macOS Security Basics series: The One Where Your Data Wasn’t Encrypted with FileVault

Encrypting your data may seem like a foreign concept to some users. It may be the stuff of thriller-type novels and spy yarns. But the reality is that encrypting data is a fundamental security control built into every version of macOS (and iOS/iPadOS for that matter), and it serves a singular purpose: keeping unauthorized users from accessing your personal, corporate and privacy data whenever your computer is not in use. As a matter of fact, the benefits combined with a dead simple setup make it a “no-brainer” for business and personal users alike, leaving users to wonder why they didn’t enable it sooner.

October 12 2023 by Jesus Vigo

Encryption can mean many things to many people. Depending on your experience level, “encryption” may range from something as simple as marking a file or folder hidden within a directory to password-protecting a ZIP file with a sixty-four-character password drawn from a large key space, enough to keep password-cracking software at bay for millennia. This is to say that the term “encryption” itself can expand to include a great many possibilities and variables that can affect them further, like salting a hash value or writing your own cipher — both of which are advanced cryptographic topics that are well beyond the scope of this blog.

Here, we’ll discuss:

  • The basic features of macOS encryption
  • How FileVault works (and doesn’t work)
  • And the benefits of enabling FileVault on your Mac

What is FileVault disk encryption?

Before we delve into the points above, let’s take a little trip on our way back machine to 2003. Apple released OS X “Panther”, or version 10.3, which introduced FileVault (FV), the technology that provides data encryption on Mac. When enabled, FileVault encrypted only the contents of a user’s home volume, using the user’s credentials to lock the volume when the user logged off and unlock it when the user successfully authenticated.

It did this by storing the contents of the user’s volume, including their Desktop and Documents directories among others, inside an Apple sparse disk image — similar to a DMG file, but encrypted.

In 2007 however, with the release of OS X “Lion” (10.7), the encryption technology developed by Apple was redesigned with additional features and named FileVault 2 (FV2). FV2 is the standard encryption technology available through all iterations of OS X and macOS since then. We’ll dive more into FV2’s features and how it works a little later.

“Wax on, wax off”

Just as the martial arts master himself, Mr. Miyagi, taught Daniel-san karate through lessons that simplified the basics of defense, Apple has taken a similar approach to enabling and disabling the security protection we’re discussing here today.

Note: Since the original incarnation of FV (referred to as legacy FileVault) has been superseded by FV2, all discussions moving forward will pertain to FileVault 2 exclusively.

How to enable FileVault on Mac

Enabling FV2 is a straightforward process. Whether it’s enabled manually (by a user) or automated (by IT through MDM), the process requires:

  1. Authenticate to a Mac with an admin-level credential.
  2. Launch System Settings.
  3. Click on the Privacy & Security preference pane.
  4. Select the FileVault tab.
  5. Click Turn On.

That’s it! FV2 is now enabled and will begin the process of encrypting your data. Once this is finished, you will be prompted to reboot the computer, completing the process.

How to disable FileVault on Mac

Now that your Mac’s secure, why would you want to do that?! There may be a few reasons to disable FV2, even if temporarily. To disable this security function:

  1. Follow steps 1-4 above.
  2. Click Turn Off.

Once again, the Mac will require some time to decrypt all your data in the background as you use it. It should be noted that both enabling and disabling FV2 require your Mac to be awake and plugged into the AC charger to finalize the encryption and decryption processes respectively.

How to find FileVault Recovery Keys

After FV2 is enabled, users will be prompted to create and safely store a recovery key. This is a fallback credential that can be used to decrypt the data should the user change their account password, should the account become compromised, or if they simply forget their credential.

The importance of this key cannot be overstated, hence the recommendation to keep it stored in a safe, secure place, away from anyone you would not normally want to have access to the secured data on the drive.

Users with iCloud accounts who wish to leverage the cloud-based technology may opt to store a copy of their unique recovery key there. Doing so is protected and secured — as not even Apple can read the key — but it allows users to safely retrieve it from anywhere, any time from any device with access to iCloud for additional peace of mind.

Benefits of using FileVault in enterprise and shared environments

Why use FileVault?

The biggest, arguably greatest feature of FileVault is encryption. After all, this is the primary reason to enable the security control in the first place, isn’t it? The encryption algorithm, based on the XTS-AES-128 cipher with a 256-bit key, is what helps “prevent unauthorized access to the information on your startup disk”, according to Apple.

Yep, you read that correctly. FileVault 2 encrypts the entire startup volume — not just the user’s home folder. That’s no typo, but a key difference between FileVault 2 and legacy FileVault. You’ll remember from above that the latter only protects the home folder of the user who enables legacy FileVault, which requires each user to enable FV to protect their own home folder and leaves other users’ home volumes, along with the operating system itself, vulnerable and open to security threats and attacks.

FileVault 2 rectifies this by providing whole-disk (referred to as volume) encryption once enabled. Because the whole volume is encrypted, every piece of data stored on it is protected. A user authorized by FV2 must log in to the Mac first, which unlocks the storage disk and permits other users to log in afterward.

The result? An encrypted system that encompasses the entire storage volume, protecting all data contained therein holistically — not just those that have opted into keeping their data safe.

Protecting business, personal and privacy data while minimizing risk

The Karate Kid series of movies introduced audiences to the memorable (and often imitated) techniques of the Miyagi-Do Karate art: the Drum Technique, Kata and the unforgettable Crane Kick are just a few of the signature moves Daniel-san learned to defend himself in tournaments.

Similarly, FileVault 2’s encryption implementation provides users with several benefits that extend beyond keeping data secured through encryption.

  • Deploying volume (startup disk) encryption also secures the empty, unused space on the system drive. This shrinks the attack surface by denying bad actors a place to plant malware. Additionally, encryption is often considered the “last-ditch effort” by security professionals to maintain the integrity of your personal, corporate and/or privacy data if your MacBook laptop is stolen, the storage drive is removed from your Mac computer or other forms of disk-based attacks are employed to try to compromise your data.
  • FV2-enabled devices require each user account that will utilize that device to be FV-enabled as well. Any user without a secure token or bootstrap token associated with their account will be effectively unable to log on to the Mac until an FV-enabled user authenticates first and unlocks the disk. This and many other features can be configured to prevent unauthorized users from gaining access to the drive’s contents – whether locally from the Mac or if the drive is removed and connected to another Mac, as is a popular type of data theft attack.
  • Both versions of FileVault serve the confidentiality principle of the security (CIA) triad. Beyond securing data against unauthorized access, FV also adheres to National Institute of Standards and Technology (NIST) guidelines. NIST is a U.S. government agency that, among other standards-based programs, provides guidance for organizations to manage and reduce cybersecurity risk. Its SP 800-179, Revision 1 provides enterprise-level guidance based on best practices to mitigate risk while strengthening the security posture of your Apple endpoints.
  • Managing user access to FV-enabled devices with Jamf Pro is a trivial matter, but for those who wish to go the manual route, admins can easily use the Terminal to enable or disable secure tokens for individual user accounts and/or to reset passwords, as necessary. Below is the output of the sysadminctl command that is used in managing per-user account access to devices encrypted with FileVault 2:
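As an added example (not code from the original post or from Jamf), the script below shows the Terminal side of that management from a defender’s view: it reads the output of the stock macOS tools fdesetup and sysadminctl to report whether FileVault 2 is on, which accounts can unlock the volume and whether an account holds a secure token, which is also how you answer the later compliance question of which Macs lack enforced encryption. The account name mdmadmin, the file name fv_audit.sh and all SAMPLE_* values are assumptions constructed for the example.

```shell
#!/bin/bash
# Added audit example (not from the original post or from Jamf): checks a Mac's
# FileVault 2 posture with the stock macOS tools fdesetup(8) and sysadminctl(8).
# Parsing is kept separate from command execution so it can be exercised on
# captured output; the SAMPLE_* strings below are constructed, not real output.

# fdesetup status prints "FileVault is On." or "FileVault is Off." on its first line.
fv_is_on() {                       # $1 = fdesetup status output; exit 0 when On
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# fdesetup list prints one "username,UUID" line per FileVault-enabled user.
fv_enabled_users() {               # $1 = fdesetup list output; prints usernames
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# sysadminctl -secureTokenStatus <user> reports (on stderr) a line ending in
# "Secure token is ENABLED for user <name>" or "... DISABLED for user <name>".
token_state() {                    # $1 = that output; prints ENABLED/DISABLED/UNKNOWN
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# Compliant here means: FileVault is on AND the required unlock account (for
# example the MDM-created admin) is FileVault-enabled. Prints the reason; exit 0/1.
fv_compliant() {                   # $1 = status output, $2 = list output, $3 = user
    fv_is_on "$1" || { echo "FileVault is off"; return 1; }
    fv_enabled_users "$2" | grep -qx "$3" \
        || { echo "$3 is not FileVault-enabled"; return 1; }
    echo "compliant"
}

# Constructed sample output for trying the parsers without a Mac.
SAMPLE_STATUS='FileVault is On.'
SAMPLE_LIST='jvigo,00000000-0000-0000-0000-000000000001
mdmadmin,00000000-0000-0000-0000-000000000002'
SAMPLE_TOKEN='2023-10-12 09:00:00.000 sysadminctl[512:1024] Secure token is ENABLED for user jvigo'

# Live run on a Mac (fdesetup list needs root):  sudo ./fv_audit.sh --live mdmadmin
if [ "${1:-}" = "--live" ]; then
    fv_compliant "$(fdesetup status)" "$(fdesetup list)" "${2:-admin}"
    for u in $(fv_enabled_users "$(fdesetup list)"); do
        echo "$u: $(token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
    done
fi
```

A device that reports "FileVault is off" or whose management admin is missing from fdesetup list is exactly the case an MDM enforcement workflow should remediate.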

Jamf + FileVault encryption

Automating and enforcing encryption

While the above certainly applies to Macs used personally and professionally, the scenario presented in this section largely applies only to organizations that are managing their Mac fleet through Mobile Device Management (MDM) software, such as Jamf Pro.

MDM solutions let IT not only centrally manage devices but also push configuration settings that automate the enablement of FV2. They also streamline the management of the individual recovery key unique to each device, storing it safely within that device’s record for easy management and even easier retrieval by IT when necessary.

For detailed guidance on using Jamf Pro to set up and manage FileVault 2 and recovery keys for your organization, see the administration guide, which is written for IT organizations interested in increasing the security posture of their devices while managing their fleet based on industry best practices and adhering to Apple’s security and privacy frameworks.

Ensuring devices are compliant and remain that way

There is no one-size-fits-all when it comes to compliance, but there are best practices and solutions that can and do help minimize the exposure to risk from various threats. When viewed as part of a comprehensive security strategy, integrating native Apple solutions like FileVault with Jamf Pro (as mentioned above) helps organizations enable and enforce volume encryption to keep data safe.

But a defense-in-depth strategy does one solution not make. IT and Security teams need other questions answered in order to better ensure data is protected and that it stays that way. Considerations such as:

  • Which devices don’t have FileVault encryption enabled?
    • If FileVault was enabled at one time, why was it not enforced?
    • If FileVault was never enabled previously, why was it not configured?
  • Have changes occurred that prevent encryption from operating as required?
  • Are user changes impacting FileVault’s efficacy?
    • If so, which behaviors are affecting FileVault’s operation?
  • What other issues impact the enforcement of volume encryption?

Jamf Protect’s endpoint security solution actively monitors devices, assessing endpoint health, including whether FV is enabled and remains enabled. It gathers rich telemetry data and shares it securely with Jamf Pro, so administrators can configure policies that trigger volume-encryption enforcement workflows in Jamf Pro whenever Jamf Protect detects that a device has fallen out of compliance. Both communicate securely with Apple frameworks to extend native solutions while adding greater capabilities for management teams, like:

  • Actively monitoring endpoint health criteria
  • Logging and notification of identified compliance issues
  • Policy-based compliance enforcement
  • Automated remediation workflows
  • Continued monitoring for threats and risky user behaviors

Deploying and fully managing FileVault 2 to your Mac devices is as simple as 1-2-3!

Literally, it takes Jamf Pro just three steps to roll out volume encryption to your entire fleet. Contact Jamf to get started securing your company’s data today.
