If you use a centralized management service like Casper, I think you can update that institutional key via policy all at once. Also, I think with the institutional key, only one half of the key pair is added to the keychain. If your IT security / incident response team / whatever maintains the other half of the key pair offline, then you should significantly reduce the risk of compromise.
--
Walter Rowe, Application Hosting
Infrastructure Services / OISM / NIST
US Department of Commerce
Email: email@hidden
Office: 301.975.2885
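The posture Walter describes (FileVault on, an institutional recovery key present, and per-device personal keys escrowed alongside it) is something a fleet admin will want to verify rather than assume. The script below is an added example, not code from the thread or from any agency; it assumes the fdesetup subcommands `status`, `hasinstitutionalrecoverykey` and `haspersonalrecoverykey`, and the compliance labels it prints are a constructed example policy, not NIST 800-53 text. The classification is kept in a function that takes the command output as arguments, so it can be exercised off a Mac with constructed values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit one Mac's
# FileVault 2 recovery-key posture. Assumes fdesetup's `status`,
# `hasinstitutionalrecoverykey` and `haspersonalrecoverykey` subcommands.
# The policy labels below are a constructed example, not an agency policy.

# classify_fv STATUS_LINE HAS_IRK HAS_PRK
#   STATUS_LINE: first line of `fdesetup status`
#   HAS_IRK / HAS_PRK: "true" or "false" from the two has*recoverykey queries
# Prints one label and returns 0 (compliant) or 1 (noncompliant):
#   noncompliant:filevault-off
#   noncompliant:no-institutional-key
#   compliant:institutional-only
#   compliant:institutional-and-personal
classify_fv() {
    status_line=$1
    has_irk=$2
    has_prk=$3

    # No encryption at all: nothing else matters.
    case "$status_line" in
        *"FileVault is On"*) ;;
        *) echo "noncompliant:filevault-off"; return 1 ;;
    esac

    # The institutional key is what lets the organization unlock the
    # disk without the user; its absence is the escrow gap discussed above.
    if [ "$has_irk" != "true" ]; then
        echo "noncompliant:no-institutional-key"; return 1
    fi

    # A personal recovery key escrowed per device limits blast radius if
    # the institutional key ever has to be rotated.
    if [ "$has_prk" = "true" ]; then
        echo "compliant:institutional-and-personal"
    else
        echo "compliant:institutional-only"
    fi
    return 0
}

# Live audit of the local machine. Only meaningful on macOS, and the
# has*recoverykey queries expect to be run as root.
audit_local_mac() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; this is not a Mac" >&2
        return 2
    fi
    st=$(fdesetup status 2>/dev/null | head -n 1)
    irk=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)
    prk=$(fdesetup haspersonalrecoverykey 2>/dev/null)
    classify_fv "$st" "$irk" "$prk"
}

# Run the live audit only when asked, e.g.: sudo sh fv_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_local_mac
fi
```

Pushed out through a management tool as an extension attribute or a policy script, the printed label becomes a searchable fleet-wide field, which is exactly what you need when deciding how many devices an institutional-key rotation (done with `fdesetup changerecovery -institutional`, see fdesetup(8)) will touch.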
On Feb 25, 2016, at 1:15 PM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
Walter,
There you go spawning thoughtful discussion again.
If the organization maintains an institutional key, then I would say they do have an escrow of the key, but is that really a better approach than an escrow where each device has its own key? If that institutional key gets compromised, you now have thousands of devices to update, whereas if an individual key is compromised then only one device is potentially compromised.
Paul
--
Paul Campbell | Senior Macintosh Systems Administrator
ASRC Federal Research and Technology Solutions
NASA Ames Research Center
Moffett Field, CA 94035
email@hidden
W: 650.604.4014 | C: 408.401.9114 | F: 650.604.3323
ASRC Federal | Customer-Focused. Operationally Excellent.
On Feb 25, 2016, at 9:38 AM, Rowe, Walter <email@hidden> wrote:
Shouldn’t setting an institutional FileVault2 Master Key mitigate the key escrow issue?
--
Walter Rowe, Application Hosting
Infrastructure Services / OISM / NIST
US Department of Commerce
Email: email@hidden
Office: 301.975.2885
On Feb 25, 2016, at 12:18 PM, Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden> wrote:
NASA’s largest support contract is switching to FileVault 2 from Symantec PGP, and many of the smaller contracts have used FV2 for years. The primary hurdle as I understood it was that FV2 didn’t natively escrow a key within control of the organization, and so NASA Ames resolved that with a Cauliflower Vest server controlled by our IT Security group. I think the escrow requirement is part of NIST 800-53, which would also apply to the VA I’m guessing.
Paul
--
Paul Campbell | Senior Macintosh Systems Administrator
ASRC Federal Research and Technology Solutions
NASA Ames Research Center
Moffett Field, CA 94035
email@hidden
W: 650.604.4014 | C: 408.401.9114 | F: 650.604.3323
ASRC Federal | Customer-Focused. Operationally Excellent.
On Feb 25, 2016, at 7:50 AM, Alan Lesse <email@hidden> wrote:
Has anyone been able to use a Mac in the VA or other Federal environment with FileVault?
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list ( email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden