2.6.5 Ensure FileVault Is Enabled - dontAllowFDEDisable

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.

FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost.

FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References).

Rationale:

Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.

Impact:

Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it.

Solution

Graphical Method:
Perform the following steps to enable FileVault:

Open System Settings

Select Security & Privacy

Select Turn On...

Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date.
Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.MCX

The key to include is dontAllowFDEDisable

The key must be set to <true/>

Note: This profile is required to pass the audit.

See Also

https://workbench.cisecurity.org/files/4159