The global average cost of a data breach in 2023 was $4.45 million, a 15.3% increase over 2020[1]. Data loss is a serious concern for businesses of every size, which makes protecting business data a necessity.
Backing up data to encrypted external hard drives or flash drives provides a copy to restore from in the event of data loss, and the copy stays unreadable if the backup media itself is lost or stolen. The same principle applies to the Mac's own startup disk: encrypting it prevents anyone who obtains the machine from reading the data on it without the login password or a recovery key.
This is where FileVault comes into play. Encryption alone is not enough, however: FileVault has to be enabled consistently across the fleet and its recovery keys have to be escrowed according to business requirements, which can be done using an MDM like Scalefusion.
In this blog, we’ll explore what FileVault full disk encryption entails, examine the benefits of using FileVault for full disk encryption, and walk through the steps to enable FileVault on macOS devices using Scalefusion MDM.
What is FileVault Full Disk Encryption?
FileVault is Apple's built-in disk encryption feature for macOS. The original FileVault (Mac OS X 10.3) encrypted only the user's home folder; the full-disk version, FileVault 2, has been available since OS X 10.7 Lion and is what "FileVault" means today. Once enabled, it encrypts the startup volume in the background and prevents unauthorized access to the data stored on it: the disk is unlocked at startup with the password of a FileVault-enabled user, and a recovery key serves as the fallback if that password is lost.
Understanding FileVault Recovery Keys: PRK and IRK
FileVault recovery keys are needed to unlock the disk when a user forgets their login password. A recovery key is generated when FileVault is first enabled. There are two kinds of recovery key, which can be used alone or together, giving three configurations:
a. Personal Recovery Key (PRK)
A personal recovery key is a randomized alphanumeric string generated by macOS when FileVault is enabled. It is shown to the user once and can unlock the disk if the login password is forgotten, so it must be stored somewhere other than the encrypted Mac itself. If FileVault is enabled after the device is enrolled in Scalefusion, the PRK is escrowed to and displayed on the Scalefusion dashboard, so IT can retrieve it for recovery without relying on the user having kept a copy.
b. Institutional Recovery Key (IRK)
An institutional recovery key is a certificate created by IT administrators; FileVault uses its public key to protect the volume's encryption key, and the matching private key stays with IT rather than on the device. Scalefusion lets enterprises upload the certificate once and distribute it to every managed Mac from the dashboard. The primary advantage of an IRK is that it requires minimal user interaction when enabling FileVault, and one key recovers every device it was deployed to. That is also its main caveat: the private key must be guarded carefully, because it unlocks every Mac that received the certificate. If a user forgets their password, IT admins unlock the disk with the IRK's private key rather than handing a secret to the user, so nothing the user sees can be copied or leaked.
c. PRK and IRK
For enhanced security and flexibility, organizations can use both personal and institutional recovery keys (PRK and IRK). In this setup, a PRK is generated for each device (and escrowed by the MDM) while IT admins manage a single IRK. Either key can unlock the drive, so recovery does not depend on any one secret being available.
Benefits of Using FileVault Disk Encryption in Enterprise Settings
Large volumes of data stored on disks at the enterprise level need to be encrypted to ensure better security. FileVault disk encryption addresses this requirement by offering the following benefits:
1. Volume or Startup Disk Encryption
FileVault encrypts the entire startup volume, not just selected files: every block, including free space and the remnants of deleted files, is unreadable without the volume key. An attacker who removes the drive or boots the Mac from external media gets nothing usable, and the protection covers all data on the volume rather than relying on users to choose which files to protect.
2. Adherence to Triad’s Confidentiality Principle
FileVault addresses the confidentiality leg of the CIA triad: data at rest is protected from unauthorized disclosure. Full-disk encryption of this kind is also what NIST recommends for end-user devices in SP 800-111 (Guide to Storage Encryption Technologies for End User Devices), so enabling FileVault fleet-wide is a straightforward way to meet that guidance and strengthen the security posture of Apple endpoints. It does not address the other two legs: encryption does not stop data from being deleted or altered, and it offers no protection once a user has unlocked the Mac.
3. Robust Data Protection
FileVault uses XTS-AES-128 encryption with a 256-bit key (XTS splits the key into two 128-bit AES keys). XTS is the standard mode for disk encryption because it encrypts each sector independently, so random access stays fast and the same plaintext block written to two different sectors does not produce the same ciphertext. One caveat: XTS provides confidentiality, not integrity. It does not detect tampering with the encrypted disk, so FileVault should be combined with the platform's other protections (Secure Boot on T2 and Apple silicon Macs, a firmware password on older Intel Macs, and a strong login password) rather than treated as a complete defense on its own.
How to Enable FileVault on macOS Devices with Scalefusion MDM
Administrators can configure and push the FileVault Policy to all Scalefusion-managed macOS devices by following the steps below:
Step 1. Click ‘Device Profiles’ under the ‘Device Profiles and Policies’ tab on the Scalefusion dashboard.
Step 2. Click the ‘Create New Profile‘ button at the top-right corner to create a new macOS device profile or edit an existing one.
Step 3. Click the FileVault section and toggle the ‘Enable FileVault’ option to turn on the FileVault on the managed devices. Configure the following settings as per requirement:
a. Enable FileVault: This setting turns on FileVault and the hard disk will be encrypted in the background.
b. Recovery key type: IT admins choose which recovery key(s) will be able to unlock the disk. Three options can be enforced:
- Personal recovery key (PRK): Select this to enforce only PRK
- Institutional recovery key (IRK): Select this to enforce only IRK
- Institutional recovery key and Personal recovery key (IRK AND PRK): Select this to enforce both PRK and IRK
c. Upload institutional recovery key: IT admins need to upload a .cer, .p12, or .pem file that will be used as the recovery key if they choose IRK or IRK and PRK as their recovery key type. Additionally, admins will need to enter the password if the file is password-protected.
d. Prompt user to enable FileVault: FileVault cannot be enabled silently, because the user's password is needed to add their account as a FileVault-enabled user. Administrators select when end users are prompted to enter their password and turn on FileVault. The options are:
- Login & Logout: Prompt will be shown at login & logout
- Login: Prompt will be shown only at login
- Logout: Prompt will be shown only at logout
e. Max bypass attempt: IT teams can choose the number of times a user can bypass the prompt to enable FileVault before logging into the device.
f. Allow users to turn off FileVault: Enable this option to allow users to turn off FileVault once the disk is encrypted. The user cannot turn off FileVault if this setting is disabled.
Step 4. Verify FileVault status
a. On the Scalefusion dashboard
- Navigate to the ‘Devices’ section and select the view to ‘macOS Devices’ for viewing the encryption status.
- Click on the device name and navigate to the settings icon on the top right and click on ‘Full Device Information’ to view device details.
b. On a Mac device
- Once the FileVault policy has been applied on a device, a prompt is displayed for the user to enable FileVault when logging in or out.
- Once FileVault is enabled, the FileVault pane (System Preferences > Security & Privacy > FileVault on older releases; System Settings > Privacy & Security > FileVault on macOS Ventura and later) shows that FileVault is turned on and the disk is encrypted, with the current percentage if encryption is still in progress.
Enhance FileVault Management with Scalefusion MDM
Enabling FileVault for macOS devices through Scalefusion enhances data security and simplifies its management for IT administrators. By leveraging FileVault’s robust encryption capabilities and Scalefusion’s intuitive FileVault management features, organizations can secure data with confidence and safeguard it against unauthorized access, maintaining compliance with industry standards.
Contact our experts to book a free demo and opt for a 14-day free trial today.
Reference:
1. SecureData
Frequently Asked Questions (FAQs)
1. What is FileVault Management?
FileVault management means deploying and configuring FileVault on macOS devices through an MDM solution instead of asking each user to turn it on by hand. It lets IT admins enforce FileVault on managed Macs, choose the recovery key type, and escrow recovery keys according to organizational policy. Because a user's password is needed to enable FileVault, the MDM uses what Apple calls deferred enablement: the policy is staged on the device and takes effect at the user's next login or logout, when they are prompted for their password.
2. Should I use FileVault disk encryption on Mac?
FileVault disk encryption on macOS devices enhances data security. By enabling FileVault full disk encryption, all the information on your Mac is encrypted and protected with your login password, making it much harder for unauthorized users to access your data.
3. What does FileVault do on Apple?
FileVault for Mac is a security feature that provides full disk encryption for the startup disk on your Apple device. It encrypts and protects your entire disk, ensuring that all data, files, and information are secure from unauthorized access. FileVault encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
4. How does FileVault work?
FileVault encrypts the entire contents of the startup disk with XTS-AES-128. The volume is unlocked at startup when a FileVault-enabled user enters their login password (or a recovery key is used), after which macOS decrypts and encrypts data transparently as it is read and written. The protection therefore applies to data at rest: a powered-off or unbooted Mac yields nothing without a password or recovery key, but once a user is logged in the data is as accessible as on any unencrypted disk, so a strong password and an automatic screen lock remain necessary. FileVault management tools let administrators apply the encryption settings and escrow recovery keys across many devices.
5. How to check if FileVault disk encryption is enabled?
On macOS Ventura and later, open System Settings > Privacy & Security and scroll to FileVault; on older releases, open System Preferences > Security & Privacy and select the FileVault tab. The pane shows whether FileVault is on and whether the disk is fully encrypted, and if it is off you can enable it from the same pane. From the Terminal, `fdesetup status` reports the same thing, including whether encryption is still in progress or a deferred enablement is pending, and `sudo fdesetup list` shows which accounts are able to unlock the disk.
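The same check scripted for a fleet, serving both the last FAQ above and the verification step of the Scalefusion procedure, as an added example that is not Scalefusion's or Apple's code: a POSIX shell script that reads `fdesetup status` and `fdesetup list`, classifies the device, and reports whether it meets a policy of "FileVault fully on and a named IT account able to unlock the disk". The sample outputs embedded in it are constructed to mirror the wording the tool prints, so the script runs and can be tested off a Mac; the account name `itadmin` and the compliance rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Scalefusion's or Apple's code: classify a Mac's FileVault
# state from `fdesetup status` / `fdesetup list` output and check it against a
# simple policy. Off a Mac, constructed sample output is used so it still runs.

# Classify `fdesetup status` output. Order matters: the progress and deferral
# lines are printed together with the "On."/"Off." line, so match them first.
fv_state() {
  case "$1" in
    *"Encryption in progress"*)  echo encrypting ;;
    *"Decryption in progress"*)  echo decrypting ;;
    *"Deferred enablement"*)     echo deferred ;;   # policy staged, user not yet prompted
    *"FileVault is On."*)        echo on ;;
    *"FileVault is Off."*)       echo off ;;
    *)                           echo unknown ;;
  esac
}

# Extract usernames from `fdesetup list` output, which prints "username,UUID" per line.
fv_users() {
  printf '%s\n' "$1" | cut -d, -f1
}

# Policy (assumption for illustration): FileVault fully on AND the named IT
# account ($3) is FileVault-enabled, so IT can unlock the disk without the user.
# $1 = state from fv_state, $2 = newline-separated usernames from fv_users.
# Returns 0 when compliant, 1 otherwise.
fv_compliant() {
  [ "$1" = on ] || return 1
  printf '%s\n' "$2" | grep -qx -- "$3"
}

# Constructed samples mirroring the wording the real tool prints.
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42.'
SAMPLE_STATUS_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_LIST='jdoe,0A1B2C3D-0000-4000-8000-000000000001
itadmin,0A1B2C3D-0000-4000-8000-000000000002'

# Use the live commands on a Mac, the samples elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
  status_out=$(fdesetup status)
  list_out=$(sudo -n fdesetup list 2>/dev/null || true)   # listing needs root
else
  status_out=$SAMPLE_STATUS_PROGRESS
  list_out=$SAMPLE_LIST
fi

state=$(fv_state "$status_out")
users=$(fv_users "$list_out")
if fv_compliant "$state" "$users" itadmin; then
  echo "COMPLIANT state=$state"
else
  echo "NONCOMPLIANT state=$state enabled_users=$(printf '%s' "$users" | tr '\n' ' ')"
fi
```

A device that reports `deferred` has received the policy but the user has not yet entered their password, which is exactly the window that the bypass-attempt limit in the Scalefusion profile exists to bound, so it is worth reporting separately from plain `off`. To confirm that an escrowed PRK actually unlocks a given Mac, `sudo fdesetup validaterecovery` prompts for the key and reports whether it is valid; doing this on a sample of devices before relying on the dashboard copies catches keys that were rotated or never escrowed.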