Search Results

Keyword: ‘csfde’

Using csfde with FileVaultMaster.keychain

February 26, 2012

After reading Allister Banks’s great post on standalone use of Cauliflower Vest’s csfde command-line tool, I wanted to see if it was possible to use csfde with Apple’s FileVaultMaster.keychain recovery key to encrypt a Mac. Good news: it is possible and appears to be scriptable. See below the jump for the details.


Interactive FileVault 2 initialization script

March 13, 2012

I’ve written an interactive script that uses the Cauliflower Vest csfde tool as a standalone utility to enable FileVault 2 encryption on your boot volume. The script asks some questions, then uses that information to initialize the encryption and enable the user account specified.

The script is available here on my GitHub repo.

csfde

The script is expecting the csfde tool to be installed in /usr/local/bin. Install the csfde tool there before running the script.

If the script detects that csfde is not present in /usr/local/bin, it will stop and not run.

Recovery Key

If you are using a managed recovery key (i.e. a properly configured FileVaultMaster.keychain in /Library/Keychains), the script will report that fact and not output a machine-generated recovery key.

If you are not using a managed recovery key, the script will output a machine-generated recovery key that is individual to this specific Mac and display it to the user.

If you are using an improperly configured managed recovery key, the script will output a machine-generated recovery key that is individual to this specific Mac and display it to the user.

VERY IMPORTANT: The machine-generated individual recovery key is not saved anywhere outside the machine. Make a record of it or you will have no recovery key to help unlock your Mac’s encryption if there’s a problem.

The script will request a restart and then report [Process Completed] once it has finished initializing the FileVault 2 encryption process and reporting on the recovery key. Once you’ve made a record of the recovery key (if needed), it is safe at that point to close the Terminal window and reboot your Mac.

Using the Cauliflower Vest GUI application after encryption

March 4, 2012

One aspect of Cauliflower Vest is the Cauliflower Vest GUI application, which works with csfde to enable FileVault 2 encryption on the client Mac, obtains the recovery key, and sends it to the App Engine-based escrow service. It can also be used to manage FileVault 2 encryption by providing access to the recovery key for the specific Mac it’s running on, unlocking the encrypted volume, or even decrypting the Mac. See below the jump for details.


Setting up Cauliflower Vest using a Google Apps domain

February 24, 2012

Google’s Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, solves a number of problems for Mac admins in the enterprise space. These problems include:

A. Allowing individual recovery keys to be automatically generated and escrowed for each Mac

B. The ability to have FileVault 2 encryption force-enabled on a Mac

C. Providing secure access to recovery keys and delegating secure access as needed to those recovery keys

Cauliflower Vest addresses those issues, and also provides csfde, a command-line tool for FileVault 2 setup which can be used independently of the rest of the Cauliflower Vest infrastructure.

I wanted to see how easy it was to stand up a Cauliflower Vest instance with a Google Apps domain while following the instructions. I figured that I was a good tester for this because:

  • I’d never set up a Google Apps domain
  • I’d never before worked with Google App Engine
  • Python and I have a “we should really get together, but never do” relationship.

In short, hopefully the Cauliflower Vest project folks had posted good directions or this train was going to wreck pretty fast.

Fortunately, the Cauliflower Vest project folks have posted good directions on the project’s wiki and were also extremely responsive over email. With their help, I was able to get up and going. See below the jump for what I did.
