256bit for full disk encryption?

vanschip-gerard
Contributor

I manage the smaller macOS user base in a large WinOS organisation, and all the WinOS workstations use BitLocker set at 256-bit. I noticed that Disk Utility lets you use 256-bit encryption when making a disk image but not for a physical drive.

Anyone know if that's a hard limitation or something you can get around using Terminal? I know Apple has the knack of hiding features from the GUI.


adamcodega
Valued Contributor

FileVault 2 uses XTS-AES-128 encryption which requires a 256-bit key. You don't need to do anything out of the ordinary when enabling FileVault 2 to use a 256-bit key. [Source] Also there's a March 2018 white paper reiterating that it uses XTS-AES-128, which again requires a 256-bit key.

vanschip-gerard
Contributor

Hi @adamcodega. I know about the 256-bit key and that's not the issue for our risk team. They want me to have 256-bit drive encryption as well, and FV is 128-bit. Seeing you can encrypt a disk image at 256-bit, I was wondering if that would also be possible with the whole drive.

adamcodega
Valued Contributor

I think there's some confusion about whether FileVault 2 is 256-bit encryption. What makes them say it's not?

tlarkin
Honored Contributor

BitLocker also has around 41 payloads (why do you really need 40+ payloads for disk encryption?) of options, often has conflicts, is riddled with bugs, and if you are local admin you cannot enforce it (known bug I have open with MSFT currently), so I guess pick and choose your battles. FV2 is either on or off and it just works. BitLocker is a mess of settings and hope for the best. If the level of encryption is really a concern, I would say prove via brute-force attacks on entropy levels how much better BitLocker is.

My opinion is: can you easily enforce FDE? Can you reliably control FDE? With macOS the answer is actually yes, and it is simple, you just turn it on. More options aren't necessarily always better, they are just options. So, my personal opinion is, focus on the end result, not the spec. BitLocker is a rabbit hole of FDE; FV2, while maybe not the same spec, just really works.

vanschip-gerard
Contributor

@adamcodega AES-XTS mode of AES with 128-bit blocks and a 256-bit key - https://en.wikipedia.org/wiki/FileVault

@tlarkin The larger ITS team manages 9000 Windows machines. They have a server that manages the keys and runs audit reports. The technology standard comes from our global team, at which level we are talking about 200,000 users. I'm just the Mac guy trying to get the 70 Macs to match the Windows compliance.

Apple FileVault seems to be clear, 128-bit blocks with a 256-bit key, while the BitLocker pages I read do not separate the blocks from the key. For all I know they are the same. Thing is, I need that in writing.

vanschip-gerard
Contributor

@adamcodega I think they found that info on the Microsoft Intune page; they state that Apple FileVault 2 is 128-bit encryption here:
https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-announces-support-for-macOS-FileVault-disk/ba-p/770675
