I've been asked to look into encrypting the data on users' laptops to
minimize the damage done by a lost or stolen laptop. The first thing that
comes to mind is FileVault, which seems like it could be adequate. Has anyone
used this in large deployments? Are there any other solutions for automatic
data encryption on Macs?
I would use FileVault only if the requirements insisted on it. It
works and all that, but it puts all your files together --
everything from your web cache and bookmarks to your highly secret
documents -- into one encrypted stream. So you need to have your
'secret' stuff open the whole time you're logged in. So you tend
to be casual about how secure you keep it.
The way I've done it for a few people around here is to make them
an encrypted sparse disk image where they keep all the secret
stuff. They can log in and use a web browser without needing to
mount the image. When they switch to working on the security
stuff, they mount the image, do all the stuff they need to, then
unmount it again. This has the added advantage that you can
backup /all/ your secure materials in one go -- just copy the disk
image -- and the backup is automatically secure.
Since FileVault is really just a way of putting your entire home
folder into a disk image, the crackability of the two methods is
identical, and Apple's standards meet or exceed the requirements of
the US, UK and EU.
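The encrypted sparse image workflow described above (create, mount while working, unmount, back up by copying the image file), as an added example that is not part of the original post. It assumes macOS with hdiutil; the image path and volume name are placeholders.

```shell
#!/bin/sh
# Added example: per-user encrypted sparse disk image managed with hdiutil.
# Placeholders: image location and volume name are assumptions, override via env.
IMAGE="${SECURE_IMAGE:-$HOME/Secure.sparseimage}"
VOLNAME="${SECURE_VOLNAME:-Secure}"

# Create an AES-256 encrypted sparse image. -stdinpass takes the passphrase on
# stdin, so feed it with printf '%s' (no trailing newline, which would otherwise
# become part of the passphrase) rather than putting it on the command line.
secure_image_create() {
    size="${1:-}"
    [ -n "$size" ] || { echo "usage: secure_image_create <size, e.g. 2g>" >&2; return 2; }
    [ ! -e "$IMAGE" ] || { echo "refusing to overwrite $IMAGE" >&2; return 1; }
    hdiutil create -size "$size" -type SPARSE -encryption AES-256 \
        -fs HFS+J -volname "$VOLNAME" -stdinpass "$IMAGE"
}

# Mount only while working on the sensitive material; -nobrowse keeps the
# volume out of Finder sidebars. Passphrase is again read from stdin.
secure_image_mount() {
    hdiutil attach -nobrowse -stdinpass "$IMAGE"
}

# Unmount when done. -force is deliberately omitted so open files are reported
# instead of being cut off mid-write.
secure_image_unmount() {
    hdiutil detach "/Volumes/$VOLNAME"
}

# Backup is a plain copy of the still-encrypted image file, as the post says.
# Refuse while the volume is mounted so the copy is consistent.
secure_image_backup() {
    dest="${1:-}"
    [ -n "$dest" ] || { echo "usage: secure_image_backup <dest-dir>" >&2; return 2; }
    [ ! -d "/Volumes/$VOLNAME" ] || { echo "unmount $VOLNAME before backing up" >&2; return 1; }
    cp -p "$IMAGE" "$dest/$(basename "$IMAGE").$(date +%Y%m%d)"
}

# Dispatcher: secure-image.sh create 2g | mount | unmount | backup /Volumes/Backup
case "${1:-}" in
    create)  secure_image_create "${2:-}" ;;
    mount)   secure_image_mount ;;
    unmount) secure_image_unmount ;;
    backup)  secure_image_backup "${2:-}" ;;
esac
```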
Something else to consider with encrypted dmg files is that the user
is the only one who will have the password to open this file. You'll want
something that lines up with your corporate policy.
There are also some FileVault best practices that can be used when
deploying the same Master Password/FileVault Master decryption key.
The Master password and FileVault encryption key are here:
/Library/Keychains/FileVaultMaster.keychain
If you are deploying imaged systems, there is no need to have the
decryption key deployed on every machine in the field. I would
suggest creating a FileVaultMaster.keychain file that contains the
certificate and the private key and copying that to a USB flash drive
and putting it in a secure location (i.e. a safe or vault). Then, now
that you have a copy of the key, delete the private key only from the
FileVaultMaster.keychain. This will allow you to have the same
encryption on the drives but since you need the private key to unlock
the file, only you have access to the private key necessary to do so.
Keep in mind that even if you use the same master password on every
system, each certificate and keychain pair is uniquely generated when
the Master Password is created. The way to work within those lines
would be to copy the same file above to every system that you manage.
However, any systems that currently have FileVault enabled will be
already set to use the existing FileVault key. If you need to rotate
these with this new global filevaultmaster, you'll need to
unFileVault the account and reFileVault the account.
Client-management mailing list (email@hidden)