Archive for November 29, 2011

Insert Citations and Bibliography from Mekentosj Papers to Word 2011

November 29, 2011 3 comments

One of my users requested help today with inserting document citations from Mekentosj Papers into Word 2011, where the user wanted to use the Papers Word 2008 export feature instead of using Endnote. The procedure was not intuitive, so I’ve documented it and posted it here in the event anyone else needs it. See below the jump for the procedure.


Rotating the FileVault 2 Master Password

November 29, 2011 11 comments

If you want to use FileVault 2 with FileVaultMaster.keychain as a managed recovery key, the issue of regularly changing your institution’s Master Password may come up if your worksite mandates password rotation. Since the Master Password’s sole function is to act as the password used to unlock the FileVaultMaster.keychain, this should be relatively straightforward. As long as the public key on your Macs and the private and public keys in your escrowed FileVaultMaster.keychain stay the same, the password to unlock FileVaultMaster.keychain can be updated as often as needed.

There are two strategies you can use here:

1. You can change the password on a copy of your institution’s FileVaultMaster.keychain and push the updated FileVaultMaster.keychain to /Library/Keychains on your Macs – In my opinion, this is probably the most secure way to do this because you’re replacing one encrypted file with another encrypted file, without revealing in transit what the new password is. The main danger would be an incomplete or corrupted copy of the keychain file somehow being pushed to the machines.

2. You can use the security command to update the existing FileVaultMaster.keychain on the machines – In this case, you’re using the security command’s keychain password functionality to update the password used to unlock /Library/Keychains/FileVaultMaster.keychain from a known old password to a known new password. You would need to use sudo, or run it as root, as the FileVault keychain should be owned and writable only by root. Here’s the command to use (command should be all on one line):

sudo security set-keychain-password -o old_master_password -p new_master_password /Library/Keychains/FileVaultMaster.keychain

The main security concern here would be that the passwords referenced in the command would be sent in the clear, and all sudo-using commands will show up in /var/log/system.log. Running the commands as the root user without using sudo would mean that the command should not show up in /var/log/system.log, but it may show up in the root user’s history.
