Full disk encryption (FDE) is quickly becoming an industry security standard across most of today’s market spaces. With an increasing focus on data security over the past decade, Apple® and Microsoft® both realized that encrypting the hard drive was an important step toward a more secure data environment. FileVault was introduced several years ago as the macOS® solution for full disk encryption. The challenge has been managing it across an enterprise. In this post, we’ll discuss what FileVault management is and how IT teams can implement it across their organization.
What is FileVault?
The concept behind FileVault (and FDE in general) is to encrypt data stored on a hard drive while it is at rest, that is, not in use. FDE ensures that only the correct user can access the encrypted data, typically by entering their unique user credentials (username and passphrase), which unlocks the volume. The result is that if a laptop and/or its hard drive were stolen, a bad actor would also have to know the user’s credentials. As an additional measure, for cases such as the hard drive being removed from the machine, a unique recovery key, known only to the organization’s IT admin, can also be used to unlock the drive. For many organizations where a data breach could be catastrophic, such as the healthcare industry, full disk encryption is mandatory.
The challenge for IT organizations has been that implementing FDE across an entire organization is difficult because it isn’t a fully automated process. Not only does it need to be enabled for each user/machine, there is a second step that is virtually mandatory: securely storing the recovery keys. If a user forgets their password, they are no longer able to unlock the drive, rendering the data unusable. Both FileVault and BitLocker (the Windows-based FDE solution) have implemented recovery keys that admins can use to unlock the drive. Of course, these keys need to be stored securely, or escrowed.
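The two steps above, checking that FileVault is actually on for each machine and capturing the recovery key so it can be escrowed rather than left on the laptop, are what a fleet script has to cover. The following is an added example, not code from the original post or from any vendor's product. It assumes macOS's `fdesetup status` prints "FileVault is On." or "FileVault is Off." and that `fdesetup enable -outputplist` prints an XML plist whose `RecoveryKey` entry holds the key; the sample output embedded below is constructed so the script runs anywhere, and the host names and key value are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Turns the output of
# `fdesetup status` into a one-line compliance record per host, and pulls the
# recovery key out of the plist printed by `fdesetup enable -outputplist`
# so it can be sent to the escrow service instead of staying on the machine.

# fv_status_line HOST STATUS_TEXT -> "host,state,verdict"
# Assumes the documented fdesetup wording "FileVault is On." / "FileVault is Off.".
fv_status_line() {
  host="$1"
  output="$2"
  case "$output" in
    *"FileVault is On."*)  echo "$host,encrypted,compliant" ;;
    *"FileVault is Off."*) echo "$host,unencrypted,NONCOMPLIANT" ;;
    *)                     echo "$host,unknown,REVIEW" ;;
  esac
}

# recovery_key_from_plist: reads a plist on stdin and prints the <string>
# that follows <key>RecoveryKey</key>. Plain awk, so it needs no plutil.
recovery_key_from_plist() {
  awk '/<key>RecoveryKey<\/key>/ { want = 1; next }
       want && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); print; exit }'
}

# Constructed sample inputs (placeholders, not real machine output).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SerialNumber</key>
  <string>PLACEHOLDER-SERIAL</string>
  <key>RecoveryKey</key>
  <string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>
</dict>
</plist>'

# On a real Mac, feed the live commands instead of the samples:
#   fv_status_line "$(hostname)" "$(fdesetup status)"
#   sudo fdesetup enable -outputplist | recovery_key_from_plist
fv_status_line mac-001 "$SAMPLE_ON"
fv_status_line mac-002 "$SAMPLE_OFF"
printf '%s\n' "$SAMPLE_PLIST" | recovery_key_from_plist
```

The status records are meant to be collected centrally so the "NONCOMPLIANT" rows become the work queue; the extracted key should go straight to the escrow store and never be written to a local file on the endpoint.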
The Struggle of FileVault Management
This ability to implement and report on FDE and manage recovery keys is what FileVault management boils down to. Without (Read more...)