CAUTIONS
- Be sure to back up your data before encrypting any of it during the pilot. We expect to encounter some problems where a misplaced certificate or lost password will result in the data being lost forever. The goal of the pilot is to evaluate the products and processes, not protect or destroy your data.
- Be sure to set a Master Password in case you forget the user password. FileVault uses a decryption key stored in the user's keychain, which becomes inaccessible if the password is force reset. The only way to recover the encrypted data if the user's password is reset is if you have already established a Master Password for the system and remember it.
- Allow plenty of time the first time. Encrypting large pieces of data will take time. As it depends on your hardware and data size, we don't have any guidelines as of yet. By the end of the first phase, we hope to have general guidelines for how long the initial setup takes.
- Remember that FileVault does not protect data shared across the network or from network-based attacks. Be sure to use secure methods to transfer files, like SFTP.
- Disable Automatic login. Automatic login unlocks the files when the machine is booted, so even though the files are encrypted when the system is powered off, all a thief has to do to access them is power on the system.
- Require password to wake this computer from sleep or screen saver. Most laptops are rarely powered off completely, but live in a suspended state. Also, you want to protect your data if you walk away from the machine for a period of time, so enable a screen saver and require a password to access the machine upon returning.
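The three settings these cautions depend on (Master Password set, Automatic login off, password required on wake) can be checked from Terminal before FileVault is turned on. This is an added example, not part of the original page; the preference keys and the keychain path are assumptions about where Mac OS X stores these settings, and they vary by release.

```shell
#!/bin/sh
# Added example: audit the settings the cautions above depend on.
# Assumed locations (they vary by Mac OS X release):
#   autoLoginUser   in /Library/Preferences/com.apple.loginwindow
#   askForPassword  in com.apple.screensaver (per-host or per-user)
#   Master Password keychain at /Library/Keychains/FileVaultMaster.keychain

MASTER_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"

# evaluate_settings AUTOLOGIN_USER ASK_FOR_PASSWORD MASTER_KEYCHAIN_PATH
# Prints one line per finding and returns the number of findings (0 = OK).
evaluate_settings() {
    findings=0
    if [ -n "$1" ]; then
        echo "FAIL: Automatic login is enabled for '$1'"
        findings=$((findings + 1))
    fi
    if [ "$2" != "1" ]; then
        echo "FAIL: no password required to wake from sleep or screen saver"
        findings=$((findings + 1))
    fi
    if [ ! -f "$3" ]; then
        echo "FAIL: no Master Password keychain at $3"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Collect live values only on a Mac, where the defaults tool exists.
if command -v defaults >/dev/null 2>&1; then
    # An unset key makes defaults exit non-zero; treat that as "empty".
    autologin=$(defaults read /Library/Preferences/com.apple.loginwindow \
        autoLoginUser 2>/dev/null || true)
    ask=$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null ||
          defaults read com.apple.screensaver askForPassword 2>/dev/null || true)
    evaluate_settings "$autologin" "$ask" "$MASTER_KEYCHAIN" &&
        echo "OK: all three checks passed"
fi
```

Run it as the user whose home folder will be encrypted, since the screen saver setting is per-user.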
Steps to enable FileVault
- Go to System Preferences.
- Click on Security - it has a picture of a house with a padlock knob on it.
- Set a Master Password by clicking on the button to do so. If you already have one set, make sure you know what it is.
- To turn on FileVault, click on the button labelled Turn On FileVault...
- Click OK.
- Click OK again.
- Select the desired behavior, most likely, Apply changes to this folder, subfolders and files.
- Click OK.
- After some time, the folder name (or file name) should turn green, indicating that it is encrypted.
To add a Data Recovery Agent:
- Open the Local Security Settings control panel as an Administrator.
- Expand Public Key Policies.
- Select Encrypting File System.
- Right click in the blank window on the right and select Add Data Recovery Agent.
- need .cer file for users... (need to figure this out)
- To be continued (Jon will work with Jeff on creating a recovery agent certificate to test with after Jeff returns from IETF)