2, even if temporarily. To disable this security function:

  1. Follow steps 1-4 above.
  2. Click Turn Off FileVault.

Once again, the Mac will need some time to decrypt all your data in the background as you use it. Note that both enabling and disabling FV2 require the Mac to be awake and plugged into AC power to finish the encryption and decryption processes respectively. Also remember that from the moment you click Turn Off, the data is heading back to cleartext; re-enable FV2 as soon as the reason for disabling it has passed.
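The same on/off procedure can be driven from the Terminal with Apple’s fdesetup(8), which is the command-line counterpart of the preference pane and the shape unattended rollouts take. The script below is an added example, not code from this post or from Jamf; the plist path is an assumption, and the fdesetup calls only exist on macOS and need root, so they are wrapped in functions and invoked only when the script runs on a Mac. The text-parsing helper runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the Jamf post: the command-line counterpart of
# the System Preferences steps, built on Apple's fdesetup(8). The fdesetup
# calls need root and only exist on macOS, so they sit in functions and are
# invoked at the bottom only when running on a Mac; fv_state() is pure text
# parsing and runs anywhere.

# Classify `fdesetup status` output as on | off | deferred | unknown.
# The tool prints "FileVault is On." or "FileVault is Off." and, after a
# deferred enablement has been scheduled but not yet completed, adds a line
# like "Deferred enablement appears to be active for user 'jvigo'."
fv_state() {
    case "$1" in
        *"Deferred enablement appears to be active"*) echo deferred ;;
        *"FileVault is On"*)                          echo on ;;
        *"FileVault is Off"*)                         echo off ;;
        *)                                            echo unknown ;;
    esac
}

# Interactive enable: fdesetup prompts for the password of the user being
# enabled and prints the personal recovery key to stdout. Capture that key
# into an escrow system immediately; it is shown exactly once.
fv_enable_now() {
    fdesetup enable -user "$1"
}

# Deferred enable, the shape used for unattended rollouts: the script never
# touches a password. The console user is forced to enable FileVault at the
# next login (0 = no cancel attempts, no prompt at logout) and the recovery
# key is written into the plist, which must be collected and securely
# deleted afterwards. The plist path is an assumption for this example.
fv_enable_deferred() {
    plist="${1:-/private/var/root/fv_deferred.plist}"
    fdesetup enable -defer "$plist" -forceatlogin 0 -dontaskatlogout
}

# Turn FileVault off; decryption continues in the background while the Mac
# is awake, and the data is unprotected from this point on.
fv_disable() {
    fdesetup disable
}

if [ "$(uname)" = Darwin ] && command -v fdesetup >/dev/null 2>&1; then
    echo "FileVault is $(fv_state "$(fdesetup status 2>&1)")"
fi
```

Run it as root on a Mac to see the current state; source it to call `fv_enable_deferred` from a deployment script. A `deferred` result means the user has not yet logged in since enablement was scheduled, so the disk is still in cleartext.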

Storing FileVault Recovery Keys

After FV2 is enabled, users will be prompted to create and safely store a recovery key. This is a second, independent way to unlock the disk, used when the user forgets their password, or when the account is locked or compromised and no other FV-enabled user can unlock the Mac.

The importance of this key cannot be overstated, hence the recommendation to keep it in a safe, secure place away from anyone who should not have access to the data on the drive. Treat it exactly like the password it stands in for: anyone holding the key can decrypt the disk.

Users with iCloud accounts may opt to have their unique recovery key escrowed with their iCloud account, so they can retrieve it from anywhere, at any time, from any device signed into iCloud. The trade-off is that the iCloud account then becomes a path to the disk: protect it with a strong password and two-factor authentication, because anyone who takes over the account can unlock the Mac.

IT + FileVault = Automation F-U-N

While the above certainly applies to Macs used personally and professionally, the scenario presented in this section largely applies only to organizations that are managing their Mac fleet through Mobile Device Management (MDM) software, such as Jamf Pro.

MDM solutions let IT centrally manage devices, and they also provide configuration settings to automate the enablement of FV2. They streamline recovery key management as well: each device’s unique key is escrowed in that device’s inventory record, where IT can retrieve it when necessary.

For detailed guidance on using Jamf Pro to set up and manage FileVault 2 and recovery keys for your organization, the administrator’s guide provides detailed information for IT organizations interested in increasing the security posture of their devices while managing their fleet according to industry best practices and Apple’s security and privacy frameworks.

“Sweep the leg”

The biggest, arguably greatest feature of FileVault is encryption. After all, that is the primary reason to enable the security control in the first place, isn’t it? It is the encryption algorithm, XTS-AES-128 with a 256-bit key (XTS mode uses two AES-128 keys, one for the data and one for the per-sector tweak, which is where the 256 bits come from), that helps “prevent unauthorized access to the information on your startup disk”, according to Apple.

Yep, you read that correctly: it encrypts the startup disk, not just the user’s home folder. That’s no typo, but the key difference between FileVault 2 and legacy FileVault. You’ll remember from above that the latter protects only the home folder of the user who enabled it, so each user had to turn it on separately, leaving other users’ home folders, and the operating system itself, unencrypted and open to attack.

FileVault 2 rectifies this by providing whole-disk encryption once enabled. Because the entire startup volume is encrypted, all data stored on it is protected, and an FV2-authorized user must log in first to unlock the disk before any other user can log in.

The result? An encrypted system that encompasses the entire startup disk, protecting all data contained therein, not just the home folders of users who opted in.

Smooth Moves

Just like the Karate Kid series of movies introduced audiences to the memorable (and often imitated) techniques of the Miyagi-Do Karate art: the Drum Technique, Kata and unforgettable Crane Kick are just a few of the signature moves Daniel-san learned to defend himself in tournaments. Similarly, FileVault 2’s encryption implementation provides users several benefits that extend beyond keeping data secured through encryption.

  • Deploying whole-disk (startup disk) encryption secures the empty, unused space on the system drive as well, so remnants of deleted files cannot be carved out of free space and an attacker holding the drive cannot write anything meaningful to the volume without the key. Encryption is also the last line of defense, in the eyes of security professionals, for the confidentiality of your personal, corporate and private data if your MacBook is stolen, the storage drive is removed from your Mac, or other disk-based attacks are used to get at your data.
  • On an FV2-enabled Mac, only accounts holding a secure token (and added to FileVault) can unlock the disk at the pre-boot login window. Any user without a secure token is effectively unable to log on until an FV-enabled user authenticates first and unlocks the disk. This prevents unauthorized users from getting at the drive’s contents, whether locally from the Mac or when the drive is removed and connected to another Mac, a popular form of data theft.
  • Both versions of FileVault serve the Confidentiality leg of the CIA security triad. Data is not just secured against unauthorized access; FV also lines up with National Institute of Standards and Technology (NIST) guidelines. NIST is a U.S. government agency that, among other standards-based programs, provides guidance for organizations to manage and reduce cybersecurity risk. Its SP 800-179, Revision 1 provides enterprise-level, best-practice guidance to mitigate risk while strengthening the security posture of your Apple endpoints.
  • Managing users’ access to FV-enabled devices with Jamf Pro is a trivial matter, but for those who prefer the manual route, admins can use the Terminal to grant or revoke a secure token per user account and to reset passwords as necessary. Below is the output of the sysadminctl command used to manage per-user account access to devices encrypted with FileVault 2:
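The secure-token and recovery-key points above come together in the audit script below. It is an added example, not code from this post or from Jamf: it parses the output of sysadminctl(8) and fdesetup(8), decides per user whether that account can actually unlock the disk at the pre-boot login window, and wraps the remediation commands. The sample tool output embedded in it is constructed (made-up usernames and UUIDs) so the parsing helpers can be exercised off a Mac; the real commands are macOS-only, need root, and run only at the bottom when on a Mac.

```shell
#!/bin/sh
# Added example, not code from the Jamf post: a per-user audit of who can
# actually unlock a FileVault 2 volume at the pre-boot login window, plus the
# remediation commands. Combines fdesetup(8) and sysadminctl(8); both are
# macOS-only and need root, so they run only at the bottom, on a Mac. The
# parsing helpers are pure shell and run anywhere.

# Constructed sample output, in the format the two tools print, so the
# helpers can be exercised without a Mac. Usernames and UUIDs are made up.
SAMPLE_TOKEN='2022-06-16 09:12:03.115 sysadminctl[4121:98765] Secure token is ENABLED for user jvigo'
SAMPLE_LIST='jvigo,5F4A9C2E-0000-4000-8000-000000000001
svc_backup,5F4A9C2E-0000-4000-8000-000000000002'

# `sysadminctl -secureTokenStatus <user>` logs one line (on stderr) saying
# "Secure token is ENABLED/DISABLED for user <name>".
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
fv_users() {
    printf '%s\n' "$1" | cut -d, -f1
}

has_fv_user() {            # has_fv_user <user> <fdesetup-list-output>
    fv_users "$2" | grep -qx "$1"
}

# A user can unlock the disk only when both conditions hold: they hold a
# secure token *and* they have been added to FileVault. One without the
# other is the usual cause of "my password works at the desktop but not at
# the boot screen".
can_unlock() {             # can_unlock <user> <token-output> <list-output>
    [ "$(token_state "$2")" = enabled ] && has_fv_user "$1" "$3"
}

# Remediation: grant a secure token using an existing token holder's
# credentials, then add the user to FileVault. "-" makes sysadminctl prompt
# for each password instead of taking it on the command line, where it would
# be visible in shell history and `ps`. fdesetup add prompts likewise.
grant_unlock() {           # grant_unlock <admin-with-token> <target-user>
    sysadminctl -adminUser "$1" -adminPassword - -secureTokenOn "$2" -password -
    fdesetup add -usertoadd "$2"
}

# Check that an escrowed personal recovery key still unlocks this disk
# (keys change when `fdesetup changerecovery` runs). fdesetup reads the key
# from stdin and prints "true" or "false".
recovery_key_valid() {     # recovery_key_valid <key>
    printf '%s\n' "$1" | fdesetup validaterecovery
}

if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    list=$(fdesetup list 2>/dev/null)
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
        tok=$(sysadminctl -secureTokenStatus "$u" 2>&1)
        if can_unlock "$u" "$tok" "$list"; then ok=yes; else ok=no; fi
        printf '%-16s token=%-8s can-unlock=%s\n' "$u" "$(token_state "$tok")" "$ok"
    done
fi
```

Run as root on a Mac, it prints one line per local account (UID 500 and up). A `token=disabled` line for an account that is expected to boot the machine is the case to fix with `grant_unlock`; a `token=enabled` account that still reports `can-unlock=no` only needs the `fdesetup add` half.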

Deploying and fully managing FileVault 2 to your Mac devices is as simple as 1-2-3!

Literally, it takes Jamf Pro just three steps to roll out full-disk encryption to your entire fleet. Contact Jamf to get started securing your company’s data today.

Jesus Vigo, Sr. Copywriter, Security.