S 4.372 Use of FileVault under Mac OS X
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
In Mac OS X version "Panther" (10.3) and higher, user folders (home directories) can be encrypted using FileVault with the AES-128 algorithm. The recovery path via the FileVault master password, however, relies on an RSA-1024 key pair, so the effective strength of the scheme is bounded by the RSA key rather than by AES-128 (NIST SP 800-57 rates RSA-1024 at roughly 80 bits of security). FileVault is integrated directly into the operating system; no additional software is required to encrypt the user folder.
Since FileVault is easy to use, it is recommended to encrypt user directories as a general rule. This applies particularly to sensitive information on mobile computers, which are exposed to an increased risk of theft; there, FileVault is a readily available alternative to third-party encryption software.
FileVault protects the information only while the client has been shut down properly or the user is not yet logged in. After a successful login, the disk image encrypted by FileVault is mounted as the user's home directory ("home") and its contents are available in clear text to the user and to every process running under that account. At no time is the entire disk image decrypted on disk; only the blocks currently needed are decrypted into memory, and the data on the disk itself remains encrypted. When the user logs out, the disk image is unmounted and the files are protected again.
If users can log in to the client without authentication ("automatic login"), the information protected by FileVault is decrypted without any password prompt. For FileVault to protect the information effectively, automatic login must be deactivated and an adequately secure password selected (see S 2.11 Provisions governing the use of passwords).
Preparing the use of FileVault
FileVault can only protect user directories that are stored on a "Mac OS Extended" (HFS+) file system that was not formatted with the "Case sensitive" option. If FileVault is to be used, the "Mac OS Extended (Journaled)" file system is recommended for the partition holding the user directories.
In general, it is recommended to place the user directories on a separate partition. When planning partition sizes and the required disk space, it must be taken into account that, during the encryption process, additional free space equal to the size of the user folder to be encrypted is needed. This follows from how FileVault works: when FileVault is activated for a user, Mac OS X creates an encrypted disk image, copies all data from the existing user folder into it and then deletes the original user folder. Recovery of the deleted, unencrypted user folder from the freed disk space must be prevented; this is ensured by selecting the "Use secure erase" setting.
Activating FileVault
FileVault must be activated before it can be used. It can be activated at the time a new user is created by selecting the "Turn on FileVault protection" option in the user's account settings.
To activate FileVault later for the currently logged-in user, click the "Turn On FileVault" button under "System Preferences | Security | FileVault". In both cases, the "Use secure erase" option must also be selected, because of the way FileVault works as described above. The "Use secure virtual memory" option should also be activated, since otherwise data, or even the password, may be written unencrypted to the swap files in /var/vm.
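The preconditions from the preparation and activation steps above, and the corresponding review questions at the end of this safeguard, can be checked before FileVault is switched on. The following pre-flight script is an added example written for this page; it is not part of the BSI safeguard or of Apple's tooling. The check functions take already-collected values, so they can be exercised off-box with constructed inputs; collect_and_report() gathers the real values on a Mac. It assumes the legacy FileVault generation (Mac OS X 10.3 to 10.6), that `diskutil info` labels the file system line "File System Personality" (10.5 and later; 10.4 prints "File System"), the loginwindow key autoLoginUser for automatic login, and the preference key UseEncryptedSwap in com.apple.virtualMemory for secure virtual memory (assumed name for 10.4 to 10.6; later releases always encrypt swap).

```shell
#!/bin/sh
# Pre-flight check for legacy FileVault (Mac OS X 10.3-10.6).  Added example,
# not BSI or Apple code.  Each check_* function takes a value already read from
# the system and returns 0 (pass) or 1 (fail); collect_and_report() gathers the
# live values on a Mac.

# 1. File system of the home volume: must be HFS+ ("Mac OS Extended"), journaled
#    recommended, and never case-sensitive.  Argument: the value of the
#    "File System Personality" line from `diskutil info` (label assumed, 10.5+).
check_fs_personality() {
    case "$1" in
        *Case-sensitive*) echo "FAIL: case-sensitive HFS+ is not supported by FileVault"; return 1 ;;
        "Journaled HFS+") echo "OK: Journaled HFS+"; return 0 ;;
        "HFS+")           echo "WARN: HFS+ without journaling (supported, journaled recommended)"; return 0 ;;
        *)                echo "FAIL: unsupported file system '$1'"; return 1 ;;
    esac
}

# 2. Automatic login: the autoLoginUser key must be absent.  Argument: the key's
#    value, empty when `defaults read` reported it missing.
check_autologin() {
    if [ -n "$1" ]; then
        echo "FAIL: automatic login enabled for user '$1'"; return 1
    fi
    echo "OK: automatic login disabled"; return 0
}

# 3. Secure virtual memory: UseEncryptedSwap must be 1 (assumed key, 10.4-10.6),
#    otherwise swap files in /var/vm can hold cleartext data or the password.
check_secure_vm() {
    if [ "$1" = "1" ]; then
        echo "OK: secure virtual memory on"; return 0
    fi
    echo "FAIL: secure virtual memory off (swap in /var/vm would hold cleartext)"; return 1
}

# 4. Free space: converting the home folder into an encrypted disk image needs
#    at least as much free space as the folder occupies.
#    Arguments: home folder size in KiB, free space on the home volume in KiB.
check_free_space() {
    if [ "$2" -ge "$1" ]; then
        echo "OK: $2 KiB free, home folder is $1 KiB"; return 0
    fi
    echo "FAIL: need $1 KiB free for the conversion, only $2 KiB available"; return 1
}

# Gather the live values on a Mac and run all four checks.  Exit status 0 only
# if every check passed.  Argument: home folder to check (default: $HOME).
collect_and_report() {
    home="${1:-$HOME}"
    vol=$(df -k "$home" | awk 'NR==2 {print $1}')
    # Matches "File System Personality:" (10.5+) and "File System:" (10.4).
    fs=$(diskutil info "$vol" | awk -F': *' '/File System( Personality)?:/ {print $2; exit}')
    auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
    svm=$(defaults read /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap 2>/dev/null)
    home_kb=$(du -sk "$home" | awk '{print $1}')
    free_kb=$(df -k "$home" | awk 'NR==2 {print $4}')
    rc=0
    check_fs_personality "$fs" || rc=1
    check_autologin "$auto"    || rc=1
    check_secure_vm "$svm"     || rc=1
    check_free_space "$home_kb" "$free_kb" || rc=1
    return $rc
}

# Only query the system when running on a Mac and explicitly asked to
# (RUN_CHECKS=1 sh filevault-preflight.sh [/Users/alice]).
if [ "$(uname)" = Darwin ] && [ -n "$RUN_CHECKS" ]; then
    collect_and_report "$@"
fi
```

Run it as the administrator before turning FileVault on for an account; a FAIL on the file system check means the home volume must be reformatted (or the home directory moved) before FileVault can be used at all, while the other three failures are settings that can be corrected in place.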
Data restoration
The administrator must define a master password on each computer so that all user folders encrypted with FileVault on that computer can be restored if a user's FileVault password is lost. The master password must be sufficiently complex (see S 2.11 Provisions governing the use of passwords). If, for reasons of efficiency, the same master password is used on several clients, a sufficiently complex password is all the more essential, since its compromise would then expose every one of those clients.
If there is reason to suspect that the master password has been disclosed, for example because it was stored in an insecure location, it must be changed immediately, since otherwise all encrypted user folders on the computer can be accessed.
The master password should be escrowed in a suitable location to ensure that the data can be restored quickly by an administrator, independently of particular personnel (see S 2.22 Escrow of passwords).
FileVault in connection with standby modes
A Mac OS X client that is not currently in use but has not been turned off may be in a standby mode, i.e. sleep mode. In Mac OS X this covers both a state in which the computer writes the contents of RAM to the hard disk ("safe sleep") and a state in which the current contents of memory are merely retained in RAM.
In sleep mode, the FileVault password information remains in the client's RAM or, with safe sleep, in the sleep image on its hard disk. The confidentiality of the files encrypted with FileVault is therefore at risk. Where a higher level of protection is required, a Mac OS X client should not be left unattended in sleep mode; instead the user must log out and turn off the client. Like sleep mode, the screen lock does not protect the data either, since the password information remains in RAM and could be read.
Raising user awareness
Users must be informed that FileVault encrypts only their own user folders, and only while the Mac OS X client has been shut down properly or they are logged out. Users must also be told how to handle standby modes in connection with FileVault encryption, and that the administrator can restore their data using the master password if their own password is lost. Further information on secure data storage and data transport is given in S 4.379 Secure data management and transport under Mac OS X.
Limits of the suitability of FileVault
FileVault offers no settings to select which files are encrypted: only the user folder is encrypted. Data outside it may, however, also contain information requiring protection. For example, /Library/Logs and /var/log hold various log files with detailed system information; /Library/Caches and /tmp hold temporary and cache files of various applications; and /Library/Preferences holds system-wide settings files. Where a higher level of protection is required, encryption software other than FileVault that is able to encrypt the entire hard disk should be used.
Review questions:
- Is the "Mac OS Extended (Journaled)" file system used for the partitions holding the user directories to be encrypted with FileVault, and was it formatted without the "Case sensitive" option?
- When using FileVault, has a sufficiently strong user password been set for Mac OS X and has automatic login been deactivated?
- Has a sufficiently strong FileVault master password been set for Mac OS X and escrowed securely?
- Do the Mac OS X users know that only their personal user folders are encrypted when using FileVault?
- Do the Mac OS X users know that the administrator can restore their data by means of the FileVault master password if they lose their user password?