Tuesday, December 11, 2012

FileVault 2 on OS X

Yesterday, I finally got around to enabling FileVault 2 on my MacBook Air. I don't have any top-secret information on it, but if it were ever lost or stolen, I now have the peace of mind that comes with whole disk encryption.

Enabling FileVault is pretty straightforward: you just go into the System Preferences pane, click on the Security applet and turn it on. It took about 1 hour to encrypt my 2011 MacBook Air with a 128GB SSD and didn't require me to be plugged in.

Here are a couple of things to be aware of if you're really security conscious:

  1. Don't store your recovery key with Apple. Copy and paste it into a document, print it out, put it in an envelope somewhere safe. Don't carry this around with your laptop. If you're security conscious enough to want WDE, you should know better than to keep your recovery key in a location that can be socially engineered.

  2. Don't allow more than one user account to unlock the computer. If you have multiple user accounts and they're all able to unlock the computer, your surface area for attack is greater. That said, if this is a shared computer and there are only a couple of accounts, it's probably not a big deal.

  3. Finally, the most important tip in the bunch. Run sudo pmset destroyfvkeyonstandby 1. By default, your recovery key is cached in the EFI, so that your computer can seamlessly resume from sleep without needing a password. I don't know about you, but I almost never shut my MacBook off. It always sleeps. This essentially renders FileVault useless! If my notebook is stolen while sleeping, all that a thief has to do is open the lid and they're in. By running this command, you destroy the copy of the key in EFI and are prompted for your user account password when the notebook wakes from sleep, keeping your data safe in the process.
This Apple deployment document covers this command, as well as many other FileVault best practices and deployment scenarios, if you're looking for further reading.
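
A way to check tips 2 and 3 on a machine, as an added example that is not part of the original post or of Apple's document. The function names are hypothetical, and it assumes `pmset -g` prints "setting value" lines and `fdesetup list` prints one "username,UUID" line per account that can unlock the disk; the sample in the fallback branch is constructed.

```shell
#!/bin/sh
# Added example: audit two of the post's FileVault tips from command output.
# Assumed formats: `pmset -g` prints "<setting> <value>" lines; `fdesetup list`
# prints one "username,UUID" line per account that can unlock the disk.

# Print the destroyfvkeyonstandby value found in `pmset -g` text ($1).
# Prints 0 when the setting is absent (the default the post describes).
fv_standby_key_setting() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "destroyfvkeyonstandby" { v = $2; found = 1 }
        END { if (found) print v; else print 0 }'
}

# Count unlock-enabled accounts in `fdesetup list` text ($1).
fv_unlock_user_count() {
    printf '%s\n' "$1" | awk -F, 'NF == 2 && $1 != "" { n++ } END { print n + 0 }'
}

# Print findings; return 0 only when both tips are satisfied.
fv_audit() {
    pmset_out=$1; users_out=$2; rc=0
    if [ "$(fv_standby_key_setting "$pmset_out")" != "1" ]; then
        echo "FAIL: key kept across standby; run: sudo pmset destroyfvkeyonstandby 1"
        rc=1
    fi
    n=$(fv_unlock_user_count "$users_out")
    if [ "$n" -gt 1 ]; then
        echo "WARN: $n accounts can unlock the disk"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key destroyed on standby, $n unlock account(s)"
    return "$rc"
}

# On a Mac, audit the live system; elsewhere run on constructed sample output.
if command -v pmset >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    fv_audit "$(pmset -g)" "$(sudo fdesetup list)" || true
else
    # Constructed sample (not captured from a real machine).
    fv_audit " DestroyFVKeyOnStandby 1" \
        "alice,00000000-0000-0000-0000-000000000001" || true
fi
```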

1 comment:

  1. Hi Mark
    We are going to install a new domain. We have a public site hosted locally
    and also we have an internal site hosted locally.
    Our email server is a Linux-based server and hosted locally.
    Do you suggest that we use best practice for domain naming?
    Also we need to have SSO for email and domain user and ...

    Thanks,