
FileVault Setup.app – local FileVault 2 encryption setup and enforcement

I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It's designed to be a user-friendly front end for Apple's fdesetup tool on OS X 10.8.x, which supports turning on FileVault 2 encryption and enabling a single user account.

One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.

Building

You can build the latest version of the application using the Xcode project files available from the GitHub repository. There's also an already-built application available for download from the GitHub repo.

Installation

This application can be installed anywhere on the Mac, though the GitHub project page recommends either /Applications or /Applications/Utilities. For the purposes of my testing, I put it into /Applications.


If you want to hide the application from your users, I’d recommend putting it into a location like /var/root.

Operation

The application was designed to be run by a Mac OS X loginhook. A loginhook is launched by loginwindow when a user logs in, runs with root privileges, and is passed the short name of the user logging in as its first argument. Running this application with root privileges is important because fdesetup requires root privileges to run.

Since this is a process that’s more easily shown than explained, I’ve made a video showing the process from the user’s perspective.

Note: The video has been edited to artificially reduce the amount of time it took to encrypt. Run time of the pre-edited video was 9 minutes.

Management

The application has four command line switches that can be used to tell it how to run:

-FVSDoNotAskForSetup YES / NO – suppresses prompting the user to enable FileVault 2 encryption. The default is NO

-FVSForceSetup YES / NO – enforces the setup and arrests login until the user accepts. The default is NO

-FVSUseKeychain YES / NO – Sets the FileVault 2 encryption to use /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key. The default is YES

-FVSCreateRecoveryKey YES / NO – Sets the FileVault 2 encryption to generate and use an alphanumeric individual recovery key. The default is YES

FileVault Setup can also be managed by MCX or by the defaults command. FileVault Setup accepts four defaults:


FVSDoNotAskForSetup: suppresses prompting the user to enable FileVault 2 encryption, default is NO / FALSE

FVSForceSetup: enforces the setup and arrests login until the user accepts, default is NO / FALSE

FVSUseKeychain: Sets the FileVault 2 encryption to use /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key, default is YES / TRUE

FVSCreateRecoveryKey: Sets the FileVault 2 encryption to generate and use an alphanumeric individual recovery key, default is YES / TRUE

The settings are stored in the following domain: ca.sfu.its.filevaultsetup

Running FileVault Setup without any command line switches or other management will mean it will run with the following configuration:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSDoNotAskForSetup NO -FVSForceSetup NO -FVSUseKeychain YES -FVSCreateRecoveryKey YES

In this case, FileVault 2 encryption set up is not forced. For the recovery keys, FileVault Setup will have fdesetup both generate an alphanumeric individual recovery key and set /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key.

Recovery Keys

As mentioned above, in its default configuration FileVault Setup will try to set up two recovery keys by using a properly configured /Library/Keychains/FileVaultMaster.keychain as the institutional recovery key and also generate an alphanumeric individual recovery key.

To make sure that the individual recovery key is recorded for later reference, FileVault Setup will generate a plist file containing the individual recovery key and store it in the following location. Note that this file holds the recovery key in plaintext on the very volume it unlocks; it is written by a root process, so only root can read it, but it should be collected for escrow and then removed rather than left on the Mac indefinitely:

/private/var/root/fdesetup_output.plist

The plist itself will look similar to this:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnabledDate</key>
	<string>2013-04-29 22:17:00 -0400</string>
	<key>HardwareUUID</key>
	<string>00000000-0000-1000-8000-000C29CEF923</string>
	<key>HasMasterKeychain</key>
	<true/>
	<key>LVGUUID</key>
	<string>9807169C-24E6-4DDC-975A-71D078D73390</string>
	<key>LVUUID</key>
	<string>2BF1F4CA-5E97-4A6B-820A-A87F1DEA5B1D</string>
	<key>PVUUID</key>
	<string>0B0DE25B-8D24-4E31-B1B0-0831455C3A65</string>
	<key>RecoveryKey</key>
	<string>QFDA-9W5V-K2W3-93MR-Y7T8-DPZ5</string>
	<key>SerialNumber</key>
	<string>VMWVk2F+NYrG/tkLIignnJaiw</string>
</dict>
</plist>
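Since the plist is what you will be collecting for escrow, here is a small shell routine that reads the individual recovery key, serial number and hardware UUID back out of it and refuses to produce an escrow record if the key is missing or malformed. This is an added example, not code from FileVault Setup or from the post; the plist it parses is a constructed copy of the sample above written to a temporary file (on a real Mac, point PLIST at /private/var/root/fdesetup_output.plist), the awk-based plist_string and plist_bool helpers are mine and only handle the flat dictionary fdesetup writes, and where the record goes afterwards is left to whatever escrow system you use, since the post does not specify one.

```shell
#!/bin/sh
# Read the individual recovery key out of fdesetup_output.plist for escrow.
# Added example, not part of FileVault Setup. The plist below is a constructed
# copy of the sample from the post so that this runs anywhere.

PLIST=$(mktemp)

cat > "$PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnabledDate</key>
	<string>2013-04-29 22:17:00 -0400</string>
	<key>HardwareUUID</key>
	<string>00000000-0000-1000-8000-000C29CEF923</string>
	<key>HasMasterKeychain</key>
	<true/>
	<key>LVGUUID</key>
	<string>9807169C-24E6-4DDC-975A-71D078D73390</string>
	<key>LVUUID</key>
	<string>2BF1F4CA-5E97-4A6B-820A-A87F1DEA5B1D</string>
	<key>PVUUID</key>
	<string>0B0DE25B-8D24-4E31-B1B0-0831455C3A65</string>
	<key>RecoveryKey</key>
	<string>QFDA-9W5V-K2W3-93MR-Y7T8-DPZ5</string>
	<key>SerialNumber</key>
	<string>VMWVk2F+NYrG/tkLIignnJaiw</string>
</dict>
</plist>
EOF

# plist_string KEY FILE: print the <string> value on the line after <key>KEY</key>.
# Enough for the flat dictionary fdesetup writes; not a general plist parser.
plist_string() {
  awk -v key="$1" '
    $0 ~ ("<key>" key "</key>") { want = 1; next }
    want && match($0, /<string>.*<\/string>/) {
      # strip the 8-character <string> and 9-character </string> tags
      print substr($0, RSTART + 8, RLENGTH - 17); exit
    }
    want { exit }   # key is followed by something other than a string
  ' "$2"
}

# plist_bool KEY FILE: print true or false for a <true/> / <false/> key.
plist_bool() {
  awk -v key="$1" '
    $0 ~ ("<key>" key "</key>") { want = 1; next }
    want { if ($0 ~ /<true\/>/) print "true"; else print "false"; exit }
  ' "$2"
}

# valid_recovery_key KEY: fdesetup's individual recovery keys are six groups
# of four alphanumeric characters separated by dashes, as in the sample.
valid_recovery_key() {
  echo "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# escrow_record FILE: print "serial hardware_uuid recovery_key" on one line,
# or fail without printing anything if the key is absent or malformed so a
# bad record never gets filed in place of a real key.
escrow_record() {
  f="$1"
  key=$(plist_string RecoveryKey "$f")
  serial=$(plist_string SerialNumber "$f")
  hwuuid=$(plist_string HardwareUUID "$f")
  if ! valid_recovery_key "$key"; then
    echo "no valid RecoveryKey in $f" >&2
    return 1
  fi
  echo "$serial $hwuuid $key"
}

escrow_record "$PLIST"
echo "institutional key also set: $(plist_bool HasMasterKeychain "$PLIST")"
```

Once the record has been handed to your escrow system and you have confirmed it arrived, remove the plist from /private/var/root; the whole point of the recovery key is that it unlocks the disk, so it should not stay on that disk.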

If you want to use only the institutional recovery key, you would need to ensure that there is a properly configured FileVaultMaster.keychain stored in /Library/Keychains, then use FVSUseKeychain YES and FVSCreateRecoveryKey NO:

Example command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSUseKeychain YES -FVSCreateRecoveryKey NO

If you want to use only the individual recovery key, you would need to ensure that there is not a FileVaultMaster.keychain stored in /Library/Keychains, then use FVSUseKeychain NO and FVSCreateRecoveryKey YES.

Example command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSUseKeychain NO -FVSCreateRecoveryKey YES

Testing FileVault Setup

My testing was focused on forcing FileVault 2 encryption and using the command-line switches to tell FileVault Setup what to do. As part of that, I set up the following loginhook:


#!/bin/bash

# Login hooks are run by loginwindow as root, with the short
# name of the user logging in passed as $1.

FVSETUP="/path/to/FileVault Setup.app/Contents/MacOS/FileVault Setup"
DISKUTIL="/usr/sbin/diskutil"
LOGGER="/usr/bin/logger"


# check_encryption_state taken
# from the Cauliflower Vest wiki's
# loginhook script:
# http://code.google.com/p/cauliflowervest/wiki/LoginHook
#
# Exits the hook early if the CoreStorage logical volume is
# already encrypted, still converting, or has encryption pending.

check_encryption_state() {
  local cs_list
  cs_list=$("${DISKUTIL}" cs list)

  if echo "${cs_list}" | grep -q -e 'Conversion\ Status.*Pending'; then
    "${LOGGER}" "Disk encryption pending, skipping."
    exit 0
  fi

  if echo "${cs_list}" | grep -q -e 'Conversion\ Status.*Complete'; then
    "${LOGGER}" "Disk encryption complete, skipping."
    exit 0
  fi

  if echo "${cs_list}" | grep -q -e 'Conversion\ Status.*Converting'; then
    "${LOGGER}" "Disk encrypting or decrypting, skipping."
    exit 0
  fi
}


# If the FileVault Setup binary is not present,
# exit the script.

if [[ ! -f "${FVSETUP}" ]]; then
  "${LOGGER}" "FileVault Setup not installed on Mac in specified location"
  exit 0
fi

"${LOGGER}" "FileVault Setup present on Mac"

# Check to see if the Mac is encrypted
# or already encrypting. The application
# also checks for this, but I added this
# to help speed up the loginhook script's
# end if needed

check_encryption_state

# Replace YOUR_LOCAL_ADMIN_ACCOUNT with
# an account that you want to be able
# to login to the Mac without triggering
# the encryption to run.

if [[ "$1" == "root" || "$1" == "YOUR_LOCAL_ADMIN_ACCOUNT" ]]; then
  "${LOGGER}" "Exiting encryption setup for user account: $1"
  exit 0
fi

# If the Mac isn't encrypted, run FileVault Setup.
# Replace -FVSOptionsHere with the FVSUseKeychain and
# FVSCreateRecoveryKey switches you want.

"${LOGGER}" "Enabling encryption on this Mac."
"${FVSETUP}" -FVSForceSetup YES -FVSOptionsHere

While I used this login hook for my testing, I also tried a much simpler login hook script:


#!/bin/sh

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES

I was able to replicate my earlier encryption results, but the pause at the loginwindow (for the loginhook script to run) was a few seconds longer.

From my testing, here are the commands that worked, along with the ones that generated errors. The errors come from fdesetup or CoreStorage and are the result of FileVault Setup being asked to initialize an unsupported FileVault 2 configuration:

Successful FileVault 2 enablement

With no recovery keychain in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and generated an individual recovery key as the Mac’s only recovery key with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO -FVSCreateRecoveryKey YES

With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set the FileVaultMaster.keychain as the Mac’s only recovery key with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain YES -FVSCreateRecoveryKey NO

With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set both the FileVaultMaster.keychain and an individual recovery key with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES

With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set the FileVaultMaster.keychain as the Mac’s only recovery key with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSCreateRecoveryKey NO

Unsuccessful FileVault 2 enablement

With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup gave an fdesetup error 18 with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO


With no recovery keychain on the Mac, FileVault Setup gave an fdesetup error 19 with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain YES -FVSCreateRecoveryKey NO

With no recovery keychain on the Mac, FileVault Setup gave an fdesetup error 19 with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSCreateRecoveryKey YES

With no recovery keychain on the Mac, FileVault Setup gave an fdesetup error 19 with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES


With no recovery keychain on the Mac, FileVault Setup gave an error 15 with the following command:

/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO -FVSCreateRecoveryKey NO

This last error is because FileVault Setup was being asked to set up FileVault 2 encryption without a recovery key. This does not work; you must have a recovery key when encrypting a Mac with FileVault 2.

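The pattern in the results above comes down to three rules: you must have at least one recovery key, you cannot tell FileVault Setup to ignore a FileVaultMaster.keychain that is present, and you cannot tell it to use one that is absent (which is what the defaults do). Since a login hook that hits one of these leaves the user staring at an error dialog with a half-configured Mac, it is worth checking the switch combination before launching the app. The pre-flight below encodes those rules as an added example; it is my code, not part of FileVault Setup or the post. The keychain path and switch names are the ones documented above, the function names are mine, and one combination the post did not test (keychain present with both switches set to NO) is treated as the no-recovery-key case, which is an assumption.

```shell
#!/bin/sh
# Pre-flight check for FileVault Setup recovery-key switches.
# Added example, not part of FileVault Setup: it encodes the outcomes
# documented in the post so a login hook can refuse a combination that
# fdesetup would reject instead of leaving the user at an error dialog.

FVMASTER="/Library/Keychains/FileVaultMaster.keychain"

# fvs_preflight PRESENT USE_KEYCHAIN CREATE_KEY
#   PRESENT       1 if FileVaultMaster.keychain exists, 0 if not
#   USE_KEYCHAIN  value for -FVSUseKeychain (YES or NO)
#   CREATE_KEY    value for -FVSCreateRecoveryKey (YES or NO)
# Prints "ok" or the fdesetup error the post observed for that
# combination; returns 0 when the combination is usable, 1 otherwise.
fvs_preflight() {
  pf_present="$1"; pf_use_kc="$2"; pf_create="$3"

  # No recovery key at all: observed as error 15 with no keychain
  # present. Assumption: the same applies when a keychain is present.
  if [ "$pf_use_kc" = "NO" ] && [ "$pf_create" = "NO" ]; then
    echo "error 15: FileVault 2 requires at least one recovery key"
    return 1
  fi
  # Keychain on disk but told not to use it: error 18.
  if [ "$pf_use_kc" = "NO" ] && [ "$pf_present" = "1" ]; then
    echo "error 18: $FVMASTER is present but FVSUseKeychain is NO"
    return 1
  fi
  # Told to use a keychain that is not there (this is also the default): error 19.
  if [ "$pf_use_kc" = "YES" ] && [ "$pf_present" = "0" ]; then
    echo "error 19: FVSUseKeychain is YES but $FVMASTER is missing"
    return 1
  fi
  echo "ok"
  return 0
}

# fvs_args USE_KEYCHAIN CREATE_KEY: print the full switch list, with
# setup forced, to pass to "FileVault Setup".
fvs_args() {
  echo "-FVSForceSetup YES -FVSUseKeychain $1 -FVSCreateRecoveryKey $2"
}

# fvs_check_host USE_KEYCHAIN CREATE_KEY: run the pre-flight against the
# keychain actually on this machine (what a login hook would call).
fvs_check_host() {
  if [ -f "$FVMASTER" ]; then host_present=1; else host_present=0; fi
  fvs_preflight "$host_present" "$1" "$2"
}

# Walk every combination for both keychain states and show the verdict.
for present in 0 1; do
  for use_kc in YES NO; do
    for create in YES NO; do
      result=$(fvs_preflight "$present" "$use_kc" "$create") || true
      echo "keychain=$present $(fvs_args "$use_kc" "$create") -> $result"
    done
  done
done
```

In a login hook you would call fvs_check_host with the two switch values you intend to pass, log the message it prints if it fails, and only launch FileVault Setup when it prints ok; the "FVSForceSetup YES" in fvs_args is there because an unattended hook that does not force setup just gives the user a dialog to dismiss.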

Running FileVault Setup on an already-encrypted Mac

One of the nicer features of this application is that it can detect if the Mac has already been encrypted with FileVault 2. If it’s launched on a Mac that’s encrypted, it displays a message that FileVault 2 has already been enabled. Once you click the OK button to acknowledge the message, FileVault Setup then quits.


At the login window, FileVault Setup will not appear when triggered by the loginhook on an already-encrypted Mac. Instead, the app will silently quit in the background.

Conclusion

If you’re looking for a way to enforce FileVault 2 on your Macs and don’t have access to server resources, FileVault Setup is a great addition to your set of tools. It will give you the ability to encourage encryption on your machines or force it, depending on your security needs.

It also gives you the ability to prepare a machine and deploy it to your users without encrypting it first, as the loginhook will ensure that encryption gets turned on at the first login.

  1. CJ
    May 2, 2013 at 12:01 am

    Nice tool. I’m wondering if it might be possible to take it a step further now and add in some hooks to store the generated recovery key to Active Directory (assuming BitLocker Recovery Key attribute). Must investigate a bit more but this would be desirable for companies to be able to securely store (and use if needed) the recovery key for the machine.

  2. Eldon Ahrold
    May 3, 2013 at 2:59 am

    You could remove the main window dependency for the drive already encrypted message if you put an alertModal() call in the awakeFromNib() rather than a beginSheetModalForWindow_modalDelegate_didEndSelector_contextInfo_()

  3. October 9, 2014 at 9:46 pm

    I have been working on using Filevault Setup.app + MunkiReport-PHP + a configuration profile to enable, escrow the key for, and enforce filevault, respectively. The solution isn’t perfect, though, as I’m not sure how to automatically confirm that the key has been escrowed.
