
Using csfde with FileVaultMaster.keychain

After reading Allister Banks’s great post on standalone use of Cauliflower Vest’s csfde command-line tool, I wanted to see if it was possible to use csfde with Apple’s FileVaultMaster.keychain institutional recovery key to encrypt a Mac. Good news: it is possible, and it appears to be scriptable. See below the jump for the details.

Pre-encryption work

The first thing I needed to do was to set up a recovery key on the machine that I wanted to encrypt.


Once I had built my recovery keychain and prepared it for use, my next step was to download the latest Cauliflower Vest tar file. If you prefer to use git, you can also clone a copy of the cauliflowervest repository to your local machine instead of downloading the tar file.

If Xcode isn’t already installed on your build machine, download and install it at this point.

Encrypting your Mac’s boot partition

1. Untar the Cauliflower Vest tar file. To untar it, you can double-click on the file and OS X’s built-in Archive Utility will uncompress it.

2. Once untarred, open Terminal and run the following command:

cd /path/to/cauliflowervest_directory


3. Inside the cauliflowervest directory, run the following command:

make csfde


This will create the csfde binary in the following location:

/path/to/cauliflowervest_directory/src/csfde/build/Default/csfde
4. Go to the location of the csfde binary by running the following command:

cd /path/to/cauliflowervest_directory/src/csfde/build/Default


5. Next, the disk identifier of the volume to be encrypted (normally the boot volume) is needed, so run the following command to get it:

diskutil list


For the purposes of this example, we’ll use disk0s2 for our disk identifier.

6. Now that you have your disk identifier, run the following command:

./csfde disk_identifier username -

When prompted, enter the account’s password. Note that csfde echoes the password as you type it, so it will be visible on screen.

If scripting this step, you would use the following command:

/path/to/csfde disk_identifier username password

Be aware that a password passed as a command-line argument is visible to other users on the machine for as long as csfde runs (for example via ps) and may also be recorded in shell history, so protect any script that embeds it accordingly.

7. After the password is entered, csfde sets up the encryption and its output will register that a recovery keychain is being used.

8. The actual encryption doesn’t begin until you log in at the pre-boot login screen, so reboot at this point. Encryption should proceed normally after the reboot.
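As an added example, here is a POSIX shell wrapper that scripts the procedure above (build check, disk identifier lookup, recovery keychain check, csfde run). It is not code from the original post or from the Cauliflower Vest project. Its assumptions are: the csfde binary lives where make csfde puts it under the cauliflowervest checkout, the recovery keychain is at Apple’s standard location /Library/Keychains/FileVaultMaster.keychain, and csfde reads the password from standard input when the password argument is “-”, which is how the interactive mode in step 6 behaves. Feeding the password on stdin keeps it out of argv, where ps would otherwise show it.

```shell
#!/bin/sh
# Added example: a POSIX shell wrapper for the csfde + FileVaultMaster.keychain
# procedure described above. Not part of Cauliflower Vest or the original post.
# Assumptions (not stated on the page): CSFDE is the binary that "make csfde"
# drops in src/csfde/build/Default, MASTER_KEYCHAIN is Apple's standard
# institutional recovery keychain location, and csfde reads the password from
# standard input when the password argument is "-".
set -eu

CSFDE="${CSFDE:-./src/csfde/build/Default/csfde}"
MASTER_KEYCHAIN="${MASTER_KEYCHAIN:-/Library/Keychains/FileVaultMaster.keychain}"

# Constructed sample of `diskutil info /` output, used only for the demo run.
SAMPLE_DISKUTIL_INFO='   Device Identifier:        disk0s2
   Device Node:              /dev/disk0s2
   Part of Whole:            disk0
   Volume Name:              Macintosh HD'

# Pull "disk0s2" out of `diskutil info <volume>` text read on stdin.
# Exits non-zero when no Device Identifier line is present.
parse_device_identifier() {
    awk -F': *' '/^ *Device Identifier:/ { print $2; found = 1; exit }
                 END { exit !found }'
}

# Accept only a partition identifier such as disk0s2. csfde converts a
# volume, so a whole-disk identifier like disk0 (or junk) is rejected.
is_slice_identifier() {
    printf '%s\n' "$1" | grep -Eq '^disk[0-9]+s[0-9]+$'
}

# Pre-encryption checks from the post: the recovery keychain must be in
# place before csfde runs, and csfde must have been built.
preflight() {
    if [ ! -r "$MASTER_KEYCHAIN" ]; then
        echo "error: $MASTER_KEYCHAIN not found; install the recovery keychain first" >&2
        return 1
    fi
    if [ ! -x "$CSFDE" ]; then
        echo "error: $CSFDE not found; run 'make csfde' in the cauliflowervest directory" >&2
        return 1
    fi
}

# Encrypt the volume mounted at $1 for the local account $2. The account's
# password is read from this function's stdin and handed to csfde via its
# "-" mode, so it never appears in argv (where ps would show it) or in
# shell history.
encrypt_boot_volume() {
    vol="$1"
    user="$2"
    disk="$(diskutil info "$vol" | parse_device_identifier)"
    is_slice_identifier "$disk" || {
        echo "error: unexpected device identifier '$disk' for $vol" >&2
        return 1
    }
    preflight
    echo "Enabling FileVault 2 on $disk for $user with $MASTER_KEYCHAIN as recovery key"
    "$CSFDE" "$disk" "$user" -
    # Conversion only starts after the next pre-boot login (step 8), but the
    # CoreStorage volume should already exist; list it so the caller can verify.
    diskutil cs list
}

# Usage: sudo sh ./csfde_master.sh / adminuser < /root/adminuser.pass
# Run with no arguments, the script only demonstrates the identifier parsing
# on the constructed sample and touches no disks.
if [ "$#" -ge 2 ]; then
    encrypt_boot_volume "$1" "$2"
else
    printf '%s\n' "$SAMPLE_DISKUTIL_INFO" | parse_device_identifier
fi
```

Keep the password file readable only by root, and remember that the wrapper reports success when csfde returns; the volume is not actually encrypted until the first pre-boot login after the reboot.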
