I’ll be speaking about FileVault 2 at the Penn State MacAdmins Conference 2013, which is being held from May 22nd – 24th, 2013 in State College. For those interested, my talk will be on Thursday, May 23.
I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It’s designed to be a user-friendly interface for Apple’s fdesetup tool on OS X 10.8.x, which supports turning on FileVault 2 encryption and enabling a single user account.
One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.
I recently communicated with a Mac admin who was concerned about using FileVault 2 in his environment because he didn’t want to lose access to tools like single-user mode. Like a number of Mac admins, he’d found single-user mode valuable in helping to diagnose and fix issues on troublesome Macs.
Fortunately, Apple makes it reasonably easy to boot into single-user mode on a FileVault 2-encrypted system. The one difference from an unencrypted Mac is that the encrypted volume has to be unlocked at the pre-boot login screen before single-user mode can finish loading, so single-user mode does not bypass FileVault 2. Here’s how to boot into single-user mode on a FileVault 2-encrypted system:
1. Hold down Command-S after powering on the system.
2. The Mac will begin booting into single-user mode, then the FileVault 2 pre-boot login screen will appear.
3. Authenticate at the FileVault 2 pre-boot login screen by selecting an account and providing the account’s password.
4. The Mac will then unlock the encrypted volume and continue booting into single-user mode.
To show what this looks like, I’ve made a short video showing the process. In this instance, I booted into single-user mode and performed a disk check using fsck, then continued with the rest of the boot process.
For those who wanted a copy of my FileVault 2 talk at MacIT 2013, here are links to the slides in PDF and Keynote format.
Keynote slides: http://tinyurl.com/MacIT2013key
I’ve updated the FileVault 2 status check scripts so that they’re now able to correctly handle unencrypted Fusion drives. The scripts should now report accurately on 10.8.x Macs that use Fusion drives, as well as other 10.7.x and 10.8.x Macs.
The changes are now available as part of my regular script. They have also been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item scripts. Use them in good health and please let me know if you find any problems with them.
One of the new features that appeared with Macs that shipped with Lion and Mountain Lion was Apple’s Internet Recovery. If you encounter a situation in which you cannot start from the Mac’s Recovery HD partition, such as where the internal hard drive has failed or when you’ve installed a new disk without an OS on it, Mac models that were released after July 2011 can use Internet Recovery. Internet Recovery lets you start your Mac directly from Apple’s servers using a NetBoot-like process and gives you the same functionality that Recovery HD does.
Because Internet Recovery has the same capabilities as your Mac’s Recovery HD partition, it can be used to unlock or decrypt a FileVault 2-encrypted Mac. This is potentially valuable in case of emergency, as it means that you can do recovery of a FileVault-encrypted drive even in a situation where the Mac’s Recovery HD partition has been damaged or corrupted in some way.
To boot to Internet Recovery, start up your Mac and hold down Command-Option-R on your keyboard.
You should see a gray screen with an animated globe appear. It should say something like “Starting Internet Recovery. This may take a while.” Depending on your connection speed, it may also switch to a countdown clock to show you how long until it’s fully booted.
Once booted to Internet Recovery, you should see the Recovery interface.
From there, you use the methods described in the links below to unlock or decrypt your FileVault 2-encrypted Mac:
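Both the status-check scripts (unencrypted Fusion drives are CoreStorage volumes, so a check that treats "CoreStorage" as "encrypted" misreports them) and the Recovery unlock/decrypt procedure start from the same place: the output of `diskutil cs list`. The shell script below is an added example, not the author’s status-check script and not the commands from the linked posts. It classifies a Mac’s FileVault 2 state from that output, treating a CoreStorage volume whose encryption type is None as not encrypted regardless of how many physical volumes it spans, and extracts the Logical Volume UUID that `diskutil cs unlockVolume` and `diskutil cs revert` take. The field labels, the tree-line prefixes and the "No CoreStorage logical volume groups found" message are written from memory of 10.8’s diskutil output and are assumptions; the sample outputs are constructed, not captured from real Macs.

```shell
#!/bin/sh
# Added example, not the author's status-check script: classify a Mac's
# FileVault 2 state from the text of `diskutil cs list` (an unencrypted
# CoreStorage volume, such as a Fusion Drive with two physical volumes,
# must NOT count as encrypted) and pull out the Logical Volume UUID that
# `diskutil cs unlockVolume` / `diskutil cs revert` expect in Recovery.
# Assumptions: the field labels (Encryption Type, Conversion Status,
# Conversion Direction), the "+-< Physical Volume" / "+-> Logical Volume"
# tree lines and the "No CoreStorage logical volume groups found" message
# are written from memory of 10.8's diskutil output.

# First value of a "Label:  value" field, with surrounding whitespace removed.
field() {  # $1: diskutil text, $2: field label
    printf '%s\n' "$1" | awk -F: -v key="$2" \
        '$1 ~ key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# UUID from the "+-> Logical Volume <UUID>" line (the Family line has
# "Family" after "Volume", so it does not match).
lv_uuid() {
    printf '%s\n' "$1" | awk '/\+-> Logical Volume [0-9A-F-]+[ \t]*$/ { print $4; exit }'
}

# Number of physical volumes in the group; 2 or more means a Fusion Drive.
pv_count() {
    printf '%s\n' "$1" | grep -c '+-< Physical Volume' || true
}

fv2_status() {  # $1: text of `diskutil cs list`
    if printf '%s\n' "$1" | grep -q 'No CoreStorage logical volume groups found'; then
        echo "FileVault 2 Encryption Not Enabled (no CoreStorage volume)"
        return 0
    fi
    enc=$(field "$1" 'Encryption Type')
    conv=$(field "$1" 'Conversion Status')
    dirn=$(field "$1" 'Conversion Direction')
    pvs=$(pv_count "$1")
    case "$enc" in
        None)   # CoreStorage without encryption: Fusion Drive or plain CS volume
            if [ "$pvs" -ge 2 ]; then
                echo "FileVault 2 Encryption Not Enabled (unencrypted Fusion Drive, $pvs physical volumes)"
            else
                echo "FileVault 2 Encryption Not Enabled (unencrypted CoreStorage volume)"
            fi ;;
        AES-XTS)
            case "$conv:$dirn" in
                Complete:*) echo "FileVault 2 Encryption Complete" ;;
                *:forward)  echo "FileVault 2 Encryption in progress" ;;
                *:backward) echo "FileVault 2 Decryption in progress" ;;
                *)          echo "FileVault 2 Encryption Status Unknown ($conv, $dirn)" ;;
            esac ;;
        *)      echo "FileVault 2 Encryption Status Unknown (encryption type: '$enc')" ;;
    esac
}

# Constructed sample outputs (not captured from real Macs), in the shape
# of `diskutil cs list`.
SAMPLE_FV2='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 1F2A5E0C-0000-4000-8000-000000000001
    Name:         Macintosh HD
    +-< Physical Volume 1F2A5E0C-0000-4000-8000-000000000002
    |   Disk:     disk0s2
    +-> Logical Volume Family 1F2A5E0C-0000-4000-8000-000000000003
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        +-> Logical Volume 1F2A5E0C-0000-4000-8000-000000000004
            Disk:                  disk1
            Volume Name:           Macintosh HD'

SAMPLE_FUSION='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 2B7D9A11-0000-4000-8000-000000000001
    Name:         Macintosh HD
    +-< Physical Volume 2B7D9A11-0000-4000-8000-000000000002
    |   Disk:     disk0s2
    +-< Physical Volume 2B7D9A11-0000-4000-8000-000000000003
    |   Disk:     disk1s2
    +-> Logical Volume Family 2B7D9A11-0000-4000-8000-000000000004
        Encryption Status:       Unlocked
        Encryption Type:         None
        +-> Logical Volume 2B7D9A11-0000-4000-8000-000000000005
            Volume Name:           Macintosh HD'

SAMPLE_CONVERTING='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 3C8E1B22-0000-4000-8000-000000000001
    +-< Physical Volume 3C8E1B22-0000-4000-8000-000000000002
    +-> Logical Volume Family 3C8E1B22-0000-4000-8000-000000000003
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        +-> Logical Volume 3C8E1B22-0000-4000-8000-000000000004'

SAMPLE_NONE='No CoreStorage logical volume groups found'

for sample in "$SAMPLE_FV2" "$SAMPLE_FUSION" "$SAMPLE_CONVERTING" "$SAMPLE_NONE"; do
    fv2_status "$sample"
done
echo "Logical Volume UUID to unlock or revert: $(lv_uuid "$SAMPLE_FV2")"
```

On a real Mac you would feed the functions `"$(diskutil cs list)"` instead of the constructed samples. The UUID that `lv_uuid` returns is the argument for unlocking or decrypting from Recovery’s Terminal: as I recall the diskutil man page, `diskutil cs unlockVolume <LV UUID> -stdinpassphrase` unlocks and `diskutil cs revert <LV UUID> -stdinpassphrase` decrypts, with `-stdinpassphrase` reading the password from standard input so it does not appear on the command line, in shell history or in the process list the way `-passphrase <password>` does.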
Since the release of Google’s Cauliflower Vest, one of the wishlist items that a number of Mac admins have wanted is to use Cauliflower Vest’s capabilities without needing to use Google App Engine as the server backend. Crypt, a new open-source project being developed by Graham Gilbert, looks like a step in the right direction. See below the jump for details.
Credant has added support for managing FileVault 2-encrypted Macs to Credant Enterprise Edition for Mac 7.5.x. Based on my work with it over the past couple of weeks, it looks like a solid solution for managing FileVault 2 encryption on both 10.7.x and 10.8.x. For more details, see below the jump.
“Managing FileVault 2 on OS X Mountain Lion with the Casper Suite” session video from JNUC 2012 now available
JAMF Software has posted the session video for my Managing FileVault 2 on OS X Mountain Lion with the Casper Suite session from JAMF Nation User Conference 2012. For those interested, there’s a streaming version of the video available here on the JAMF News site.
For offline viewing, a high-res version is also available.
For a description of what I’ll be talking about, please see IT824: FileVault 2 Decoded on the Day 1 Agenda page.