Apple FileVault 2: Tips for IT pros (free PDF)
Apple’s FileVault 2 offers whole disk encryption that’s simple to implement and seamless to the user. This ebook explains the basics, then dives into the process of recovering encrypted data and automating deployment and configuration.
From the ebook:
Apple’s FileVault 2 encrypts the entire disk so all data contained therein (regardless of the number of users it’s shared with) is essentially scrambled to everyone except those who have the credentials to unlock the disk, decrypting the data. By design, FileVault grants this authorization only to the account that enables this feature; others can be added to the enabled list later.
This implementation gives the primary user (i.e., the user who enables FileVault initially) greater control, permitting them to unlock the disk, decrypt data, and even remove FileVault altogether. The primary user will also receive the personal recovery key; if access to the account is lost, they can unlock the disk to restore access to the data.
A caveat: All of this rests on a single user, typically with no centralized management of which users are allowed to unlock the disk. IT may or may not have access to the device for management and, worse, has no method of accounting for the recovery keys generated for each device in the organization.
Fortunately, Apple has included a command-line method to essentially have your cake and eat it too: it allows management of recovery keys and of the user accounts permitted to unlock the disks, and it lets you manage the devices on an ongoing basis without compromising user data or its confidentiality. Here are three ways to automate a FileVault deployment, including slight tweaks to better suit the needs of your organization.
- Administrative Mac computer or server with macOS Yosemite or later installed
- Client Mac computer(s) with macOS Yosemite or later installed
- Administrative credentials
- Switched network (optional, though highly recommended if deploying over the network)
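The command-line method the excerpt refers to is assumed here to be macOS's fdesetup (the ebook excerpt does not name it). As an added example that is not from the ebook, this POSIX shell script builds the input plist fdesetup reads from stdin, so the enabling credentials never appear on the command line or in a file on disk, and it checks the format of the personal recovery key before it is escrowed; user names and passwords are constructed samples.

```shell
#!/bin/sh
# Added example, not from the ebook. Builds the input plist that macOS's
# fdesetup reads from stdin, so the enabling user's password is never put on
# the command line (where `ps` or shell history could expose it) and never
# written to disk. User names and passwords below are constructed samples.

# Escape the characters that would break the plist's XML.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# build_fdesetup_plist ENABLE_USER ENABLE_PASS [EXTRA_USER EXTRA_PASS ...]
# The first account enables FileVault; each extra pair is added to the list
# of accounts allowed to unlock the disk (fdesetup's AdditionalUsers array).
build_fdesetup_plist() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0">' '<dict>' \
        "<key>Username</key><string>$(xml_escape "$1")</string>" \
        "<key>Password</key><string>$(xml_escape "$2")</string>"
    shift 2
    if [ $# -ge 2 ]; then
        printf '%s\n' '<key>AdditionalUsers</key>' '<array>'
        while [ $# -ge 2 ]; do
            printf '%s\n' '<dict>' \
                "<key>Username</key><string>$(xml_escape "$1")</string>" \
                "<key>Password</key><string>$(xml_escape "$2")</string>" \
                '</dict>'
            shift 2
        done
        printf '%s\n' '</array>'
    fi
    printf '%s\n' '</dict>' '</plist>'
}
# Number of accounts a generated plist (on stdin) authorizes to unlock the disk.
count_plist_users() {
    grep -c '<key>Username</key>'
}

# A personal recovery key is six groups of four characters, e.g.
# XXXX-XXXX-XXXX-XXXX-XXXX-XXXX; reject anything else before escrowing it.
is_personal_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# On a client Mac: pipe the plist straight into fdesetup (stdin, no temp file)
# and record the returned personal recovery key with your escrow process.
enable_filevault() {
    build_fdesetup_plist "$@" | fdesetup enable -inputplist -outputplist
}
```

Run `enable_filevault` as root on the client; the plist it returns contains the personal recovery key, which is the value your organization must escrow per device.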