FileVault Encryption Management on macOS
Manage FileVault disk encryption across your MacFleet deployment with comprehensive monitoring, compliance reporting, and automated encryption management. This tutorial provides enterprise-grade solutions for maintaining data security through disk encryption.
Understanding FileVault Encryption
FileVault is Apple's full-disk encryption technology that protects data at rest on macOS devices:
- Full Disk Encryption - Encrypts entire startup disk
- XTS-AES-128 encryption algorithm with 256-bit key
- Hardware acceleration on supported Mac devices
- Recovery key management for enterprise deployment
- Compliance requirements for data protection standards
Basic Encryption Status Monitoring
Check FileVault Status
#!/bin/bash
# Check current FileVault encryption status
sudo fdesetup status
echo "FileVault status check completed"Verify Encryption State
#!/bin/bash
# Get detailed encryption information
echo "=== FileVault Status ==="
status=$(sudo fdesetup status)
echo "$status"
# Parse status for automation
if echo "$status" | grep -q "FileVault is On"; then
echo "✅ Encryption: ENABLED"
exit 0
elif echo "$status" | grep -q "FileVault is Off"; then
echo "❌ Encryption: DISABLED"
exit 1
else
echo "⚠️ Encryption: UNKNOWN STATE"
exit 2
fiEncryption Progress Monitoring
macOS 10.11 and 10.12 (Core Storage)
#!/bin/bash
# Monitor encryption/decryption progress for older macOS versions
echo "=== Core Storage Encryption Progress ==="
progress=$(diskutil cs list | grep "Conversion Progress")
if [[ -n "$progress" ]]; then
echo "Encryption in progress:"
echo "$progress"
else
echo "No encryption/decryption operation in progress"
fimacOS 10.13+ (APFS)
#!/bin/bash
# Monitor encryption progress for APFS (macOS 10.13+)
echo "=== APFS Encryption Progress ==="
# Check encryption progress
enc_progress=$(diskutil apfs list | grep "Encryption Progress")
if [[ -n "$enc_progress" ]]; then
echo "Encryption in progress:"
echo "$enc_progress"
fi
# Check decryption progress
dec_progress=$(diskutil apfs list | grep "Decryption Progress")
if [[ -n "$dec_progress" ]]; then
echo "Decryption in progress:"
echo "$dec_progress"
fi
if [[ -z "$enc_progress" && -z "$dec_progress" ]]; then
echo "No encryption/decryption operation in progress"
fiUniversal Progress Monitor
#!/bin/bash
# Universal encryption progress monitor
check_encryption_progress() {
local macos_version
macos_version=$(sw_vers -productVersion | cut -d. -f1-2)
echo "=== Encryption Progress Monitor ==="
echo "macOS Version: $macos_version"
case "$macos_version" in
"10.11"|"10.12")
echo "Using Core Storage monitoring..."
diskutil cs list | grep "Conversion Progress" || echo "No progress detected"
;;
*)
echo "Using APFS monitoring..."
local enc_progress dec_progress
enc_progress=$(diskutil apfs list | grep "Encryption Progress")
dec_progress=$(diskutil apfs list | grep "Decryption Progress")
if [[ -n "$enc_progress" ]]; then
echo "Encryption: $enc_progress"
elif [[ -n "$dec_progress" ]]; then
echo "Decryption: $dec_progress"
else
echo "No encryption/decryption operation in progress"
fi
;;
esac
}
check_encryption_progressAdvanced Enterprise Management
Comprehensive Encryption Audit
#!/bin/bash
# MacFleet FileVault Enterprise Audit Tool
# Comprehensive encryption status and compliance checking
# Configuration
LOG_FILE="/var/log/macfleet_encryption.log"
REPORT_DIR="/var/log/macfleet_reports"
CONFIG_FILE="/etc/macfleet/encryption_policy.conf"
# Create directories if they don't exist
mkdir -p "$(dirname "$LOG_FILE")" "$REPORT_DIR" "$(dirname "$CONFIG_FILE")"
# Default configuration
cat > "$CONFIG_FILE" 2>/dev/null << 'EOF' || true
# MacFleet Encryption Policy Configuration
REQUIRE_FILEVAULT=true
ALERT_ON_DISABLED=true
MONITOR_PROGRESS=true
COMPLIANCE_REPORTING=true
AUTO_REMEDIATION=false
NOTIFICATION_EMAIL=""
EOF
# Source configuration
source "$CONFIG_FILE" 2>/dev/null || true
# Logging function
log_action() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}
# Get system information
get_system_info() {
echo "=== System Information ==="
echo "Hostname: $(hostname)"
echo "macOS Version: $(sw_vers -productVersion)"
echo "Build: $(sw_vers -buildVersion)"
echo "Hardware: $(system_profiler SPHardwareDataType | grep "Model Name" | awk -F: '{print $2}' | xargs)"
echo "Serial: $(system_profiler SPHardwareDataType | grep "Serial Number" | awk -F: '{print $2}' | xargs)"
echo "Audit Date: $(date)"
echo ""
}
# Check FileVault status
check_filevault_status() {
echo "=== FileVault Status Analysis ==="
local status
status=$(sudo fdesetup status 2>/dev/null)
if echo "$status" | grep -q "FileVault is On"; then
echo "✅ FileVault Status: ENABLED"
log_action "FileVault encryption is properly enabled"
# Get enabled users
local enabled_users
enabled_users=$(sudo fdesetup list 2>/dev/null)
if [[ -n "$enabled_users" ]]; then
echo "Enabled Users:"
echo "$enabled_users"
fi
return 0
elif echo "$status" | grep -q "FileVault is Off"; then
echo "❌ FileVault Status: DISABLED"
log_action "SECURITY ALERT: FileVault encryption is disabled"
if [[ "$ALERT_ON_DISABLED" == "true" ]]; then
echo "⚠️ COMPLIANCE VIOLATION: Encryption required by policy"
fi
return 1
else
echo "⚠️ FileVault Status: UNKNOWN"
log_action "WARNING: Cannot determine FileVault status"
return 2
fi
}
# Check encryption progress
check_encryption_progress() {
echo "=== Encryption Progress ==="
local macos_version
macos_version=$(sw_vers -productVersion | cut -d. -f1-2)
case "$macos_version" in
"10.11"|"10.12")
local cs_progress
cs_progress=$(diskutil cs list | grep "Conversion Progress")
if [[ -n "$cs_progress" ]]; then
echo "Core Storage Progress: $cs_progress"
log_action "Encryption/Decryption in progress: $cs_progress"
else
echo "No Core Storage conversion in progress"
fi
;;
*)
local enc_progress dec_progress
enc_progress=$(diskutil apfs list | grep "Encryption Progress")
dec_progress=$(diskutil apfs list | grep "Decryption Progress")
if [[ -n "$enc_progress" ]]; then
echo "APFS Encryption Progress: $enc_progress"
log_action "APFS encryption in progress: $enc_progress"
elif [[ -n "$dec_progress" ]]; then
echo "APFS Decryption Progress: $dec_progress"
log_action "APFS decryption in progress: $dec_progress"
else
echo "No APFS encryption/decryption in progress"
fi
;;
esac
}
# Check disk information
check_disk_info() {
echo "=== Disk Information ==="
# Boot disk info
local boot_disk
boot_disk=$(diskutil info / | grep "Device Node" | awk '{print $3}')
echo "Boot Disk: $boot_disk"
# Disk size and usage
echo "Disk Usage:"
df -h /
# APFS information (macOS 10.13+)
if command -v diskutil >/dev/null && diskutil apfs list >/dev/null 2>&1; then
echo -e "\nAPFS Container Info:"
diskutil apfs list | grep -E "(Container|Volume|Encryption)"
fi
}
# Generate compliance report
generate_compliance_report() {
local report_file="$REPORT_DIR/encryption_compliance_$(date +%Y%m%d_%H%M%S).json"
echo "=== Generating Compliance Report ==="
# Get FileVault status
local filevault_enabled=false
local status_detail=""
if sudo fdesetup status 2>/dev/null | grep -q "FileVault is On"; then
filevault_enabled=true
status_detail="enabled"
else
status_detail="disabled"
fi
# Create JSON report
cat > "$report_file" << EOF
{
"report_type": "encryption_compliance",
"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"hostname": "$(hostname)",
"serial_number": "$(system_profiler SPHardwareDataType | grep "Serial Number" | awk -F: '{print $2}' | xargs)",
"macos_version": "$(sw_vers -productVersion)",
"encryption": {
"filevault_enabled": $filevault_enabled,
"status_detail": "$status_detail",
"compliance_status": "$([ "$filevault_enabled" == "true" ] && echo "compliant" || echo "non_compliant")",
"policy_required": $REQUIRE_FILEVAULT
},
"disk_info": {
"boot_disk": "$(diskutil info / | grep "Device Node" | awk '{print $3}')",
"file_system": "$(diskutil info / | grep "File System" | awk -F: '{print $2}' | xargs)"
},
"audit_details": {
"audit_date": "$(date)",
"policy_version": "1.0",
"remediation_required": $([ "$filevault_enabled" != "true" ] && echo "true" || echo "false")
}
}
EOF
echo "Compliance report saved to: $report_file"
log_action "Compliance report generated: $report_file"
}
# Remediation actions
perform_remediation() {
echo "=== Automated Remediation ==="
if [[ "$AUTO_REMEDIATION" != "true" ]]; then
echo "Auto-remediation disabled in policy"
return 0
fi
# Check if FileVault is disabled
if ! sudo fdesetup status 2>/dev/null | grep -q "FileVault is On"; then
echo "⚠️ FileVault is disabled - remediation required"
log_action "REMEDIATION: FileVault encryption is disabled"
echo "Manual remediation steps:"
echo "1. Open System Preferences > Security & Privacy"
echo "2. Click the FileVault tab"
echo "3. Click Turn On FileVault"
echo "4. Follow the setup wizard"
echo ""
echo "Or use MDM to enforce FileVault encryption policy"
# Create remediation ticket (placeholder)
echo "Creating remediation ticket for device: $(hostname)"
fi
}
# Main audit function
main() {
log_action "=== MacFleet FileVault Audit Started ==="
get_system_info
check_filevault_status
local filevault_status=$?
echo ""
check_encryption_progress
echo ""
check_disk_info
echo ""
if [[ "$COMPLIANCE_REPORTING" == "true" ]]; then
generate_compliance_report
echo ""
fi
if [[ $filevault_status -ne 0 ]]; then
perform_remediation
fi
log_action "=== FileVault audit completed with status: $filevault_status ==="
return $filevault_status
}
# Execute main function
main "$@"Enterprise Policy Management
Policy Configuration Template
#!/bin/bash
# Create comprehensive encryption policy
cat > /etc/macfleet/encryption_policy.conf << 'EOF'
# MacFleet Enterprise Encryption Policy
# Version: 2.0
# Core Requirements
REQUIRE_FILEVAULT=true
ENFORCE_IMMEDIATE_ENCRYPTION=true
ALLOW_PERSONAL_RECOVERY_KEY=false
REQUIRE_INSTITUTIONAL_RECOVERY_KEY=true
# Monitoring Configuration
ALERT_ON_DISABLED=true
MONITOR_PROGRESS=true
PROGRESS_CHECK_INTERVAL=3600 # seconds
COMPLIANCE_REPORTING=true
AUDIT_FREQUENCY=86400 # daily
# Remediation Settings
AUTO_REMEDIATION=false
ESCALATION_THRESHOLD=72 # hours
NOTIFICATION_EMAIL="security@company.com"
HELP_DESK_CONTACT="+1-555-0123"
# Security Policies
MIN_RECOVERY_KEY_LENGTH=24
RECOVERY_KEY_ROTATION_DAYS=90
ENCRYPTION_ALGORITHM="XTS-AES-128"
# Compliance Standards
COMPLIANCE_FRAMEWORKS="SOC2,HIPAA,PCI-DSS"
DATA_CLASSIFICATION_REQUIRED=true
AUDIT_TRAIL_RETENTION_DAYS=2555 # 7 years
EOF
echo "Enterprise encryption policy configured"Recovery Key Management
#!/bin/bash
# Enterprise recovery key management
manage_recovery_keys() {
echo "=== Recovery Key Management ==="
# Check if institutional recovery key is set
local has_institutional_key=false
if sudo fdesetup list 2>/dev/null | grep -q "institutional"; then
has_institutional_key=true
echo "✅ Institutional recovery key configured"
else
echo "❌ No institutional recovery key found"
fi
# Validate recovery key
if [[ "$has_institutional_key" == "true" ]]; then
echo "Recovery key validation:"
sudo fdesetup validaterecovery 2>/dev/null && echo "✅ Recovery key valid" || echo "❌ Recovery key invalid"
fi
# Escrow recovery key (MDM integration)
echo "Recovery key escrow status:"
if system_profiler SPConfigurationProfileDataType | grep -q "FDERecoveryKeyEscrow"; then
echo "✅ Recovery key escrowed to MDM"
else
echo "⚠️ Recovery key not escrowed"
fi
}
manage_recovery_keysMonitoring and Alerting
Continuous Monitoring Script
#!/bin/bash
# Continuous FileVault monitoring daemon
DAEMON_NAME="macfleet-encryption-monitor"
PID_FILE="/var/run/${DAEMON_NAME}.pid"
CHECK_INTERVAL=300 # 5 minutes
# Daemon functions
start_monitoring() {
if [[ -f "$PID_FILE" ]]; then
echo "Monitoring daemon already running (PID: $(cat "$PID_FILE"))"
return 1
fi
echo "Starting FileVault monitoring daemon..."
# Background monitoring loop
(
while true; do
# Quick status check
if ! sudo fdesetup status 2>/dev/null | grep -q "FileVault is On"; then
logger -t "$DAEMON_NAME" "ALERT: FileVault encryption disabled on $(hostname)"
# Send notification (customize for your environment)
osascript -e 'display notification "FileVault encryption is disabled!" with title "MacFleet Security Alert"' 2>/dev/null || true
fi
sleep "$CHECK_INTERVAL"
done
) &
echo $! > "$PID_FILE"
echo "Monitoring daemon started (PID: $!)"
}
stop_monitoring() {
if [[ -f "$PID_FILE" ]]; then
local pid
pid=$(cat "$PID_FILE")
kill "$pid" 2>/dev/null
rm -f "$PID_FILE"
echo "Monitoring daemon stopped"
else
echo "Monitoring daemon not running"
fi
}
# Execute based on argument
case "${1:-start}" in
start)
start_monitoring
;;
stop)
stop_monitoring
;;
restart)
stop_monitoring
sleep 2
start_monitoring
;;
status)
if [[ -f "$PID_FILE" ]]; then
echo "Monitoring daemon running (PID: $(cat "$PID_FILE"))"
else
echo "Monitoring daemon not running"
fi
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esacImportant Security Notes
FileVault Best Practices
- Enable before deployment - Encrypt devices before user deployment
- Escrow recovery keys - Use MDM for centralized key management
- Regular key rotation - Rotate institutional recovery keys periodically
- Monitor compliance - Continuous monitoring for policy violations
- Test recovery procedures - Regularly test key recovery processes
Enterprise Considerations
- Performance impact - Minimal on modern Mac hardware with T2/Apple Silicon
- Initial encryption time - Can take several hours for large drives
- Recovery planning - Ensure recovery key availability for support
- User training - Educate users on encryption benefits and recovery
- Compliance reporting - Regular audits for regulatory requirements
Apple Silicon Considerations
- Hardware acceleration - Optimized encryption performance
- Secure Enclave - Enhanced key protection
- Progress monitoring limitations - Some monitoring tools may not work
- Boot security - Additional security features beyond FileVault
Remember to test these scripts thoroughly in your environment before deploying to production devices.
