From 4c8fbf9f724e3a08339b8b790bd2db0724cb841b Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 7 Jun 2021 16:48:18 -0400 Subject: [PATCH] wording updated to more reflect macOS 11 --- rules/supplemental/supplemental_filevault.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 0ecb0270..bc1f394c 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
@@ -4,10 +4,11 @@ discussion: | The supplemental guidance found in this section is applicable for the following rules: * sysprefs_filevault_enforce - In macOS 11 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault. - NOTE: On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip. + In macOS 11 the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. + + NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2 and Apple Silicon) utilize the hardware security features of the architecture. - FileVault is described in detail here: link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]. + FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[]. FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local OpenDirectory account with a valid SecureToken password.
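Review bot: the added sentence "The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume" is ambiguous about what the parenthetical qualifies: "always" reads as applying to every Mac running macOS 11, while "(T2 and Apple Silicon)" reads as a hardware restriction, and the two lines before and after it only describe encryption of the data volume and of "full volumes" on secure-enclave hardware. Suggest making explicit whether "cryptographically protected" means the read-only system volume is protected on all hardware, or whether that protection (and its relationship to FileVault encryption) applies only on T2 and Apple Silicon Macs, so the reader does not infer that FileVault encrypts the system volume. Also, the removed NOTE qualified the AES-XTS statement with "On non-T2 hardware", and the new NOTE states it unconditionally; if that generalization is intended, the commit message ("wording updated to more reflect macOS 11") could say so, since it changes the guidance rather than only its wording. The new support.apple.com link drops the "/1/web/1" suffix used in the old one; worth confirming the new URL resolves before merging.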