Slides from the FileVault 2 Session at MacIT 2014
For those who wanted a copy of my FileVault 2 talk at MacIT 2014, here are links to the slides in PDF and Keynote format.
PDF: http://tinyurl.com/macit14fv2PDF
Keynote slides: http://tinyurl.com/macit14fv2keynote
Hi Rich,
Thanks for posting these slides, as always they are extremely helpful!
We are having an issue here that is due to us using Puppet for config management. Puppet can change an account’s password from underneath FileVault, leaving the two “accounts” out of sync password-wise.
‘fdesetup sync’ sounds like it should be the perfect solution but it doesn’t seem to sync the password, so as a result I am using an expect script to remove the account and re-add it as a workaround. This is obviously a bit more complicated in Mavericks as only a FileVault account can add another user.
Do you know of any way to force a password sync?
Many thanks,
Matt
p.s.
I’ve tried the *.efires trick to no avail too.
Matt,
As far as I’m aware, the way Puppet updates passwords is by accessing the relevant account’s plist and changing the password hash to match the desired hash for the new password. (The general idea is described as part of this Puppet bug report: http://projects.puppetlabs.com/issues/12833.) The password update process that Apple uses for the FileVault 2 pre-boot login screen requires the password to be changed in a way that opendirectoryd is aware of the change (as that’s how the update process gets run).
Swapping the hash is not something that opendirectoryd is in the loop for, so that password update process for FileVault 2 does not run when the password is changed via a hash swap. The opendirectoryd module that does this update is named FDESupport. When the update process for a user is successful, you should see something like this in /var/log/opendirectoryd.log: