FileVault 2 deferred enablement in Yosemite
One of the requirements when enabling an account for FileVault 2 is that the account's own password must be provided. The password is run through PBKDF2 to derive a key that is unique to that account, and that derived key is what lets the account unlock FileVault 2's encryption, so there is no way to enable an account without its password.
Apple recognized that there would be situations where Mac admins would need to set up FileVault 2 for a person whose account password the admin does not have. To avoid the immediate need to enter a password, fdesetup has a -defer flag in Mountain Lion, Mavericks and Yosemite that can be used with fdesetup's enable verb to delay enabling FileVault 2 until after the current (or next) user logs out. With the -defer flag, the user will be prompted for their password at their next logout or restart. The recovery key information is not generated until the user's password is obtained, so the -defer option requires a file location where this information will be written as a plist file.
The property list file will be created as a root-only readable file and will contain the recovery key information.
Note: For security reasons, the plist file with the recovery key information should not stay on the encrypted system. Please copy it to a safe location and then securely delete this plist file from the encrypted system.
Run the following command with root privileges to defer enabling FileVault 2 and specify the account you want:
fdesetup enable -user username -defer /path/to/filename.plist
If there is no user account specified with the -user option, then the current logged-in user will be enabled for FileVault 2. If there is no user specified and no users are logged in when the command is run, then the next user that logs in will be chosen and enabled.
If you don’t want to specify the account, run the following command with root privileges:
fdesetup enable -defer /path/to/filename.plist
On logout, the user will be prompted to enter their account password.
Once entered, FileVault 2 will be enabled and the recovery information plist file will be created. Once the enabling process is complete, the Mac will restart.
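Handling the recovery plist once it exists is the part of this procedure that is easy to get wrong, since the file contains the personal recovery key in clear text. The script below is an added example, not code from the original post: it checks that the plist contains a recovery key, copies it to an escrow location, confirms the copy, and only then overwrites and removes the copy on the encrypted volume. The RecoveryKey and SerialNumber keys are the ones fdesetup documents for this plist; the sample plist, the escrow directory and the key format check (six dash-separated groups of four) are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): move the deferred-enablement
# recovery plist off the encrypted Mac and securely remove the local copy.

# Print the <string> value that follows <key>$2</key> in plist $1.
# Works on plutil-style XML where the value sits on the line after the key.
plist_string_value() {
    awk -v want="<key>$2</key>" '
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
        index($0, want) { found = 1 }
    ' "$1"
}

# Refuse to escrow a plist that has no usable personal recovery key
# (for example because -norecoverykey was used, or fdesetup never ran).
check_recovery_plist() {
    [ -f "$1" ] || { echo "missing recovery plist: $1" >&2; return 1; }
    key=$(plist_string_value "$1" RecoveryKey)
    # Assumption: a PRK is 24 characters in six dash-separated groups of four.
    printf '%s\n' "$key" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$' || {
        echo "no valid RecoveryKey in $1 (was -norecoverykey used?)" >&2; return 1; }
}

# Overwrite, then unlink. Yosemite ships srm(1); elsewhere fall back to dd.
# Caveat: on SSDs and journaled filesystems an overwrite is best effort only,
# which is why the plist should never be written somewhere it can linger.
secure_delete() {
    if [ "$(uname)" = Darwin ] && command -v srm >/dev/null 2>&1; then
        srm -s "$1"
    else
        size=$(wc -c < "$1" | tr -d ' ')
        dd if=/dev/urandom of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$1"
    fi
}

# Copy plist $1 into escrow directory $2 (hypothetical: an admin-only share
# or a pickup directory for your escrow tool), named after the Mac's serial,
# and remove the local copy only after the escrow copy is verified.
escrow_recovery_plist() {
    check_recovery_plist "$1" || return 1
    serial=$(plist_string_value "$1" SerialNumber)
    [ -n "$serial" ] || serial="unknown-serial"
    mkdir -p "$2" && chmod 700 "$2"
    cp "$1" "$2/$serial.plist" && chmod 600 "$2/$serial.plist"
    cmp -s "$1" "$2/$serial.plist" || { echo "escrow copy mismatch" >&2; return 1; }
    secure_delete "$1"
}

# Constructed sample plist for trying the functions without a real Mac;
# the values are placeholders, not output from fdesetup.
make_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2014-10-21 09:14:33 -0400</string>
    <key>RecoveryKey</key>
    <string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>
    <key>SerialNumber</key>
    <string>C02EXAMPLE01</string>
</dict>
</plist>
EOF
}
```

On a real Mac you would call `escrow_recovery_plist /path/to/filename.plist /Volumes/Escrow` from a root context after the deferred enablement has completed (for example from a login script that first checks that the plist exists). The copy-verify-delete order matters: deleting before the escrow copy is confirmed can leave you with an encrypted Mac and no recovery key.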
An important thing to keep in mind about the -defer option is that it enables one single user account at the time FileVault 2 encryption is turned on. The -defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on; additional accounts have to be added afterwards with fdesetup's add verb.
In Yosemite, Apple added new options for fdesetup's -defer flag. These new options allow Mac admins to set a deferred enablement with the following behaviors:
- Enforce FileVault 2 enablement at logout
- Enforce FileVault 2 enablement at login
- Enforce FileVault 2 enablement at both login and logout
Yosemite adds the following options for fdesetup's enable verb's -defer flag:
- -forceatlogin max_cancel_attempts
- -dontaskatlogout
These additional options allow a deferred FileVault 2 enablement to be enforced at the login window, rather than waiting for a logout or restart of the Mac in question. To demonstrate how this appears, I’ve made a video showing the following process:
- Logging in at the OS login window
- Being prompted to enable FileVault 2
- The Mac performing initial FileVault 2 setup
- The Mac automatically rebooting to the FileVault 2 pre-boot login screen.
Note: The video has been edited to artificially reduce the amount of time it took to initialize FileVault 2 setup. Run time of the pre-edited video was 1 minute, 12 seconds.
The -forceatlogin option must be given a numerical value. This value is the maximum number of times the account being enabled may cancel the prompt to start FileVault 2 encryption. For example, running the following command with root privileges will allow a maximum of ten cancellations:
fdesetup enable -defer /path/to/filename.plist -forceatlogin 10
If the user chooses to cancel, they will need to select the Don’t Enable button in the dialog window which will appear. They will also be informed of how many more times they can log in before FileVault 2 encryption must be enabled.
If immediate enforcement is desired, setting a value of zero will enforce FileVault 2 encryption at the next login. To do this, run the following command with root privileges:
fdesetup enable -defer /path/to/filename.plist -forceatlogin 0
The fdesetup commands shown above will enforce FileVault 2 enablement at both login and logout. If only enforcement at login is desired, the -dontaskatlogout option can be used. This will prevent a deferred FileVault 2 enablement from being enforced at logout. For example, running the following command with root privileges will enforce FileVault 2 encryption at the next login but not prompt the user on logout:
fdesetup enable -defer /path/to/filename.plist -forceatlogin 0 -dontaskatlogout
The commands shown above will set up a deferred enablement with a personal recovery key (PRK). To set up a deferred enablement with an institutional recovery key (IRK), you will need to add the -keychain flag to the fdesetup command, which tells fdesetup to use the institutional public key stored in /Library/Keychains/FileVaultMaster.keychain. For example, if you want to set up a deferred enablement of FileVault 2 where both a PRK and an IRK are used and the user is forced to enable FileVault 2 at the next login, run the following command with root privileges:
fdesetup enable -keychain -defer /path/to/filename.plist -forceatlogin 0
If you want to set up a deferred enablement where only an IRK is used and the user is forced to enable FileVault 2 at the next login, but not prompted at logout, run the following command with root privileges:
fdesetup enable -keychain -defer /path/to/filename.plist -forceatlogin 0 -dontaskatlogout -norecoverykey
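The combinations above are easy to mistype, and a couple of them are only safe together: -norecoverykey without -keychain leaves no recovery key at all, and -dontaskatlogout without -forceatlogin means the user is never prompted. The wrapper below is an added example, not code from the original post or from Apple: it assembles the fdesetup arguments from a few variables, rejects the combinations that do not make sense given the behaviour described above, checks that FileVault is still off (since -defer cannot be used once encryption is on), and only then calls fdesetup. The FV_* variable names are this example's own; the FileVaultMaster.keychain path is fdesetup's documented location for the institutional key; the check against the text "FileVault is On" in `fdesetup status` output is an assumption about that command's wording.

```sh
#!/bin/sh
# Added example (not from the original post): validate and run a deferred
# FileVault 2 enablement. Hypothetical inputs, set before calling fv_defer_run:
#   FV_PLIST               plist path for -defer (required)
#   FV_USER                account to enable; empty = current or next login
#   FV_FORCE_AT_LOGIN      max cancel attempts for -forceatlogin; empty = logout only
#   FV_DONT_ASK_AT_LOGOUT  1 adds -dontaskatlogout
#   FV_USE_IRK             1 adds -keychain (institutional recovery key)
#   FV_NO_PRK              1 adds -norecoverykey (no personal recovery key)

# Print the fdesetup arguments one per line, in the order used by the
# commands in this post (enable, -user, -keychain, -defer, -forceatlogin, ...).
fv_defer_args() {
    printf '%s\n' enable
    [ -n "${FV_USER:-}" ] && printf '%s\n' -user "$FV_USER"
    [ "${FV_USE_IRK:-0}" = 1 ] && printf '%s\n' -keychain
    printf '%s\n' -defer "$FV_PLIST"
    [ -n "${FV_FORCE_AT_LOGIN:-}" ] && printf '%s\n' -forceatlogin "$FV_FORCE_AT_LOGIN"
    [ "${FV_DONT_ASK_AT_LOGOUT:-0}" = 1 ] && printf '%s\n' -dontaskatlogout
    [ "${FV_NO_PRK:-0}" = 1 ] && printf '%s\n' -norecoverykey
    return 0
}

# Same arguments as a single line, for logging or eyeballing before running.
fv_defer_cmdline() {
    fv_defer_args | tr '\n' ' ' | sed 's/ $//'
}

# Reject option combinations that cannot work, before touching the Mac.
fv_defer_validate() {
    [ -n "${FV_PLIST:-}" ] || { echo "FV_PLIST is required: -defer needs a plist path" >&2; return 1; }
    case "${FV_FORCE_AT_LOGIN:-0}" in
        *[!0-9]*) echo "FV_FORCE_AT_LOGIN must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ "${FV_NO_PRK:-0}" = 1 ] && [ "${FV_USE_IRK:-0}" != 1 ]; then
        echo "-norecoverykey without -keychain would leave no recovery key at all" >&2; return 1
    fi
    if [ "${FV_DONT_ASK_AT_LOGOUT:-0}" = 1 ] && [ -z "${FV_FORCE_AT_LOGIN:-}" ]; then
        echo "-dontaskatlogout without -forceatlogin would never prompt the user" >&2; return 1
    fi
    return 0
}

# Checks that only make sense on the target Mac, as root.
fv_defer_preflight() {
    [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; return 1; }
    # -defer only works while FileVault is still off; once encryption is on,
    # further accounts are added with "fdesetup add" instead.
    if fdesetup status | grep -q 'FileVault is On'; then
        echo "FileVault is already on; -defer cannot be used now" >&2; return 1
    fi
    if [ "${FV_USE_IRK:-0}" = 1 ] && [ ! -f /Library/Keychains/FileVaultMaster.keychain ]; then
        echo "-keychain needs /Library/Keychains/FileVaultMaster.keychain" >&2; return 1
    fi
    return 0
}

# Validate, preflight, then run fdesetup with the assembled arguments.
# Arguments are split on newlines only, so a plist path may contain spaces.
fv_defer_run() {
    fv_defer_validate || return 1
    fv_defer_preflight || return 1
    oldifs=$IFS
    IFS='
'
    set -f
    set -- $(fv_defer_args)
    set +f
    IFS=$oldifs
    echo "running: fdesetup $*" >&2
    fdesetup "$@"
}
```

For the IRK-only, login-enforced case from the last command above you would set `FV_PLIST=/path/to/filename.plist FV_FORCE_AT_LOGIN=0 FV_DONT_ASK_AT_LOGOUT=1 FV_USE_IRK=1 FV_NO_PRK=1` and call `fv_defer_run`; `fv_defer_cmdline` shows the exact fdesetup invocation first, which is worth logging from whatever management tool runs this.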