Monday, September 3, 2012

FileVault2 destroyfvkeyonstandby

In their FileVault 2 documentation, Apple describes the destroyfvkeyonstandby setting:
...the FileVault key is stored in EFI to transparently come out of standby mode. Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode.
To destroy the FileVault key on standby:
# pmset destroyfvkeyonstandby 1
And check the setting with:
# pmset -g
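The two commands above are all the post gives; what a fleet admin usually wants next is a way to confirm the setting without eyeballing the whole of pmset -g. The script below is an added example (not from the original post or from Apple) that parses pmset -g style output and reports whether DestroyFVKeyOnStandby is 1. The two sample outputs are constructed to look like pmset -g on a FileVault Mac; on a real Mac you pipe the live pmset -g into the same function.

```shell
#!/bin/sh
# Added example (not from the original post): audit DestroyFVKeyOnStandby
# by parsing `pmset -g` output, the way a compliance check would.
# The SAMPLE_* texts are constructed to resemble `pmset -g`; the live
# check is `pmset -g | fv_key_destroyed_on_standby`.

# fv_key_destroyed_on_standby: read pmset -g style text on stdin, print the
# value found ("absent" if the line is missing, which is what an unset
# default looks like) and return 0 only when DestroyFVKeyOnStandby is 1.
fv_key_destroyed_on_standby() {
    # match case-insensitively: the setting is typed in lower case but
    # pmset -g prints it as DestroyFVKeyOnStandby
    value=$(awk 'tolower($1) == "destroyfvkeyonstandby" { print $2; exit }')
    printf '%s\n' "${value:-absent}"
    [ "$value" = "1" ]
}

# Constructed sample: key destruction on standby enabled
SAMPLE_ENABLED='System-wide power settings:
Currently in use:
 standbydelay         10800
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 DestroyFVKeyOnStandby 1
 sleep                10'

# Constructed sample: default, the setting never applied
SAMPLE_DISABLED='System-wide power settings:
Currently in use:
 standbydelay         10800
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 sleep                10'

# audit_sample NAME TEXT: print a one-line verdict and the fix to apply.
audit_sample() {
    if printf '%s\n' "$2" | fv_key_destroyed_on_standby >/dev/null; then
        echo "$1: OK (FileVault key is destroyed on standby)"
        return 0
    else
        echo "$1: NOT SET (fix: sudo pmset -a destroyfvkeyonstandby 1)"
        return 1
    fi
}

# Live check when run on a Mac; the samples run everywhere.
if [ "$(uname)" = "Darwin" ] && command -v pmset >/dev/null 2>&1; then
    audit_sample "this machine" "$(pmset -g)" || :
fi
audit_sample "sample_enabled" "$SAMPLE_ENABLED" || :
audit_sample "sample_disabled" "$SAMPLE_DISABLED" || :
```

The function treats a missing line the same as a 0, so a Mac whose pmset output predates or never had the key is reported as not set rather than silently passing.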
