Setting up Cauliflower Vest using a Google Apps domain
Google’s Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, solves a number of problems for Mac admins in the enterprise space. These problems included:
A. Allowing individual recovery keys to be automatically generated and escrowed for each Mac
B. The ability to have FileVault 2 encryption force-enabled on a Mac
C. Providing secure access to recovery keys and delegating secure access as needed to those recovery keys
Cauliflower Vest addresses those issues, along with providing csfde, a command-line tool for FileVault 2 setups which can be used independently of the rest of Cauliflower Vest infrastructure.
I wanted to see how easy it was to stand up a Cauliflower Vest instance with a Google Apps domain while following the instructions. I figured that I was a good tester for this because:
- I’d never set up a Google Apps domain
- I’d never before worked with Google App Engine
- Python and I have a “we should really get together, but never do” relationship.
In short, hopefully the Cauliflower Vest project folks had posted good directions or this train was going to wreck pretty fast.
Fortunately, the Cauliflower Vest project folks have posted good directions on the project’s wiki and were also extremely responsive over email. With their help, I was able to get up and going. See below the jump for what I did.
Before starting with anything else, I set up my own Google Apps domain named secretplant.com. This is where I will be hosting my Cauliflower Vest App Engine instance and also my source of authentication credentials.
Configuring Cauliflower Vest prior to server deployment
First step is to download Xcode (if not already installed), the latest Google App Engine SDK and the Cauliflower Vest tar file. If you prefer to use git, you can also clone a copy of the cauliflowervest repository to your local machine instead of downloading the Cauliflower Vest tar file.
If Xcode isn’t installed on your build machine, install it at this point.
After that, let’s start following directions!
1. Untar the Cauliflower Vest tar file – To untar, you can double-click on the file and OS X’s built-in Archive utility will uncompress it
2. Once untarred, open Terminal and run the following command:
3. Inside the cauliflowervest directory, run the following command:
Note: It’s important that all tests pass before you continue with the rest of the Cauliflower Vest setup process.
4. Install the Google App Engine SDK that you had previously downloaded by copying it to your /Applications directory and double-clicking on it.
On first launch, you’ll be prompted to install the command line utilities. Go ahead and install them.
5. Visit http://appengine.google.com and click Create Application to create a new application.
In my case, here’s what I used:
Application Identifier: secret-plant
Application Title: secretplant
I set my authentication options so that access was restricted to my secretplant.com Google Apps domain and left the High Replication defaults alone.
6. Next, you’ll need to configure your client and server settings by doing the following:
A. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/settings.py file with the following command:
Once inside, replace the SUBDOMAIN string value with your application identifier. In my case, here’s what I used:
SUBDOMAIN = ‘secret-plant’
DOMAIN = ‘appspot.com’
NOTE: If you’re planning on testing Cauliflower Vest encryption inside a VM, you’ll also need to edit the following section:
FILEVAULT_REQUIRED_PROPERTIES = ['hdd_serial', 'platform_uuid', 'serial']
VMs don’t correctly report a hard disk serial number to Cauliflower Vest, so the ‘hdd_serial’ value needs to be removed. It should now look like this:
FILEVAULT_REQUIRED_PROPERTIES = ['platform_uuid', 'serial']
B. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/client/settings.py file with the following command:
Once inside, you can edit the INTRO_TEXT string to send the appropriate message to your users when they’re encrypted with Cauliflower Vest. This text can say whatever you want.
In my case, because I’m testing, I actually left this part alone.
C. Generate your server keys by randomly generating a 16 byte string (used for the aesKeyString value in the next section) and by randomly generating a 32 byte string (used for the hmacKeyString value in the next section). You can do this by running the following commands in terminal:
16 byte string
dd if=/dev/random bs=1k count=1 | md5 | cut -c1-16
32 byte string
dd if=/dev/random bs=1k count=1 | md5
In both cases, you’ll get a hexadecimal string (highlighted in blue in the screenshots above) which you can then plug into the aesKeyString value and the hmacKeyString value in the next step.
D. Edit the /path/to/cauliflowervest_directory/src/cauliflowervest/server/settings.py file with the following command:
Once inside, find the DEMO_KEYS keys section and change the following strings:
Replace 16_byte_string__ with the 16 byte value you generated previously
Replace 32_byte_string_bbbbbbbbbbbbbbbbb with the 32 byte value you generated previously
NOTE: To avoid a Python error problem that’s currently in cauliflowervest-0.8.1, also edit the following section in /path/to/cauliflowervest_directory/src/cauliflowervest/server/settings.py:
DEFAULT_EMAIL_DOMAIN = ‘example.com’
DEFAULT_EMAIL_SENDER = ”
DEFAULT_EMAIL_REPLY_TO = ”
Mine has been edited to the following:
DEFAULT_EMAIL_DOMAIN = ‘secretplant.com’
DEFAULT_EMAIL_SENDER = ‘firstname.lastname@example.org’
DEFAULT_EMAIL_REPLY_TO = ‘email@example.com’
These values aren’t otherwise set by the setup process, so I ran into errors when later trying to access my recovery key. The Cauliflower Vest project folks are aware of this bug and say they’ll be fixing it.
E. To avoid a make error currently in cauliflowervest-0.8.1, edit the /path/to/cauliflowervest_directory/src/cauliflowervest/server/app.yaml file with the following command:
Change the following value from being commented out and add your application identifier
# application: ENTER_APPID_HERE
Mine has been edited to the following:
Deploying Cauliflower Vest to App Engine
Once everything’s been configured, you should be ready to deploy to your App Engine instance.
1. In Terminal, run the following command:
2. Now, run the following command:
This will set up a deployable source bundle to send to your App Engine instance.
3. Lastly, run the following command to deploy the source bundle to your App Engine instance:
You should see a bunch of code fly by as your App Engine instance is set up.
To verify that it’s up and working, go to your AppEngine site. In my case, I’m going to the following site:
You’ll be asked to sign in, and then see a site like this:
Packaging your desktop client
Once the server end is set up, it’s time to set up the client end. The Cauliflower Vest project folks have good instructions for this as well.
1. Open Terminal and run the following command:
2. Next, run this command:
This command will create a disk image and store it in /path/to/cauliflowervest_directory/dist. Inside the disk image is an installer package that will install a binary into /usr/local/bin/cauliflowervest which has been pre-configured to work with your Cauliflower Vest App Engine instance.
This binary will need to be launched by some outside source. The Cauliflower Vest project folks recommend using a loginhook for this. I used their pre-written loginhook and it worked well.
Encrypting the Mac client
To set up your Mac to be encrypted, you’ll need to install the Cauliflower Vest installer package and also set up your loginhook. I stored my loginhook script in /Library/Scripts and named it encrypt_mac.sh. Next, I ran the following command to set my loginhook:
sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/encrypt_mac.sh
Once done, I restarted my VM and then logged in at the login screen. The Cauliflower Vest warning came up and I was then prompted to log in.
Following login, the Mac reported that encryption was enabled and that the passphrase had been successfully escrowed. I was then prompted to restart.
On restart, I was at the FileVault 2 pre-boot login screen with the account icon for my account showing. I authenticated and the regular FileVault 2 login process continued.
Once my desktop came up, I checked the FileVault preference pane and saw that encryption was proceeding normally.
Getting my recovery key
Since encryption’s only half of what I want to accomplish here, I went next to http://secret-plant.appspot.com to get my Mac’s recovery key.
After authenticating, I was back at my Cauliflower Vest site. I selected to look up my machine by the Owner Username and entered my username.
Note: My secretplant.com account is an owner account, so I had full access. Access rights can be delegated and restricted.
At that point, I was looking at a listing for my encrypted Mac. The Volume UUID is a clickable link.
Once the Volume UUID link was clicked, I was given my recovery key.
Testing my recovery key
Once I had my recovery key, I was able to test it out successfully by using it to unlock the encryption and then reset my account password.
Overall, following the directions on the Cauliflower Vest wiki served me pretty well. The folks on the cauliflowervest-discuss mailing list were also very responsive and helped me out when I hit my roadblocks.
I’m pretty impressed with Cauliflower Vest, it works as advertised. The only possible downside I’m seeing is that right now, my workflow is closely tied to Google’s infrastructure (App Engine in particular) and it will likely take some work to get it entirely in-house. For my personal needs, that’s fine, but that may not fit all environments.
That said, Google has recognized this and provided some guidance on how to port the Cauliflower Vest server. As with all open source, if you don’t like what you have, roll your own.