Archive

Archive for the ‘FileVault 2’ Category

Managing Yosemite’s FileVault 2 with fdesetup

February 2, 2015 7 comments

With the release of Yosemite, Apple has continued to add functionality to fdesetup, a valuable command-line tool for enabling, administering and disabling Apple’s FileVault 2 encryption. This tool gives Mac administrators the following command-line abilities:

  • Enable or disable FileVault 2 encryption on a particular Mac
  • Use a personal recovery key, an institutional recovery key, or both kinds of recovery key.
  • Enable one or multiple user accounts at the time of encryption
  • Get a list of FileVault 2-enabled users on a particular machine
  • Add additional users after FileVault has been enabled
  • Remove users from the list of FileVault enabled accounts
  • Add, change or remove individual and institutional recovery keys
  • Report which recovery keys are in use
  • Perform a one-time reboot that bypasses the FileVault pre-boot login
  • Report on the status of FileVault 2 encryption or decryption

I’ll be taking you through all of the capabilities mentioned above, with a focus on showing exactly how they work. See below the jump for details.

Read more…

FileVault 2 deferred enablement in Yosemite

January 31, 2015 Leave a comment

One of the requirements when enabling an account for FileVault 2 is that the account’s own password must be provided in order for the account to be enabled. This is because the account’s password is used to generate a unique derived key via PBKDF2. This key is necessary for the account to unlock FileVault 2’s encryption, so the account’s password must be provided in order to enable an account.

Apple recognized that there would be situations where Mac admins would need to set up FileVault 2 for a person where the admin would not have the password for that person’s user account. To avoid the immediate need to enter a password, fdesetup has a -defer flag in Mountain Lion, Mavericks and Yosemite that can be used with fdesetup‘s enable verb to delay enabling FileVault 2 until after the current (or next) user logs out. With the -defer flag, the user will be prompted for their password at their next logout or restart. The recovery key information is not generated until the user password is obtained, so the -defer option requires a file location where this information will be written to as a plist file.

Screen Shot 2015-01-31 at 12.33.03 PM

The property list file will be created as a root-only readable file and contain information similar to what’s show below.

Screen Shot 2015-01-31 at 12.30.24 PM

Note: For security reasons, the plist file with the recovery key information should not stay on the encrypted system. Please copy it to a safe location and then securely delete this plist file from the encrypted system.

Run the following command with root privileges to defer enabling FileVault 2 and specify the account you want:

fdesetup enable -user username -defer /path/to/filename.plist

Screen Shot 2015-01-31 at 2.23.07 PM

If there is no user account specified with the -user option, then the current logged-in user will be enabled for FileVault 2. If there is no user specified and no users are logged in when the command is run, then the next user that logs in will be chosen and enabled.

If you don’t want to specify the account, run the following command with root privileges:

fdesetup enable -defer /path/to/filename.plist

Screen Shot 2015-01-31 at 2.24.49 PM

On logout, the user will be prompted to enter their account password.

Screen Shot 2015-01-31 at 10.57.19 AM

Once entered, FileVault 2 will be enabled and the recovery information plist file will be created. Once the enabling process is complete, the Mac will restart.

Screen Shot 2015-01-31 at 10.57.20 AM

An important thing to keep in mind about the –defer option is that it enables one single user account at the time of turning on FileVault 2 encryption. The –defer option does not enable multiple user accounts and cannot be used to enable accounts once FileVault 2 encryption has been turned on.

In Yosemite, Apple added new options for fdesetup‘s -defer flag. These new options now allow Mac admins to set a deferred enablement with the following options:

  1. Enforce FileVault 2 enablement at logout
  2. Enforce FileVault 2 enablement at login
  3. Enforce FileVault 2 enablement at both login and logout

For more information, see below the jump.

Read more…

Yosemite’s FileVault 2 pre-boot recovery options

January 17, 2015 2 comments

One of the changes that Apple has introduced with Yosemite is a more straightforward way to recover from login problems at the FileVault 2 pre-boot login screen.

When a FileVault 2-encrypted Mac sits for more than a minute with an account selected at the FileVault 2 pre-boot login screen, a message like the one below should appear:

If you’re having a problem entering your password, press and hold the power button on your Mac to shut it down. Then press it again to start it up in the Recovery OS.

Screen Shot 2015-01-15 at 1.40.50 PM

If the instructions are followed, the Mac will boot from the Mac’s recovery partition on the next startup and go into a Reset Password wizard.

In the Reset Password wizard, there are currently three options available.

  1. I forgot my password
  2. My password doesn’t work when logging in
  3. My keyboard isn’t working when typing my password to login

Screen Shot 2015-01-16 at 8.20.23 AM

Each option will do different things, so let’s take a look at each. For more details, see below the jump.

Read more…

fdesetup sync – fdesetup’s misunderstood command

December 21, 2014 1 comment

Apple’s fdesetup tool includes a number of commands, including fdesetup sync. In the fdesetup manpage, sync is listed with the following description:

Synchronizes information from Open Directory to FileVault

Screen Shot 2014-12-21 at 10.55.50 AM

Since the description is brief and vague, misunderstandings about what fdesetup sync‘s functions were almost inevitable. Based on my research, here’s fdesetup sync does:

1. Automate the disabling of FileVault 2-enabled accounts

fdesetup sync checks with a Mac’s directory service (Active Directory, Open Directory, OpenLDAP, etc.) to see which accounts have been removed. If an account has been removed from the directory service, running fdesetup sync on an encrypted Mac will automatically remove the account from the list of FileVault 2 enabled accounts. The sync only affects the account’s FileVault 2 status and will not remove the account or account home folder from the Mac.

An important thing to know is that fdesetup is only checking to see if the account is there or not there. It’s unable to determine if an account has been set to be disabled. If an account has been disabled but the account is still there, fdesetup sync will not change the FileVault 2 status of the account in question.

2. Automate the update of accounts’ user pictures

fdesetup sync checks with a Mac’s directory service (Active Directory, Open Directory, OpenLDAP, etc.) to see which accounts have user pictures associated with the account. If an account’s user picture is updated on the directory service, running fdesetup sync will allow the updated user picture to also be displayed on the FileVault 2 pre-boot login screen.

In many cases, this information will also have been updated automatically by the OS without the need for fdesetup sync to be run.

With those capabilities in mind, here’s two common misunderstandings I’ve seen or heard of in connection with fdesetup sync:

1. fdesetup sync updates the passwords at the pre-boot login screen

It does not. Based on my research, it appears that this job may be handled by opendirectoryd’s FDESupport module. I haven’t confirmed that with Apple though, so for the moment, treat this information about FDESupport as being my opinion rather than a fact.

2. fdesetup sync can automatically add accounts to a FileVault 2-encrypted Mac.

It does not, and the manpage for fdesetup is explicit about this point elsewhere in the manpage.

Screen Shot 2014-12-21 at 11.59.00 AM

NOTE: The manpage for fdesetup has a typo where it refers to a fdesetupsyncusers” command. This is actually referring to fdesetup sync.

Ten Things You Might Not Know About FileVault 2

December 18, 2014 11 comments

One of the changes that Steve Jobs briefly mentioned in the course of the WWDC 2011 keynote address was that Apple had revamped its FileVault encryption solution for Mac OS X 10.7.x, changing it from encryption that primarily protected your accounts home folder to encryption that protects your whole boot volume. Since that initial announcement, FileVault 2 has evolved into an encryption solution that can be easily managed by both home users and enterprises alike.

That said, almost every technology solution has details and parts that aren’t generally well known and FileVault 2 is not different in that regard. To help Mac admins who are managing FileVault 2 in their own environment, I’ve put together a list of 10 things I’ve run across in my work with FileVault 2 that I’ve either been asked about frequently or which seem to be completely undocumented by Apple. Most of these I’ve previously documented in one form or another, so some of these may seem familiar. See below the jump for the list.

Read more…

Yosemite System Preferences issue when enabling FileVault 2 with an institutional recovery key

December 3, 2014 7 comments

In 10.10.0 and 10.10.1, I’ve noticed an issue when enabling FileVault 2 via System Preferences when using an institutional recovery key.

In Mavericks and earlier versions of OS X, the behavior of System Preferences looked like this:

  1. Click the lock to unlock the FileVault preference pane
  2. Click the Turn on FileVault… button
  3. A list of users that can be enabled for FileVault 2 is displayed. The logged-in user account is marked with the green checkbox that shows that the account is enabled.
  4. A message is displayed that a recovery key has been set by a company, school or institution.
  5. A message prompting the user to restart is displayed.
  6. Once the Restart button has been clicked, the FileVault 2 initialization process continues and restarts the Mac.
  7. The Mac restarts to the FileVault 2 pre-boot login screen.

To illustrate, I’ve made a video showing the described behavior.

In Yosemite 10.10.0 and 10.10.1, the behavior of System Preferences looks like this:

  1. Click the lock to unlock the FileVault preference pane
  2. Click the Turn on FileVault… button
  3. A message is displayed that a recovery key has been set by a company, school or institution.
  4. System Preferences then displays no additional messages and will appear to hang for up to two minutes.
  5. The Mac restarts without further input from the user.
  6. The Mac restarts to the FileVault 2 pre-boot login screen.

To illustrate, I’ve made a video showing the described behavior.

As Yosemite’s current behavior is different and omits several steps that were present in previous versions of OS X, I believe this is a bug in Yosemite instead of intended behavior.

To help get it fixed, I’ve filed a bug report. For those interested in duping it, it’s bug ID 19124344.

For those interested in the details, I’ve also posted the bug report to Open Radar:

http://openradar.appspot.com/19124344

Using OS X 10.8’s fdesetup tool and non-enabled admin accounts to enable users for FileVault 2 on Mavericks and Yosemite

November 14, 2014 Leave a comment

Back in OS X 10.8.x, one of the newly-created fdesetup tool’s functions was to enable users for FileVault 2. To do so, you needed to provide both the username and password of either a previously enabled account or an admin account, as well as the password of the account you want to add.

One interesting twist was that the admin user in question did not themselves need to be enabled for FileVault 2. In my testing on 10.8.x, I found that an admin user could authorize the enabling of other accounts even if the admin account wasn’t enabled. An admin account could also enable itself using this process, by being both the authorizing admin account and the account being enabled.

In Mavericks and later, this behavior changed. If you’re using Mavericks or Yosemite, the fdesetup tool included with those operating systems now prevents non-enabled admin users from enabling other non-enabled users.

That seemed to close the book on non-enabled admin accounts being able to enable users for FileVault 2, until Google’s Macintosh Operations Team posted a script that they said would make a Mac unbootable.

As part of the discussion about that script, something really interesting was discovered. For more details, see below the jump.

Read more…

Follow

Get every new post delivered to your Inbox.

Join 207 other followers

%d bloggers like this: