You value your data. You’ve gone to great lengths to use password managers to protect yourself by creating unique, complex passwords that are hard-to-guess. Your VPN connection is on and encrypting transmissions each time you go online–regardless of whether its downloading system updates (which you’re on top of) or streaming the latest TV show of your favorite series. And you made sure to enable FileVault 2 on your Mac computer, so that data remains protected at rest using full disk encryption.
SEE: macOS Big Sur: A cheat sheet (free PDF) (TechRepublic)
Among other standard security best practices implemented to harden the system, it is secured from an ever-expanding list of threats that seek to separate you from your data, privacy, and personally identifiable information (PII). And yet, when a Mac goes into hibernation, it stores a copy of the FileVault (FV) key in memory. This default behavior is done to speed up a device waking up, allowing the user to get back to work quickly.
The problem is that while the key is stored in resident memory, it is unencrypted, allowing an attacker the opportunity to recover the non-obfuscated key using freely available tools to repeal FileVault’s protections and gain unauthorized access to the now decrypted data stored on your device. By leveraging the Terminal and the correct syntax hidden away from the CLI’s documentation, a user can effectively configure their devices to delete the key from memory when a device enters hibernation to further enhance the security of their system(s).
SEE: Encrypting communication: Why it’s critical to do it well (TechRepublic)
- Apple computer with OS X 10.7 (or newer)
- FileVault 2 enabled
- Administrative credentials
- Switched network (optional; but recommended if deploying to Macs on network)
- Mobile Device Management server (optional; but recommended if deploying to Macs off network)
- Internet access (optional; but recommended if deploying to Macs remotely)
Enabling full Hibernation (not hybrid sleep)
1. Launch Terminal.
2. Enter the following command to view current settings:
pmset -g | grep -e 'hibernatemode'
3. The output will display the current mode of hibernation. Since macOS has multiple types, we need to verify that the right one is set. A value of 25 is what is required. To set it, enter the command below:
sudo pmset 'hibernatemode' 25
4. With the correct hibernation mode set, whenever the device is put to sleep, the contents of the RAM will be dumped to the system drive and cleared from memory, allowing the system to enter a “no power” mode. When the device wakes from sleep, it will import the contents of the file to RAM to resume its previous state.
Configuring FileVault key deletion on hibernate
1. In Terminal, enter the following command to delete the FV key from RAM:
sudo pmset destroyfvkeyonstandby 1
Once enabled, the setting is set to True and will prevent the FileVault key from being stored in memory. By doing so, maintenance wakes and Apple’s Power Nap feature will also be disabled in accordance with the new configuration. Please keep this in mind when choosing to lockdown this security setting.
If it is necessary to roll back these settings, simply execute the following command to reset the power settings back to their default status and undo the security settings. A list of the hibernation settings and their meanings is listed below the command:
sudo pmset 'hibernatemode' 3
Hibernate mode settings
- 0 = RAM powered while sleeping.
- 3 = RAM powered and written to disk.
- 25 = RAM contents written to disk and not powered.