Mac Disk Utility Encryption - Security review?


wotsits
Senior Member
 

Mac Disk Utility Encryption - Security review?

Post Posted: Apr 09, 19 21:12

macOS offers its own native encryption like Windows BitLocker does. You have the option in Mac to encrypt external drives and containers using AES-128 or AES-256.

I'm looking for some kind of review into the security and effectiveness if I were to use this for some enterprise purpose?
I do recall a major security problem not long ago where the password could be extracted in plain text!  
 
  

C.R.S.
Senior Member
 

Re: Mac Disk Utility Encryption - Security review?

Post Posted: Apr 09, 19 22:43

FileVault and Mac hardware are not suitable for enterprise use due to their lack of support for cryptographic hardware to withhold keys from the (unprivileged) users.
At least equally important as protection in the event of losing a device is to enforce user separation and rights.  
 
  

wotsits
Senior Member
 

Re: Mac Disk Utility Encryption - Security review?

Post Posted: Apr 10, 19 15:21

C.R.S. wrote:
> FileVault and Mac hardware are not suitable for enterprise use due to their lack of support for cryptographic hardware to withhold keys from the (unprivileged) users.
> At least equally important as protection in the event of losing a device is to enforce user separation and rights.


Thanks for this.

To be clear, are you talking about the ability of users to reset encryption keys using iCloud as an option (this can be disabled), or do you mean the inability to test whether Apple has any 'backdoors' in their encryption?

Since FileVault and BitLocker are not suitable for enterprise, is FOSS the only option?  
 
  

C.R.S.
Senior Member
 

Re: Mac Disk Utility Encryption - Security review?

Post Posted: Apr 10, 19 20:51

wotsits wrote:
> To be clear, are you talking about the ability of users to reset encryption keys using iCloud as an option (this can be disabled)


I am not aware of the detailed options there, but the general problem in an enterprise environment is: your end user is a non-admin and should stay so. Therefore, you prevent offline access to the application files and operating system by encrypting the device. But this is useless if you hand over the encryption keys to the end user. You need a key storage device from which the keys cannot be extracted easily. Of course, a knowledge element is also required to protect against data extraction from a stolen device. The typical configuration is BitLocker with TPM+Startup PIN.

wotsits wrote:
> Since FileVault and BitLocker are not suitable for enterprise, is FOSS the only option?


BitLocker is suitable in this respect; it is even the only commercial solution that I am aware of which tackles this problem.
There are also third-party solutions that support smart cards, which would be sufficient if their pre-boot environment performed some sort of hardware attestation and boot code verification against the crypto device - but AFAIK they don't. There surely are/were some open-source projects for TPM support, but they die relatively quickly, because the community isn't keen on solving enterprise issues and enterprises use BitLocker.

Whether you trust a TPM or closed-source software is another debate. The theory behind open- vs. closed-source is fought out by forum warriors in the security community ever since, with an easy win for open-source. However, I have yet to see a single client infrastructure whose effective security was improved by moving it to open-source. In practice, this means sacrificing a substantial share of all crucial security functions. Some actors, like governments and banks, are willing to provide the resources for their implementation, but they mostly keep the code for themselves and most of these projects are gradual failures, too.
 
  

wotsits
Senior Member
 

Re: Mac Disk Utility Encryption - Security review?

Post Posted: Apr 10, 19 23:22

Thanks for your information.  
 
