Last updated at 2018-09-12 12:46:14 by oucs0162

FileVault Encryption

Introduction

All MacBook laptops in Orchard must be encrypted using FileVault to help keep the data on them secure in the event that they are lost or stolen. Without FileVault a malicious third party with physical access could create an administrator account on your laptop quite easily and view or steal the data held on it.

What is Encryption?

Encryption scrambles the data on your computer using a strong cipher so that it cannot be read or copied by others without the necessary key to decrypt it. You can think about the encrypted data on the computer like a message stored in code and only you have the means to decode it (your password). Encryption is used in all sorts of areas for data security including secure websites (SSL/TLS - when you see the padlock in your browser communications between your computer and the server are encrypted), secure email, and computer data encryption.

What is FileVault?

FileVault is Apple's standard method for encrypting the data on Macs. It works by encrypting the data on the boot (system) disk in your Mac using your login password as a key to decrypt it. After encryption is started, when the computer starts up it will immediately ask for a username and password. Until a password that is allowed to unlock FileVault is entered, the data on the computer is completely unreadable to third parties. Once a password is successfully entered, the data is decrypted 'on the fly' - meaning as it is loaded - and the computer then loads the operating system and goes straight to the desktop of the user that signed in. This is different to the process on an unencrypted Mac, where the computer would load the operating system first and then ask for a user to log in.

FileVault also creates what is known as a Recovery Key at encryption time, in case you forget your password and need to decrypt the drive in an emergency.

Orchard FileVault

If you have a MacBook, Orchard makes sure that it is encrypted using FileVault automatically. Orchard can detect if a MacBook is not encrypted and will take steps to remediate this. Normally your designated IT Support Staff (ITSS) will normally perform the encryption when the MacBook is initially enrolled to Orchard. The main user of the device (you) is then added to the list of users able to unlock FileVault on the computer.

There is a guide to encryption for ITSS here: ITSS/FileVault

Recovery Key

During the encryption process the Recovery Key is sent to Orchard. Should you ever forget your password and need to log in urgently, you should contact your local IT Support Staff who will be able to give you the Recovery Key. The Recovery Key may also be used by IT Support Staff to decrypt your laptop if you have given them permission to do so.

Orchard tests periodically that the Recovery Key it has saved for your computer is valid for unlocking it, and if it is not it will begin the process of generating a new one. In that case you will see the window below or one very similar. On entering your login password, Orchard will create a new Recovery Key and securely save it to the Orchard database.

filevault-prk-invalid.png

Checking Encryption Status

You can check the encryption status of a Mac by opening System Preferences and then choosing the FileVault tab. In this example we show a MacBook that has finished encrypting with FileVault. If the laptop was currently encrypting or decrypting you would see a progress bar. Do not be alarmed by the message that some users cannot unlock the disk, this is normal (we do not allow local administrator accounts to unlock FileVault as users should not be logging in to their laptops as administrators).

System_Prefs_FV.png

FAQ

  1. Does encryption mean my data is always secure from hackers when my computer is on? Encryption means that the data on your hard drive is only readable if it has been unlocked at the startup boot screen. If unlocked, the computer will be decrypted for anyone that has physical access with a user account. Therefore it is still important to have a strong password and not to leave your computer unattended, and to take normal precautions when visiting websites and opening files and emails.

  2. Does encryption with FileVault slow my computer down? With most modern Mac laptops FileVault has a negligible effect on computer speed, and may in fact make it faster for certain operations.

  3. Who can decrypt my data? Any local user account that has been enabled for FileVault can decrypt the data on the computer. Also, anyone who has the Recovery Key can decrypt it. The viewing of the Recovery Key is limited to staff that would need to provide you with it in an emergency, or that would need to decrypt the laptop with your permission - e.g. for IT support purposes. The key is hidden within the management server and there is an Audit Log of those who have viewed it should you want to know.

  4. What about Symantec Whole Disk Encryption? (WDE) I thought that was what the University recommends? Symantec WDE has extremely poor Mac support. The current version does not work with the latest macOS version at the time of writing. FileVault is built into macOS and is the preferred method for encrypting Macs.

  5. What should I do if my MacBook is lost or stolen? You should report it to your local IT Support Staff as soon as possible. They will be able to send remote commands to your MacBook to lock it with a passcode or wipe the data, depending on whether you believe you will retrieve your computer. If it is wiped, all encryption keys to unlock the disk are deleted from the computer meaning the data cannot be read.


Orchard is a close co-operation of