Archive for the ‘Cauliflower Vest’ Category

“Getting Started with Cauliflower Vest” in MacTech’s May 2012 issue

June 17, 2012

For those interested in using Google’s Cauliflower Vest for FileVault 2 management, I have an article in MacTech’s May 2012 issue. It’s titled Getting Started with Cauliflower Vest and is a guide to getting your own Cauliflower Vest setup up and running.


Slides from the FileVault 2 Decoded Session at Penn State MacAdmins Conference 2012

For those who wanted a copy of my FileVault 2 Decoded session slides from Penn State’s MacAdmins Conference 2012, here are links to the slides in PDF and Keynote format.

PDF document link:

Keynote slides link:

Interactive FileVault 2 initialization script

March 13, 2012

I’ve written an interactive script that uses the Cauliflower Vest csfde tool as a standalone utility to enable FileVault 2 encryption on your boot volume. The script will ask some questions, then uses that information to initialize the encryption and enable the user account specified.

The script is available here on my GitHub repo.


The script is expecting the csfde tool to be installed in /usr/local/bin. Install the csfde tool there before running the script.

If the script detects that csfde is not present in /usr/local/bin, it will stop and not run.

Recovery Key

If you are using a managed recovery key (i.e. a properly configured FileVaultMaster.keychain in /Library/Keychains), the script will report that fact and will not output a machine-generated recovery key.

If you are not using a managed recovery key, the script will output a machine-generated recovery key that is individual to this specific Mac and display it to the user.

If you are using an improperly configured managed recovery key, the script will likewise output a machine-generated recovery key that is individual to this specific Mac and display it to the user.

VERY IMPORTANT: The machine-generated individual recovery key is not saved anywhere outside the machine. Make a record of it or you will have no recovery key to help unlock your Mac’s encryption if there’s a problem.

The script will request a restart and then report [Process Completed] once it has finished initializing the FileVault 2 encryption process and reporting on the recovery key. Once you’ve made a record of the recovery key (if needed), it is safe at that point to close the Terminal window and reboot your Mac.

Using the Cauliflower Vest GUI application after encryption

March 4, 2012

One component of Cauliflower Vest is the Cauliflower Vest GUI application, which works with csfde to enable FileVault 2 encryption on the client Mac, obtains the recovery key, and sends it to the App Engine-based escrow service. It can also be used to manage FileVault 2 encryption after the fact by providing access to the recovery key for the specific Mac it’s running on, unlocking the encrypted volume, or even decrypting the Mac. See below the jump for details.


Removing unwanted recovery keys from a Cauliflower Vest server

March 4, 2012

As machines are retired or otherwise taken out of circulation, their recovery keys may no longer need to stay listed on the Cauliflower Vest App Engine instance. There isn’t a direct way to remove these keys from the Cauliflower Vest web interface, but it is possible to do this via the App Engine admin console.

To do this:

1. Go to the App Engine admin console at

2. Click on the Datastore Viewer link.


3. In the Query: By Kind menu, select FileVaultVolume. This will produce a list of the encrypted volumes that have escrowed keys.


4. Select the ones you want to remove, then click the Delete button.

Note: There’s no undo function once you hit the Delete button. Please make sure you have selected only the entries you want before clicking Delete.

Using csfde with FileVaultMaster.keychain

February 26, 2012

After reading Allister Banks’s great post on standalone use of Cauliflower Vest’s csfde command-line tool, I wanted to see if it was possible to use csfde with Apple’s FileVaultMaster.keychain recovery key to encrypt a Mac. Good news, it is possible and appears to be scriptable. See below the jump for the details.


Enabling hidden admin accounts with Cauliflower Vest

February 25, 2012

One interesting facet of Cauliflower Vest enabling users from the command line is that any user on the system can be enabled. This includes hidden admin users with a UID lower than 500, which can’t be enabled through the FileVault preference pane. After some testing, I found that enabling hidden admin accounts is pretty straightforward for those who can use Casper and Cauliflower Vest. See below the jump for the details.


Setting up Cauliflower Vest using a Google Apps domain

February 24, 2012

Google’s Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution, solves a number of problems for Mac admins in the enterprise space. These problems included:

A. Allowing individual recovery keys to be automatically generated and escrowed for each Mac

B. The ability to have FileVault 2 encryption force-enabled on a Mac

C. Providing secure access to recovery keys and delegating secure access as needed to those recovery keys

Cauliflower Vest addresses those issues, and it also provides csfde, a command-line tool for FileVault 2 setups which can be used independently of the rest of the Cauliflower Vest infrastructure.

I wanted to see how easy it was to stand up a Cauliflower Vest instance with a Google Apps domain while following the instructions. I figured that I was a good tester for this because:

  • I’d never set up a Google Apps domain
  • I’d never before worked with Google App Engine
  • Python and I have a “we should really get together, but never do” relationship.

In short, hopefully the Cauliflower Vest project folks had posted good directions or this train was going to wreck pretty fast.

Fortunately, the Cauliflower Vest project folks have posted good directions on the project’s wiki and were also extremely responsive over email. With their help, I was able to get up and going. See below the jump for what I did.


Cauliflower Vest – Dumb name, brilliant solution for enterprise-manageable FileVault 2 encryption

February 22, 2012

Google has rolled out Cauliflower Vest, an open-source FileVault 2 recovery key escrow solution that allows enterprise management of FileVault 2 encryption to go much further than was previously possible. It leverages the strengths of Apple’s non-enterprise recovery key system while bringing in additional features that most enterprise-focused environments are looking for.

At the moment, I’m going to start poking and prodding at this but I wanted to take a moment to recognize the folks whose hard work brought this to the Mac community:

Anthony Lieuallen, Avi Drissman, Edward Marczak, Felix Gröbert, Greg Castle, John Randolph, Justin McWilliams, and Mark Mentovai

Thanks, guys.
