Increase FileVault security by destroying keys in standby mode
If you use full-disk encryption (FileVault), your encryption key is stored by default in the EFI BIOS. This helps your Mac when it wakes from standby/sleep. This is fine for most security requirements, but it is not totally secure. You can configure your Mac so that the key is destroyed when it goes into standby/sleep mode. The disadvantage, of course, is that you have to enter your FileVault password when you come back from standby/sleep mode.
How to fix it
macOS 10.11 – 14
- Open Terminal.app
- Enter the following command and press Return:
sudo pmset -a destroyfvkeyonstandby 1
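To confirm the setting took effect, the following check parses `pmset -g` output. It is an added example, not part of the original article or of SimpleumCheck; the function name, the sample text and the assumed output layout (a `DestroyFVKeyOnStandby 1` line) are assumptions.

```shell
#!/bin/sh
# Added example: report whether destroyfvkeyonstandby is active.
# Assumption: `pmset -g` lists the setting as a "name value" line
# (for example "DestroyFVKeyOnStandby 1"); the name is matched
# case-insensitively so either spelling is accepted.

# Reads pmset output on stdin; prints "enabled", "disabled" or "unset".
fv_key_destroy_state() {
    awk '
        tolower($1) == "destroyfvkeyonstandby" { found = 1; value = $2 }
        END {
            if (!found)          print "unset"
            else if (value == 1) print "enabled"
            else                 print "disabled"
        }'
}

# Constructed sample output, so the parser can be exercised off a Mac.
SAMPLE_ENABLED='System-wide power settings:
 DestroyFVKeyOnStandby    1
Currently in use:
 standby              1
 hibernatemode        3'

SAMPLE_MISSING='Currently in use:
 standby              1
 hibernatemode        3'

# On a Mac, check the live configuration.
if command -v pmset >/dev/null 2>&1; then
    state=$(pmset -g | fv_key_destroy_state)
    echo "destroyfvkeyonstandby: $state"
    [ "$state" = "enabled" ] || echo "FileVault key is kept during standby/sleep"
fi
```

A result of "unset" means the setting does not appear in the output at all, which is treated the same as not enabled.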
PLEASE READ THE FOLLOWING TIP AND DISCLAIMER!
Keep in mind: not every security and privacy setting is suitable for everyone. Enhancing security can lead to losing functionality and/or comfort.
Before making changes, please back up your Mac! Do not make too many changes at once. After changing your Mac, check whether your normal usage of your Mac has changed in a way that suits you. Are you really willing to lose some functionality and/or comfort?
Most important is that you learn and understand the advantages and disadvantages of the security settings, and that you are aware of the capabilities and risks of your Mac configuration.
To skip this result message from your next security scan, you can deactivate this check. FAQ: How to deactivate a check.
CHECK RESULTS BY SIMPLEUMCHECK DO NOT COVER ALL ASPECTS OF POSSIBLE SECURITY CHECKS AND MAY BE INCORRECT OR INCOMPLETE. THE RESULTS ARE ONLY CLUES FOR RECOMMENDATIONS TO IMPROVE SECURITY AND PRIVACY ON THE MAC.
The use of SimpleumCheck, the checks and FAQ articles are provided under the SimpleumCheck End User License Agreement (EULA).