Security and Privacy System Preferences

Security and Privacy system preferences in macOS let the user configure FileVault and control some aspects of authorization on the computer. For example, users can indicate whether a password should be required after sleep or the screen saver begins.

At the bottom of the dialog is the lock icon provided by the authorization view (see Designing Secure User Interfaces in Secure Coding Guide). When this icon shows a closed lock, authorization is required before the user can change the settings in this system preferences pane.

FileVault and Encrypted Volumes

When the user turns on FileVault, macOS uses 128-bit AES encryption to encrypt everything on the root volume (or everything in the user’s home folder prior to OS X 10.7).

The system automatically decrypts files upon access if an authorized user is logged in, but the files remain encrypted on disk. This provides maximum security for a user’s files if all of the following are true:

• All sensitive data is stored on an encrypted volume (or in the user’s home directory prior to OS X 10.7).

• Permissions are set appropriately to protect the data from other users on the system.

• Automatic login is disabled.

• A password is required to wake from sleep or to wake from the screen saver.

A user can also create new external volumes with FileVault encryption using Disk Utility. Alternatively, if a user wants to securely store files somewhere other than a FileVault-protected volume (such as on an external hard disk or removable media), the user can create an encrypted disk image.

For more information about FileVault, see Apple Knowledge Base Article HT4790.

Users and Groups System Preferences

When a user installs macOS on a computer, that user automatically becomes a member of the admin group (described in The Admin Group). Subsequently, the user or any other member of the admin group can use the Users & Groups system preferences panes to add new users to the system.

For each new user, the administrator can specify whether that user should be a member of the admin group. If not, the administrator can limit the system features and apps to which that user has access.

Keychain Access

Keychain Access is an macOS utility that lets users see and modify the passwords, certificates, and other data that are stored in their keychains.

With Keychain Access, users can:

• Create new keychains

• Add and delete keychain items

• Lock and unlock keychains

• Choose one keychain to be the default

• See which certificates are available for use by email and web apps, who owns each certificate, and who issued each certificate

• See and change passwords stored for various apps, tools, and websites

• Securely store other secrets, such as passwords, credit card numbers, and notes

When a keychain is locked and an app or other tool needs to gain access to a keychain item, Keychain Services prompts the user for a password.

In addition, the Keychain Access menu includes items to open the Certificate Assistant and Kerberos Ticket Viewer utilities. The Certificate Assistant enables users to create certificates, request certificates from a certificate authority, create a public/private key pair, or evaluate a certificate. The Kerberos Ticket Viewer lets users see any Kerberos tickets in use on the system, and enables them to renew or destroy a ticket, or change a ticket’s password. Kerberos is described in more detail in Authentication, Authorization, and Permissions Guide.

Mail

Apple’s Mail app and other email apps can extract a public key from the signing certificate of any signed email and use it to encrypt messages sent to the owner of that key. See Digital Signatures in Cryptographic Services Guide for more information about digital signatures, and see Help in the Mail app for details on sending encrypted email.