Re: [Fed-Talk] Laptop encryption
- Subject: Re: [Fed-Talk] Laptop encryption
- From: "Trouton, Rich R" <email@hidden>
- Date: Mon, 28 Nov 2011 21:12:43 +0000
- Thread-topic: [Fed-Talk] Laptop encryption
Yup, FileVault 2 is not FIPS 140-2 validated at this time.
Why?
-------
In 10.7, Apple has shifted its low-level cryptologic foundation from Common Data Security Architecture (CDSA) to a new overall crypto framework for iOS and Lion named Common Crypto. The FIPS 140-2 validation applies only to CDSA.
Common Crypto is going into the validation process. However, it will be validated first for iOS and will then be validated for Lion. (The idea being that they can re-use a lot of the iOS validation testing when they go for the Lion validation.)
CDSA is still in Lion as a deprecated crypto framework, but FileVault 2 is using Common Crypto for its cryptographic foundation.
How all of this applies to FileVault
-----------------------------------------------
FileVault in 10.6 - FIPS 140-2 validated, but not whole disk encryption.
FileVault 2 in 10.7 - Whole partition encryption, but not FIPS 140-2 validated.
Thanks,
Rich
On Nov 28, 2011, at 3:46 PM, Peter Thoenen wrote:
>> Ben: As far as I am aware, File Vault under OS X 10.7 does meet the
>> standards. We are treating it that way at NASA.
>>
>> It is full disk encryption and is FIPS 140-2 validated according to:
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
>> (#1514)
>
> IIRC there was an earlier discussion on this list where 10.6 was validated but
> not 10.7
>
> http://lists.apple.com/archives/fed-talk/2011/Jul/msg00084.html with the
> relevant information, it appears, at:
> https://devforums.apple.com/message/452033 (I don't have access to this)
>
> if you look at FIPS cert 1514, you will see it only covers 10.6 and also only
> in single user mode (not sure who even runs single user mode in an enterprise,
> we aren't).
>
> I believe this is the problem Ben alluded to.
>
> V/r,
>
> -Peter
---
Rich Trouton
email@hidden
JFRC Help Desk
phone: x4030
email: email@hidden
The best way to get in touch with me is through email.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden