Using csfde with FileVaultMaster.keychain
After reading Allister Banks’s great post on standalone use of Cauliflower Vest’s csfde command-line tool, I wanted to see if it was possible to use csfde with Apple’s FileVaultMaster.keychain recovery key to encrypt a Mac. Good news, it is possible and appears to be scriptable. See below the jump for the details.
The first thing I needed to do was to set up a recovery key on the machine that I wanted to encrypt.
Once I had built my recovery keychain and prepared it for use, my next step was to download the latest Cauliflower Vest tar file. If you prefer to use git, you can also clone a copy of the cauliflowervest repository to your local machine instead of downloading the Cauliflower Vest tar file.
If Xcode isn’t already installed on your build machine, download and install it at this point.
Encrypting your Mac’s boot partition
1. Untar the Cauliflower Vest tar file – To untar, you can double-click on the file and OS X’s built-in Archive utility will uncompress it
2. Once untarred, open Terminal and run the following command:
3. Inside the cauliflowervest directory, run the following command:
This will create the csfde binary in the following location:
4. Go to the location of the csfde binary by running the following command:
5. Next, the disk identifier of the drive is needed, so run the following command to get it:
For the purposes of this example, we’ll use disk0s2 for our disk identifier.
6. Now that you have your disk identifier, run the following command:
./csfde disk_identifier username -
When prompted, enter your password. As noted, it will be visible.
If scripting this step, you would use the following command:
/path/to/csfde disk_identifier username password
7. After your password is entered, the encryption process will begin and will register that a recovery keychain is being used (highlighted in blue in the screenshot below.)
8. The actual encryption doesn’t begin until you log in at the pre-boot login screen, so reboot at this point. Encryption should proceed normally after the reboot.
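As an added example (not from the post or the Cauliflower Vest project), here is a wrapper for the scripted csfde step that adds the checks an admin would want before kicking off encryption: it confirms the recovery keychain is in place, resolves the boot volume's identifier from diskutil instead of hard-coding disk0s2, and reads the password without echoing it. It assumes csfde was built as described, that the recovery keychain sits at Apple's standard location /Library/Keychains/FileVaultMaster.keychain, and that csfde still takes the password as its third argument, so it is briefly visible in the process list just as in the post's scripted form.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumes the csfde binary
# built above, the standard recovery keychain path, and csfde's
# "disk_identifier username password" argument form from the post.
set -eu

KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain

# Pull the "Device Identifier" field out of `diskutil info` output read
# from stdin (kept separate from diskutil so it can be checked offline).
parse_device_identifier() {
    sed -n 's/^ *Device Identifier: *//p' | head -n 1
}

# Accept only a partition identifier such as disk0s2; a whole disk such
# as disk0 is not what csfde should be pointed at.
valid_partition_id() {
    case "$1" in
        disk[0-9]*s[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Without the recovery keychain the only way back in is the user password.
recovery_keychain_present() {
    [ -f "$1" ]
}

# usage: encrypt_boot_volume /path/to/csfde username
encrypt_boot_volume() {
    csfde_bin=$1; user=$2
    recovery_keychain_present "$KEYCHAIN" || { echo "missing $KEYCHAIN" >&2; return 1; }
    dev=$(diskutil info / | parse_device_identifier)
    valid_partition_id "$dev" || { echo "unexpected identifier: $dev" >&2; return 1; }
    printf 'Password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    "$csfde_bin" "$dev" "$user" "$pw"
}

# With the csfde path and a user name as arguments, run the encryption;
# with no arguments the file only defines the functions (e.g. when sourced).
if [ "$#" -ge 2 ]; then
    encrypt_boot_volume "$1" "$2"
fi
```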