Archive

Archive for the ‘FileVault 2’ Category

Unlock your FileVault-encrypted boot drive using Disk Utility on macOS Mojave

January 18, 2019 Leave a comment

In the event that you need to unlock an unbootable FileVault-encrypted boot drive on macOS Mojave, it’s possible to do so using Disk Utility and the password to a FileVault-enabled account on the drive.

For more details, see below the jump.

Read more…

Unlock or decrypt your FileVault-encrypted boot drive from the command line on macOS Mojave

January 15, 2019 2 comments

As part of working with FileVault on macOS Mojave, it may be necessary to decrypt an encrypted boot drive in order to fix a problem. On Mojave all boot volumes will use Apple File System (APFS), so to unlock or decrypt an encrypted boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. If needed, decrypt the encrypted APFS volume

For more details, see below the jump.

Read more…

T2, FileVault and brute force attack protection

November 1, 2018 1 comment

Apple recently released an overview document for its new T2 chip, which includes how the new T2 chip-equipped Macs have new protections against brute force attacks. This protection only applies if FileVault is enabled and is similar in concept to how iOS devices set with passcodes are protected against brute force attacks.

On iOS, if an incorrect passcode is entered more than five times, a one minute delay is set.

Img 58462d7da9d03 477x600

After the sixth try, the delay is now five minutes and the delays get longer from there until the device has the 10th wrong passcode entered and the device wipes.

Screen Shot 2018 11 01 at 4 31 50 PM

On Apple iOS devices with a Secure Enclave, those delays are enforced by the Secure Enclave processor. Similarly, the T2 chip-equipped Macs also have a Secure Enclave processor which is managing access attempts and introducing delays.

For Macs with Secure Enclave, the enforcement looks like this:

  • 30 unlock attempts via using the password at the login window or target disk mode
  • 10 unlock attempts via using the password in Recovery Mode
  • 30 unlock attempts for each enabled FileVault recovery mechanism
    • iCloud recovery
    • FileVault personal recovery key
    • FileVault institutional recovery key

The maximum number of unlock attempts is 90, regardless of the mix of methods used. After 90 attempts, the Secure Enclave processor will no longer process any requests to do the following:

  • Unlock the volume
  • Decrypt the volume
  • Verify the password / recovery key

Delays are also imposed on macOS between attempts.

Screen Shot 2018 11 01 at 8 40 50 AM

So what happens after 90 attempts? Does the Mac lock forever and become a paperweight?

After checking with AppleCare Enterprise, the answer is that the Mac will not be a paperweight, but that the Mac’s boot drive will need to be erased before it can be used again. This approach helps make sure that the Mac is still usable, but also ensures that the encrypted data stored on the boot drive is no longer recoverable.

For more information about brute force protection for encrypted iOS and macOS devices, I recommend checking out Apple’s currently available white papers:

Detecting if a logged-in user on a FileVault-encrypted Mac has a Secure Token associated with their account

May 10, 2018 1 comment

A challenge many Mac admins have been dealing with is the introduction of the Secure Token attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume.

In my own shop, we wanted to be able to identify if the primary user of a Mac had a Secure Token associated with their account. The reason we did this was:

  1. We could alert the affected help desk staff.
  2. We could work with our users to rebuild their Macs on an agreed-upon schedule where their data was preserved.
  3. We could hopefully avoid working with our users on an emergency basis where their data could be lost.

To help with this, we developed a detection script. For more details, please see below the jump.

Read more…

Session videos available from MacAD UK Conference 2018

March 29, 2018 1 comment

A number of session videos (including mine) have been posted from MacAD UK 2018. For those interested, the videos are available on YouTube via the link below:

https://www.youtube.com/playlist?list=PLe6gxSMzV0S_puM4DliqV0JD4pwlGgO1m

For convenience, I’ve linked my session here.

Cancelling an unwanted FileVault deferred enablement

March 12, 2018 Leave a comment

There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.

However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.

Read more…

Slides from the “Managing FileVault 2 on macOS High Sierra” Session at MacAD UK 2018 Conference

February 21, 2018 4 comments

For those who wanted a copy of my FileVault 2 management talk at MacAD UK 2018, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/MacADUK2018pdf

Keynote – http://tinyurl.com/MacADUK2018key

Hat tip to the attendee who brought to my attention that fdesetup sync is not supported on encrypted APFS boot drives. I’ve now updated the slides to reflect that it works on macOS High Sierra for HFS+ drives only.

HFS+

Screen Shot 2018 02 21 at 12 54 13 PM

APFS

Screen Shot 2018 02 21 at 1 04 16 PM

%d bloggers like this: