Archive

Archive for the ‘FileVault 2’ Category

Session videos available from Penn State MacAdmins Conference 2014

July 22, 2014 Leave a comment

The good folks at Penn State have posted the session videos from the Penn State MacAdmins Conference 2013. The sessions slides and videos are all accessible from the Penn State MacAdmins’ Resources page at the link below:

http://macadmins.psu.edu/conference/resources/

As all the session videos have been posted to YouTube, I’ve linked my FileVault 2 session here:

The Extending OS X Management Systems with Scripting session I co-hosted with Jeremy Reichman is linked here:

Slides from the FileVault 2 Session at Penn State MacAdmins 2014

July 10, 2014 Leave a comment

For those who wanted a copy of my FileVault 2 talk at Penn State MacAdmins, here are links to the slides in PDF and Keynote format.

PDF: http://tinyurl.com/PSUMac2014PDF

Keynote slides: http://tinyurl.com/PSUMac2014key

Referencing a FileVault 2 institutional recovery key as part of an fdesetup plist file in Mavericks

July 5, 2014 Leave a comment

As part of the man page for fdesetup, Apple provides a sample plist file as a guide for those who want to import authentication credentials as part of running commands with fdesetup.

Screen Shot 2014-07-04 at 9.14.18 PM

As part of the plist, there are two plist keys that reference using a keychain which contains the private key for an institutional recovery key:

KeychainPath

KeychainPassword

For KeychainPath, you will need to provide the file path to the keychain as the plist value. For KeychainPath, you will need to provide the password that unlocks that keychain.

For example, if you put the keychain file into the /tmp directory, you would reference /tmp/filename.keychain as the KeychainPath plist value. If the password to unlock that keychain is seKritPassword, you would reference seKritPassword as the KeychainPassword plist value.

Screen Shot 2014-07-04 at 9.11.03 PM

One particular thing to note is that the KeychainPath entry on the fdesetup man page references that this works with certain fdesetup commands, but does not specify which commands are applicable.

Screen Shot 2014-07-04 at 9.15.46 PM

As of OS X 10.9.4, it appears that you can leverage the KeychainPath and KeychainPassword plist keys with the following two fdesetup commands.

fdesetup changerecovery

Screen Shot 2014-07-04 at 8.52.33 PM


Screen Shot 2014-07-04 at 8.39.27 PM


fdesetup removerecovery

Screen Shot 2014-07-04 at 8.53.18 PM

Screen Shot 2014-07-04 at 8.57.12 PM

If using the current institutional key to authenticate, the plist should look like this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeychainPath</key>
<string>/path/to/filename.keychain</string>
<key>KeychainPassword</key>
<string>password</string>
</dict>
</plist>

Screen Shot 2014-07-04 at 8.44.02 PM

If you are using the current institutional key to authenticate a change to a new institutional recovery key, you can also embed the public key of the new institutional recovery key in the plist. In that case, the plist will look like this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeychainPath</key>
<string>/path/to/filename.keychain</string>
<key>KeychainPassword</key>
<string>password</string>
<key>Certificate</key>
<data>
(Certificate data goes here.)
</data>
</dict>
</plist>

Screen Shot 2014-07-04 at 8.43.14 PM

Automating fdesetup authrestart in Mavericks

June 24, 2014 1 comment

One of the more interesting functions in Apple’s fdesetup tool is the authrestart verb, which allows a FileVault 2-encrypted Mac to restart and bypass the FileVault 2 pre-boot login screen. Instead, the Mac reboots as a unlocked system and goes straight to the regular login window.

When you run the fdesetup authrestart command, it asks for a password or a personal recovery key. The password must be an account that has been enabled for FileVault 2 (i.e. an account that shows up at the FileVault 2 pre-boot login screen.) After that, it puts an unlock key in system memory and reboots. On reboot, the reboot process automatically clears the unlock key from memory.

For those who want to automate this process, Apple added some functionality to fdesetup authrestart in Mavericks to support importing the authentication via a properly formatted plist. The plist needs to follow the format below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>password</string>
</dict>
</plist>

plist_format_for_fdesetup_authrestart

You would store either the password of an existing FileVault 2-enabled user or the existing personal recovery key in the Password key in the plist.

Once the plist has been set up and properly formatted, run the following command to run the authrestart process and reference the password or recovery key in the plist file for authentication.

sudo fdesetup authrestart -inputplist < /path/to/filename.plist

Screen Shot 2014-06-23 at 7.17.18 PM

The man page for fdesetup also indicates that you can use a keychain with both the private and public keys associated with an institutional recovery key to authenticate the authrestart process. Based on the manpage, you should be able to run the following command to run the authrestart process and reference the institutional recovery key for authentication.

sudo fdesetup authrestart -key /path/to/filename.keychain

As of OS X 10.9.3, this does not appear to work. Instead of being prompted for the keychain’s password and the Mac restarting, an Error: Unable to restart message is displayed and nothing else happens.

Screen Shot 2014-06-23 at 7.30.24 PM

If manually restarted, the Mac will reboot to the FileVault 2 pre-boot login screen.

Screen Shot 2014-06-23 at 8.00.19 PM

I’ve filed a bug with Apple at bugreport.apple.com about this behavior. If you want to also file a bug report on this, please reference the following bug ID when submitting your report:

17423687

I’ve got the details of my bug report posted at Open Radar:

http://openradar.appspot.com/radar?id=6385064946434048

FileVault 2 session at Penn State MacAdmins Conference 2014

June 21, 2014 Leave a comment

I’ll be speaking about FileVault 2 at the Penn State MacAdmins Conference 2014, which is being held from July 8th – 11th, 2013 in State College. For those interested, my talk will be on Thursday, July 10th.

For a description of what I’ll be talking about, please see the Managing Mavericks’ FileVault 2 with fdesetup session description. You can see the whole list of speakers here on the Sessions page.

Unlocking or decrypting a FileVault 2-encrypted Fusion Drive from the command line

April 27, 2014 5 comments

Unlocking or decrypting a FileVault 2-encrypted Fusion drive from the command line can be a little different from how you would handle a non-Fusion drive. This is because Apple has created Fusion drives by using the Core Storage volume manager that they first introduced in OS X 10.7.x. Normally when you enable FileVault 2, there is not an existing Core Storage volume on the drive being encrypted and the FileVault 2 process creates it. When a drive is decrypted using the diskutil cs revert command, that CoreStorage volume is then removed as part of the process.

However, with Fusion drives, not only is there an existing CoreStorage volume present before encryption, you want to make sure it’s not being removed as part of the decryption process. Doing so would destroy the Fusion drive setup and potentially result in the loss of all data stored on the Fusion drive.

There’s two tools that you can use to safely decrypt a Fusion drive on OS X Mavericks:

fdesetup

diskutil

Read more…

Slides from the FileVault 2 Session at MacIT 2014

March 26, 2014 3 comments

For those who wanted a copy of my FileVault 2 talk at MacIT 2014, here are links to the slides in PDF and Keynote format.

PDF: http://tinyurl.com/macit14fv2PDF

Keynote slides: http://tinyurl.com/macit14fv2keynote

Removing all recovery keys from a FileVault 2-encrypted Mavericks Mac

March 24, 2014 2 comments

One of the functions added to the fdesetup tool on 10.9 is removerecovery. This function removes the current recovery key(s) from a FileVault 2-encrypted Mac and can be used to remove with the personal and/or institutional recovery keys from a Mac.

One interesting aspect of this is that this function can be used to remove all recovery keys from a FileVault 2-encrypted Mac running Mavericks. Once the recovery keys have been removed from your Mac, only FileVault 2-enabled accounts will be able to unlock or decrypt it. For more details, see below the jump.

Read more…

Disabling FileVault 2 with fdesetup on Mountain Lion and Mavericks

March 22, 2014 1 comment

Recently, I was asked how to disable FileVault 2 without needing to go into System Preferences. The general idea was that an organization may want to provide their users without admin rights a way to turn off FileVault 2 on an as-needed basis.

Most of the work I’ve done has been focused around turning on FileVault 2 and managing it, rather than providing a way for users to turn it off. That said, fdesetup on both Mountain Lion and Mavericks provides a way to disable FileVault 2 with proper authorization.

To disable FileVault 2 on the Mac you’re logged into, run the following command with root privileges:

fdesetup disable

You’ll be prompted for either the password of an enabled user or a personal recovery key.

Screen Shot 2014-03-22 at 5.39.08 PM  

Screen Shot 2014-03-22 at 5.47.15 PM

Note: If a personal recovery key was not set up on a particular Mac, you’ll only be prompted for the password of an enabled user.

Screen Shot 2014-03-22 at 6.14.48 PM

Once the password or personal recovery key has been entered, the Mac will begin to decrypt.

For those who want to automate this procedure, you can do this using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup disable process described above.

FileVault 2 session at MacIT 2014

March 15, 2014 Leave a comment

I’ll be speaking about FileVault 2 at MacIT 2014, which is being held from March 26th – 29th, 2014 in San Francisco. For those interested, my talk will be on Wednesday, March 26th.

For a description of what I’ll be talking about, please see the IT804: Managing Mavericks’ FileVault2 with fdesetup session page, which is linked on the MacIT Wednesday Full Agenda page.

Follow

Get every new post delivered to your Inbox.

Join 143 other followers

%d bloggers like this: