OS X Security Tip: Destroy FileVault Key on Standby
I haven't talked much about technology as of late. With so much other news, especially on the gun rights front, I haven't had much time or reason to write up any technology tips. With that said, I have a security tip that OS X users who use FileVault on their main drive may find useful. While investigating another power management issue I found a pmset (an OS X command line application for adjusting power management settings) value mentioned in the command's man page:
destroyfvkeyonstandby - Destroy File Vault Key when going to standby mode. By default File vault keys are retained even when system goes to standby. If the keys are destroyed, user will be prompted to enter the password while coming out of standby mode. (value: 1 - Destroy, 0 - Retain)
As a user of FileVault and my laptop's standby mode, I found this value interesting. As far as I knew, the FileVault key was destroyed when my computer entered standby. Apparently that's not the default behavior. Looking further into this command, I found a FileVault 2 training document [PDF] put out by Apple that had more to say about the destroyfvkeyonstandby value:
All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of OS X. For example, the FileVault key is stored in EFI to transparently come out of standby mode.
Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode.
The destruction of the FileVault key when going to standby mode can be accomplished by setting a specific power management environment variable using the pmset command. Performing the following command on the targeted system interactively, or during the execution of a script for automation or deployments, sets the key for destruction:
# pmset destroyfvkeyonstandby 1
I used the command "pmset -a destroyfvkeyonstandby 1" (the same as the command mentioned in the manual with the addition of the -a flag, which applies the value to all power profiles), but I don't believe the -a flag is actually necessary. Now, hopefully, my FileVault key is actually destroyed when the computer enters standby mode.
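Since the default is to retain the key, the part worth automating is the check, not just the change: a script that sets destroyfvkeyonstandby and then reads it back from pmset -g, so a deployment that silently failed to apply the setting is caught. The script below is an added example written for this post; it is not the post author's command nor anything from Apple's training document. It assumes, as the man page text above describes, that `pmset -g` prints one `key value` pair per line for the settings currently in use; the sample outputs embedded in it are constructed for illustration and are not captured from a real machine. The enforcement function only runs pmset on Darwin, so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or Apple's document): audit and
# enforce the destroyfvkeyonstandby power management setting for FileVault.
# Assumption: `pmset -g` prints settings as " key   value" lines, one per line.

# Read `pmset -g` output on stdin and print the destroyfvkeyonstandby value:
# "1" (destroy key on standby), "0" (retain, the default), or "unset" when the
# key does not appear in the output at all.
fv_key_policy() {
    awk '$1 == "destroyfvkeyonstandby" { print $2; found = 1 }
         END { if (!found) print "unset" }'
}

# Succeed (exit 0) only when the key is configured to be destroyed on standby.
# Treats "unset" the same as "0": the man page says retain is the default.
fv_key_destroyed_on_standby() {
    [ "$(fv_key_policy)" = "1" ]
}

# Apply the setting on a real Mac and verify it by reading it back.
# -a applies the value to every power source (battery, charger, UPS).
# Returns 0 when the read-back shows the key will be destroyed, 1 when pmset
# failed or the value did not stick, 2 when this is not an OS X host.
enforce_fv_key_destroy() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not an OS X host; skipping pmset" >&2
        return 2
    fi
    sudo pmset -a destroyfvkeyonstandby 1 || return 1
    pmset -g | fv_key_destroyed_on_standby
}

# Constructed sample of `pmset -g` output on a machine still at the default.
SAMPLE_DEFAULT=' standbydelay         4200
 standby              1
 hibernatemode        3
 destroyfvkeyonstandby 0
 displaysleep         10
 sleep                10'

# Constructed sample after `pmset -a destroyfvkeyonstandby 1` has been applied.
SAMPLE_HARDENED=' standbydelay         4200
 standby              1
 hibernatemode        3
 destroyfvkeyonstandby 1
 displaysleep         10
 sleep                10'

# Constructed sample where the key is absent from the output entirely.
SAMPLE_NOKEY=' standbydelay         4200
 standby              1
 hibernatemode        3
 sleep                10'

# Stand-alone usage: report the policy from each sample, then enforce on Darwin.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED" "$SAMPLE_NOKEY"; do
    printf 'destroyfvkeyonstandby = %s\n' "$(printf '%s\n' "$sample" | fv_key_policy)"
done
enforce_fv_key_destroy || echo "enforcement returned $?" >&2
```

One caveat that follows from the man page wording: the key is destroyed when the machine goes to standby, which is a separate state from ordinary sleep, so the password prompt described above only appears when the Mac actually reaches standby. After applying the setting, run `pmset -g` and confirm the destroyfvkeyonstandby line reads 1 rather than trusting that the command succeeded.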