
Setting up Cauliflower Vest using a Google Apps domain

Google’s Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, solves a number of problems for Mac admins in the enterprise space. These problems include:

A. Allowing individual recovery keys to be automatically generated and escrowed for each Mac

B. The ability to have FileVault 2 encryption force-enabled on a Mac

C. Providing secure access to recovery keys and delegating secure access as needed to those recovery keys

Cauliflower Vest addresses those issues and also provides csfde, a command-line tool for FileVault 2 setup that can be used independently of the rest of the Cauliflower Vest infrastructure.

I wanted to see how easy it was to stand up a Cauliflower Vest instance with a Google Apps domain while following the instructions. I figured that I was a good tester for this because:

  • I’d never set up a Google Apps domain
  • I’d never before worked with Google App Engine
  • Python and I have a “we should really get together, but never do” relationship.

In short, hopefully the Cauliflower Vest project folks had posted good directions or this train was going to wreck pretty fast.

Fortunately, the Cauliflower Vest project folks have posted good directions on the project’s wiki and were also extremely responsive over email. With their help, I was able to get up and going. See below the jump for what I did.

Prep work

Before starting with anything else, I set up my own Google Apps domain named secretplant.com. This is where I will be hosting my Cauliflower Vest App Engine instance, and it is also my source of authentication credentials.

Configuring Cauliflower Vest prior to server deployment

The first step is to download Xcode (if it’s not already installed), the latest Google App Engine SDK, and the Cauliflower Vest tar file. If you prefer to use git, you can clone the cauliflowervest repository to your local machine instead of downloading the tar file.

If Xcode isn’t installed on your build machine, install it at this point.

After that, let’s start following directions!

1. Untar the Cauliflower Vest tar file – to untar it, you can double-click on the file and OS X’s built-in Archive Utility will uncompress it.

2. Once untarred, open Terminal and run the following command:

cd /path/to/cauliflowervest_directory


3. Inside the cauliflowervest directory, run the following command:

make test



Note: It’s important that all tests pass before you continue with the rest of the Cauliflower Vest setup process.

4. Install the Google App Engine SDK that you previously downloaded by copying it to your /Applications directory and double-clicking on it.


On first launch, you’ll be prompted to install the command line utilities. Go ahead and install them.


5. Visit http://appengine.google.com and click Create Application to create a new application.


In my case, here’s what I used:

Application Identifier: secret-plant

Application Title: secretplant

I set my authentication options so that access was restricted to my secretplant.com Google Apps domain and left the High Replication defaults alone.

6. Next, you’ll need to configure your client and server settings by doing the following:

A. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/settings.py file with the following command:

pico /path/to/cauliflowervest_directory/src/cauliflowervest/settings.py

Once inside, replace the SUBDOMAIN string value with your application identifier. In my case, here’s what I used:

SUBDOMAIN = 'secret-plant'

DOMAIN = 'appspot.com'


NOTE: If you’re planning on testing Cauliflower Vest encryption inside a VM, you’ll also need to edit the following section:

FILEVAULT_REQUIRED_PROPERTIES = ['hdd_serial', 'platform_uuid', 'serial']

VMs don’t correctly report a hard disk serial number to Cauliflower Vest, so the 'hdd_serial' value needs to be removed. It should now look like this:

FILEVAULT_REQUIRED_PROPERTIES = ['platform_uuid', 'serial']


B. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/client/settings.py file with the following command:

pico /path/to/cauliflowervest_directory/src/cauliflowervest/client/settings.py

Once inside, you can edit the INTRO_TEXT string to set the message shown to your users when their Macs are encrypted with Cauliflower Vest. This text can say whatever you want.

In my case, because I’m testing, I actually left this part alone.

C. Generate your server keys by randomly generating a 16-byte string (used for the aesKeyString value in the next section) and a 32-byte string (used for the hmacKeyString value in the next section). You can do this by running the following commands in Terminal:

16-byte string:

dd if=/dev/random bs=1k count=1 | md5 | cut -c1-16

32-byte string:

dd if=/dev/random bs=1k count=1 | md5

In both cases, you’ll get a hexadecimal string which you can then plug into the aesKeyString value and the hmacKeyString value in the next step.

D. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/server/settings.py file with the following command:

pico /path/to/cauliflowervest_directory/src/cauliflowervest/server/settings.py

Once inside, find the DEMO_KEYS section and change the following strings:

'aesKeyString': base64.urlsafe_b64encode('16_byte_string__'),

Replace 16_byte_string__ with the 16-byte value you generated previously.


'hmacKeyString': base64.urlsafe_b64encode(

'32_byte_string_bbbbbbbbbbbbbbbbb'),

Replace 32_byte_string_bbbbbbbbbbbbbbbbb with the 32-byte value you generated previously.

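One caveat on the md5 pipelines above: they emit hexadecimal text, which fills the right number of bytes but carries only four bits of entropy per character (64 bits for the 16-character key, 128 bits for the 32-character key). The following Python 3 script is an added example, not part of the original post or of the Cauliflower Vest project; it draws both keys from os.urandom instead, checks their decoded lengths, and renders the two DEMO_KEYS lines with pre-encoded values. It assumes the DEMO_KEYS values are consumed as the urlsafe-base64 strings that the stock base64.urlsafe_b64encode('...') expressions evaluate to, so a pre-encoded literal is equivalent.

```python
import base64
import os

# Key lengths the DEMO_KEYS section on this page expects: 16 bytes for
# aesKeyString (AES-128) and 32 bytes for hmacKeyString.
AES_KEY_BYTES = 16
HMAC_KEY_BYTES = 32


def random_key_string(nbytes):
    """Draw nbytes from the OS CSPRNG and return them urlsafe-base64 encoded."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")


def decoded_length(key_string):
    """Number of raw key bytes a urlsafe-base64 key string decodes to."""
    return len(base64.urlsafe_b64decode(key_string))


def hex_string_entropy_bits(nchars):
    """Entropy of a key made of nchars hexadecimal characters (4 bits each).

    The md5-based commands on this page emit hex text, so a 16-character
    string holds 64 bits, not the 128 bits a 16-byte AES key can carry.
    """
    return nchars * 4


def key_lengths_ok(aes_key_string, hmac_key_string):
    """True when the encoded keys decode to 16 and 32 bytes respectively."""
    return (decoded_length(aes_key_string) == AES_KEY_BYTES
            and decoded_length(hmac_key_string) == HMAC_KEY_BYTES)


def render_demo_keys(aes_key_string, hmac_key_string):
    """Render the two DEMO_KEYS lines with pre-encoded values.

    Assumption: the dict values are used as the urlsafe-base64 strings that
    base64.urlsafe_b64encode('...') in the stock file evaluates to, so a
    pre-encoded literal is equivalent to the page's form.
    """
    if not key_lengths_ok(aes_key_string, hmac_key_string):
        raise ValueError("key strings must decode to 16 and 32 bytes")
    return ("    'aesKeyString': %r,\n"
            "    'hmacKeyString': %r,\n" % (aes_key_string, hmac_key_string))


if __name__ == "__main__":
    print(render_demo_keys(random_key_string(AES_KEY_BYTES),
                           random_key_string(HMAC_KEY_BYTES)))
```

Paste the two printed lines in place of the aesKeyString and hmacKeyString entries in the DEMO_KEYS section.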

NOTE: To avoid a Python error that’s currently in cauliflowervest-0.8.1, also edit the following section in /path/to/cauliflowervest_directory/src/cauliflowervest/server/settings.py:

DEFAULT_EMAIL_DOMAIN = 'example.com'

DEFAULT_EMAIL_SENDER = ''

DEFAULT_EMAIL_REPLY_TO = ''

Mine has been edited to the following:

DEFAULT_EMAIL_DOMAIN = 'secretplant.com'

DEFAULT_EMAIL_SENDER = 'rtrouton@secretplant.com'

DEFAULT_EMAIL_REPLY_TO = 'rtrouton@secretplant.com'


These values aren’t otherwise set by the setup process, so I ran into errors when later trying to access my recovery key. The Cauliflower Vest project folks are aware of this bug and say they’ll be fixing it.

E. To avoid a make error currently in cauliflowervest-0.8.1, edit the /path/to/cauliflowervest_directory/src/cauliflowervest/server/app.yaml file with the following command:

pico /path/to/cauliflowervest_directory/src/cauliflowervest/server/app.yaml

Uncomment the following line and add your application identifier:

# application: ENTER_APPID_HERE


Mine has been edited to the following:

application: secret-plant


Deploying Cauliflower Vest to App Engine

Once everything’s been configured, you should be ready to deploy to your App Engine instance.

1. In Terminal, run the following command:

cd /path/to/cauliflowervest_directory

2. Now, run the following command:

make server_config

This will set up a deployable source bundle to send to your App Engine instance.

3. Lastly, run the following command to deploy the source bundle to your App Engine instance:

make release

You should see a lot of output fly by as your App Engine instance is set up.

To verify that it’s up and working, go to your App Engine site. In my case, I’m going to the following site:

http://secret-plant.appspot.com/

You’ll be asked to sign in, and then see a site like this:


Packaging your desktop client

Once the server end is set up, it’s time to set up the client end. The Cauliflower Vest project folks have good instructions for this as well.

1. Open Terminal and run the following command:

cd /path/to/cauliflowervest_directory

2. Next, run this command:

make dmg

This command will create a disk image and store it in /path/to/cauliflowervest_directory/dist. Inside the disk image is an installer package that installs a binary at /usr/local/bin/cauliflowervest, pre-configured to work with your Cauliflower Vest App Engine instance.

This binary needs to be launched by something else on the Mac. The Cauliflower Vest project folks recommend using a loginhook for this. I used their pre-written loginhook and it worked well.

Encrypting the Mac client

To set up your Mac to be encrypted, you’ll need to install the Cauliflower Vest installer package and also set up your loginhook. I stored my loginhook script in /Library/Scripts and named it encrypt_mac.sh. Next, I ran the following command to set my loginhook:

sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/encrypt_mac.sh

Once done, I restarted my VM and then logged in at the login screen. The Cauliflower Vest warning came up and I was then prompted to log in.


Following login, the Mac reported that encryption was enabled and that the passphrase had been successfully escrowed. I was then prompted to restart.


On restart, I was at the FileVault 2 pre-boot login screen with the account icon for my account showing. I authenticated and the regular FileVault 2 login process continued.


Once my desktop came up, I checked the FileVault preference pane and saw that encryption was proceeding normally.


Getting my recovery key

Since encryption’s only half of what I want to accomplish here, I went next to http://secret-plant.appspot.com to get my Mac’s recovery key.


After authenticating, I was back at my Cauliflower Vest site. I chose to look up my machine by Owner Username and entered my username.

Note: My secretplant.com account is an owner account, so I had full access. Access rights can be delegated and restricted.

At that point, I was looking at a listing for my encrypted Mac. The Volume UUID is a clickable link.


Once the Volume UUID link was clicked, I was given my recovery key.


Testing my recovery key

Once I had my recovery key, I was able to test it out successfully by using it to unlock the encryption and then reset my account password.


Wrap up

Overall, following the directions on the Cauliflower Vest wiki served me pretty well. The folks on the cauliflowervest-discuss mailing list were also very responsive and helped me out when I hit my roadblocks.

I’m pretty impressed with Cauliflower Vest; it works as advertised. The only possible downside I’m seeing is that right now, my workflow is closely tied to Google’s infrastructure (App Engine in particular) and it will likely take some work to get it entirely in-house. For my personal needs, that’s fine, but that may not fit all environments.

That said, Google has recognized this and provided some guidance on how to port the Cauliflower Vest server. As with all open source, if you don’t like what you have, roll your own.

  1. Gary Larizza
    February 24, 2012 at 7:12 pm

    Awesome, Rich :) Rock on with your bad self! NOW – next step, let’s get this running WITHOUT GAE

  2. Yochai
    February 27, 2012 at 7:02 pm

    Agreed, anyone who gets this thing running without GAE is a hero!

  3. Yochai Gal
    June 6, 2012 at 5:07 pm

    Rich, do you have any idea when a non-GAE version would be available? Thanks!

    • June 6, 2012 at 5:35 pm

      Yochai,

      At this point, a non-GAE backend for Cauliflower Vest has yet to be released. I don’t know when one will be available.

  4. Jimmy
    June 29, 2012 at 4:12 pm

Any gotchas on the LoginHook script? I triple checked the default script that you mentioned and the setup procedures. I am still unable to get the script to launch.

    • June 29, 2012 at 4:32 pm

      Jimmy,

      Is the script set to be executable? If you’re not sure, run “sudo chmod a+x /path/to/script” (no quotes) and try it again.

      It also may be that the Cauliflower Vest GUI application didn’t build properly. You can launch the GUI application by running the following command:

      /usr/local/bin/cauliflowervest

  5. Jimmy
    June 29, 2012 at 6:15 pm

    I did chmod a+x the script, but no joy. Kicking off the GUI manually seems to work. Thanks!
