Sunday, July 7, 2013

Maximize FileVault Security by Destroying Key Storage in Standby Mode


Standby mode is a power-saving feature that automatically hibernates a Mac after it has been in sleep mode for a while, further reducing battery drain. When a Mac using FileVault encryption is placed into standby mode, a FileVault key (yes, this key is encrypted) is stored in EFI (firmware) so that the Mac can quickly come out of standby when woken from deep sleep. For 99% of users, that hardly matters and it's not a security concern, but for those who want absolute maximum security and protection against some unusually aggressive attacks (i.e. espionage level), you can set OS X to automatically destroy that FileVault key when the Mac is placed in power-saving standby mode, preventing that stored key from being a potential weak point or attack target.


By enabling this setting, FileVault users must enter their FileVault password when a Mac is awoken from standby mode, because the FV key is no longer stored for quick awakening. Hardly an inconvenience, but it does slow down waking from deep sleep a bit, and it does require the user to engage in an additional level of authentication beyond the standard lock and login features before the Mac becomes usable again.


Increase FileVault Security By Destroying FileVault Keys in Standby Mode


This command must be entered into the Terminal, found in /Applications/Utilities/:


pmset -a destroyfvkeyonstandby 1


The -a flag applies the setting to all power profiles, meaning both battery and charger.


If you find this feature unnecessary or frustrating, it can be reversed easily by setting the 1 to a 0 and using the command again as follows:


pmset -a destroyfvkeyonstandby 0


Note that, depending on the privileges of the active user account, you may need to prefix both of these commands with sudo so that they run as superuser. The commands would then be as follows:


Enabling FileVault Key Destruction


sudo pmset -a destroyfvkeyonstandby 1




Disabling FileVault Key Destruction


sudo pmset -a destroyfvkeyonstandby 0


You can always check pmset settings to see if this is currently enabled or disabled by using the following command:


pmset -g
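
The check above can be scripted. The following is an added example, not part of the original post: it reads pmset -g output and reports whether destroyfvkeyonstandby is on. The function names and the sample output are constructed for illustration, and treating a missing line as "not enabled" is an assumption.

```sh
#!/bin/sh
# Added example: audit `pmset -g` output for the FileVault key setting.

# Print the value of setting $1 from `pmset -g`-style text on stdin,
# or "unset" when no line for that setting is present.
pmset_value() {
    awk -v key="$1" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Read `pmset -g`-style text on stdin, print a verdict, and return 0 only
# when destroyfvkeyonstandby is 1. A missing line is treated as not
# enabled (assumption). The standby value is shown for context.
audit_fvkey() {
    report=$(cat)
    destroy=$(printf '%s\n' "$report" | pmset_value destroyfvkeyonstandby)
    standby=$(printf '%s\n' "$report" | pmset_value standby)
    case "$destroy" in
        1) echo "PASS destroyfvkeyonstandby=1 standby=$standby"; return 0 ;;
        0) echo "FAIL destroyfvkeyonstandby=0 standby=$standby"; return 1 ;;
        *) echo "FAIL destroyfvkeyonstandby not reported standby=$standby"
           return 1 ;;
    esac
}

# Constructed sample of `pmset -g` output (not captured from a real Mac).
sample_enabled() {
    cat <<'EOF'
Currently in use:
 standbydelay         4200
 standby              1
 destroyfvkeyonstandby		1
 displaysleep         10
EOF
}

# The same constructed sample with the setting line absent.
sample_missing() { sample_enabled | grep -v destroyfvkeyonstandby; }

# On a Mac, audit the live settings; elsewhere, audit the constructed sample.
if command -v pmset >/dev/null 2>&1; then
    pmset -g | audit_fvkey || true
else
    sample_enabled | audit_fvkey
fi
```

The exit status of audit_fvkey makes it usable in a fleet compliance check: anything other than 0 means the key is not confirmed to be destroyed on standby.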


Admittedly, this is a bit technical and a bit extreme, and thus won’t apply to the vast majority of Mac users. Nonetheless, for those in sensitive security environments, those who have very sensitive data stored on their computers, or even for individuals who desire the utmost in personal security, this is a very valuable option and should be considered if the trade-off of a slower wake time is worth the additional security benefit.


As always with FileVault, do not forget the password, or else all content on the Mac will become inaccessible permanently as the encryption level is so strong that virtually nothing could overcome it in a human timescale. If you’re new to FileVault and the concept of full disk encryption, be sure to set it up properly, and don’t ever lose the FileVault recovery key.


For much more technical information on this topic, Apple has an excellent FileVault deployment guide available in PDF format.






